Frontpage Forms & Spam

  • Thread starter Jason Dunn, Windows Mobile MVP

Jason Dunn, Windows Mobile MVP

I created a new Web site the other week, something very simple for my
father. I used FrontPage 2003 and the Form tools to create a contact form.
When I tested the contact form last week, I used a unique alias -
(e-mail address removed) - one that has *never* been used before (it has since
been blocked on my server, which is why I'm listing it). Today I received a
piece of spam to (e-mail address removed). Because this address has never been
used before, this leads me to believe one of three things:

1) A spam bot found some record of this email address on the server where
this form was submitted
2) My father, who received the email, has spyware on his PC that is scanning
incoming email
3) It was random, brute-force name-guessing spam and this is a coincidence

#3 is highly improbable (I would have received a flood of email if that was
the case), and I'm going to investigate #2, but I wanted to ask about #1
here. I've confirmed that the form is NOT saving to an HTML file and is only
emailing the results. I've poked through every file and folder via FTP that
I could see, trying to find a place where FrontPage might have stored that
form and could not find anything. Google searches on this topic didn't turn
up much either.

So the question for the FrontPage gurus of this group is this: if a form is
not set to store as HTML, and only to email, does FrontPage 2003 somehow
keep form data in a file someplace that is accessible to external search
engines that might know where to look?

Thanks for any insight!

- Jason Dunn
 

MD Websunlimited

Hi Jason,

Spammers use robots to walk web sites looking for email addresses then send a message to each that they find.

We have an add-in that will obfuscate the email address in the page.
 

Steve Easton

If (e-mail address removed) is the email address that you designated in form properties for the
email to be sent to, and if you published the page to a public server, the email address has
been harvested from the web bot code in the page.


--
Steve Easton
Microsoft MVP FrontPage
95isalive
This site is best viewed..................
...............................with a computer
 

Murray

This really has nothing to do with FP, and everything to do with putting
bare email addresses on the web.

To be completely safe, only use server-side email, i.e., NOT mailto: as a
form action, and use some variant of CAPTCHA (use Google to read about it).
 

p c

Spammers harvest email addresses from web pages (the HTML) whether you
put it there or FP put it there. If you are not sure if an email address
is there, view the page in HTML/code view and search for "@".

Anything like "someone@somedomain" will be collected by spammers.

As Steve and others said, you need workarounds to prevent spammers from
capturing:
1. Restrict access to the site to authorized users.
2. Use server side scripting.
3. Obfuscate the email address.
4. Use form submissions (w/o email address shown in HTML).
5. etc.

By the way, I have one account for which I given the email address to
anyone, and I still get spam. In that case, spammers use dictionary
attacks to verify valid email addresses.

...P
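
The "view the page in HTML/code view and search for @" check from the post above, automated as an added example (not code from the thread). The sample page is constructed, and its `webbot` comment with an `S-Email-Address` attribute is an assumption about what a FrontPage form publishes.

```python
import re
from html import unescape
from html.parser import HTMLParser

# Deliberately loose pattern: the goal is to flag anything address-shaped.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class AddressAudit(HTMLParser):
    """Record (location, address) for every address present in the served HTML."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _scan(self, where, text):
        # unescape() so entity-encoded addresses (&#64; for "@") are reported too
        for addr in EMAIL_RE.findall(unescape(text or "")):
            self.findings.append((where, addr))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:          # catches href="mailto:..." and hidden inputs
            self._scan(f"<{tag} {name}>", value)

    def handle_data(self, data):
        self._scan("text", data)

    def handle_comment(self, data):
        # Form settings published inside <!--webbot ... --> comments land here
        self._scan("comment", data)

def audit(html):
    parser = AddressAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (addresses are placeholders)
SAMPLE_PAGE = """<html><body>
<form method="POST" action="--WEBBOT-SELF--">
<!--webbot bot="SaveResults" S-Email-Format="TEXT/PRE" S-Email-Address="test-alias@example.com" -->
<input type="text" name="Name"><input type="submit" value="Send">
</form>
<a href="mailto:dad&#64;example.com">Write to us</a>
</body></html>"""

if __name__ == "__main__":
    for where, addr in audit(SAMPLE_PAGE):
        print(f"{where}: {addr}")
```

Run it over every file that gets published; an empty result means no address is readable from the page source.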
 

Cheryl Wise

Captchas are bad for accessibility, if you use one there should be an
alternative method to verify or contact. Or you can use a very simple one
like: What is the color of a black dog?

If they type in black then they get the email or form.

--
Cheryl D. Wise
MS FrontPage MVP
Certified Professional Web Developer
Start to Web - next class session begins March 5
Intro to FrontPage, FrontPage Level 2, Intro CSS
See http://starttoweb.com
 

Murray

I agree with you, Cheryl - just didn't want to get too detailed at this
point.

I usually have something like -

What is the name of the day after Thursday (hint - Friday): ________
 

Jason Dunn, Windows Mobile MVP

If (e-mail address removed) is the email address that you designated in form
properties for the email to be sent to and if you published the page to a
public server, the email address has been harvested from the web bot code in
the page.

Aha, yes, that now makes sense. Although that isn't the current email
address in the form properties, it was at one point during testing, so that
would explain why it got spidered and why I got spammed. Thanks for solving
the mystery, that's exactly what I was searching for! It's a pity FrontPage
2003 doesn't protect the email address somehow. :-(
 

Jason Dunn, Windows Mobile MVP

This really has nothing to do with FP, and everything to do with putting
bare email addresses on the web.

All due respect, I disagree - I was using FrontPage's form building tool,
and since it doesn't protect the email address in any way, this is very much
a flaw in FrontPage that should be addressed.
 

Steve Easton

It's not a "FrontPage" flaw.
It's an indication of the current state of the internet.


--
Steve Easton
Microsoft MVP FrontPage
95isalive
This site is best viewed............
........................with a computer
 

Joe Rohn

Jason Dunn said:
All due respect, I disagree - I was using FrontPage's form building tool,
and since it doesn't protect the email address in any way, this is very
much a flaw in FrontPage that should be addressed.

Hi Jason,

Whether you use a FrontPage produced form...or even just a mailto:
link..it's open season for Spammers as those are easily harvested. At the
very least it is best to obfuscate mail links..but really doing server side
processing is the best solution. So it's really more of a flaw of the way
email is generated..rather than a FrontPage specific flaw.

--
Joe

Microsoft MVP FrontPage

FrontPage Users Forums:
http://www.timeforweb.com/frontpage
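
A sketch of the server-side processing recommended in this thread, combined with the simple challenge question suggested earlier; this is an added example, not code from any poster. The field names, addresses and the `build_contact_mail` helper are hypothetical, and handing the message to a mail server is left out.

```python
import re
from email.message import EmailMessage

# Assumption: recipient and challenge answer live in server-side configuration,
# so neither ever appears in the HTML sent to the browser.
RECIPIENT = "owner@example.com"          # constructed placeholder address
SENDER = "webform@example.com"           # constructed placeholder address
CHALLENGE_ANSWER = "friday"              # "What is the name of the day after Thursday?"
ADDRESS_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

class Rejected(ValueError):
    """Raised when a submission must not be turned into mail."""

def build_contact_mail(form):
    """Build the notification mail from submitted fields (dict of str), or raise Rejected."""
    if form.get("challenge", "").strip().lower() != CHALLENGE_ANSWER:
        raise Rejected("challenge question answered incorrectly")
    name = form.get("name", "").strip()
    reply_to = form.get("email", "").strip()
    body = form.get("message", "").strip()
    if not body:
        raise Rejected("empty message")
    # Values copied into headers must be single-line
    if any(ch in name + reply_to for ch in "\r\n"):
        raise Rejected("line break in a header field")
    if reply_to and not ADDRESS_RE.fullmatch(reply_to):
        raise Rejected("reply address is not address-shaped")
    msg = EmailMessage()
    msg["To"] = RECIPIENT                # fixed here; a submitted "recipient" field is ignored
    msg["From"] = SENDER
    msg["Subject"] = f"Contact form: {name or 'anonymous'}"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    return msg

if __name__ == "__main__":
    print(build_contact_mail({"name": "Ann", "email": "ann@example.org",
                              "message": "Hello", "challenge": "Friday"}))
```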
 

Cheryl Wise

It is a flaw that is found in many email processing scripts, formmail has
the same issue.

--
Cheryl D. Wise
MS FrontPage MVP
Certified Professional Web Developer
Start to Web - next class session begins March 5
Intro to FrontPage, FrontPage Level 2, Intro CSS
See http://starttoweb.com
 

Jason Dunn, Windows Mobile MVP

very least it is best to obfuscate mail links..but really doing server
side processing is the best solution. So it's really more of a flaw of the
way email is generated..rather than a FrontPage specific flaw.

Right, so wouldn't it be useful for FrontPage 2007 (or whatever it's called)
to have a feature whereby a bot would do the email form processing, and be
completely hidden from spambots? That's certainly not beyond the realm of
what's possible, and for everyone using contact forms with FrontPage, it
would save them a lot of hassle.

Hey, I like the product, I'm just trying to suggest ways that it could be
better. Surely as MVPs for the product you can be critical of it? I know
there are a LOT of things I'd want to see improved with Windows Mobile. :)
 
