Spammers Begone

We recently enabled a small security enhancement to the Spiffy Stores software to prevent a security attack called Cross Site Request Forgery (CSRF).

Basically, an encrypted token is now generated and inserted into every form on the store web pages. This prevents a hacker from copying a form from the site and tricking you into executing the form from a fake site, which would otherwise give the hacker access to your account.

Whilst it was extremely unlikely that this sort of attack would work because of the way in which the Spiffy Stores software is designed, it never hurts to improve security wherever possible.

However, it turns out to have an unintended bonus effect!

Spiffy Stores is one of the few ecommerce solutions that has a “Contact Us” form built into your store. This form is generated for you automatically and you don’t need to use a third-party online form service to get something as essential as a contact form.

Now that we have added the Cross Site Request Forgery code, we are seeing instances of spammers who have “copied” the contact forms from various sites and have built them into scripts to try to spam our store owners with fake contact form submissions. All of these attempts are now failing because they are all detected as forgeries, and this means that your inbox will contain less of the spam generated by these pests.
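A minimal sketch of why a copied form is rejected, as an added example (not Spiffy Stores' own code). It assumes the token is an HMAC bound to the visitor's session ID; the names `issue_token`, `verify_token` and `handle_contact_post` are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Value placed in a hidden form field when the page is rendered."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_token(session_id: Optional[str], token: Optional[str]) -> bool:
    """True only if the token was issued for this exact session."""
    if not session_id or not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    expected = _mac(session_id, nonce)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_contact_post(session_id: Optional[str], form: dict) -> int:
    """Return an HTTP-style status for a contact form submission."""
    if not verify_token(session_id, form.get("csrf_token")):
        return 403  # treated as a forgery, message is never delivered
    return 200


# Constructed sample data: a real visitor loads the form and submits it.
visitor = secrets.token_urlsafe(16)
rendered = {"message": "Do you ship overseas?",
            "csrf_token": issue_token(visitor)}

# A script replays a copy of that form from its own session (or none).
script_session = secrets.token_urlsafe(16)
copied = dict(rendered, message="constructed spam text")

if __name__ == "__main__":
    print(handle_contact_post(visitor, rendered))        # genuine visitor
    print(handle_contact_post(script_session, copied))   # copied form
    print(handle_contact_post(None, copied))             # no session at all
```
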