Spammers are now trying to use forms to send email to individuals at companies, or at mailing lists that may be attached to forms. While it is impossible to stop people from using the forms, there are a few best practices that can be put into place to avoid them from being used by spam agents.
1 - Never have a form submission trigger an email to an address outside your organization. Spammers will then use your server as a spamming tool, which can result in your web server being blacklisted.
2 - Never have a form submission trigger a server process, even with a "hidden" URL. Any server or administrative tools should always be behind a password protected site, with a complex (alpha and numeric, longer than 6 characters) password. Javascript password methods should never be used.
3 - Have form submissions processed to a database for later review and processing. While an email is often the more convenient solution, a database allows for proper logging, review, approval and management of form submissions.
4 - Implement one or more methodologies to test if the form is being submitted by a live person, or an automated spam process. For example: - use an image test. This entails presenting the web visitor with an image (jpg or gif) of a text code within the form. As part of the form validation, the code entered by the user would have to be tested against the know correct value. Any incorrect forms are rejected and the visitor is allowed to correct their error. - use a time test. Because of the speed of an automated spam agent is much faster than a human to enter a form's data, it is often observed that the spam's agent will complete a form within 5 to 10 seconds. You may simply reject any forms that are presented to the visitor and then submitted back in less time than a desired threshold (i.e. 10 to 15 seconds).
