Every good web programmer will note that the following contact form markup is probably flawed
<form> ... <input type="hidden" name="to" value="firstname.lastname@example.org" /> ... </form>
as it is likely that, if the value of the “to” field is changed, the message will be sent to the modified address. The problem with this kind of functionality is that it allows a malicious user to send emails from your mail server. More specifically, it can allow spammers to use your benign server to send their spam (and as a side effect you might be flagged as a spammer yourself).
As this case is pretty obvious, one doesn’t see many real-life uses of it anymore (but careless programmers used it more often in the past, until they learned better). However, one can achieve similar goals (spam-wise) by utilizing a common feature in contact forms: the “CC yourself” checkbox.
“CC yourself” is a convention used by some people when mailing, to verify that the email was indeed sent. It has found a place in many contact forms, as people wanted a way to make sure the form indeed works. But contact forms (as well as some mail servers) don’t verify that the email provided as the “from” address is indeed owned by whoever fills in the form. Combine that with the fact that many contact forms don’t employ CAPTCHAs (to keep the form simple to use), and you get a situation much like the one discussed above: the form will send a copy of any message to any address the spammer types into the “from” field.
In the first case there was a usability advantage for the programmer (who could easily re-use the form’s backend for other forms), which can easily be sacrificed for enhanced security. This time it’s worse, as this is a usability feature for the user, which many people believe to be very convenient in contact forms.
I think there are several solutions possible:
- Adding a CAPTCHA to the form. This will make life harder for the spammers, but it also hurts the users by raising the bar for filling out the form. Also, nowadays, it is getting harder and harder to find a CAPTCHA that is strong yet easy for humans.
- Removing the “CC yourself” feature. This hurts the usability of the contact form.
- Separating verified users from unverified ones. Keeping the feature for registered users, but at the same time removing it (or adding a CAPTCHA) for unverified users. This seems like a good trade-off, but it requires more work, and registration is not applicable for all websites.
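As an added illustration (example code, not code from the original post), here is the flawed backend beside a hardened one that implements the third option: the recipient is fixed server-side, and the “CC yourself” copy is sent only to an address the server has already verified through a registered session. All names and the sample form data are hypothetical.

```python
# Added example: contact-form backend, vulnerable pattern vs. hardened pattern.
# Nothing is actually sent; each handler returns the message it would hand to the MTA.
import re
from dataclasses import dataclass, field
from typing import List, Optional

CONTACT_RECIPIENT = "contact@example.org"   # fixed in server config, never read from the form
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class OutboundMail:
    to: List[str]
    cc: List[str] = field(default_factory=list)
    subject: str = ""
    body: str = ""


def vulnerable_handler(form: dict) -> OutboundMail:
    """The flawed pattern from the post: the recipient comes from a hidden 'to' field
    and the CC copy goes to whatever 'email' the submitter typed, so anyone can use the
    form to relay mail to arbitrary addresses."""
    cc = [form["email"]] if form.get("cc_me") else []
    return OutboundMail(to=[form["to"]], cc=cc,
                        subject=form.get("subject", ""), body=form.get("message", ""))


def hardened_handler(form: dict, session_verified_email: Optional[str]) -> OutboundMail:
    """Recipient is taken from configuration, so a tampered 'to' field is ignored.
    The CC copy is added only when the logged-in session owns a verified address and
    it matches the 'email' field; unverified visitors get no copy at all."""
    sender = form.get("email", "")
    if not _EMAIL_RE.match(sender):
        raise ValueError("invalid sender address")
    cc: List[str] = []
    if (form.get("cc_me") and session_verified_email
            and sender.lower() == session_verified_email.lower()):
        cc = [session_verified_email]
    return OutboundMail(to=[CONTACT_RECIPIENT], cc=cc,
                        subject=form.get("subject", ""), body=form.get("message", ""))


if __name__ == "__main__":
    # Constructed sample submission with a tampered 'to' field and an unowned 'email'.
    sample = {"to": "someone@example.net", "email": "other@example.net",
              "cc_me": "on", "subject": "hi", "message": "unsolicited text"}
    print("vulnerable:", vulnerable_handler(sample))
    print("hardened, anonymous visitor:", hardened_handler(sample, None))
```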
In my opinion none of the solutions is perfect. It seems that once again spammers hurt the user experience for everybody else in order to fill our inboxes with unsolicited email.