How Your Unsecure Webform Could Impact Email Performance

A webform is an area on a website where users can submit information, and either they or others receive an email reply from the company who owns that website. Common webforms include:

  • Forward-to-a-friend
  • Surveys
  • Order & payment forms
  • Invitations & RSVP’s
  • Registration and contact forms

Between January and April 2017, 64 percent of detected compromises among Return Path Certified clients resulted from webform abuse. Spammers entered content and links into the webform’s custom text box then sent those spam messages to numerous email addresses.

If you have received a malicious email that was generated via a webform, it can be tricky to determine its legitimacy. First of all, this mail comes from the company’s infrastructure so the originating IP address will belong to the company. Also, spammers can be very crafty and include subject lines that are similar or even identical to what a company would use. However, major red flags include suspicious URLs/URL shorteners, along with content that is not associated with the company and includes structural and grammatical errors.

How does webform abuse impact email reputation and deliverability?
Return Path’s Certification team routinely witnesses how webform compromises affect senders’ performance and overall deliverability. For starters, webform spammers often send to random email addresses they purchase or harvest online. The random nature of their email acquisition – coupled with the spam webform message coming from your IP – increases the chances of your IP address hitting spam traps.

Complaint rates and blacklisting can also impact your reputation and deliverability. If a webform spam message is delivered to a legitimate email address, it’s likely the recipient will complain. This increases your complaint rate at mailbox providers and hurts your reputation. It is also probable that your IP will be placed on industry blacklists, which mailbox providers use to determine reputation and set filtering rules.

How does Certification detect webform abuse and remediate the issue?
Return Path’s Compliance team is here to help. We immediately contact our clients once we detect a webform compromise. Like I have explained in my previous blog post on Certification Security, we work alongside the client to minimize impact and reduce performance recovery time and associated costs. We analyze spam messages, identify the compromise/cause and develop an action plan to remediate abuse.

Naturally, our recommendations to fix webform compromises vary by case. However, below are some basic precautions you can take to secure your webforms:

  • CAPTCHA and reCAPTCHA: Require users to prove they are human before submitting a webform, thereby preventing bots from abusing the form.
  • Outbound filtering: Block abusive traffic by scanning or filtering outbound email traffic as it exits a network.
  • IP filtering: Check your monitoring tools to see if the majority of the abuse is coming from certain IPs and block them.
  • Message & Recipient limits: Limit the number of messages a user can send or restrict the number of email addresses a user can message.
  • URL restrictions: Either remove the ability to include URLs within messages or review emails with an URL that isn’t secure (HTTPS). Have a policy in place that would flag shortened URLs, that are used to redirect to the original web pages.
  • New account verification: Verify content being sent by free or new accounts (for example less than 12 hours old) trying to send the maximum or close to the maximum number of emails (200).

Remember, any unsecured webform is vulnerable to spammers. However, Return Path’s Certification customers see reduced impact to their programs because our Compliance team monitors and resolves issues much faster than senders who are not certified.

For more information about the Return Path Certification program, please visit the Certification page on our website.

minute read

Popular stories



BriteVerify email verification ensures that an email address actually exists in real-time


The #1 global data quality tool used by thousands of Salesforce admins


Insights and deliverability guidance from the only all-in-one email marketing solution

GridBuddy Cloud

Transform how you interact with your data through the versatility of grids.

Return Path

World-class deliverability applications to optimize email marketing programs

Trust Assessments

A revolutionary new solution for assessing Salesforce data quality


Validity for Email

Increase inbox placement and maximize subscriber reach with clean and actionable data

Validity for Data Management

Simplify data management with solutions that improve data quality and increase CRM adoption

Validity for Sales Productivity

Give your sales team back hours per day with tools designed to increase productivity and mitigate pipeline risks in real-time