Web form security - Malicious web form content

Handling spam and malicious form content

I may be about to give away a few secrets, here, but for the benefit of Targa clients and the wider public I’d like to share with you some of the ways that Targa handles spam and messages with malicious intent which are submitted through the contact forms on the our websites and those of our clients.

There are many articles on the web about web fraud, suspicious IPs, etc., which is great for those of us who have a technical background, but if you’re a plumber, electrician, dentist, carpet fitter or accountant with a website, you’re probably not too interested in what a suspicious IP is. You’re more likely to want to know what steps your web designer can take to reduce the risk of you being hacked through your website.

Spam, scam and malicious intent

Let’s face facts. There are, unfortunately, some very unscrupulous people out there who will try by all means possible to spam and scam any target they choose. They hit banks, large organisations, social media platforms, clone accounts, or target the phones or laptops of people like you and me.

By email we get bombarded with offers, action to be taken to prevent the imminent closure of accounts that we don’t have, or to get parcels delivered which we didn’t even order, and... literally as I write this... I received an email telling me that my Amazon Prime account has been suspended.

I don’t have an Amazon Prime account, but if I did I might be initially concerned. And I might (if I’m not careful) click the link to the PDF attached to that email which they say contains details about the suspension of my account.

That, of course, is a big fat lie!

People are understandably concerned

I also see, via Google Ads, a large number of searches for terms relating to website safety, security and legitimacy.

So people are understandably concerned, and as a web designer and manager of websites for many clients, I have become increasingly aware of suspicious, malicious and obscene content being submitted through the contact forms on these websites.

What can we do to stop spam and malicious content in web forms?

There are methods which attempt to reduce this kind of content being submitted through web forms, such as those which aim to stop forms being submitted unless you can prove that you’re human. Remember that it's not just people sitting at their computer filling out web forms and making a nuisance of themselves... robots (or bots) are also out there trawling the internet to find web forms and automatically populate them.

Some methods are more effective than others

Some prevention methods are more effective than others, and some can become annoying to users of the website, especially if they’re asked to click on all the squares in a photo which contain busses, traffic lights, fire hydrants, etc., and even after that they’re sometimes still unable to submit the form.

A bespoke approach to tackling malicious and offensive web form submission

I chose to try something which is less intrusive, easy for the user to verify that they’re human, and flexible enough to detect and deal with a number of different types of suspicious activity.

To begin with, each time a page containing a form loads, a random 4 digit numerical code is generated. This code is then displayed on the page as an image, which makes it harder for automated screen readers to identify. The user simply needs to enter that code in a field next to the submit button. Simple... if you’re human!

There are of course validation checks to make sure that data entry such as the email address is correctly formatted, but this article is more concerned with forms being used to send bad stuff.

Forms containing obscene words

For those form submissions which contain obscene words, I didn’t want my clients to be receiving those messages which may cause offence.

It was felt necessary to sanitise those form submission, so a long list of obscene words was compiled. Whenever someone submits a form, the content is checked against that list of obscene words, and any matches are replaced with XXX.

There's nothing magical about that approach, but seeing XXX in emails is likely to be less offencive than the original obscene words that had been sent. Besides that, some email providers may suspend accounts which have been used to send or recieve multiple obscene communications.

Forms containing links to malicious content

Very often those obscene messages contain links. Whatever those links are described as, I would advise against clicking on them. I realise that this advice is often given through various media channels, but it’s so easy for people... especially on phones or tablets... to tap on the screen and accidentally hit the link.

So additional steps were introduced to Targa website forms which recognises links by various means, and stops them from being clickable when they appear in an email.

There are various other things we do on our web forms which reduce messages with malicious or offensive content, but one main thing we do is detect the IP address of the sender.

Cross-Site Scripting - Forms submitted with scripts

You might have heard of terms like JavaScript but even if you haven’t I’ll keep this to a simple explanation...

It is possible for people to add even a short piece of code to a form which, if executed, could do things such as lock, disable or hijack your computer, steal personal information, passwords, etc.

Such practice is often referred to as Cross Site Scripting (also known as XSS or x site scripting)

One of the methods we use to minimise the risk of x site scripting is to detect and convert some of the characters typically used in used in code so that they no longer pose a threat.

IP detection

Broadly speaking, all computers (including phones and tablets connected to the internet) have IP addresses. So if it’s possible to detect the IP address of a computer or device which has been used to send malicious content through a web form, it is also possible to write code to prevent that same IP from being able to make further submissions through web forms.

That is exactly what Targa has done.

Furthermore, all of our forms and those forms on our client’s websites send a notification to a central collection point when a user submits a form containing spam or malicious content. The IP addresses contained in those notifications are added to blacklist of IPs, and all of the forms on all of our websites benefit from being checked against that ever growing master blacklist.

The effectiveness of this blacklist relies heavily on continuous IP detection, but it also contains a long list of IPs which are widely known to have fraud risks.

What effect does the IP blacklist have?

If someone uses a computer which is on the blacklist, when they load any page containing a contact form, the detection of their blacklisted IP will disable the submit button on the form, and the user will be not be able to send anything though.

They could, of course, switch to a different device or computer, and if that isn’t already on our blacklist, we’ll detect it when the form content fails any one of a number of checks we have in place.

Continuous Improvement

Those checks are being added to and improved all the time, the blacklist which already contains several hundred IPs and other check criteria grows daily... literally every day... and each incremental development to our form monitoring process is applied directly to all of our websites that same day.

A point to note about privacy

From the perspective of privacy, I should point out that even though the forms on our clients websites are designed to send notifications of IP addresses whenever a suspicious or malicious form submission has been sent, these notifications contain no personally identifiable information, and all communications from the users of our clients websites remain private and confidential between the sender and our clients.