
Forms on the site: an unwitting spammer





In email marketing communities, in forums dedicated to CMS support, and at conferences, spam attacks are being actively discussed, and one persistent vector of these attacks is the injection of text into forms on websites. This method is used both to send spam and to conduct targeted attacks that paralyze work with individual mailboxes.



I will give the most commonplace example of sending spam through a form. There is a site example.com with a newsletter subscription form. A spammer takes a "victim" mailbox from his database, for example i.ivanov@mail.example, enters it in the "Email Address" field, fills the "Name" field with "renting apartments in Moscow is cheap goo.gl/arendakvartirdarom", and clicks "Subscribe". Of course, it is not the spammer himself who does all this but his script, which also solves the captcha. A second later, Ivan Ivanov receives a letter with the text: "Hello, renting apartments in Moscow is cheap goo.gl/arendakvartirdarom! You have subscribed to the news of example.com!"...



The Antispam Mail.Ru team is confronted with such attacks every day; we have accumulated a wealth of filtering experience and want to share our recommendations with you, as well as compare the effectiveness of the various methods that can be found on the Internet. Below I describe the most common attack vectors, which forms are most sensitive to spam, and what risks await you if nothing is done. And, of course, what email marketers, site owners and administrators should do about it.


Spam through forms is cheap



Spam, as one type of advertising, exists and will exist as long as it is economically feasible. Much less often, spam is used to promote goods and services that are barred from legal sales channels; almost all such illegitimate traffic has migrated to banner networks. But back to the email channel. There will always be a "business" that is indifferent to the reputational harm of spamming but for which cost is fundamental.



Therefore, spammers also seek to minimize costs, and forms on existing sites are ideally suited for this purpose: someone else's domain, someone else's IP, someone else's letter layout; everything belongs to someone else. All that is needed is a script, and not the most difficult one to implement. Cheapness is the first of two key reasons why spammers send spam through other people's sites.



The second important reason is deliverability. The trouble is that by using someone else's form, the attacker gets not only free resources but also the reputation of that site and IP with the MBP (Mail Box Provider). Spam comes from your domain, from your IP, with valid SPF and DKIM, and even the strict DMARC policy that has saved your newsletter from spoofing so many times does not help in this case.



What is the risk to the business?



Clearly, when an attack through a form is carried out, the problem lands on the head of the site administrator and/or the email marketer, but it is the business that bears the risks. These risks are measured by:





And the larger the service, the higher the cost of these risks. Cases in which you definitely need to read this material to the end:





The mechanics of sending spam through a form, explained simply



If we discard many secondary factors, spam enters the letter via UGC (User Generated Content) that is used when composing the letter. Such content may end up in:





Let us consider the most common option in more detail.



Registration or subscription of a new service user



To: %username% <%useremail%>
Subject: %username%, confirm your email
Hello %username%!


Familiar constructs? Spammers and antispam know them too. A few years ago the word "personalization" became firmly entrenched in the vocabulary of any self-respecting marketer. It took hold so strongly that, despite the efforts of community professionals, it acquired many myths and interpretations, many of which are morally obsolete but continue to be presented as best practices. The main myth is that personalization is often understood as addressing the subscriber by name. Where this leads, you can read here, and why it does not work from a marketing point of view has already been described in detail in the article by Dmitry Kudrenko.



In total: take an email database, a script and the subscription or registration form, enter spam content in the name field, and a spam mailing from your site is ready.



Spam through auto-replies



A much rarer case (only because auto-replies are less commonly used by services). The mechanics are a bit more complicated, but the spammer has more options. A feedback form, a support request, a quotation request form: for such cases the service often sets up an automatic reply to the user. And here the UGC comes into play again: "In your message you wrote ...". But if it was not a message but a Viagra advertisement, and the mailbox of an unsuspecting person was entered in the email field, then you risk involuntarily sending spam.



Invitations



Fortunately, this functionality is now practically absent from the Internet, but you can still find forms like "recommend our service to a friend" with "enter the text of the invitation". Again, UGC from your site scatters onto unsuspecting users.



Change of personal data



Rather a degenerate case, but it still occurs, and it needs to be mentioned. The scenario is as follows:





Subscription Bomb Attack



This type of spam stands apart. The purpose of the attack is to paralyze the use of a single user's mailbox (or a whole company's). The attacker registers the target mailbox on thousands of services, which begin to send confirmation letters, welcome letters and so on to it. As a result, the victim's mailbox fills with thousands of unread letters, and new ones arrive constantly. Strictly speaking, none of these letters are spam, yet using the attacked mailbox becomes difficult. This type of attack is typical not only of email but also of social networks and instant messengers (subscriptions, friend requests, and so on).



What to do?



This is perhaps the key chapter of this review. What tips can be found on the Internet, and how effective are they from an anti-spam point of view?



  1. Captcha. There are many kinds: simple and complex, with pictures, text, numbers, with and without input. But a captcha can be bypassed. Easily. This does not mean you should not install it; it only slightly raises the price of sending spam through your forms (it does not make it harder, only a bit more expensive). The principle "I don't need to run faster than the bear, I need to run faster than you" still works: if your neighbor has no captcha and your site does, the spammer will probably settle on the neighbor.
  2. Validation (for example, a regexp checking for a URL in a UGC field). In modern antispam, content-based signature features and blocking methods are not considered reliable: they are too unstable and easily circumvented by an attacker. In addition, the effectiveness of this method depends heavily on the technical implementation.
  3. Hidden fields (visible to a script but not to the user). Unfortunately, the effectiveness of this method is close to zero.
  4. Moderation. Reliable, like a cudgel, but very laborious; suitable only for very small services.
  5. Activity monitoring. This method rather complements any other: you cannot begin to solve a problem until you know about it. A chart of registrations, charts of the use of other forms, and you get not only a reliable tool for detecting problems but also, as a nice bonus, excellent product metrics. It does not work for slow spam, when suspicious activity is only a small fraction of organic traffic.
  6. Monitoring mail traffic from your site (if for some reason this has not yet been done): set up viewing statistics in the Postmaster and connect to receive FBL (feedback loop) reports. These are reactive measures, but they allow you to identify problems. You can read about them here, and connect here.
  7. The simplest and most effective way: do not use User Generated Content in letters to unconfirmed mailboxes (those that have not passed the Double Opt-In procedure). Not in greetings, not in quoting in auto-replies, nowhere. No UGC in the letters, a strict DMARC policy, DOI implemented, and nobody can advertise Viagra on behalf of your site. This is the only set of measures that gives 100% efficiency.
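As an added example (not code from the original article or from Mail.Ru), here is the registration template from the section above rendered in two forms: the vulnerable variant that echoes the "Name" field (UGC) into the letter, and the variant following tip 7, which sends nothing user-generated to an address that has not completed Double Opt-In; the URL regexp from tip 2 is included as a monitoring signal only. The Subscriber class, the function names and the sample submission are constructed for this illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Subscriber:
    """Hypothetical subscriber record; confirmed becomes True only after
    the Double Opt-In link has been followed."""
    name: str            # the "Name" form field: User Generated Content
    email: str
    confirmed: bool = False


# Tip 2 style check: does a UGC field look like it carries a link?
# Used here as a monitoring signal, not as a blocking rule.
URL_RE = re.compile(r"(https?://|www\.|\b[a-z0-9-]+\.[a-z]{2,}\s*/)", re.IGNORECASE)


def looks_like_spam_ugc(text: str) -> bool:
    return bool(URL_RE.search(text))


def confirmation_mail_vulnerable(sub: Subscriber) -> dict:
    """The template from the article: %username% is echoed into To,
    Subject and greeting before the address has been confirmed."""
    return {
        "to": f"{sub.name} <{sub.email}>",
        "subject": f"{sub.name}, confirm your email",
        "body": f"Hello {sub.name}! You have subscribed to the news of example.com.",
    }


def confirmation_mail_safe(sub: Subscriber) -> dict:
    """Tip 7: no UGC reaches a mailbox that has not passed Double Opt-In.
    The name is used only once the subscriber is confirmed."""
    greeting = f"Hello {sub.name}!" if sub.confirmed else "Hello!"
    to = f"{sub.name} <{sub.email}>" if sub.confirmed else sub.email
    return {
        "to": to,
        "subject": "Confirm your email for example.com",
        "body": f"{greeting} You have subscribed to the news of example.com.",
    }


# Constructed sample submission reproducing the article's scenario.
SPAM_SUBMISSION = Subscriber(
    name="renting apartments in Moscow is cheap goo.gl/arendakvartirdarom",
    email="i.ivanov@mail.example",
)
```

Run the two builders on SPAM_SUBMISSION: the vulnerable letter carries the link in To, Subject and body, while the safe letter contains no user-supplied text at all until confirmation.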


And what about the market?



Now I will turn not so much to site owners and administrators as to real industry professionals, namely the ESPs (Email Service Providers), the mailing services and their representatives. Of course, this type of spam attack causes significant damage to the reputation of the industry as a whole. What more can be done?





Afterword



The problem of spam through forms is more relevant than ever. Payment systems, banks, telecom operators, major portals and small online stores around the world have already suffered from it. The solution is very simple and effective, while the cost of the risks, once realized, is extremely high for any business. Implement simple protection measures and do not become an unwitting participant in spam mailings.

Source: https://habr.com/ru/post/354310/
