This page documents the ATTACK_DETECTION_JUNK configuration setting in FormMail.
Type Of Setting
ATTACK_DETECTION_JUNK is an OPTIONAL setting, which means you can change this
setting if you need to, but the default value is fine for most circumstances.
Précis
Controls junk attack detection.
Description
Set ATTACK_DETECTION_JUNK to true if you want to enable FormMail's
attack detection to check for the "junk attack".
This feature has been available since version 8.14 of FormMail.
Starting in 2008, spammers appear to have started sending spam and
submitting form spam containing only junk.
Here's an example of the type of junk they send:
Name: sjldespkzx
Phone: BxeiikgNmCnMt
Fax: yEFCQJwYfcGIOEaSc
Message: X9Gdzt
Often, this junk includes one or more URLs (even these can be junk URLs), and, therefore, can be
detected using the ATTACK_DETECTION_MANY_URLS
feature.
However, sometimes there is no method of detection other than the
ATTACK_DETECTION_JUNK feature.
Our research indicates that this "junk attack" is designed to poison
spam filters. It seems to have no other useful purpose, as the junk cannot be
understood by a human being (i.e. you, the website owner).
To a website owner receiving this junk, it's annoying but otherwise appears harmless.
How Does Junk Attack Detection Work?
The detection process looks for long sequences of consonants
(e.g. "bhdjcdz") and long sequences of vowels (e.g.
"oaiua"). In general, this works for English because there are very
few words in common use with more than 5 consecutive consonants or 4 consecutive
vowels.
In contrast, the junk being sent by spammers does have long sequences of
these letters.
Because of the way the detection works, it's possible that a perfectly valid
form submission from a real human could be rejected.
For example, if you enabled ATTACK_DETECTION_JUNK in its default setting, and
someone submitted the message:
Aaaarrrrgh! Your website doesn't tell me what I
need to know.
their submission would be rejected as junk (4 consecutive vowels: Aaaa
and 6 consecutive consonants: rrrrgh)!
This false detection is an unavoidable consequence of the input that some users
will make. For this reason, FormMail's attack detection message page tells them what it
doesn't like in their submission, and they can try again.
To reduce the occurrence of false detections, we've also implemented a
"strip list" that attempts to prevent common but unusual words from
triggering the detection.
For example, the word "queue" has 5 consecutive vowels. It's very
unusual to have this many consecutive vowels, and yet it's a very common English word.
How Do I Configure Junk Attack Detection?
By default, the "junk attack" detection is disabled. We chose this
default because it's possible to get false detections, especially if your
website visitors send you technical or scientific terms or if they speak a
language other than English.
For example, if you have a travel website, and someone from the USA wanted to
enquire about the Welsh town "Aberffrwd", the default settings for
ATTACK_DETECTION_JUNK may trigger a false detection (6 consecutive
consonants: rffrwd).
Before enabling junk attack detection, we recommend you use this checklist:
- Do your website visitors primarily use English? If not, consider the
attributes of the language in question. For example, German seems to
have a lot of words with long sequences of consonants. In this case,
you may need to increase the ATTACK_DETECTION_JUNK_CONSEC_CONSONANTS
and/or ATTACK_DETECTION_JUNK_CONSEC_VOWELS setting.
- Is your website about scientific or technical terms? For example,
if someone wanted to send you a message about XDDCMP (that's
the acronym for External Digital Data Communications Message Protocol),
that would be detected as junk. In this case,
you might want to add your technical terms to the $ATTACK_DETECTION_JUNK_LANG_STRIP
list.
Note that technical terms include website URLs and email addresses.
So, if you ask for technical terms in fields,
include the field names in the $ATTACK_DETECTION_JUNK_IGNORE_FIELDS
list.
- Do your website visitors like to abbreviate, or, perhaps, they cannot
spell (e.g. a website for people with learning difficulties)? In this case,
you might want to add the common abbreviations to the $ATTACK_DETECTION_JUNK_LANG_STRIP
list or choose not to use the junk attack detection feature.
To enable junk attack detection, simply set ATTACK_DETECTION_JUNK to true:
define("ATTACK_DETECTION_JUNK",true);
Next, test your forms by entering junk to ensure the detection is operating.
By default, there need to be 2 occurrences of junk to trigger the detection.
Finally, test your forms with typical input to ensure that your website
visitors can actually submit forms successfully.
We also recommend that you
enable ALERT_ON_ATTACK_DETECTION for a
time so that you can monitor the junk attack detection operation (and other
attack detection too).
Controlling Junk Attack Detection
There are several settings you can use to further control the junk attack
detection feature.
- ATTACK_DETECTION_JUNK_CONSONANTS: provides the list of letters that are to be
considered as consonants. You can add to this list to detect junk being sent in
languages other than English.
- ATTACK_DETECTION_JUNK_VOWELS: provides the list of letters that are to be
considered as vowels. You can add to this list to detect junk being sent in
languages other than English.
- ATTACK_DETECTION_JUNK_CONSEC_CONSONANTS: specifies the number of consecutive
consonants that will count as junk.
- ATTACK_DETECTION_JUNK_CONSEC_VOWELS: specifies the number of consecutive
vowels that will count as junk.
- ATTACK_DETECTION_JUNK_TRIGGER: specifies the number of instances of junk that
need to be detected in the one form submission before the submission is rejected
as junk. Increasing this value makes the detection less sensitive (fewer false
detections, but might detect less junk), and decreasing it makes it more
sensitive (more false detections, but might detect more junk).
- $ATTACK_DETECTION_JUNK_LANG_STRIP: provides a list of letter sequences that
should be stripped from the form submission before running the junk attack
detector. Note that the submission data you'll receive is unchanged, only the
data passed to the junk detector is stripped.
Note: if you add to this list, we recommend you include a comment to indicate
why you've added the sequence - for example, show a word that you're allowing to
pass the detector.
Also, when adding to this list, first search for the words that will be affected
(allowed through) using a web search tool such as www.onelook.com.
- $ATTACK_DETECTION_JUNK_IGNORE_FIELDS: provides a list of fields that will be
ignored during the attack detection process.
FormMail automatically ignores special fields (except "realname" and "subject").
If you have fields that request technical terms (scientific, or web information
such as URLs and email addresses), you need to add those field names into this
list to avoid junk detection triggering on valid values.
This setting is available from version 8.16 of FormMail.
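The checks described under "How Does Junk Attack Detection Work?" and the settings listed above, sketched as an added example (not FormMail's own code). The function names and the $cfg array layout are assumptions, the "queue" strip entry and the "queue" and "url" sample inputs are constructed, and a run of exactly the configured length is assumed to count as junk.

```php
<?php
// Added illustration, not FormMail's source. Function names are hypothetical;
// the $cfg keys mirror the settings on this page, with the documented defaults.
$cfg = array(
    'CONSONANTS' => 'bcdfghjklmnpqrstvwxz', 'VOWELS' => 'aeiouy',
    'CONSEC_CONSONANTS' => 5, 'CONSEC_VOWELS' => 4, 'TRIGGER' => 2,
    'LANG_STRIP' => array('queue'),   // constructed entry; the real list is not shown on this page
    'IGNORE_FIELDS' => array('website_url'),
);

// Return each run of consonants or vowels long enough to count as junk.
// Assumption: a run of exactly the configured length already counts.
function junk_runs($value, $cfg)
{
    // Choice made here: stripped sequences become a space so neighbours cannot join.
    $text = str_replace($cfg['LANG_STRIP'], ' ', strtolower($value));
    $pattern = sprintf('/[%s]{%d,}|[%s]{%d,}/',
        preg_quote($cfg['CONSONANTS'], '/'), $cfg['CONSEC_CONSONANTS'],
        preg_quote($cfg['VOWELS'], '/'), $cfg['CONSEC_VOWELS']);
    preg_match_all($pattern, $text, $m);
    return $m[0];
}

// Collect junk runs from every field that is not ignored; reject at TRIGGER.
function is_junk_submission($fields, $cfg, &$found = array())
{
    $found = array();
    foreach ($fields as $name => $value) {
        if (in_array($name, $cfg['IGNORE_FIELDS'], true)) {
            continue;
        }
        foreach (junk_runs($value, $cfg) as $run) {
            $found[] = "$name: $run";
        }
    }
    return count($found) >= $cfg['TRIGGER'];
}

// Inputs: the page's own examples, plus two constructed ones (queue, url).
$samples = array(
    'junk'  => array('Name' => 'sjldespkzx', 'Phone' => 'BxeiikgNmCnMt',
                     'Fax' => 'yEFCQJwYfcGIOEaSc', 'Message' => 'X9Gdzt'),
    'human' => array('Message' => "Aaaarrrrgh! Your website doesn't tell me what I need to know."),
    'welsh' => array('Message' => 'Is there a hotel near Aberffrwd?'),
    'queue' => array('Message' => 'Aaaah, the queue for support is too long.'),
    'url'   => array('website_url' => 'http://example.com/xkcdbhjq', 'Message' => 'Please call me.'),
);
foreach ($samples as $label => $fields) {
    $verdict = is_junk_submission($fields, $cfg, $found) ? 'REJECT' : 'accept';
    printf("%-6s %-7s %s\n", $label, $verdict, implode(', ', $found));
}
```

Under these assumptions the junk sample and the "Aaaarrrrgh" message are rejected, while the single run in "Aberffrwd" stays below the trigger of 2 and the stripped "queue" no longer counts as a second run.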
Avoiding Problems
FormMail doesn't look for junk in special fields. These are the fields
that allow your HTML form to control how FormMail operates. For example:
"recipients", "good_template", "subject".
These are generally hidden fields on your form, and often contain technical
information or abbreviations.
From version 8.16, we've added two exceptions: "realname" and
"subject" are FormMail special fields, but are included in the junk
detection process.
However, if you have other hidden fields with special information in them that
FormMail doesn't know about (i.e. they are hidden fields but not FormMail
special fields) this information will be treated as user input and
could trigger a false detection.
To avoid this problem, make sure your hidden fields avoid abbreviations.
Alternatively, add the words you're using to the $ATTACK_DETECTION_JUNK_LANG_STRIP list
or your field names to $ATTACK_DETECTION_JUNK_IGNORE_FIELDS.
Another trap (which even we've fallen into on one occasion!) is to have a special field,
such as "good_template",
with an abbreviation like "mygoodtmplt.htm" in its value, and then
temporarily rename the field to "xgood_template". This stops it
from being a special field, and will contribute to a junk attack detection.
So, the lesson to learn from this is that if you want to disable your special fields, use
HTML comments (<!-- ... -->).
Also, when you enable ATTACK_DETECTION_JUNK, make sure you test your forms by
submitting junk to see what values are triggering the detection and also test
your forms by submitting normal user input.
FormMail can send you an alert about junk detection, if you enable ALERT_ON_ATTACK_DETECTION.
Searching For Valid Words That Trigger Detection
A great resource we've used in developing the junk attack detection is the
word search feature at www.onelook.com.
This site allows you to search for words using wildcard searches. For
example, enter this search term to find all words with 6 consecutive
consonants: *######*
Similarly, to search for words with 5 consecutive vowels: *@@@@@*
Default Value
define("ATTACK_DETECTION_JUNK",false);
define("ATTACK_DETECTION_JUNK_CONSONANTS","bcdfghjklmnpqrstvwxz");
define("ATTACK_DETECTION_JUNK_VOWELS","aeiouy");
define("ATTACK_DETECTION_JUNK_CONSEC_CONSONANTS",5);
define("ATTACK_DETECTION_JUNK_CONSEC_VOWELS",4);
define("ATTACK_DETECTION_JUNK_TRIGGER",2);
$ATTACK_DETECTION_JUNK_LANG_STRIP = array(
....
);
$ATTACK_DETECTION_JUNK_IGNORE_FIELDS = array();
Examples
define("ATTACK_DETECTION_JUNK",true);
define("ATTACK_DETECTION_JUNK_CONSONANTS","bcdfghjklmnpqrstvwxz");
define("ATTACK_DETECTION_JUNK_VOWELS","aeiouy");
define("ATTACK_DETECTION_JUNK_CONSEC_CONSONANTS",6);
define("ATTACK_DETECTION_JUNK_CONSEC_VOWELS",5);
define("ATTACK_DETECTION_JUNK_TRIGGER",3);
$ATTACK_DETECTION_JUNK_LANG_STRIP = array(
....
);
$ATTACK_DETECTION_JUNK_IGNORE_FIELDS = array(
"other_email_address",
"website_url",
);
See Also
ENABLE_ATTACK_DETECTION
ALERT_ON_ATTACK_DETECTION