We were reviewing one of our clients' sites today. They're going to be moving to our email integration soon – which is a good thing. I'm guessing their websites are probably already blacklisted… here's why…
They have a contact form on their website. It's nice enough, a bunch of fields to send all your personal info to them to sign up for their email initiative. A closer look, though, and it's really simply a tool they've put out for spammers to take advantage of.
<FORM name="form1" method="post"> <INPUT type=hidden value="contact" name="what" /> <INPUT type=hidden value="http://myspamalink.com" name="sitename" /> <INPUT type=hidden value="7" name="site" /> <INPUT type=hidden value="7" name="client_code" /> <INPUT type=hidden value="contact" name="formname" /> <INPUT type=hidden value="firstname.lastname@example.org" name="sendto" /> <INPUT type=hidden value="http://www.somepage.com" name="nextpage" />
Notice the hidden fields where you can input an email address! As a test, I pulled the form, put my email address on it, and put a link in the other hidden field. I clicked submit and a minute later, I had a SPAM email in my inbox!
This is how spammers can continue to send email without worrying about getting blocked. All they need to do is find a form like this on your website and they can script a process that pushes millions of emails through overnight. Who gets blocked? Not the spammer… the company does!
This specific form is on a website of a billion dollar business, not a small business. And there are thousands of these types of insecure forms everywhere on the net. The irony here is that they did it on an ASP page – a page that could have easily done a lookup for email addresses at the server and appended them.
In case you're wondering, of course we've told them!