“CC Yourself” and Spam

Every good web programmer will note that the following contact form markup is probably flawed:

<form>
...
    <input type="hidden" name="to" value="support@example.com" />
...
</form>

since the backend most likely sends the message to whatever address the “to” field contains, so anyone who edits that value chooses the recipient. The problem with this kind of functionality is that it allows a malicious user to send emails from your mail server. More specifically, it can allow spammers to use your benign server to send their spam (and as a side effect, you might be flagged as a spammer yourself).

As this case is pretty obvious, one doesn’t see many real-life uses of it anymore (but careless programmers used it more often in the past until they learned better). However, one can achieve similar goals (spam-wise) by utilizing a common feature in contact forms: the “CC yourself” checkbox.


“CC yourself” is a convention used by some people when mailing, to verify that the email was indeed sent. It has found a place in many contact forms, as people wanted a way to make sure the form indeed works. But contact forms (as well as some mail servers) don’t verify that the email provided as the “from” is indeed owned by whoever fills the form. Combine that with the fact that many contact forms don’t employ CAPTCHAs (to make the form simpler to use), and you’ll get a situation much like the one discussed above.

In the first case there was a usability advantage to the programmer (who could easily re-use the form’s backend for other forms), which can be easily sacrificed for enhanced security. This time it’s worse, as this is a usability feature for the user, which many people believe to be very convenient in contact forms.

I think there are several solutions possible:

  1. Adding a CAPTCHA to the form. This will make life harder for the spammers, but it also hurts the users by raising the bar for filling out the form. Also, nowadays, it is getting harder and harder to find a CAPTCHA that is strong yet easy for humans.
  2. Removing the “CC yourself” feature. This hurts the usability of the contact form.
  3. Separating verified users and unverified users. Keeping the feature for registered users, but at the same time, removing it or adding CAPTCHA for unverified users. This seems like a good trade-off, but it requires more work, and registration is not applicable for all websites.
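As an added illustration (not code from the original post), here is the flawed backend pattern from the hidden-“to” snippet above, next to a handler that implements the third option: the destination is fixed server-side, and the “CC yourself” copy is only sent when the logged-in user has a verified address that matches the one typed into the form. The support address, the User record and the form field names are assumptions.

```python
from dataclasses import dataclass
from email.message import EmailMessage
from typing import List, Optional

# Assumed fixed destination for the contact form; never taken from the request.
SUPPORT_ADDRESS = "support@example.com"


@dataclass
class User:
    """Hypothetical account record; `verified` means the site confirmed ownership of `email`."""
    email: str
    verified: bool = False


def build_vulnerable(form: dict) -> EmailMessage:
    """The flawed pattern: recipient and CC copy are both chosen by the client."""
    msg = EmailMessage()
    msg["From"] = form["from"]
    msg["To"] = form["to"]           # hidden field, trivially edited by the submitter
    if form.get("cc_me"):
        msg["Cc"] = form["from"]     # "CC yourself" goes to an unverified address
    msg.set_content(form["message"])
    return msg


def build_hardened(form: dict, user: Optional[User]) -> EmailMessage:
    """Fixed recipient; CC only to an address the site has already verified."""
    msg = EmailMessage()
    msg["From"] = SUPPORT_ADDRESS    # envelope sender is ours, not the submitter's
    msg["Reply-To"] = form["from"]   # submitter's address still usable for replying
    msg["To"] = SUPPORT_ADDRESS      # the hidden "to" field is ignored entirely
    cc_allowed = (
        bool(form.get("cc_me"))
        and user is not None
        and user.verified
        and user.email.lower() == form["from"].lower()
    )
    if cc_allowed:
        msg["Cc"] = user.email
    msg.set_content(form["message"])
    return msg


def recipients(msg: EmailMessage) -> List[str]:
    """Envelope recipients an SMTP send would use (To plus Cc)."""
    return [str(msg[h]) for h in ("To", "Cc") if msg[h]]
```

With the hardened handler an anonymous submitter can put any address in the form, but the only mailbox that ever receives a message is the site's own.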

In my opinion, none of the solutions is perfect. It seems that once again spammers hurt the user experience for everybody else in order to fill our inboxes with unsolicited email.
