Panix Web FAQ: 3.4. How Do I Send Form Content Via Email?

Panix, New York's
first
Internet Service Provider

Panix Web FAQ: 3.4. How do I send form content via email?

Any Web script that sends mail will eventually be visited by a spammer who will try to trick your script into becoming a spam relay.

If you've just started to write your own CGI scripts, do NOT try to write a mailing script. Use one from the list at the end of this page.

Idiot Test or CAPTCHA

Because of the prevalence of automated scripts (bots) that try to abuse Web pages that send email or post to blogs, all web forms that send email must have some kind of test to block (or at least slow down) the bots.

One common method of doing so is to provide the client a "puzzle" to solve, such as a "CAPTCHA" image of blurry letters or numbers that require human interpretation of the image. The web page form does not accept any input unless the correct code is typed in by the client.

A much easier method is known as the "idiot test". This asks a very simple question and answer, simple enough that it is not a burden to program it into your form or for the human using your web site to answer. For example:

Joe's favorite food is chicken. To verify that you are not a bot, please answer this question: What is Joe's favorite food?

And in the above case, the form would not proceed unless the answer "chicken" was provided by the user.

Slightly more complex versions of the "idiot test" ask the user to add two numbers together (sometimes using different numbers at each invocation), or to ask a question where the answer is not explicitly specified in the question:

What is the common abbreviation for New York City?

How deep is Mark Twain?

If you are making a new form to collect e-mail addresses, you must use an idiot test or a CAPTCHA. If you are already using such a form on Panix, and it creates backscatter, we will require you to add an idiot test or a CAPTCHA. We would appreciate you doing so on existing scripts, even if they are not yet causing backscatter.

CGI Scripts

The following free CGI mail programs have recent development activity and are more secure against attacks by spammers:

NMS formmail:: http://nms-cgi.sourceforge.net/scripts.shtml; http://www.scriptarchive.com/nms.html
Jack's: http://www.dtheatre.com/scripts/formmail.php
Tectite PHP FormMail:: http://www.tectite.com/formmailpage.php

If you insist on using the Matt's Script Archive Formmail, the latest version is at:

http://scriptarchive.com/formmail.html For scripts you have developed yourself, make sure that: if a script sends mail and you no longer need to use it, please remove it. if a script sends mail and you support the code, please make sure that there is no way for user-submitted data to get into the header fields that are passed to sendmail. The usual spammer trick is to submit form data with "\n" (newline) characters that lets the spammer turn a From or Subject field into multiple fields, including a new To or Bcc field and the spammer's advertisement. if a script sends mail and you obtained that script from a third party, please visit the third party site to see if there are any updates, or ask Panix staff to review the script. Return to Index Last Modified Monday, 20-Dec-2010 11:19:17 EST