Small company develops new way to stop form spam
- 19 May, 2009 03:18
Spam isn't just a problem for people with e-mail addresses, but also for companies and organizations running Web sites with various types of feedback forms.
Automated bots troll the Internet for forms, automatically filling them out with rubbish information. Form data often goes to Web-site employees' e-mail addresses for sorting later.
Many companies also collect marketing leads through forms that feed directly into databases, which then get gummed up with Viagra pitches instead of potential customers.
But a four-person company in Dallas has come up with a Web-based service called Form Armor that blocks Web-form spam.
The service is similar to a payment gateway, said Larissa Reynolds, who founded Form Armor with her husband, Chris. Once a Web site is configured to use it, form data is encrypted and sent to Form Armor for real-time analysis.
Form data is ranked as good, bad or ugly. "Ugly" means the submission contains some sort of malware or SQL injection attack. Good form data is passed on to the client, while bad and ugly data is blocked.
Form Armor has spent seven years tweaking its technology to accurately identify form spam.
"We've been able to go through mounds and mounds of data to develop this algorithm that can detect what is abuse and what is legitimate," Reynolds said.
Form Armor costs US$9 per Web site per month, no matter how many forms. A more advanced API (Application Programming Interface) is available for $29 per Web site per month.
The API, which works with PHP, ASP.net, ASP and soon DotNetNuke, allows administrators to control how all form data is stored, regardless of whether it has been deemed good, bad or ugly.
However, "most clients don't want to look at" the bad and ugly data, Reynolds said.
Form Armor is offering its service as an alternative to the CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), a rapidly weakening Web-site defense mechanism.
The jumbled puzzles are intended to stop computers from automatically registering for free e-mail addresses, posting comments to Web sites and performing other submissions, but they are increasingly failing.
Computers have become better at solving the puzzles.
Also, spammers have created systems where real humans solve the CAPTCHAs. Reynolds said she saw one spam form submission where someone who was apparently employed to fill out the form became frustrated and wrote: "Why oh why do I have to go to this country to do this."
Reynolds is coy about how Form Armor's technology works, beyond saying that it uses an algorithm. Spammers are none the wiser to sites using Form Armor: the processing is on the server side, and all form data appears to be processed normally, even if Form Armor blocked it.
Reynolds says false positives -- where legitimate form data is blocked -- are rare.
Although the technology is being used for form data now, it could be extended to free e-mail platforms run by companies such as Google or Yahoo, Reynolds said.
Form Armor will not reveal how many customers it has, but one of its latest customers has been pleased.
Urbanity Studios is a Web-based business that specializes in customized stationery. As the site's traffic has grown, more spam has come through the forms on the site, said Micki Ahrens, marketing director.
The most problematic one was the "Tell a friend" form, which would route a message from a person through Urbanity Studios to someone else's e-mail address.
Ahrens said the company knew something was awry when it began receiving hundreds of bouncebacks, or notifications of undeliverable messages. It's an indicator that a spammer has routed messages to e-mail addresses that don't exist, with the bad ones landing back on Urbanity Studios' doorstep.
It got so bad that "we were blacklisted" for a while by Barracuda Networks, a company that makes e-mail and Web security appliances, Ahrens said.
The problem has now ended. Urbanity Studios has been using the $9-a-month version of Form Armor since the beginning of April.
Since then, very few spam messages have come through, Ahrens said. False positives have likely been very low, since the company's customers tend to complain via its free phone number if there is some problem with the Web site, she said.