MailFormProtector – Protect form to email in Umbraco
, 11 years ago 
As a company that builds web portals and corporate sites we noticed a spam problem with web forms. Our clients complained about spam coming through their contact forms (or they receive blank forms) and requested that we solves it.
Why CAPTCHA is not the solution?
Captcha is not always a good option. Visitors hate to fill it in and if those visitors are your potential customers you do not want them to feel frustrated as it is going to kill your conversion. Here is just one of many articles on this (https://www.seomoz.org/blog/captchas-affect-on-conversion-rates)
Akismet (www.akismet.com) is better choice but it is commercial product which starts from 50$ per month (unless for personal use). Even then, or you have only personal site, note that Akismet is designed mostly for blog *comments*. Connecting it to contact forms or similar web forms is not so efficient as those forms usually consist of quite a few inputs and not just long comments.
Solution
That’s why we decided to go the other way, to implement antispam technique that does not affect conversion as it is completely invisible to visitors. Those techniques are not invented by us, they are known and used over the net (like visual hiding a field on a form; spambots still see it in the source code and fill it in which triggers spam flag). We took several of those techniques (read more about them below) and implemented as modules we use on day to day bases on sites we develop. We are using ASP classic version, .NET version, DotNetNuke module and Umbraco package.
Small bonus for Umbraco users
Since Mailform Protector sends out email it is basically also classic form2mail component! Design any form in HTML, with no limitations of “form builders” used out there, just connect it to Mailform Protector and your form is going to be mailed to you when somebody fills it in. This way, when building a form, your only limitation is in HTML/CSS. Build whatever you want, use JQuery or not, group items with DIVs or SPANs, use images, put two or even more different forms on the same page – it doesn’t matter. What form builder can offer that flexibility?
This is also result of us being in business of building websites for over 10 years. We believe that for any webmaster, there is no better tool to design a web form than using HTML itself and tools like Dreamweaver or notepad or whatever HTML editor you prefer. Form generators are for your non-technical clients, but if your job is to create a form then form generator is just not flexible enough. Just do whatever you do every day in your favourite HTML editor, copy/paste in Umbraco content or template, link it to Mailform protector and you’re done!
Architecture
Mailform protector package contains two ASP.NET user controls:
- AntispamControlFields
- AntispamValidator
AntispamControlFields is a very simple web control that should be placed inside <form> tags. It inserts three hidden input fields in the html form. AntispamValidator web control performs all antispam checks and therefore should be located on the destination page (page that receives the form post). When the form containing AntispamControlFields is posted, on target page Antispam control awaits for posted data, checks those 3 fields and uses other antispam techniques described above to build up a total spam-score. Based on result, configured action is taken (email form data, redirect to another page).
Sometimes form is pasted to the same page (itself). That is why we decided to include AntispamControlFields control inside AntispamValidator control. So, for implementations like this there is no need to use AntispamControlFields control – AntispamValidator control will do that job by itself. This control doesn’t use PostBack so there is no need to place it on the form with attribute runat=“server“. Any form will do. In fact, multiple forms on the same page will work!
Antispam techniques used
- Check 1: IP check
IP of the computer used to fill in form is compared to IP of computer which posted the form. It should be the same. Some spam bots separate process of downloading the form with process of mass-filling those forms. Normal users should never change IP address during this process. - Check 2: Empty field check
Special, visually hidden field, is used in the form. Normal visitors will not see it and will not fill it. Spam bots use source code of the page and cannot see a difference between hidden field and the real field so they fill in hidden field too. - Check 3: Completion time check
Time of landing on form page is compared to time filled form is received by server. Spam is suspected if this time is too short (automated scripts do this and normal visitors cannot fill in form that fast) or it is too long (spambots sometimes download forms hours or days before mass-filling them in). - Check 4: URL check
Fields are checked for URL strings in them. It can be fine-tuned in which fields and how many URLs are allowed and if system detects URL above that threshold spam is suspected. Most of contact forms on company sites are not expected to receive many (if any) URLs. On the other side, most spambots send many URLs through those forms. Setting up a good threshold can separate those two cases. - Check 5: blacklisted words
Fields are checked for words contained in black list. It can be fine-tuned with custom words list, lists of fields to be checked, spam-score amount for every word matched, etc. It is not likely that your client is going to spell “Viagra” on your contact form so you can separate those from spambots using this check. - Check 6: Mandatory fields check
Form is checked for mandatory field content. It can be fine-tuned with list of mandatory fields to be checked. If any of mandatory fields is left blank then spam is suspected. This check is used together with Javascript validation on the form that you should design yourself. Spambots usually bypass this validation by disabling Javascript. If there is no server-side checking you receive incomplete forms.
So, this check can be used for more than only antispam check. It can also behave as server-side check of mandatory fields-is. - Check 7: Empty form check
Similar as above check for mandatory fields but simpler. Even if there are no mandatory fields in a form, it is expected that at least one form field is filled in. Blank forms are never something you want to receive so that is what is checked here.
Similarly as above, this check can be used for more than antispam. In example, search bots also can sometimes land on form-submitting page, and since they also disable Javascript you can end up with empty form in your mailbox. This check ensures you don’t.
Installation
Mailform Protector is installed just like any other standard Umbraco module, as a package through Umbraco back office.
Requirements
Mailform Protector is tested on Umbraco 4.x but we don’t see any reason for it not to work on earlier versions of Umbraco as it is stand-alone .NET control that does not use any of Umbraco APIs.
So far this was commercial Umbraco component that we implement in Umbraco projects.
Now we decided to give it free for any use and on AS-IS basis. Component comes with documentation and without source code included.
If you need assistance in implementation, implementation or any other modification let us know.
Also published on Medium.