Setting Up the ScriptView the source code for this ASP script.
In order for the ASP script to work, some configuration variables need to be set. These are defined at the beginning of the code.
Here is a view of the code with some typical values. The parameters are described in detail below.
mailComp = "ASPMail" smtpServer = "mail.example.net" fromAddr = "email@example.com" allowedHosts = Array("www.example.net", "example.net") allowedRecipients = Array("firstname.lastname@example.org", "email@example.com") allowedEnvars = Array("HTTP_USER_AGENT", "REMOTE_ADDR", "REMOTE_USER") allowCcToFlag = true botCheckFlag = false botCheckID = "MyBotCheckID" botCheckMinTime = 5
|FormMail Configuration Variables|
||Must be set to one of "ASPMail", "CDONTS", "CDOSYS" or
"JMail". These are the four email components that the script recognizes and
can use for sending email.
If your web host does not support any of these, you will need to add your own coding to use whatever is available to you.
||The hostname of your SMTP server. This is required for all the supported email components except CDONTS. Check with your host provider to determine what you should set this to.|
||This email address will be used as the sender address for
the email created by the script.
Many web hosts do not allow email to be sent from their systems without a valid
||An array of web host names. This is used to prevent other
sites from using your site to send email. Basically, it should match what's
in your website address between the "http://" and the next "/" character.
An array value is used so that you can include multiple sites and variations, such as "www.example.net" and "example.net". You can even include IP addresses.
If left empty:
allowedHosts = Array()any referering site will be allowed.
||An array of email addresses that are permitted in the
If left empty, any email address may be specified as a recipient via the
||An array of environment variable names that are permitted
If left empty, any environment variable can be displayed via the
||When set to
||These three parameters are used to help prevent automated submissions often used by spammers. This requires the use of ASP code in the submitting form or forms. See below for details.|
mailComp parameter to identify the component used to
send email on your host. The script has been designed to work with four of the
most common ASP email components available.
If your host does not use any of these, you'll need to modify the script to add support for your particular situation. You should check with your host administrator or technical support personnel to find out what is supported on your site and the correct parameters needed to use it.
Security and Anti-Spam Feature Configuration
The script is designed with a some features to help prevent unauthorized use. For instance, some one could create a form on their own site that POSTs its data to your Form Mail script.
<!-- Form located at http://www.otherdomain.com/contact.html --> <form action="http://www.yourdomain.net/scripts/formmail.asp" method="post"> <div> <input name="_recipients" type="hidden" value="firstname.lastname@example.org" /> ... </div> </form>
To help prevent this, you can use the
allowedHosts to only
allow submissions via forms located on your own site (or sites). The script
does this by checking the HTTP_REFERER header on the request. If the host name
derived from that does not match one found in the list, it generates an
allowedHostslist empty and rely on some of the other security measures instead.
allowedRecipients lets you define an explicit list of email
addresses that the form data can be sent to. This probably the best option to
prevent spamming as it limits where any email will be sent.
You still specify who the email for a particular form goes to in the
_recipients control field on that form, but the script will
generate an error message if any of those addresses does not appear in this
allowedEnvars is similar in that it limits what environment
variables will be displayed via the
_envars control field. It
differs, however, in that it will not generate an error message if a disallowed
environment variable is requested. Instead, it simply does not include it in
You can leave the list empty to permit any requested environment variable to be displayed, but some contain information about your site configuration so its advisable to specifically list only those that you plan to use.
Preventing Abuse of the CC Option
Within a form, the
_ccToField control field can be used to
CC the user a copy of the email. Since a spammer could potentially use this to
send email to arbitrary addresses, you have the option of disabling the feature
If you disallow the feature, the use of
_ccToField in a
submitting form will generate an error message.
The last set of parameters is intended to prevent the type of automatic submissions often used by spammers. Typically, a spammer will find a script such as this one on some web site, then set up a program that simulates submitting form data to it just as a web browser would. Except that the bot program is much faster and iterates through a long list of email addresses with each submission.
To use the bot checking feature, you need to set
true. Then pick a name for
botCheckID, it can be
anything, but you'll need to use it on your form (or forms) as well. The
botCheckMinTime should be set to some positive number.
Any form you wish to use with the form mail script with will need to be
an ASP page. Within each form, add a line to set a session variable (using
the same name selected for
botCheckID) with the current time:
<% Session("MyBotCheckID") = Now() %>
Now, when the form mail script gets a request, it will look for that session
variable. If it has not set, it will generate an error message. If it has been
set, it will take the recorded time and compare it to the current time to
determine how many seconds have elapsed since the form page was loaded by the
user. If the time difference is less than whatever number
botCheckMinTime is set to, the request is rejected.
So basically, it's checking for human-like behaviour. A user loads the form in the browser, spends some time filling it out, then submits it. This is unlike a typical spam bot which simply submits data directly to the form processing script. Even if a bot does load the form first, it is unlikely to wait several seconds before submitting the form data to the script.
The main downsides to this technique is that users must accept cookies from your site (because ASP session state needs to use a cookie to uniquely identify each session), the submitting form must be an ASP page (in order to set the session variable) and both the submitting form and the form mail script must be on the same web server (which is usually the case, but not always).