Andreas chose to put the sidebar above the content, which I prefer not to do. Furthermore as the sidebar was a “float” that came before the content, it caused additional inconveniences. E.g. if you had an element with clear: both it would be pushed bellow the sidebar. I’ve patched it a bit in order to fix those issues. You can find my modified version here: variant-whitespace.tar.gz

The following Python functions allow you to build and read these 6 chars URL-safe timestamps:

import base64
import struct
import time
 
def build_timestamp():
    """
    Return a 6 chars url-safe timestamp
    """
    return base64.urlsafe_b64encode(struct.pack("!L",int(time.time())))[:-2]
 
def read_timestamp(t):
    """
    Convert a 6 chars url-safe timestamp back to time
    """
    return struct.unpack("!L",base64.urlsafe_b64decode(t+"=="))[0]

These functions work by translating the timestamp into a 4-byte binary form and then encoding it using a URL-safe version of Base64. And finally we strip the padding, which is neither URL-safe nor necessary (as we know the size of the encoded data).

The result looks something like this:

In [72]: build_timestamp()
Out[72]: 'S9sNOQ'

We got a timestamp in using only 6 URL-safe chars.

<form>
...
    <input type="hidden" name="to" value="support@example.com" />
...
</form>

as it is likely that if the value of the “to” field changes the message will be sent to the modified address. The problem with this kind of functionality is that it allows a malicious user to send emails from your mail server. More specifically, it can allow spammers to user your benign server t send their spam (and as a side effect you might be flagged as a spammer yourself).

As this case is pretty obvious one doesn’t see many real-life uses of it anymore (but careless programmers used it more often n the past until they learned better). However one can achieve similar goals (spam-wise) by utilizing a common feature in contact forms: the “CC yourself” checkbox.


“CC yourself” is a convention used by some people when mailing, to verify that the email was indeed sent. It had found a place in many contact forms, as people wanted a way to make sure the form indeed works. But contact forms (as well as some mail servers) don’t verify that the email provided as the “from” is indeed owned by whoever fills the form. Combine that with the fact that many contact forms don’t employ CAPTCHAs (to make the form simpler to use), and you’ll get a situation much like the one discussed above.

In the first case there was a usability advantage to the programmer (who could easily re-use the form’s backend for other forms), which can be easily sacrificed for enhanced security. This time it’s worse as this is a usability feature for the user, which many people believe to be very convinient in contact forms.

I think there are several solutions possible:

1. Adding CAPTCHA to the form. This will make life for the spammers harder, but it also hurt the users by raising the bar for filling out the form. Also, nowadays, it getting harder and harder to find a strong yet easy for humans CAPTCHA.
2. Removing the “CC yourself” feature. this hurts the usability of the contact form.
3. Seperating verified users and unverified. Keeping the feature for registered users, but at the same time, removing it or adding CAPTCHA for unverified users. This seems like a good trade-off, but it requires more work and registration is not applicable for all websites.

In my opinion none of the solutions is perfect. It seems that once again spammers hurt the user experience for everybody else in order to fill our inboxes with unsolicited email.