OIT Web Center

MS FrontPage form spam blocker

Description

Web forms present the opportunity for misuse by anyone who uses your form or who can find security holes they can exploit. Groups or individuals who spread Spam advertising or computer viruses are two of the most common sources of misuse of unprotected forms.

Microsoft FrontPage forms are especially difficult to protect since form processing is done on the back end by FrontPage web bots. There are other options for protecting FrontPage forms, but they require programming knowledge and possibly additional software to be installed on the web server. The Web Services team has developed and tested a simple and straight forward modification that can be made to your form in order to protect it from misuse.

Please keep in mind no security mechanism is foolproof and this fix is no different.

Instructions

*Note: Do NOT paste the code into your page in design view, it will not work and the code will be displayed on the page.

1. Open your site with Microsoft FrontPage.
2. Open the page that includes the form you want to protect.
3. Switch to code view using tabs at the bottom of the editor window.
4. Find the following form tag in the page and insert a blank line above the tag.
   

   </FORM>

5. Copy the code from below and paste it in the blank line you just created above the </FORM> tag.
6. Save the file.

Code

<!-- BEGIN: FrontPage Spambot code (v3) - DO NOT EDIT THIS CODE -->
<!--webbot bot="Validation" s-data-type="String" b-allow-whitespace="TRUE" 
    i-maximum-length="1" s-validation-constraint="Not equal to" s-validation-value=" " -->
<input type="text" id="SpamTrap" name="SpamTrap" size="5" style="display: none; border: 0;" readonly>
<!-- END: FrontPage Spambot code end -->

Additional steps to protect forms

• Use FrontPage features to validate fields
  
  

  *You can add validation by selecting each field(right-click on the field) in turn and select Field Properties.

Examples(all of these can be done in FrontPage):

- Only allow letters to be entered in fields that should only be letters, such as a persons name.
- Only allow numbers, parenthesis and a dash to be entered in phone number fields
(unless you accomodate internation numbers).
- Only allow numbers and forward slashes (/) in a date field.
- Restrict the length of a phone number field to 14 (unless you accomodate internation numbers).
e.g. (208) 111-2222
- Restrict the length of any field, such as a full name field might be restricted to 50 characters.


• If you do restrict fields, make sure you provide an example of the format you expect from the visitor filling out the form. To do this put a text label underneath or next to the input field with text that displays the format you want.

Allowing visitors to enter any type of character and any length of text into a form field presents opportunities to misuse your form. The more strict you are about the type of information that can be entered into form fields, the greater your chance of preventing misuse of your form.

Site maintained by Skip Knox — sknox@boisestate.edu