Protect Your Contact Form against Spammers

‘Contact Us’ page

How can a user contact the administrators of a web site? Usually every web site has a ‘contact us’ page listing the contact details of the people in charge. However, this is not really convenient. The user has to start his mail client, make sure the recipient’s address is correct, make sure the right mail account (if he/she has several) is selected, add a subject, and so on.

Those people who have no mail client program installed (probably millions, including my mother and sister) have to log in to their HOTMAIL or YAHOO accounts and compose a letter. In addition, spammers run programs that scan the Internet to harvest e-mail addresses. Very soon the owners of the web site start receiving hundreds and thousands of spam letters. Worse, an important letter from a customer can be deleted accidentally by the person in charge or by an overzealous ‘anti-spam’ program.

As you can see, a regular ‘contact us’ page with an e-mail address on it is a pain in the arse for everyone involved. What is the proper way to go? A custom form, made specifically to serve the visitors and the administration of a web site, handles that simple but important task for you.

All the user has to do is write (or select) a proper subject, enter his name and e-mail, write his message and hit the ‘SEND’ button. Fast and furious.

Though the form on the screenshot requires the user’s e-mail address and name, it is sometimes better not to require them. Rather than performing unnecessary validation and receiving fake names and e-mails anyway, you may want to let it go.

Stop Spammers

The form itself is simple for a web developer; what I would like to emphasize is the potential vulnerability of the form. Spammers may use your form to run mass-mailing campaigns from your server. Rule number one here is to make sure that user input is never placed into the headers of the generated e-mail. Your code MUST have hard-coded FROM, TO, SUBJ and CC fields. All the information from the contact form MUST be written into the body of the message. Additionally, you may want to filter it for HTML and JavaScript tags, though some may see that as paranoid.

Stop Spam

Additionally, you may want to stop people from spamming the mailbox that receives the contact form messages. Some web developers add a CAPTCHA (a picture of random numbers) to the contact form. Personally I hate CAPTCHAs; it is such a pain to ‘guess’ what is written there. Besides, any advanced spammer will get around it: they run XXX sites with photos and show your CAPTCHA in a frame, and in order to see the next photo the XXX maniac deciphers your CAPTCHA for them. Nice approach.

I prefer filtering the user’s input on the server side against a list of well-known spam words such as ‘stock’ or ‘Viagra’. Just make sure your users never legitimately need to submit such words on your site.

Conclusion

And there is rule number two for every web developer defending a web site: be quiet. It is so tempting sometimes to give an ironic response – do not do that. Silence is the secret weapon here. Let your code do nothing, or reply with the regular response.
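The three rules above (hard-coded headers with every user value in the body, a server-side word filter, and the same response whether or not the message is actually sent) as one added Python handler; this is example code written for this article, not the author’s form. The addresses, the two-word block list and the sample post are constructed placeholders, and HTML is neutralised by escaping rather than by stripping tags.

```python
"""Contact form handler: fixed headers, user input only in the body."""
import html
import re
from email.message import EmailMessage

# Hard-coded header values (placeholder addresses, constructed for this example)
MAIL_FROM = "contact-form@example.invalid"
MAIL_TO = "admin@example.invalid"
MAIL_SUBJECT = "Contact form message"

# Server-side word filter from the text; a real list would be longer
BLOCKED_WORDS = ("viagra", "stock")

LINE_BREAK_RE = re.compile(r"[\r\n]+")


def one_line(value):
    """Collapse line breaks and escape HTML so a field can never look like a header."""
    return html.escape(LINE_BREAK_RE.sub(" ", value).strip())


def is_spam(*fields):
    """True if any blocked word appears in any submitted field (case-insensitive)."""
    text = " ".join(fields).lower()
    return any(word in text for word in BLOCKED_WORDS)


def build_message(name, reply_addr, subject, body):
    """Build the e-mail. Headers are constants; every user value lands in the body."""
    msg = EmailMessage()
    msg["From"] = MAIL_FROM
    msg["To"] = MAIL_TO
    msg["Subject"] = MAIL_SUBJECT
    # No Reply-To either: the visitor's address is data, not a header.
    msg.set_content(
        f"Name: {one_line(name)}\n"
        f"Reply address: {one_line(reply_addr)}\n"
        f"Subject: {one_line(subject)}\n\n"
        f"{html.escape(body)}\n"
    )
    return msg


def handle_submission(name, reply_addr, subject, body, send):
    """Process one form post; the response is identical whether or not mail goes out."""
    if not is_spam(name, reply_addr, subject, body):
        send(build_message(name, reply_addr, subject, body))
    return "Thank you, your message has been received."
```

`send` is whatever actually delivers the message (for instance `smtplib.SMTP.send_message`); a name field containing `"Eve\r\nBcc: list@example.invalid"` ends up as harmless body text, not as an extra header.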

Good luck!

One Response to “Protect Your Contact Form against Spammers”

  1. David McLure Says:

    Good advice. I’m not exactly sure where to go with this information however. I am a Java web developer who has been burnt once too many times by using various Perl and PHP programs for Contact Me data which I barely understood on my web sites. I am ready to employ some sort of Java solution for Contact Me data, but I still don’t see exactly where to go with this (other than back to the drawing board).

    More specific clues would be appreciated.

    Thanks

    David McLure
