Good Pattern for a response form

On Fri, 11 Mar 2005 21:55:50 GMT,
Rick Cook <rc****@TAKEOUT.mindspring.com> posted:

I would like to do a response form on one of my sites instead of posting
an e-mail address for spammers. I've taken a couple of examples from
sites, but the code looks clunky and non-conformant to my inexperienced eye.

Also, on the sites I've found you can get the e-mail address simply by
viewing the page source. It seems to me there should be a way to hide
that, but as I say I'm hardly an expert.
Look at the NMS replacements for Matt Wright's forms. They allow you to
specify an alias for the recipient in the form, and the script uses that
alias to work out which address to post to (you configure a table of
aliases and addresses in the script).
Can anyone recommend a good site to use as a pattern? Needless to say,
I'd like it to be as easy to maintain and standards compliant as possible.

That rather depends on what you want on the form. Such as answering
questions, writing messages, etc. But what sort maintenence do you need
on a form once you've written it?

A valid, and logical way, of structuring parts of forms is to use the
proper form elements, as set out in the specifications, perhaps with a
few extra formatting elements and CSS to neaten things up, and avoiding
using tables. For example:

<form action="/cgi-bin/FormMail.pl" method="post" accept-charset="us-ascii, iso-8859-1">

<fieldset>
<legend>Why did you visit this site?</legend>

<div class="multiplechoice">
<label><input type="checkbox" name="visit_reason" value="Boredom"> I needed more excitement in my life</label><br>
<label><input type="checkbox" name="visit_reason" value="Broken PC"> Trying to fix my PC</label>
</div>
</fieldset>

<fieldset>
<legend>Did the site work properly?</legend>

<div class="multiplechoice">
<label><input type="radio" name="site_okay" value="Yes"> Yes</label><br>
<label><input type="radio" name="site_okay" value="No"> No</label><br>
<label><input type="radio" name="site_okay" value="Don't know"> Don't know</label><br>
<label><input type="radio" name="site_okay" value="No answer" selected> No comment</label>
</div>
</fieldset>

<fieldset>
<legend>Your details</legend>

<div>
<label for="name">Name:</label><br>
<input type="text" name="realname" id="name" size="50" maxlength="70">
</div>

<div>
<label for="address">E-mail address:</label><br>
<input type="text" name="email" id="address" size="50" maxlength="70">
</div>
</fieldset>

<fieldset>
<legend>Message details</legend>

<div>
<label for="subject">Subject:</label><br>
<input type="text" name="subject" id="subject" size="50" maxlength="70" value="survey form response">
</div>

<div>
<label for="message">Message:</label><br>
<textarea name="message" id="message" cols="50" rows="20"></textarea>
</div>
</fieldset>

<fieldset>
<legend>Action</legend>

<div>
<input name="recipient" value="webmaster" type="hidden">
<input type="hidden" name="redirect" value="/response.html">
<input type="submit" value="Send"> your comments.
</div>
</fieldset>

</form>

Notes:
-----
1. My "multiplechoice" CSS class was there to play with margins/fonts.
2. I've deliberately made the message area big enough to write a message
without it being a pain.

--
If you insist on e-mailing me, use the reply-to address (it's real but
temporary). But please reply to the group, like you're supposed to.

This message was sent without a virus, please delete some files yourself.

On Fri, 11 Mar 2005 21:55:50 +0000, Rick Cook wrote:

I would like to do a response form on one of my sites instead of posting
an e-mail address for spammers. I've taken a couple of examples from
sites, but the code looks clunky and non-conformant to my inexperienced eye.

Also, on the sites I've found you can get the e-mail address simply by
viewing the page source. It seems to me there should be a way to hide
that, but as I say I'm hardly an expert.

Can anyone recommend a good site to use as a pattern? Needless to say,
I'd like it to be as easy to maintain and standards compliant as possible.

--RC

A very simple method, that I am sure will be worked around by the spam
harvesters, is to replace the characters in the email address with their
letter codes. for example, rather than ca*****@marenger.com, use:
%63%61%72%6F%6C%79%6E%40%6D%61%72%65%6E%67%65%72%2 E%63%6F%6D. This
displays and if used in a link works fine, but in theory makes it just a
little harder for a harvesting script to find.

In my case, I use spam assassin, and even with my email address posted I
am only receiving 1 or 2 spam messages in any given week.

Carolyn

On Sat, 12 Mar 2005, Carolyn Marenger wrote:

A very simple method, that I am sure will be worked around by the spam
harvesters, is to replace the characters in the email address with their
letter codes.
Don't waste time concentrating on the wrong issue.

Any response script which permits an arbitrary email address to be
specified from a form submission as a destination is functionally a
spamming gateway, and will get your site blacklisted in due course.

If you have a limited menu of contact addresses on the server side,
then they can be specified by a nickname from the script, without
revealing the true email address. Read the notes that come with the
NMS re-engineered formmail script. Although you'll find that many
hosters will refuse to host anything whose name resembles "formmail"
(the spammers are permanently scanning for them).
In my case, I use spam assassin, and even with my email address
posted I am only receiving 1 or 2 spam messages in any given week.

Well, I'm assistant postmaster, so anyone who spams me is assured of
being blocked from the whole department (in fact I just reported one
to the central postmaster, so that'll be blocked from the whole
campus).

cheers

On Sat, 12 Mar 2005 12:32:29 +0000,
"Alan J. Flavell" <fl*****@ph.gla.ac.uk> posted:

If you have a limited menu of contact addresses on the server side,
then they can be specified by a nickname from the script, without
revealing the true email address. Read the notes that come with the
NMS re-engineered formmail script. Although you'll find that many
hosters will refuse to host anything whose name resembles "formmail"
(the spammers are permanently scanning for them).

