This How-To guide describes how to use FormMail to send an automatic
email to users submitting your forms.
You can use the Auto Responder feature to send a receipt or other
confirmation to your customers.
The Dangers of Auto Responding
Think about your forms for a moment. Anyone can visit a form on
your website and enter someone else's email address and press submit.
Let's call this person Sam (Sam is a spammer).
This doesn't usually happen because there's no benefit to Sam in
doing this.
Now imagine that when a form is submitted on your website you
automatically send an email to the email address that was entered.
If the email just has some fixed text on it (such as "Thanks for your
form submission"), then there's no (or not much) harm done. Sam still
cannot benefit from this.
But now let's suppose the email you send has some information that
Sam has entered on your form. Here's what happens:
- Sam enters Mary's email address on your form.
- Your form also asks for some other details, but instead of
providing those, Sam types these things into your form:
  - "Buy my product now, it's really good!"
  - "Visit http://www.samsgoodproducts.biz/"
- Sam clicks submit and your website sends Sam's spam to Mary!
Your website has become a spam gateway and you're going to get blamed
for it!
Automated Spamming
Spammers like Sam don't sit at a browser and type information into
your form and click submit.
No, instead they write a program that uses your spam gateway to send thousands
of spam emails around the world. The spamming is automated.
Preventing Your FormMail From Being a Spam Gateway
First, let's be absolutely clear.... If you use any Form submission program
to Auto Respond, it's impossible to be 100% spammer proof.
However, using a CAPTCHA technique
you can reduce the likelihood of your forms becoming spam gateways.
Furthermore, by using the logging features within FormMail, you can
monitor and detect spammer activity.
Our FormMail can be used to Auto Respond, but it will only do so when
the user has proven that they are human and not an automated computer program.
How Does FormMail Do CAPTCHA?
You must use our verifyimg.php script in conjunction with FormMail to
get FormMail to Auto Respond for you.
verifyimg.php shows the user an image with some random letters and digits. The
user must type the letters and digits correctly into your form before
submitting it.
Why isn't CAPTCHA Perfect?
The simplest way for a spammer to overcome a CAPTCHA scheme is to
encourage (or pay) people to view the images and type the correct values.
With sufficient people doing this, a spammer can automate the process
and use your forms as a spam gateway.
This has actually been done to some famous websites.
Computer programs are also getting smarter. It may be possible, soon,
for a program to defeat the image scheme we've implemented. The worrying part
is that you won't know until you detect it in your log files (or some
unhappy person tells you you're a spam gateway)!
Finally, the other thing wrong with CAPTCHA techniques is that it
can be difficult or impossible for disabled or blind people to use them and
therefore use your forms.
Alternatives
If you simply want to provide a receipt or confirmation to the user,
FormMail also supports the good_template feature. This lets you
display a page in the user's browser containing some or all of the
information they submitted. The user can simply print the page (and the
page can even contain a print button).
However, if you're still keen to proceed with Auto Responding, the rest of
this page tells you how to do it!
Overview
The following lists the steps required to get FormMail to Auto Respond
for you:
1. Create a template for a plain text email, a template for an
HTML email, or both.
2. Configure FormMail to access the templates you created.
3. Install verifyimg.php on your server.
4. Configure your form to show the image and allow the user
to enter the text from the image.
5. Configure your form to tell FormMail to send an Auto Response.
We've provided a sample form that you can use to develop your
own Auto Responding forms and templates.
Steps 1 & 2 - Templates
The steps for creating plain text and HTML templates for emails are
described in other How-To guides. The steps are the same for Auto Responding;
just remember that the templates you're creating will contain information
to be sent to the user.
For creating a plain text template, read this How-To guide.
For creating an HTML template, read this How-To guide.
Some other tips for your templates....
Step 3 - VerifyImg.php
You can download verifyimg.php from our forums
here.
Simply upload it to your server.
Read the instructions at the top of verifyimg.php for full
details. Use the
verifytest.php script to confirm correct operation.
Step 4 - Add the Image to your Form
You need to insert two items into your form: an image URL and
a text field.
Here's how to insert the image:
<img src="http://www.yoursite.com/verifyimg.php" alt="Image verification" name="vimg" />
Here's how to get the user's input:
<p>If you would like a confirmation email, please
enter the characters you see in the image:</p>
<input type="text" size="12" name="arverify" />
The text field must be named arverify. That's the special field
name that FormMail will look for.
Also, read the section below about Cookies and Sessions.
Step 5 - Configure your Form for Auto Respond
The final step is to simply add a hidden field called autorespond
to your form:
<input type="hidden" name="autorespond"
value="PlainTemplate=arplain.txt,HTMLTemplate=arhtml.html,
Subject=Your confirmation,TemplateMissing=" />
This tells FormMail to send a single email to the user
with both Plain Text and HTML formats.
The subject line for the email will be "Your confirmation" and
missing fields will be left blank. The Subject
and TemplateMissing specifications are optional.
If you only want to send plain text in the email, leave out the
HTMLTemplate option. Conversely, if you only want to send
an HTML email, leave out the PlainTemplate.
Of course, the names of the template files should be the ones
you created in Step 1.
Also, read the section below about Cookies and Sessions.
Want Better Images?
verifyimg.php is a good way to start, because it's free!
For really professional CAPTCHA that's easy to read and hard for
spambots to break, we recommend Captcha Creator from
www.captchacreator.com.
You can purchase Captcha Creator
directly from us at a
discount!
When you install Captcha Creator on your form, instead of calling the
input field "Turing", call it "imgverify". FormMail version 8.02
supports Captcha Creator automatically.
Cookies and Sessions
verifyimg.php communicates the string it shows in the image to
formmail.php using a PHP session. formmail.php compares this
secretly passed string to the value the user types into your form.
A user without login access to your server cannot directly modify information
in a PHP session (and even with login access to a properly configured server
they cannot modify session information). Sessions, therefore, are the
only safe way to communicate secret information around your website.
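The session handoff described above, sketched as an added example (this is not the code of verifyimg.php or formmail.php). The session key 'ar_challenge', both function names, and the one-attempt and case-insensitive policies are assumptions made for illustration.

```php
<?php
// Added illustration; not taken from verifyimg.php or formmail.php.
// The session key 'ar_challenge' and both function names are hypothetical.

// Image side: choose the characters to draw and keep them server-side only.
function issue_challenge(array &$session, int $length = 5): string
{
    // Look-alike characters (0/O, 1/I/L) are left out of the alphabet.
    $alphabet = 'ABCDEFGHJKMNPQRSTUVWXYZ23456789';
    $text = '';
    for ($i = 0; $i < $length; $i++) {
        $text .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session['ar_challenge'] = $text;
    return $text; // drawn into the image; never placed in the page as text
}

// Form-handler side: compare the typed value with the stored string.
function check_challenge(array &$session, string $typed): bool
{
    $expected = $session['ar_challenge'] ?? null;
    // Assumed policy: one attempt per image, so a wrong guess needs a new image.
    unset($session['ar_challenge']);
    if (!is_string($expected) || $expected === '') {
        return false; // the session never arrived, e.g. cookies are blocked
    }
    // Assumed policy: case-insensitive match, compared in constant time.
    return hash_equals($expected, strtoupper(trim($typed)));
}

// Constructed walk-through; a plain array stands in for $_SESSION.
$session = [];
$shown = issue_challenge($session);
var_dump(check_challenge($session, strtolower($shown))); // right answer, lower case
var_dump(check_challenge($session, $shown));             // same answer replayed
$none = [];
var_dump(check_challenge($none, 'ABCDE'));               // no challenge on record
```

In a real pair of scripts both sides would call session_start() and pass $_SESSION; the third call shows why a visitor whose browser drops the session cookie can never pass the check.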
When a user's browser supports cookies, the PHP session mechanism
works reliably and silently. There are several types of cookies, and the
type of cookie that PHP uses has no privacy or security implications
for the user.
There's no good reason for a browser not to accept the type of cookie that
PHP uses for its sessions.
However, as a website developer, you cannot rely on people's browsers
being correctly or sensibly configured. Some of your visitors' browsers
may not accept any cookies.
If they don't accept any cookies, then the default setup we've provided in
sampleautorespform.htm will not work because the PHP session
will not be passed between verifyimg.php and formmail.php.
You can test this yourself by configuring your browser to block all cookies
(you may need to close all copies of your browser and restart it - that's
what we found with Internet Explorer) and trying the sample Auto Responding
form (sampleautorespform.htm). You'll get an alert from FormMail like this:
Error=Failed to obtain authorization to send you email
For these types of visitors, you have three choices:
- Forget about them and they just won't be able to get
an auto-response from your forms.
- Use some detection mechanism (there are several JavaScripts
around that do this) to verify that cookies are enabled. If they
aren't, you can warn the user and/or disable the Auto Responding
feature in your form.
- Use the workaround we provide below and in the sample
form called sampleautorespform.php.
Workaround Blocked Cookies
To work around the problem with browsers that block cookies, you can
use the other mechanism that PHP provides to transmit session information.
This does not involve any changes to verifyimg.php or to
formmail.php, but you do have to convert your HTML form file to a
PHP script, and make some easy changes.
It's quite easy to do this: simply rename your HTML file from ".htm"
(or ".html") to ".php". That's the first step. Do that and upload it to your
server. Open it with a browser (remember it will now be
http://www.yoursite.com/yourform.php). You'll see that it
works identically.
Next, you need to start the PHP session at the top of your form. To do this,
you simply add these 3 lines at the top of the file:
<?php
session_start();
?>
You can put this just above the <html> tag.
Finally, you need to add a simple string to all the URLs involved in the
Auto Responding feature. In general, there will be 2 or 3 of these:
- the URL to call formmail.php
- the URL to call verifyimg.php
- and, maybe, the JavaScript to provide a reload of the image
(this is a feature described below and provided in the sample form)
The string you need to append to the URLs is:
?<?php echo SID; ?>
So, here are the 3 replacements you need to make:
- Instead of:
<form method="post" action="http://www.yoursite.com/formmail.php" ...
you need:
<form method="post"
action="http://www.yoursite.com/formmail.php?<?php echo SID; ?>" ...
- Instead of:
<img src="verifyimg.php" ...
you need:
<img src="verifyimg.php?<?php echo SID; ?>" ...
- In the NewVerifyImage JavaScript function, instead of:
document.vimg.src = "verifyimg.php";
you need:
document.vimg.src = "verifyimg.php?<?php echo SID; ?>";
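With the above changes, the VerifyImg feature and your Auto Responding
form should work with any browser setting, provided PHP on your server is
configured to accept a session ID from the URL (that is, the
session.use_only_cookies setting is turned off).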
Logging - This is Really Important!
If you're serious about protecting your server from becoming a spam
gateway, then you'll want to log all Auto Responding activities
that FormMail does for you.
Logging allows you to easily monitor activity and quickly determine
if something is awry.
If you're ever accused of being a spam gateway, you'll have the ability
to determine if it's from the Auto Responder.
Setting up Auto Responder logging is easy:
- Create a directory on your server to hold log files. This should be
outside (e.g. above) your web server document root. The Auto Responder
log file contains email addresses, so you don't want a spammer
to steal the log file and have a list of people's email addresses!
- Create a file in that directory for your Auto Responder log.
- Configure FormMail to perform the logging.
In version 3.00, near line 1243, you configure FormMail for the log
directory. You can review the documentation above this line for more
information.
$LOGDIR = "/path/to/logfiles"; // directory for log files;...
Near line 1285, you configure FormMail for the Auto Responder log file.
Review the documentation above this line for more information.
$AUTORESPONDLOG = "arlog.txt"; // file name in $LOGDIR ...
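One way to watch the Auto Responder log for the automated pattern described earlier, where a single client triggers mail to many different recipients in a short time. This is an added example, not FormMail code: the layout of arlog.txt is not shown on this page, so the tab-separated timestamp, client IP and recipient layout parsed here is an assumption, and find_bursts and its thresholds are hypothetical.

```php
<?php
// Added illustration; not part of FormMail. The log layout assumed here is
// one tab-separated line per auto-response: timestamp, client IP, recipient.

// Return [ip => distinct recipients] for every client that triggered mail
// to more than $maxRecipients different addresses within $windowSecs.
function find_bursts(array $lines, int $windowSecs = 600, int $maxRecipients = 3): array
{
    $perIp = [];
    foreach ($lines as $line) {
        $parts = explode("\t", trim($line));
        if (count($parts) < 3) {
            continue; // skip blank or malformed lines
        }
        $ts = strtotime($parts[0]);
        if ($ts !== false) {
            $perIp[$parts[1]][] = [$ts, strtolower($parts[2])];
        }
    }
    $flagged = [];
    foreach ($perIp as $ip => $events) {
        usort($events, fn($a, $b) => $a[0] <=> $b[0]);
        $start = 0;
        foreach ($events as $end => $event) {
            // Slide the window start forward until it spans <= $windowSecs.
            while ($event[0] - $events[$start][0] > $windowSecs) {
                $start++;
            }
            $inWindow = array_slice($events, $start, $end - $start + 1);
            $distinct = count(array_unique(array_column($inWindow, 1)));
            if ($distinct > $maxRecipients) {
                $flagged[$ip] = max($flagged[$ip] ?? 0, $distinct);
            }
        }
    }
    arsort($flagged);
    return $flagged;
}

// Constructed sample lines (documentation IP ranges, example.com addresses).
$sample = [
    "2024-05-01 10:00:00\t198.51.100.20\talice@example.com",
    "2024-05-01 10:00:05\t203.0.113.7\tmary@example.com",
    "2024-05-01 10:00:06\t203.0.113.7\tbob@example.org",
    "2024-05-01 10:00:08\t203.0.113.7\tcarol@example.net",
    "2024-05-01 10:00:09\t203.0.113.7\tdave@example.com",
    "2024-05-01 14:30:00\t198.51.100.20\talice@example.com",
];
print_r(find_bursts($sample));
```

Adjust the line parser to the fields your log actually contains before relying on the result; a returning customer who submits the form twice with the same address is not flagged.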
More Features
Sometimes the image shown is difficult for anyone to read. You can
provide a button to replace the image with a new one (if the user's browser has
JavaScript enabled).
Also, for protection against spammers, you may wish to limit the number
of times the button can be pressed.
We've provided a sample HTML form that will perform Auto Responding with
the features we've mentioned above. You can download it from our forums
here.
Autoresponding and Stopping Bots at the Same Time
You can use image verification to stop bots from submitting your forms. There's a
HOW TO guide about this.
If you want to do both, the one image field for autoresponding can also control bots.
To do this, you simply derive an "imgverify" field from "arverify":
<input type="text" name="derive_fields" value="imgverify=arverify" />
Read the HOW TO guide on deriving
fields for more details about this technique.