This How-To guide describes how to use FormMail to send an automatic email to users submitting your forms.
You can use the Auto Responder feature to send a receipt or other confirmation to your customers.
The Dangers of Auto Responding
Think about your forms for a moment. Anyone can visit a form on your website and enter someone else's email address and press submit.
Let's call this person Sam (Sam is a spammer).
This doesn't usually happen because there's no benefit to Sam in doing this.
Now imagine that when a form is submitted on your website you automatically send an email to the email address that was entered. If the email just has some fixed text on it (such as "Thanks for your form submission"), then there's no (or not much) harm done. Sam still cannot benefit from this.
But now let's suppose the email you send has some information that Sam has entered on your form. Here's what happens:
- Sam enters Mary's email address on your form.
- Your form also asks for some other details, but instead of providing those, Sam types these things into your form:
- "Buy my product now, it's really good!"
- "Visit http://www.samsgoodproducts.biz/"
- Sam clicks submit and your website sends Sam's spam to Mary!
Your website has become a spam gateway and you're going to get blamed for it!
Spammers like Sam don't sit at a browser and type information into your form and click submit.
No, instead they write a program that uses your spam gateway to send thousands of spam emails around the world. The spamming is automated.
Preventing Your FormMail From Being a Spam Gateway
First, let's be absolutely clear: if you use any form submission program to Auto Respond, it's impossible to be 100% spammer-proof.
However, using a CAPTCHA technique you can reduce the likelihood of your forms becoming spam gateways.
Furthermore, by using the logging features within FormMail, you can monitor and detect spammer activity.
Our FormMail can be used to Auto Respond with a template, but it will only do so when the user has proven that they are human and not an automated computer program.
From version 8.20, FormMail can be used with a fixed file Auto Response provided you've implemented Reverse Captcha.
Reverse Captcha is not as secure against targeted automated attacks as normal Captcha, so we reduce the incentive for spammers by insisting that only a fixed message can be sent as an auto-response.
The advantage of Reverse Captcha is that humans are not inconvenienced by having to prove they are human, but bots are tricked into revealing they are bots.
So, to summarize:
- implement Captcha and send a templated message
- implement Reverse Captcha and send a fixed message
Auto Responding with a Fixed Message
From version 8.20, FormMail can be used to send an Auto Response using a fixed plain text file by implementing Reverse Captcha instead of Captcha.
The steps are simple:
- Create a file on your server to contain the message you want to send.
- Configure FormMail to access that file. This means setting $TEMPLATEDIR or $TEMPLATEURL and uploading the file from step 1 to that place on your server.
- Implement Reverse Captcha on your form.
- Configure your form to tell FormMail to send an Auto Response.
To configure your form to send a fixed message Auto Response (step 4):
<input type="hidden" name="autorespond" value="PlainFile=filename,Subject=Your confirmation" />
where filename is the name of the file you created in step 1.
From version 8.31 of FormMail, you can send a fixed message Auto Response using the rich text formatting available in HTML:
<input type="hidden" name="autorespond" value="HTMLFile=filename,Subject=Your confirmation" />
where filename is the name of the file you created in step 1. However, in this case the file can contain a complete HTML document, including links and images and other formatting you can perform with HTML.
You can use both PlainFile and HTMLFile. By doing this, you can cater for users whose email programs won't display HTML properly.
The remainder of this document describes how to send a templated Auto Response, using Captcha to protect your server.
How does FormMail do CAPTCHA?
You must use our free verifyimg.php script, or a more advanced product such as reCaptcha, in conjunction with FormMail to get FormMail to Auto Respond for you using a template.
These CAPTCHA programs show the user an image with some random letters and digits. The user must type the letters and digits correctly into your form before submitting it.
Note: FormMail can use CAPTCHA to prevent incorrect or spam form submissions, as well as use it for auto responding. If you want to do both, make sure you read the corresponding section below.
Why isn't CAPTCHA Perfect?
The simplest way for a spammer to overcome a CAPTCHA scheme is to encourage (or pay) people to view the images and type the correct values.
With sufficient people doing this, a spammer can automate the process and use your forms as a spam gateway.
This has actually been done to some famous websites.
Computer programs are also getting smarter. It may be possible, soon, for a program to defeat the image scheme we've implemented. The worrying part is that you won't know until you detect it in your log files (or some unhappy person tells you you're a spam gateway)!
Finally, the other thing wrong with CAPTCHA techniques is that it can be difficult or impossible for disabled or blind people to use them and therefore use your forms.
If you simply want to provide a receipt or confirmation to the user, FormMail also supports the good_template feature. This lets you display a page in the user's browser containing some or all of the information they submitted. The user can simply print the page (and the page can even contain a print button).
Alternatively, you can use a fixed message Auto Response.
However, if you're still keen to progress with a templated Auto Response, the rest of this page tells you how to do it!
The following lists the steps required to get FormMail to Auto Respond for you:
- Create a template for a plain text email, a template for an HTML email, or both.
- Configure FormMail to access the templates you created.
- Install verifyimg.php on your server.
- Configure your form to show the image and allow the user to enter the text from the image.
- Configure your form to tell FormMail to send an Auto Response.
We've provided a sample form that you can use to develop your own Auto Responding forms and templates.
Steps 1 & 2 - Templates
The steps for creating plain text and HTML templates for emails are described in other How-To guides. The steps are the same for Auto Responding; just remember that the templates you're creating will contain information to be sent to the user.
For creating a plain text template, read this How-To guide.
For creating an HTML template, read this How-To guide.
Some other tips for your templates....
- Don't send the user's credit card details back to them - it's a security risk!
- To discourage spammers, don't send large amounts of information back to the user. A few confirmation fields are generally all that's required.
- In your forms, limit the size of the text that can be entered in the fields you're going to send back to the user. For many field types, you can use the maxlength attribute, for example:
<input type="text" name="realname" maxlength="30" />
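The maxlength attribute is applied only by the browser, and a program that posts directly to the form handler is not bound by it, so the same limits need to be checked on the server before a value reaches the auto-response. The following is an added example, not FormMail's own code; the function name, the field list and the limits are assumptions chosen for illustration.

```php
<?php
// Added example, not part of FormMail. Field names and limits are
// hypothetical; list only the fields your auto-response echoes back.
const ECHO_LIMITS = ['realname' => 30, 'order_ref' => 12];

// Returns [$clean, $rejected]: values that may be merged into the
// auto-response, and the reason for each field that was refused.
function filter_echo_fields(array $post): array
{
    $clean = [];
    $rejected = [];
    foreach (ECHO_LIMITS as $name => $max) {
        $raw = $post[$name] ?? '';
        if (!is_string($raw)) {                // e.g. realname[]=...
            $rejected[$name] = 'not a single value';
            continue;
        }
        $value = trim($raw);
        if ($value === '') {
            continue;                          // nothing to echo
        }
        if (preg_match('/[\r\n]/', $value)) {
            $rejected[$name] = 'line break';   // would split the message
        } elseif (strlen($value) > $max) {     // length in bytes
            $rejected[$name] = 'too long';     // maxlength was not honored
        } elseif (preg_match('~https?://|www\.~i', $value)) {
            $rejected[$name] = 'contains a link';
        } else {
            $clean[$name] = $value;
        }
    }
    return [$clean, $rejected];
}

// Constructed submission, posted by a script rather than a browser.
$post = [
    'realname'  => 'Buy now at www.example.invalid',
    'order_ref' => 'A-10442',
    'comments'  => 'not on the list, so never echoed back',
];
[$clean, $rejected] = filter_echo_fields($post);
print_r($clean);
print_r($rejected);
```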
Step 3 - VerifyImg.php
You can download verifyimg.php here.
Simply upload it to your server. Read the instructions at the top of verifyimg.php for full details. Use the verifytest.php script to confirm correct operation.
Step 4 - Add the Image to your Form
You need to insert two items into your form: an image URL and a text field.
Here's how to insert the image:
<img src="http://www.yoursite.com/verifyimg.php" alt="Image verification" name="vimg" />
Here's how to get the user's input:
<p>If you would like a confirmation email, please enter the characters you see in the image:</p> <input type="text" size="12" name="arverify" />
The text field must be named arverify. That's the special field name that FormMail will look for.
Also, read the section below about Cookies and Sessions.
Step 5 - Configure your Form for Auto Respond
The final step is to simply add a hidden field called autorespond to your form:
<input type="hidden" name="autorespond" value="PlainTemplate=arplain.txt,HTMLTemplate=arhtml.html,Subject=Your confirmation,TemplateMissing=" />
This tells FormMail to send a single email to the user with both Plain Text and HTML formats.
The subject line for the email will be "Your confirmation" and missing fields will be left blank. The Subject and TemplateMissing specifications are optional.
If you only want to send plain text in the email, leave out the HTMLTemplate option. Conversely, if you only want to send an HTML email, leave out the PlainTemplate.
Of course, the names of the template files should be the ones you created in Step 1.
Also, read the section below about Cookies and Sessions.
There are other things you can control with the "autorespond" hidden field. Please check the complete documentation for this field.
Want Better Images?
verifyimg.php is a good way to start, because it's free!
reCaptcha (now owned by Google) is a good alternative. It's also free, and doesn't rely on PHP sessions. But it does rely on an external server (apart from your own) to operate. It's also probably the most targeted CAPTCHA product for attacks.
Don't forget that FormMail can use CAPTCHA for blocking bots entirely, as well as protecting auto responses. If you want to do both, or you're already blocking bots with "imgverify", read Autoresponding and Stopping Bots at the Same Time.
Cookies and Sessions
verifyimg.php communicates the string it shows in the image to formmail.php using a PHP session. formmail.php compares this secretly passed string to the value the user types into your form.
A user without login access to your server cannot directly modify information in a PHP session (and even with login access to a properly configured server they cannot modify session information). Sessions, therefore, are the only safe way to communicate secret information around your website.
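The session hand-off described above, as an added example that is not the code of verifyimg.php or formmail.php: the expected text stays in server-side session storage, is compared once, and is then discarded so that a solved image cannot be reused for further submissions. The function names and the session key are assumptions, and the session is passed in as an array so that the block runs from the command line.

```php
<?php
// Added example; not the code of verifyimg.php or formmail.php.
// 'ar_expected' is a hypothetical session key.

// Image-script side: choose the text and keep it on the server only.
function issue_challenge(array &$session, int $length = 6): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I
    $text = '';
    for ($i = 0; $i < $length; $i++) {
        $text .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session['ar_expected'] = $text;
    return $text;   // drawn into the image, never sent as text
}

// Form-handler side: compare what the user typed with the session copy.
function check_challenge(array &$session, $typed): bool
{
    $expected = $session['ar_expected'] ?? null;
    unset($session['ar_expected']);        // single use, pass or fail
    if (!is_string($expected) || !is_string($typed)) {
        return false;                      // no session data, or no input
    }
    // Constant-time comparison; case differences are tolerated.
    return hash_equals($expected, strtoupper(trim($typed)));
}

// In a web request, $session would be $_SESSION after session_start().
$session = [];
$shown = issue_challenge($session);

// Correct answer, first use.
var_dump(check_challenge($session, strtolower($shown)));
// The same answer submitted again after it has been consumed.
var_dump(check_challenge($session, $shown));
// A request that arrives without the session data.
$empty = [];
var_dump(check_challenge($empty, $shown));
```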
When a user's browser supports cookies, the PHP session mechanism works reliably and silently. There are several types of cookies, and the type of cookie that PHP uses has no privacy or security implications for the user.
There's no good reason for a browser not to accept the type of cookie that PHP uses for its sessions.
However, as a website developer, you cannot rely on people's browsers being correctly or sensibly configured. Some of your visitors' browsers may not accept any cookies.
If they don't accept any cookies, then the default setup we've provided in sampleautorespform.htm will not work because the PHP session will not be passed between verifyimg.php and formmail.php.
You can test this yourself by configuring your browser to block all cookies (you may need to close all copies of your browser and restart it - that's what we found with Internet Explorer) and trying the sample Auto Responding form (sampleautorespform.htm). You'll get an alert from FormMail like this:
Error=Failed to obtain authorization to send you email
For these types of visitors, you have three choices:
- Forget about them and they just won't be able to get an auto-response from your forms.
- Use the workaround we provide below and in the sample form called sampleautorespform.php.
Workaround Blocked Cookies
To work around the problem with browsers that block cookies, you can use the other mechanism that PHP provides to transmit session information.
This does not involve any changes to verifyimg.php or to formmail.php, but you do have to convert your HTML form file to a PHP script, and make some easy changes.
It's quite easy to do this: simply rename your HTML file from ".htm" (or ".html") to ".php". That's the first step. Do that and upload it to your server. Open it with a browser (remember it will now be http://www.yoursite.com/yourform.php). You'll see that it works identically.
Next, you need to start the PHP session at the top of your form. To do this, you simply add these 3 lines at the top of the file:
<?php
session_start();
?>
You can put this just above the <html> tag.
Finally, you need to add a simple string to all the URLs involved in the Auto Responding feature. In general, there will be 2 or 3 of these:
- the URL to call formmail.php
- the URL to call verifyimg.php
The string you need to append to the URLs is:
?<?php echo SID; ?>
So, here are the 3 replacements you need to make:
- Instead of:
<form method="post" action="http://www.yoursite.com/formmail.php" ...
use:
<form method="post" action="http://www.yoursite.com/formmail.php?<?php echo SID; ?>" ...
- Instead of:
<img src="verifyimg.php" ...
use:
<img src="verifyimg.php?<?php echo SID; ?>" ...
- Instead of:
document.vimg.src = "verifyimg.php";
use:
document.vimg.src = "verifyimg.php?<?php echo SID; ?>";
With the above changes, the VerifyImg feature and your Auto Responding form should work with any browser setting.
Logging - This is Really Important!
If you're serious about protecting your server from becoming a spam gateway, then you'll want to log all Auto Responding activities that FormMail does for you.
Logging allows you to easily monitor activity and quickly determine if something is awry.
If you're ever accused of being a spam gateway, you'll have the ability to determine if it's from the Auto Responder.
Setting up Auto Responder logging is easy:
- Create a directory on your server to hold log files. This should be outside (e.g. above) your web server document root. The Auto Responder log file contains email addresses, so you don't want a spammer to steal the log file and have a list of people's email addresses!
- Create a file in that directory for your Auto Responder log.
- Configure FormMail to perform the logging.
Near line 295 (as at version 8.29), you configure FormMail for the log directory. You can review the documentation above this line for more information.
$LOGDIR = "/path/to/logfiles"; // directory for log files;...
Near line 307, you configure FormMail for the Auto Responder log file. Review the documentation above this line for more information.
$AUTORESPONDLOG = "arlog.txt"; // file name in $LOGDIR ...
Also, for protection against spammers, you may wish to limit the number of times the button can be pressed.
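One way to review the Auto Responder log for signs of gateway abuse, as an added example that is not part of FormMail. The layout of arlog.txt is not shown on this page, so the script assumes only that each logged response line contains the recipient's email address; the function name, the threshold and the sample lines are constructed for illustration.

```php
<?php
// Added example; not part of FormMail. Only assumption about the log:
// each auto-response line contains the address the mail was sent to.

function summarize_autorespond_log(array $lines, int $repeatLimit = 3): array
{
    $perAddress = [];
    $perDomain = [];
    foreach ($lines as $line) {
        if (!preg_match('/[A-Z0-9._%+-]+@([A-Z0-9.-]+\.[A-Z]{2,})/i', $line, $m)) {
            continue;                          // no address on this line
        }
        $address = strtolower($m[0]);
        $domain = strtolower($m[1]);
        $perAddress[$address] = ($perAddress[$address] ?? 0) + 1;
        $perDomain[$domain] = ($perDomain[$domain] ?? 0) + 1;
    }
    arsort($perDomain);                        // busiest domains first
    return [
        // Compare these two totals with the number of genuine form
        // submissions you expect for the period the log covers.
        'responses' => array_sum($perAddress),
        'distinct'  => count($perAddress),
        // One person rarely needs many confirmations.
        'repeated'  => array_filter(
            $perAddress,
            function ($n) use ($repeatLimit) { return $n >= $repeatLimit; }
        ),
        'domains'   => $perDomain,
    ];
}

// Constructed sample lines; the real log layout may differ.
$sample = [
    '2024-05-01 10:02:11 sent to mary@example.org',
    '2024-05-01 10:02:12 sent to mary@example.org',
    '2024-05-01 10:02:13 sent to MARY@example.org',
    '2024-05-01 10:02:14 sent to bob@example.net',
    '2024-05-01 10:02:15 log file opened',
];
print_r(summarize_autorespond_log($sample));

// Real use, with the path configured in $LOGDIR and $AUTORESPONDLOG:
// summarize_autorespond_log(file('/path/to/logfiles/arlog.txt'));
```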
We've provided a sample HTML form that will perform Auto Responding with the features we've mentioned above. You can download it here.
Autoresponding and Stopping Bots at the Same Time
You can also use image verification (CAPTCHA) to stop bots from submitting your forms. There's a How-To guide about this.
If you want to do both, the one image field for autoresponding can also control bots.
To do this, you simply derive an "imgverify" field from "arverify":
<input type="hidden" name="derive_fields" value="imgverify=arverify" />
Alternatively, if you're already blocking bots with "imgverify", derive "arverify" from "imgverify":
<input type="hidden" name="derive_fields" value="arverify=imgverify" />
Read the How-To guide on deriving fields for more details about this technique.