News: The worst contact form practice
There is a practice with website contact forms which is not at all uncommon, and should be considered one of the worst mistakes that you can make with your website. If you are making this mistake, you should correct it immediately. Below I will describe this practice.
Let's say you have a contact form on your website which has 3 fields for user input:
- Name
- Message
Now let's let these variables be $1, $2, and $3. When a user fills out this form, you send them an email generated from their input which looks like this:
Hi, $1. We received your message and will reply soon. For reference, here is your message: $3.
This is very common. Do you see the mistake? Here, let me help you by filling in the variables maliciously. Here is how I am filling out your contact form:
Name: Cheap Viagra
Email: SomeoneThatIsntMe@gmail.com
Message: You can buy cheap viagra at my website, cheapvigra.notareal.tld
And now, SomeoneThatIsntMe@gmail.com (who is in fact not me) will receive this email from you:
Hi, Cheap Viagra. We received your message and will reply soon. For reference, here is your message: You can buy cheap viagra at my website, cheapvigra.notareal.tld
Do you now see the problem? This is as bad as being an open SMTP relay. You are in fact an open relay for anyone to use for the purpose of sending spam to anyone, at any time, from you. If your website functions like this, you need to resolve it immediately. There are clear trends that we use to identify this behavior. When we think we see it, we will visit your website and see if we can confirm that your website functions like this. If it does, we will block it from sending email until you fix it.