But you can rename the script...

--
If you insist on e-mailing me, use the reply-to address (it's real but
temporary). But please reply to the group, like you're supposed to.

This message was sent without a virus, please delete some files yourself.

On Sun, 13 Mar 2005, Tim wrote:

On Sat, 12 Mar 2005 12:32:29 +0000,
"Alan J. Flavell" <fl*****@ph.gla.ac.uk> posted:

If you have a limited menu of contact addresses on the server side,
then they can be specified by a nickname from the script, without
revealing the true email address. Read the notes that come with the
NMS re-engineered formmail script.
Just a routine remark at this point that this sub-thread is way off
topic for the stylesheets group, so the lurkers should not go off
thinking they've heard everything they need to know about the topic.
This is serious stuff, and can get you blacklisted if you don't know
what you're doing, so please go and get advice in an appropriate
place if you're planning to do this.

Meantime, back to Tim:
Although you'll find that many hosters will refuse to host
anything whose name resembles "formmail" (the spammers are
permanently scanning for them).

But you can rename the script...

You might keep your service provider quiet for a while, if you called
it something different from the names that are routinely searched for.
But if the script isn't properly designed and set up (see above), it
still might act as an open mail proxy, and a determined spammer might
find it and (ab)use it. Any contact form is potentially at risk.
Make it bulletproof: "security by obscurity" only goes so far (which
isn't far enough!).

"Alan J. Flavell" <fl*****@ph.gla.ac.uk> posted:

Although you'll find that many hosters will refuse to host
anything whose name resembles "formmail" (the spammers are
permanently scanning for them).

Tim wrote:
But you can rename the script...

"Alan J. Flavell" <fl*****@ph.gla.ac.uk> posted:
You might keep your service provider quiet for a while, if you called
it something different from the names that are routinely searched for.

I was thinking of the situation of using a better script, like the NMS one
used in a sensible manner, and renaming it to avoid the ire of idiot hosts
who just want to outlaw something called formail regardless of what it
actually was.

Interestingly, as I use the NMS script in that manner myself, I notice my
web logs show attempts to find other well-known bad scripts from time to
time, but they don't look for that one.

--
If you insist on e-mailing me, use the reply-to address (it's real but
temporary). But please reply to the group, like you're supposed to.

This message was sent without a virus, please delete some files yourself.

On Sun, 13 Mar 2005, Tim wrote:

I was thinking of the situation of using a better script, like the
NMS one used in a sensible manner, and renaming it to avoid the ire
of idiot hosts who just want to outlaw something called formail
regardless of what it actually was.
That's what I thought - I just wanted to spell it out...
Interestingly, as I use the NMS script in that manner myself, I
notice my web logs show attempts to find other well-known bad
scripts from time to time,
No surprises there. I guess every publicly-accessible web server's
log has examples. I know all of ours log them. I think this is even
one of nessus standard tests, isn't it?[1] (Don't try this at home,
kids: running nessus against someone else's server would be a criminal
offence in many jurisdictions.)
but they don't look for that one.

As long as there are easy pickings elsewhere, they don't need to.
But if the script /was/ insecure (I accept that in your case it
isn't), then it only takes one spammer to find it. For example by
spotting the contact form which invokes it.
[1] http://www.nessus.org/plugins/index....ingle&id=10076

Rick Cook wrote:

I would like to do a response form on one of my sites instead of posting
an e-mail address for spammers. I've taken a couple of examples from
sites, but the code looks clunky and non-conformant to my inexperienced
eye.

Whether or not it's posted on the web, you're going to need
spam-protection on the email address -- spammers will almost certainly
find it eventually. Given that, does it really make sense to force
people to jump through hoops to contact you?

Even in those rare cases where a 'response form' avoids using a
postage-stamp sized text-entry area, it still provides an extremely
feature-poor interface compared to the user's email client -- which
often makes the experience of using it a very frustrating and unpleasant
one. Even if it were somehow made as feature-rich as the user's usual
mailer it would still be *different* -- and therefor harder for them to
use because they have to override their habitual ways of composing a
message. On top of that most such forms don't provide a copy of the
message to the sender (and even if they did they have no way to put it
wherever the sender normally stores outgoing messages).

Look at it from the user's point of view: would you really want to deal
with an organization which has (by its actions) clearly stated up front
that your convenience is of no importance to it? Think about what this
implies for attempts to resolve any future problems.

When faced with this sort of crap, I'll frequently go looking for a
competitor whose website isn't so badly brain-damaged. I doubt if I'm
alone.

Dave

In message <Gt****************@newsread3.news.pas.earthlink.n et>, Rick
Cook <rc****@TAKEOUT.mindspring.com> writes

I would like to do a response form on one of my sites instead of posting
an e-mail address for spammers. I've taken a couple of examples from
sites, but the code looks clunky and non-conformant to my inexperienced
eye.

Also, on the sites I've found you can get the e-mail address simply by
viewing the page source. It seems to me there should be a way to hide
that, but as I say I'm hardly an expert.

Can anyone recommend a good site to use as a pattern? Needless to
say, I'd like it to be as easy to maintain and standards compliant as
possible.

--RC

I use a simple javascript routine to write the address in DHTML - so far
my mother's email has been on the web over a year - and she gets no
spam! (She does not post to newsgroups!)
Its nothing fancy - just stick this where the mailto: used to go (change
the
user and place fields as required).

<script language="JavaScript" type="text/javascript">
<!-- //blocks indexing by harvesters
user = "user";
place = "mydomain.co.uk";
document.write('<a href=\"mailto:' + user + '@' + place + '\">');
document.write(user + '@' + place + '<\/a>');
// -->
</script>

Regards

Ian

--
Ian - posting to a Newsgroup. Please remove everything to reply.