ATTACK_DETECTION_JUNK Setting

This page documents the ATTACK_DETECTION_JUNK configuration setting in FormMail.

Type Of Setting

ATTACK_DETECTION_JUNK is an OPTIONAL setting, which means...

OPTIONAL : you can change this setting if you need to, but the default value is fine for most circumstances.

Précis

Controls junk attack detection.

Description

Set ATTACK_DETECTION_JUNK to true if you want to enable FormMail's attack detection to check for the "junk attack".

This feature has been available since version 8.14 of FormMail.

Starting in 2008, spammers appear to have begun sending spam and submitting form spam containing only junk.

Here's an example of the type of junk they send:

Name: sjldespkzx
Phone: BxeiikgNmCnMt
Fax: yEFCQJwYfcGIOEaSc
Message: X9Gdzt 

Often, this junk includes one or more URLs (even these can be junk URLs), and, therefore, can be detected using the ATTACK_DETECTION_MANY_URLS feature.

However, sometimes there is no method of detection other than the ATTACK_DETECTION_JUNK feature.

Our research indicates that this "junk attack" is designed to poison spam filters. It seems to have no other useful purpose, as the junk cannot be understood by a human being (i.e. you, the website owner).

To a website owner receiving this junk, it's annoying but otherwise appears harmless.

How Does Junk Attack Detection Work?

The detection process looks for long sequences of consonants (e.g. "bhdjcdz") and long sequences of vowels (e.g. "oaiua"). In general, this works for English because there are very few words in common use with more than 5 consecutive consonants or 4 consecutive vowels.

In contrast, the junk being sent by spammers does have long sequences of these letters.

Because of the way the detection works, it's possible that a perfectly valid form submission from a real human could be rejected.

For example, if you enabled ATTACK_DETECTION_JUNK in its default setting, and someone submitted the message:

    Aaaarrrrgh!  Your website doesn't tell me what I
    need to know.

their submission would be rejected as junk (4 consecutive vowels: Aaaa and 6 consecutive consonants: rrrrgh)!

This false detection is an unavoidable consequence of the input that some users will make. For this reason, FormMail's attack detection message page tells them what it doesn't like in their submission, and they can try again.

To reduce the occurrence of false detections, we've also implemented a "strip list" that attempts to prevent common but unusual words from triggering the detection.

For example, the word "queue" has 4 consecutive vowels. It's very unusual to have this many consecutive vowels, and, yet, it's a very common English word.

How Do I Configure Junk Attack Detection?

By default, the "junk attack" detection is disabled. We chose this default because it's possible to get false detections, especially if your website visitors send you technical or scientific terms or if they speak a language other than English.

For example, if you have a travel website, and someone from the USA wanted to enquire about the Welsh town "Aberffrwd", the default settings for ATTACK_DETECTION_JUNK may trigger a false detection (6 consecutive consonants: rffrwd).

Before enabling junk attack detection, we recommend you use this checklist:

  1. Do your website visitors primarily use English? If not, consider the attributes of the language in question. For example, German seems to have a lot of words with long sequences of consonants. In this case, you may need to increase the ATTACK_DETECTION_JUNK_CONSEC_CONSONANTS and/or ATTACK_DETECTION_JUNK_CONSEC_VOWELS setting.
  2. Is your website about scientific or technical terms? For example, if someone wanted to send you a message about XDDCMP (that's the acronym for External Digital Data Communications Message Protocol), that would be detected as junk. In this case, you might want to add your technical terms to the $ATTACK_DETECTION_JUNK_LANG_STRIP list.

    (Note that website URLs and email addresses are technical terms.)

    So, if you ask for technical terms in fields, include the field names in the $ATTACK_DETECTION_JUNK_IGNORE_FIELDS list.

    From version 9.23, FormMail automatically detects some technical fields. Field names beginning or ending with "email", ending with "check", "url", or "email", and the field "tectiteformid" are ignored.
  3. Do your website visitors like to abbreviate, or, perhaps, they cannot spell (e.g. a website for people with learning difficulties)? In this case, you might want to add the common abbreviations to the $ATTACK_DETECTION_JUNK_LANG_STRIP list or choose not to use the junk attack detection feature.

To enable junk attack detection, simply set ATTACK_DETECTION_JUNK to true:

define("ATTACK_DETECTION_JUNK",true);

Next, test your forms by entering junk to ensure the detection is operating. By default, there need to be 2 occurrences of junk to trigger the detection.

Finally, test your forms with typical input to ensure that your website visitors can actually submit forms successfully.

We also recommend that you enable ALERT_ON_ATTACK_DETECTION for a time so that you can monitor the junk attack detection operation (and other attack detection too).

Controlling Junk Attack Detection

There are several settings you can use to further control the junk attack detection feature.

ATTACK_DETECTION_JUNK_CONSONANTS

provides the list of letters that are to be considered as consonants. You can add to this list to detect junk being sent in languages other than English.

ATTACK_DETECTION_JUNK_VOWELS

provides the list of letters that are to be considered as vowels. You can add to this list to detect junk being sent in languages other than English.

ATTACK_DETECTION_JUNK_CONSEC_CONSONANTS

specifies the number of consecutive consonants that will count as junk.

ATTACK_DETECTION_JUNK_CONSEC_VOWELS

specifies the number of consecutive vowels that will count as junk.

ATTACK_DETECTION_JUNK_TRIGGER

specifies the number of instances of junk that need to be detected in the one form submission before the submission is rejected as junk. Increasing this value makes the detection less sensitive (fewer false detections, but might detect less junk), and decreasing it makes it more sensitive (more false detections, but might detect more junk).

$ATTACK_DETECTION_JUNK_LANG_STRIP

this provides a list of letter sequences that should be stripped from the form submission before running the junk attack detector. Note that the submission data you'll receive is unchanged, only the data passed to the junk detector is stripped.

Note: if you add to this list, we recommend you include a comment to indicate why you've added the sequence - for example, show a word that you're allowing to pass the detector.

Also, when adding to this list, first search for the words that will be affected (allowed through) using a web search tool such as www.onelook.com.

$ATTACK_DETECTION_JUNK_IGNORE_FIELDS

this provides a list of fields that will be ignored during the attack detection process.

FormMail automatically ignores special fields (except "realname" and "subject").

If you have fields that request technical terms (scientific, or web information such as URLs and email addresses), you need to add those field names into this list to avoid junk detection triggering on valid values.

This setting is available from version 8.16 of FormMail.
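
The detection heuristic and the settings described above can be sketched as a stand-alone PHP script for trying thresholds against sample input before enabling the feature. This is an added example, not FormMail's own code: the function names junk_runs() and is_junk(), the $cfg array layout, the single strip-list and ignore-list entries and the sample submissions are assumptions constructed for illustration; the letter lists and thresholds are the documented defaults.

```php
<?php
// Added illustration, not FormMail's code; thresholds are the documented defaults.
$cfg = array(
    'consonants'        => 'bcdfghjklmnpqrstvwxz',
    'vowels'            => 'aeiouy',
    'consec_consonants' => 5,
    'consec_vowels'     => 4,
    'trigger'           => 2,
    'lang_strip'        => array('queue'),        // constructed entry
    'ignore_fields'     => array('website_url'),  // constructed entry
);

// Return every junk run found in one submission (field name => value).
function junk_runs(array $fields, array $cfg)
{
    $pattern = sprintf('/[%s]{%d,}|[%s]{%d,}/i',
        preg_quote($cfg['consonants'], '/'), $cfg['consec_consonants'],
        preg_quote($cfg['vowels'], '/'), $cfg['consec_vowels']);
    $runs = array();
    foreach ($fields as $name => $value) {
        if (in_array($name, $cfg['ignore_fields'], true)) {
            continue; // technical field: never scanned
        }
        // Strip allowed sequences from a copy only; $value itself is untouched.
        $scan = str_ireplace($cfg['lang_strip'], '', $value);
        if (preg_match_all($pattern, $scan, $m)) {
            $runs = array_merge($runs, $m[0]);
        }
    }
    return $runs;
}

// A submission is rejected once the number of runs reaches the trigger.
function is_junk(array $fields, array $cfg)
{
    return count(junk_runs($fields, $cfg)) >= $cfg['trigger'];
}

// Constructed sample submissions, built from the examples on this page.
$samples = array(
    'junk'  => array('Name' => 'sjldespkzx', 'Phone' => 'BxeiikgNmCnMt'),
    'angry' => array('Message' => "Aaaarrrrgh! Your website doesn't tell me."),
    'welsh' => array('Message' => 'Is the queue long at Aberffrwd?'),
    'url'   => array('website_url' => 'https://www.lightstrength.example/', 'Message' => 'Hi'),
);
foreach ($samples as $label => $fields) {
    printf("%-6s junk=%-3s runs=%s\n", $label,
        is_junk($fields, $cfg) ? 'yes' : 'no', implode(',', junk_runs($fields, $cfg)));
}
```

Removing "queue" from lang_strip or "website_url" from ignore_fields pushes the welsh and url samples to two runs each, so both legitimate submissions would then be rejected at the default trigger of 2.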

Avoiding Problems

FormMail doesn't look for junk in special fields. These are the fields that allow your HTML form to control how FormMail operates. For example "recipients", "good_template", "subject".

These are generally hidden fields on your form, and often contain technical information or abbreviations.

From version 8.16, we've added two exceptions: "realname" and "subject" are FormMail special fields, but are included in the junk detection process.

However, if you have other hidden fields with special information in them that FormMail doesn't know about (i.e. they are hidden fields but not FormMail special fields) this information will be treated as user input and could trigger a false detection.

To avoid this problem, make sure your hidden fields avoid abbreviations. Alternatively, add the words you're using to the $ATTACK_DETECTION_JUNK_LANG_STRIP list or your field names to $ATTACK_DETECTION_JUNK_IGNORE_FIELDS.

Another trap (which even we've fallen into on one occasion!) is to have a special field, such as "good_template", with an abbreviation like "mygoodtmplt.htm" in its value, and then temporarily rename the field to "xgood_template". This stops it from being a special field, and will contribute to a junk attack detection. So, the lesson to learn from this is that if you want to disable your special fields, use HTML comments (<!-- ... -->).

Also, when you enable ATTACK_DETECTION_JUNK, make sure you test your forms by submitting junk to see what values are triggering the detection and also test your forms by submitting normal user input. FormMail can send you an alert about junk detection, if you enable ALERT_ON_ATTACK_DETECTION.

Searching For Valid Words That Trigger Detection

A great resource we've used in developing the junk attack detection is the word search feature at www.onelook.com.

This site allows you to search for words using wildcard searches. For example, enter this search term to find all words with 6 consecutive consonants: *######*

Similarly, to search for words with 5 consecutive vowels: *@@@@@*

Default Value

From version 9 onwards:

    $ATTACK_DETECTION_JUNK = false;
    $ATTACK_DETECTION_JUNK_CONSONANTS = "bcdfghjklmnpqrstvwxz";
    $ATTACK_DETECTION_JUNK_VOWELS = "aeiouy";
    $ATTACK_DETECTION_JUNK_CONSEC_CONSONANTS = 5;
    $ATTACK_DETECTION_JUNK_CONSEC_VOWELS = 4;
    $ATTACK_DETECTION_JUNK_TRIGGER = 2;
    $ATTACK_DETECTION_JUNK_LANG_STRIP = array(
            .... 
            );
    $ATTACK_DETECTION_JUNK_IGNORE_FIELDS = array();
    

Before version 9:

    define("ATTACK_DETECTION_JUNK",false);
    define("ATTACK_DETECTION_JUNK_CONSONANTS","bcdfghjklmnpqrstvwxz");
    define("ATTACK_DETECTION_JUNK_VOWELS","aeiouy");
    define("ATTACK_DETECTION_JUNK_CONSEC_CONSONANTS",5);
    define("ATTACK_DETECTION_JUNK_CONSEC_VOWELS",4);
    define("ATTACK_DETECTION_JUNK_TRIGGER",2);
    $ATTACK_DETECTION_JUNK_LANG_STRIP = array(
            .... 
            );
    $ATTACK_DETECTION_JUNK_IGNORE_FIELDS = array();
    

Examples

From version 9 onwards:

$ATTACK_DETECTION_JUNK = true;
$ATTACK_DETECTION_JUNK_CONSONANTS = "bcdfghjklmnpqrstvwxz";
$ATTACK_DETECTION_JUNK_VOWELS = "aeiouy";
$ATTACK_DETECTION_JUNK_CONSEC_CONSONANTS = 6;
$ATTACK_DETECTION_JUNK_CONSEC_VOWELS = 5;
$ATTACK_DETECTION_JUNK_TRIGGER = 3;
$ATTACK_DETECTION_JUNK_LANG_STRIP = array(
        .... 
        );
$ATTACK_DETECTION_JUNK_IGNORE_FIELDS = array(
        "other_email_address",
        "website_url",
        );
    

Before version 9:

define("ATTACK_DETECTION_JUNK",true);
define("ATTACK_DETECTION_JUNK_CONSONANTS","bcdfghjklmnpqrstvwxz");
define("ATTACK_DETECTION_JUNK_VOWELS","aeiouy");
define("ATTACK_DETECTION_JUNK_CONSEC_CONSONANTS",6);
define("ATTACK_DETECTION_JUNK_CONSEC_VOWELS",5);
define("ATTACK_DETECTION_JUNK_TRIGGER",3);
$ATTACK_DETECTION_JUNK_LANG_STRIP = array(
        .... 
        );
$ATTACK_DETECTION_JUNK_IGNORE_FIELDS = array(
        "other_email_address",
        "website_url",
        );
    
