Spamming Contact Forms No More

At Tinfoil Security, we work hard to ensure that your security scans thoroughly examine every piece of functionality of your website while minimizing unexpected side-effects on your servers. One common side-effect of scanning contact forms can be a mass spamming of whatever email or support service receives requests sent through that form. Our scanner examines anywhere it can, so we’ve seen the reality of this firsthand. With help of many of our customers, we’ve built a fix and are happy to announce that we’ve implemented a new module to help prevent this!

With our new technology, when we find a contact form that we believe is spammable, we will avoid it and mark it as a vulnerability - the thing to remember is that if we can spam it, so can a much more malicious attacker, and they won’t stop. The new module is turned on for all of the introductory scans that are run from our homepage, but is turned off for full scans that are run from your Dashboard once you’ve logged in. In a new design coming out soon, you will be able to control this for all scans. Unfortunately contact forms are still one of the most common places we find vulnerabilities in our customers’ websites, so we think it’s important to scan it during our “full” scans.

This is an issue you could face with any automated attack (regulated or not). Our Getting Started tips prior to running a full scan, as well as our FAQ, suggest ways for you to to combat this kind of bot spam by providing suggestions on how to setup CAPTCHAs - both the typical kind you see (those terribly annoying characters that show up on forms sometimes), as well as negative CAPTCHAs. Negative CAPTCHAs turn the concept of CAPTCHAs on its head, adding a task that only bots can do, but humans cannot (or normally wouldn’t) do. We really like negative CAPTCHAs as they provide similar spam protection to word CAPTCHAs, aren’t significantly harder to implement, and provide a far better user experience. Providing instruction on how to properly protect our customers’ websites from spam helped quite a bit, but we felt there was more that we could do.

As always, we’re open to feedback, so please keep it coming. This module is new, and we won’t pretend it’s entirely perfect, so please let us know if you run into any issues with it. Remember you can always cancel a scan at any time. We are more than happy to chat via email or in our support chat, and all customer feedback is taken into account with a great bit of weight. After all, our goal is to keep you secure and happy, and that’s what we strive to do. :) If you need any help implementing a CAPTCHA or want suggestions on what types may work best for your use case, we are more than happy to provide thoughts. Just get in touch


Michael "Borski" Borohovski

Michael Borohovski is cofounder and CTO at Tinfoil Security. He got his start in security when he was just 13 years old, and has been programming for longer than he can remember. When he's not busy breaking software or building it, he also loves singing, juggling, and magic tricks. Yes, magic tricks.

Tags: contact forms spam website scanning

Tinfoil Security Blog

Tinfoil Security provides the simplest security solution. With Tinfoil Security, your site is routinely monitored and checked for vulnerabilities using a scanner that's constantly updated. Using the same techniques as malicious hackers, we systematically test all the access points, instantly notifying you when there's a threat and giving you step-by-step instructions, tailored to your software stack, to eliminate it. You have a lot to manage; let us manage your website's security.