
ASP FormMail

Setting Up the Script

View the source code for this ASP script.

In order for the ASP script to work, some configuration variables need to be set. These are defined at the beginning of the code.

Script Parameters

Here is a view of the code with some typical values. The parameters are described in detail below.

mailComp   = "ASPMail"
smtpServer = "mail.example.net"
fromAddr   = "guest@example.net"

allowedHosts      = Array("www.example.net", "example.net")
allowedRecipients = Array("comments@example.net", "support@example.net")
allowedEnvars     = Array("HTTP_USER_AGENT", "REMOTE_ADDR", "REMOTE_USER")

allowCcToFlag = true

botCheckFlag    = false
botCheckID      = "MyBotCheckID"
botCheckMinTime = 5
FormMail Configuration Variables

mailComp
    Must be set to one of "ASPMail", "CDONTS", "CDOSYS" or "JMail". These are the four email components that the script recognizes and can use for sending email.

    If your web host does not support any of these, you will need to add your own code to use whatever is available to you.

smtpServer
    The hostname of your SMTP server. This is required for all the supported email components except CDONTS. Check with your host provider to determine what you should set this to.

fromAddr
    This email address will be used as the sender address for the email created by the script.

    Many web hosts do not allow email to be sent from their systems without a valid From address, in order to discourage spamming. In any case, you should always use a valid email address for your own site.

allowedHosts
    An array of web host names. This is used to prevent other sites from using your site to send email. Basically, it should match what's in your website address between the "http://" and the next "/" character.

    An array value is used so that you can include multiple sites and variations, such as "www.example.net" and "example.net". You can even include IP addresses.

    If left empty:

    allowedHosts = Array()

    any referring site will be allowed.

allowedRecipients
    An array of email addresses that are permitted in the _recipients control field.

    If left empty, any email address may be specified as a recipient via the _recipients control field.

allowedEnvars
    An array of environment variable names that are permitted in the _envars control field.

    If left empty, any environment variable can be displayed via the _envars control field.

allowCcToFlag
    When set to true, the _ccToField control field can be used to send a copy of the email to the user. When false, use of the _ccToField control field in a form will generate an error message.

botCheckFlag, botCheckID, botCheckMinTime
    These three parameters are used to help prevent the automated submissions often used by spammers. This requires the use of ASP code in the submitting form or forms. See below for details.

Email Configuration

Use the mailComp parameter to identify the component used to send email on your host. The script has been designed to work with four of the most common ASP email components available.

If your host does not use any of these, you'll need to modify the script to add support for your particular situation. You should check with your host administrator or technical support personnel to find out what is supported on your site and the correct parameters needed to use it.

For more information on the supported email components, visit the vendor sites: ServerObjects (ASPMail), Microsoft (CDONTS and CDOSYS), and Dimac (JMail).
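As an added example (Python written for this page, not code from the FormMail script), the following checker encodes the rules the configuration section states, so a candidate set of values can be reviewed before it is pasted into the script. The dictionary keys mirror the script's variable names; the checker itself, its function names and the sample configuration are assumptions made for the illustration.

```python
# Added example, not code from the FormMail script: a checker for the configuration
# values described above. It encodes only the rules the page states (recognized mail
# components, smtpServer needed except for CDONTS, a From address, array-typed
# allow-lists, and the bot-check trio) so a candidate configuration can be reviewed
# before it is pasted into the script.
from typing import Dict, List, Tuple

# The four email components the script recognizes.
SUPPORTED_MAIL_COMPONENTS = ("ASPMail", "CDONTS", "CDOSYS", "JMail")
ALLOW_LISTS = ("allowedHosts", "allowedRecipients", "allowedEnvars")


def validate_config(cfg: Dict[str, object]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors stop the script from working as intended;
    warnings flag settings that work but switch a protection off."""
    errors: List[str] = []
    warnings: List[str] = []

    comp = str(cfg.get("mailComp", ""))
    if comp not in SUPPORTED_MAIL_COMPONENTS:
        errors.append(f"mailComp must be one of {', '.join(SUPPORTED_MAIL_COMPONENTS)}; got {comp!r}")

    # smtpServer is required for every supported component except CDONTS.
    if comp != "CDONTS" and not str(cfg.get("smtpServer", "")).strip():
        errors.append(f"smtpServer is required when mailComp is {comp!r}")

    # Only a shape check: the page requires a valid address on your own site.
    from_addr = str(cfg.get("fromAddr", ""))
    local, sep, domain = from_addr.partition("@")
    if not (sep and local and domain):
        errors.append(f"fromAddr does not look like an email address: {from_addr!r}")

    # Each allow-list must be an array; an empty array disables that restriction.
    for name in ALLOW_LISTS:
        value = cfg.get(name)
        if not isinstance(value, (list, tuple)):
            errors.append(f"{name} must be an Array, got {type(value).__name__}")
        elif len(value) == 0:
            warnings.append(f"{name} is empty, so that restriction is disabled")

    if cfg.get("allowCcToFlag", False):
        warnings.append("allowCcToFlag is true: _ccToField can send a copy to a user-supplied address")

    # The bot-check parameters only matter when the feature is switched on.
    if cfg.get("botCheckFlag", False):
        if not str(cfg.get("botCheckID", "")).strip():
            errors.append("botCheckID must be set when botCheckFlag is true")
        min_time = cfg.get("botCheckMinTime", 0)
        if isinstance(min_time, bool) or not isinstance(min_time, (int, float)) or min_time <= 0:
            errors.append("botCheckMinTime must be a positive number when botCheckFlag is true")

    return errors, warnings


# Constructed sample: the values shown in the configuration listing above.
SAMPLE_CONFIG: Dict[str, object] = {
    "mailComp": "ASPMail",
    "smtpServer": "mail.example.net",
    "fromAddr": "guest@example.net",
    "allowedHosts": ["www.example.net", "example.net"],
    "allowedRecipients": ["comments@example.net", "support@example.net"],
    "allowedEnvars": ["HTTP_USER_AGENT", "REMOTE_ADDR", "REMOTE_USER"],
    "allowCcToFlag": True,
    "botCheckFlag": False,
    "botCheckID": "MyBotCheckID",
    "botCheckMinTime": 5,
}

if __name__ == "__main__":
    errs, warns = validate_config(SAMPLE_CONFIG)
    print("errors:", errs)
    print("warnings:", warns)
```

Warnings rather than errors are used for empty allow-lists and for allowCcToFlag because the script accepts those values; they simply leave a protection switched off, which is what a reviewer of the configuration most wants to notice.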

Security and Anti-Spam Feature Configuration

The script is designed with some features to help prevent unauthorized use. For instance, someone could create a form on their own site that POSTs its data to your Form Mail script.

<!-- Form located at http://www.otherdomain.com/contact.html -->
<form action="http://www.yourdomain.net/scripts/formmail.asp" method="post">
<div>
<input name="_recipients" type="hidden" value="user@otherdomain.net" />
...
</div>
</form>

To help prevent this, you can use the allowedHosts parameter to allow submissions only via forms located on your own site (or sites). The script does this by checking the HTTP_REFERER header on the request. If the host name derived from that header does not match one found in the list, the script generates an error message.

Note that some browsers omit the referer header, and a user may be behind a firewall or proxy that removes the referer header from the request. This would prevent those users from using your form. To avoid this, you can leave the allowedHosts list empty and rely on some of the other security measures instead.

allowedRecipients lets you define an explicit list of email addresses that the form data can be sent to. This is probably the best option for preventing spamming, as it limits where any email will be sent.

You still specify who the email for a particular form goes to in the _recipients control field on that form, but the script will generate an error message if any of those addresses does not appear in this list.

allowedEnvars is similar in that it limits what environment variables will be displayed via the _envars control field. It differs, however, in that it will not generate an error message if a disallowed environment variable is requested. Instead, it simply does not include it in the email.

You can leave the list empty to permit any requested environment variable to be displayed, but some contain information about your site configuration, so it's advisable to list specifically only those that you plan to use.
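As an added example (Python written for this page, not the script's own ASP code), the following models the three allow-list checks described in this section and runs them against a constructed request posted from a form on another domain, like the HTML fragment above. The function names, the request layout and the server variable values are assumptions made for the illustration.

```python
# Added example, not code from the FormMail script: a Python model of the
# allowedHosts, allowedRecipients and allowedEnvars checks described above.
# Names, sample request and server variables are constructed for illustration.
from typing import Dict, List, Optional, Sequence, Tuple


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Host part of a referer URL: the text between '://' and the next '/',
    lower-cased. Returns None when the header is absent or has no scheme."""
    if not referer:
        return None
    _scheme, sep, rest = referer.partition("://")
    if not sep:
        return None
    return rest.split("/", 1)[0].lower() or None


def check_host(referer: Optional[str], allowed_hosts: Sequence[str]) -> Tuple[bool, str]:
    """Empty allow-list: every request passes. Otherwise the referer host must be
    listed, and a request with no referer (browser or proxy stripped it) is rejected."""
    if not allowed_hosts:
        return True, "allowedHosts is empty; host check disabled"
    host = referer_host(referer)
    if host is None:
        return False, "no usable referer header; originating site cannot be verified"
    if host in {h.lower() for h in allowed_hosts}:
        return True, f"referer host {host} is allowed"
    return False, f"referer host {host} is not in allowedHosts"


def check_recipients(recipients: Sequence[str], allowed: Sequence[str]) -> Tuple[bool, str]:
    """Every address in _recipients must be listed; one unlisted address fails the request."""
    if not allowed:
        return True, "allowedRecipients is empty; any recipient accepted"
    allowed_set = {a.strip().lower() for a in allowed}
    rejected = [r for r in recipients if r.strip().lower() not in allowed_set]
    if rejected:
        return False, "recipient(s) not permitted: " + ", ".join(rejected)
    return True, "all recipients permitted"


def filter_envars(requested: Sequence[str], allowed: Sequence[str],
                  server_vars: Dict[str, str]) -> Dict[str, str]:
    """Unlike recipients, an unlisted variable is dropped silently, not rejected.
    An empty allow-list permits every requested variable."""
    permitted = set(allowed) if allowed else set(requested)
    return {name: server_vars.get(name, "") for name in requested if name in permitted}


def evaluate(request: Dict[str, object], config: Dict[str, object]) -> Tuple[bool, List[str], Dict[str, str]]:
    """Apply the checks in the order the page describes them and collect the messages.
    Returns (accepted, messages, envars_to_include)."""
    messages: List[str] = []
    accepted = True
    for ok, msg in (
        check_host(request.get("HTTP_REFERER"), config["allowedHosts"]),
        check_recipients(request["_recipients"], config["allowedRecipients"]),
    ):
        messages.append(msg)
        accepted = accepted and ok
    envars = filter_envars(request["_envars"], config["allowedEnvars"], request["server_vars"])
    return accepted, messages, envars


# Constructed sample: the configuration from the listing above and a request
# posted from a form hosted on another domain, as in the HTML fragment above.
CONFIG = {
    "allowedHosts": ["www.example.net", "example.net"],
    "allowedRecipients": ["comments@example.net", "support@example.net"],
    "allowedEnvars": ["HTTP_USER_AGENT", "REMOTE_ADDR", "REMOTE_USER"],
}
FOREIGN_FORM_POST = {
    "HTTP_REFERER": "http://www.otherdomain.com/contact.html",
    "_recipients": ["user@otherdomain.net"],
    "_envars": ["REMOTE_ADDR", "SERVER_SOFTWARE"],
    "server_vars": {"REMOTE_ADDR": "203.0.113.7", "SERVER_SOFTWARE": "Microsoft-IIS (constructed)"},
}

if __name__ == "__main__":
    ok, msgs, envars = evaluate(FOREIGN_FORM_POST, CONFIG)
    print("accepted" if ok else "rejected", msgs, envars)
```

Running it shows the sample request failing both the host check and the recipient check, while SERVER_SOFTWARE is quietly left out of the environment variables because it is not in allowedEnvars. The host check also makes the referer caveat concrete: with a non-empty allowedHosts, a request whose referer was stripped is rejected rather than passed.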

Preventing Abuse of the CC Option

Within a form, the _ccToField control field can be used to CC the user a copy of the email. Since a spammer could potentially use this to send email to arbitrary addresses, you have the option of disabling the feature by setting allowCcToFlag to false.

If you disallow the feature, the use of _ccToField in a submitting form will generate an error message.

Bot Checking

The last set of parameters is intended to prevent the type of automatic submissions often used by spammers. Typically, a spammer will find a script such as this one on some web site, then set up a program that simulates submitting form data to it just as a web browser would, except that the bot program is much faster and iterates through a long list of email addresses with each submission.

To use the bot checking feature, you need to set botCheckFlag to true. Then pick a name for botCheckID; it can be anything, but you'll need to use it on your form (or forms) as well. The botCheckMinTime should be set to some positive number of seconds.

Any form you wish to use with the form mail script will need to be an ASP page. Within each form, add a line to set a session variable (using the same name selected for botCheckID) with the current time:

<% Session("MyBotCheckID") = Now() %>

Now, when the form mail script gets a request, it will look for that session variable. If it has not been set, the script will generate an error message. If it has been set, the script will take the recorded time and compare it to the current time to determine how many seconds have elapsed since the form page was loaded by the user. If the time difference is less than the number botCheckMinTime is set to, the request is rejected.
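As an added example (Python written for this page, not the script's own ASP code), here is a model of the bot check just described. The ASP line on the form page stores Now() in the session; in the model the session is a plain dictionary and the clock is passed in explicitly, so the three cases (form never loaded, submitted too quickly, submitted at human pace) can be replayed without waiting. The function names and timestamps are assumptions made for the illustration.

```python
# Added example, not code from the FormMail script: a Python model of the bot check.
# On the form page, <% Session("MyBotCheckID") = Now() %> records when the form was
# served; here the session is a plain dict and the clock is passed in explicitly so the
# timing can be replayed without waiting. Names and timestamps are constructed.
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

BOT_CHECK_ID = "MyBotCheckID"   # the name chosen for botCheckID in the listing above
BOT_CHECK_MIN_TIME = 5          # seconds, as in the sample configuration


def form_page_loaded(session: Dict[str, datetime], now: datetime,
                     bot_check_id: str = BOT_CHECK_ID) -> None:
    """What the ASP line on the form page does: store the load time in the session."""
    session[bot_check_id] = now


def bot_check(session: Dict[str, datetime], now: datetime, bot_check_flag: bool = True,
              bot_check_id: str = BOT_CHECK_ID, min_time: float = BOT_CHECK_MIN_TIME) -> Tuple[bool, str]:
    """The form mail script's side: reject when the session variable is missing or
    when fewer than min_time seconds have passed since it was set."""
    if not bot_check_flag:
        return True, "bot check disabled"
    loaded_at = session.get(bot_check_id)
    if loaded_at is None:
        # No session variable: the form page was never served in this session
        # (a direct post, or a client that does not keep the session cookie).
        return False, "form page was not loaded before submission"
    elapsed = (now - loaded_at).total_seconds()
    # A negative value (clock moved backwards) also fails the "at least min_time" test.
    if elapsed < min_time:
        return False, f"submitted {elapsed:.1f}s after the form was loaded; minimum is {min_time}s"
    return True, f"submitted {elapsed:.1f}s after the form was loaded"


def simulate(delay_seconds: Optional[float], bot_check_flag: bool = True,
             min_time: float = BOT_CHECK_MIN_TIME) -> Tuple[bool, str]:
    """Replay one submission against a fresh session. None means the client posted
    straight to the script without ever loading the form page."""
    session: Dict[str, datetime] = {}
    loaded = datetime(2024, 1, 1, 12, 0, 0)   # constructed fixed clock
    if delay_seconds is None:
        return bot_check(session, loaded, bot_check_flag, min_time=min_time)
    form_page_loaded(session, loaded)
    return bot_check(session, loaded + timedelta(seconds=delay_seconds),
                     bot_check_flag, min_time=min_time)


if __name__ == "__main__":
    for label, delay in (("direct post, form never loaded", None),
                         ("posted half a second after load", 0.5),
                         ("posted twelve seconds after load", 12)):
        print(f"{label}: {simulate(delay)}")
```

The fresh dictionary in simulate also stands in for a browser that rejects the session cookie: without the cookie, every request arrives with an empty session and is refused, which is the first of the downsides described below.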

So basically, it's checking for human-like behaviour. A user loads the form in the browser, spends some time filling it out, then submits it. This is unlike a typical spam bot which simply submits data directly to the form processing script. Even if a bot does load the form first, it is unlikely to wait several seconds before submitting the form data to the script.

The main downsides to this technique are that users must accept cookies from your site (because ASP session state needs a cookie to uniquely identify each session), the submitting form must be an ASP page (in order to set the session variable), and both the submitting form and the form mail script must be on the same web server (which is usually the case, but not always).