This page describes how Tectite FormMail detects server abuse, spam attacks, and blocks form spam.

Have you just submitted a form on a website and seen this message, and that's how you got here?

If so, this page will explain, in detail, what happened. Put briefly, the website uses our advanced form processor and it has performed a spam prevention detection. It believes your form submission looks like an attack by a spammer, and has rejected it.

There's a section below that explains what you can do about this.

Over the years spammers have got smarter. However, they are not perfect and they can't do the impossible.

In the years leading up to 2007, spammers started targeting website forms and form processor scripts.

They try to use form processor scripts to send spam in two ways:

1. They try to trick the script to send spam to anyone in the world.
2. They try to use the script, and/or the form that uses it, to send spam to the owner of the website.

Well written form processor scripts are invulnerable to the first type of attack. Unfortunately, the history of form processors has not been a good one. Most of them have had very serious security flaws that, among other things, have allowed spammers to use innocent websites to send spam around the world.

Tectite FormMail has never been vulnerable to this type of attack. Smart website owners who use our FormMail are responsible people and have not allowed their websites to be abused by spammers!

The second type of attack is relatively new. That's because it requires some level of intelligence from the spammers' programs, even when attacking feature-poor form processors.

Tectite FormMail "raised the bar" on anti-spamming and now the spammers have to:

1. Search for HTML forms on websites.
2. Parse (interpret) the HTML in those forms.
3. Figure out what will allow the form to submit data to the owner of the website.
4. Construct a special set of data that will allow a successful form submission and still allow the spammer to send their spam.
5. Automatically submit to the form processor script.

As you can see, this is much harder to do. And, with Tectite FormMail, it's getting harder to do because we're the only form processor script provider that's actively fighting spammers with a growing number of anti-spam features.

Something about your form submission looked like spam, so you need to submit the form again with slightly different information after reading this section.

Tectite FormMail uses a number of heuristics (tests) to determine whether a form submission is spam or not. Each website owner can adjust the tests to their particular requirements.

Go back to the form and read through this checklist to see what you may have entered that could trigger the attack detection:

1. Duplicated data. Did you enter the same information in a lot of fields, or fields that shouldn't have the same information?
2. Entering URLs. Did you enter a number of URLs into the form? If so, perhaps the form isn't asking you to enter URLs, and so the website owner has blocked this type of submission.
   
   If you really need to send a URL, only send one. The website owner can always contact you if they need more information from you.
   
   If the form is asking for one or more URLs, then follow its instructions clearly.
3. Entering junk. Well, that would look like spam, wouldn't it? Don't enter junk data into forms.

Perhaps the website has a problem.

In this case, you need to contact the website owner via another means. Look for a phone number or email address or physical address.

We cannot help you contact the website owner. Our FormMail is used by hundreds of thousands of websites around the world, and we don't know all the websites who use it. So, we can't contact them for you.

Perhaps you're testing your own forms. Great! But test with real data instead of junk. We know it's easy to just enter "abc" into every field when you're testing.

But, if you do that, FormMail will think it's spam!

If you really want to, you can set ENABLE_ATTACK_DETECTION to false in FormMail's configuration while you're testing your forms. Don't forget to set it back to true for your production server!

There are also other tests that FormMail does apart from the items mentioned above. We've only listed the detections that apply to real people submitting your forms. Spammers use other mechanisms that real people can't use, and FormMail detects those too.

Not really. The information we've provided here is readily available because FormMail is a free product. Any website owner, and any spammer, can download it and see how it works.

More importantly, individual website owners can customize or configure the attack detection for their own requirements. This means that every FormMail installation may be different. So, one spam attack will not work on every website.

Furthermore, as we said above, spammers cannot do the impossible. We've designed the attack tests in FormMail so that even if a spammer gets a form submission to occur, they probably cannot send any useful information in the message. So, they are better off looking for poorly written and unmaintained form processors and leave a Tectite FormMail installation alone!