The Macrosite for News, Analysis and Opinion about the Future of the Internet
Simple Security Steps to Stop Server Spam

Written by Jonathan Hochman
7/23/2009 7 comments

Websites offer two vectors for spreading email spam: email addresses and insecure forms. Bad guys and their botnets crawl the Web, looking for both. With email addresses they build lists. With forms they hijack servers to send spam.

Let’s take a look at how you can offer better protection in both areas.

Protect your email addresses. In my experience, when email addresses are hidden, the flood of spam subsides within a few weeks. But completely removing your email addresses can inconvenience legitimate users who may want to contact you. With a simple code trick, you can display addresses to legitimate browsers while hiding them from spam bots.

Start by identifying all pages on your Websites that contain email addresses. Ask your Webmaster to encode every email address in JavaScript. Processing JavaScript takes substantially more sophistication than simply scanning HTML text looking for string@string.tld, the pattern of a typical email address. Modern browsers can handle JavaScript; most spam bots cannot.

JavaScript can generate a clickable email address in a Web page. Be sure never to include whole email addresses in your HTML code. Mildly convoluted JavaScript code, such as assigning pieces of your email address to variables, and then concatenating those variables to produce output, will fool virtually all spam bots. Each Website would ideally use different code to make it harder for spammers to spot patterns.
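
An added example of the trick described above (not the author's toolbox code): the address is stored as separate pieces and joined only at run time, so the literal string never appears in the HTML. The address parts are constructed placeholders; the page-source check at the end is a crude pre-publish test for a leaked plain address.

```javascript
// Added example: pieces of the address kept apart so a scanner that greps the
// HTML for string@string.tld finds nothing to harvest. Values are placeholders.
const parts = {
  user: ['in', 'fo'],          // local part, split into fragments
  host: ['example', 'com'],    // domain labels, joined with "."
  at: String.fromCharCode(64)  // "@" as a character code, never as a literal
};

// Rebuild the plain address from its pieces at run time.
function assembleAddress(p) {
  return p.user.join('') + p.at + p.host.join('.');
}

// Describe the clickable link: {href, text} for a mailto: anchor.
function buildMailtoLink(p, label) {
  const addr = assembleAddress(p);
  return { href: 'mailto:' + addr, text: label || addr };
}

// Pre-publish check: does a rendered page still contain a plain address?
function containsPlainAddress(html) {
  return /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/.test(html);
}

// In a browser, write the link into the page where this script sits;
// under Node (no DOM) this branch is skipped so the functions can be tested.
if (typeof document !== 'undefined' && document.currentScript) {
  const link = buildMailtoLink(parts, 'Contact us');
  const a = document.createElement('a');
  a.href = link.href;
  a.textContent = link.text;
  document.currentScript.parentNode.insertBefore(a, document.currentScript);
}
```

Run `containsPlainAddress` over the final HTML of every page; a hit means an address slipped through unencoded. As the post says later, this raises a harvester's cost rather than making harvesting impossible.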

Secure your forms. Web forms, such as those commonly found on Contact Us pages, are frequently abused by spammers who want to use your server to send mail to victims. Mail header injection, in which a form value carrying extra mail headers is passed unchecked to a PHP mail script, can trick your server into sending spam messages to third parties with a return address pointing back to you.

So if you ever receive Web form submissions full of random nonsense, that’s a sign of trouble. Your server could be contributing to the worldwide flow of spam.

For securing Web forms, I like two strategies that do not use obtrusive Captchas. One method is to scan every form input field for injection attack strings like “bcc:” and “mime-version:”. Bona fide users are highly unlikely to type things like that into a contact form. The second method employs honeypots.

Honeypots can identify spam bots by looking for actions that a human would be smart enough to avoid. In my experience, honeypots are surprisingly effective. To create a honeypot, just add an extra field to your form, and set the CSS property “display:none” on its parent element. You may also want to label the field with a warning like “Spam trap, keep blank” in case a user has a browser that does not support CSS.

When the form is submitted, check if the honeypot field is blank. Spam bots fill out every field on the form, and they generally don’t waste the processing power required to process CSS definitions or natural language. When the honeypot field is not blank, you’re probably dealing with a spammer.

For best results, I combine field scanning with a honeypot. My code toolbox is available here.
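
The two checks described above, combined as the post recommends, written here as an added server-side example (not the author's code toolbox). The field names and the honeypot name "url_confirm" are assumptions; it also rejects line breaks in fields that end up in mail headers, since an injected header needs a new line to begin.

```javascript
// Added example: field scanning plus a honeypot, as a Node form handler might
// call them. Field names and the honeypot name are assumed, not from the post.

// Strings a bona fide contact-form user will not type: the two named in the
// article plus other header names an injected header would carry.
const INJECTION_STRINGS = [
  /\bbcc:/i, /\bcc:/i, /\bmime-version:/i,
  /\bcontent-type:/i, /\bcontent-transfer-encoding:/i
];

// Fields copied into mail headers must stay on one line.
const HEADER_FIELDS = ['name', 'email', 'subject'];

const HONEYPOT_FIELD = 'url_confirm';

// Markup for the trap: the parent is hidden with CSS, and the label warns
// a user whose browser ignores CSS to leave the field empty.
function honeypotMarkup() {
  return '<div style="display:none">' +
    '<label for="' + HONEYPOT_FIELD + '">Spam trap, keep blank</label>' +
    '<input type="text" name="' + HONEYPOT_FIELD + '" id="' + HONEYPOT_FIELD +
    '" autocomplete="off" tabindex="-1"></div>';
}

// Returns {ok: true} for a plausible human submission, otherwise
// {ok: false, reason} so the handler can log the rejection and send nothing.
function checkSubmission(fields) {
  if (String(fields[HONEYPOT_FIELD] || '').trim() !== '') {
    return { ok: false, reason: 'honeypot filled' };
  }
  for (const [name, value] of Object.entries(fields)) {
    const text = String(value || '');
    if (INJECTION_STRINGS.some((re) => re.test(text))) {
      return { ok: false, reason: 'injection string in ' + name };
    }
    if (HEADER_FIELDS.includes(name) && /[\r\n]/.test(text)) {
      return { ok: false, reason: 'line break in header field ' + name };
    }
  }
  return { ok: true };
}

// Constructed submissions: a human, a bot that filled every field, and one
// that tries to smuggle an extra header through the subject line.
const human = { name: 'Ann', email: 'ann@example.net', subject: 'Quote',
  message: 'Hello,\nplease send a quote.', url_confirm: '' };
const bot = { ...human, url_confirm: 'http://example.invalid' };
const injected = { ...human, subject: 'Hi\r\nBcc: someone@example.invalid' };
```

Log the rejection reason and the client address on every `ok: false` result; a run of "honeypot filled" entries is the sign of trouble the post mentions, seen before any mail leaves the server.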

A word of caution: Simple security is often good enough for low-value targets. My suggested methods could be evaded by a determined malefactor, so they cannot be relied upon for high-value forms like those used to process financial transactions. That said, I have used my scripts on numerous Website contact forms over the years with virtually no user complaints and no spam.

If enough Websites made basic attempts to protect their email addresses and forms, spammers would lose revenues, or they would start processing JavaScript and CSS. Due to the low response rate on spam, spammers need to process huge amounts of data to make money. Technologies like CSS and JavaScript that add extra computation to each transaction can make spamming significantly more expensive, and thus less profitable.

I doubt the methods outlined here will ever win the battle against spammers, but they could keep your inbox cleaner and save your users from the hassle of obtrusive Captchas.

— Jonathan Hochman, founder, Hochman Consultants

Channel: Enterprise IT, Security
Jonathan Hochman
Thinkernetter
Sunday July 26, 2009 11:26:21 PM

The more spam going into the cloud mailbox, the harder that server has to work to filter. The harder all the mail relays have to work along the path to deliver that spam to the filter. I think it makes sense to stop spam at the source by not putting your name on their list in the first place.

I do a fair amount of work with small businesses that don't always have the best filtering. For them, cutting the flow of spam can have a positive impact on their marketing campaigns because their real customer inquiries don't get buried in a pile of garbage.

DavidSilversmith
Thinkernetter
Sunday July 26, 2009 11:17:24 PM

"Also, by securing your forms, you help avoid spam from being sent from your server to other victims."  That's a great point and fortunately all the organizations I have worked at have focused on that.

"By reducing the flow of spam at the source, you can help your filters work more effectively" I really wonder about this - the filters are working quite effectively today and since we're using these resources in the cloud it's not impacting our mail servers.  Is there a real advantage?

Jonathan Hochman
Thinkernetter
Sunday July 26, 2009 11:16:54 PM

Yes.  Even though there are other sources of spam besides your website, it makes sense to employ layered security.  By reducing the flow of spam at the source, you can help your filters work more effectively.  Some amount of spam leaks through any filter.  Also, by securing your forms, you help avoid spam from being sent from your server to other victims.

DavidSilversmith
Thinkernetter
Sunday July 26, 2009 10:59:01 PM

For the last several years I operated following most if not all of the suggestions in your post.  My company still got spam - tons of spam - but we stopped it with a cloud based anti-spam program.  Few users actually got more than the occasional spam message.

The organization I am now with has ignored almost every suggestion in your article.  We too use a cloud based anti-spam program.  Few users actually get more than the occasional spam message.

So I am wondering - is all the effort on the front end worth it, or is the real killer application the anti-spam filters on your server - or in the case of SpamSoap, Postini etc. the filters that are in the cloud and not even on your mail server.

smkinoshita
IQ Crew
Friday July 24, 2009 9:32:12 AM

Unfortunately, some people must or they'd stop doing it. There's a newbie born every minute, so to speak. What upsets me is that it's these new, vulnerable users who are the ones who get nailed by sleazy practices.

Mashka
Researcher
Friday July 24, 2009 3:53:25 AM

Smkinoshita, does somebody still respond to spam letters? I can't believe it!

smkinoshita
IQ Crew
Thursday July 23, 2009 10:15:55 AM

The more informed people are, the more spam-stomping tactics that get used, and the less people respond to the stuff, the better!

I've passed this along to some of our staff.  They might already know about these techniques, but you never know -- and the less spam out there the better.
