
A few weeks ago, one of our clients' websites was hacked.
Well, technically speaking, it wasn’t hacked. It’s more accurate to say one particular page was abused by an automated robot trying to find a mail form it could use to send spam. The interesting thing is we knew this type of attack could happen, we know it will probably happen again, and we’re okay with that.
Here’s the scoop.
Our client has a form on their website that has exactly four fields: first name, last name, phone number and email address. It’s a low-barrier, “Request More Info” form that sends the contents of the fields to a sales representative via email. The sales rep then contacts the person and a lead is born. Well, a spam robot picked up the form and used it to send several thousand emails to the sales representative, all with a URL for an exe file that would perform some nasty thing on their computer should they be foolish enough to run it.
Was it annoying? Yes. Did we feel violated? Somewhat. Was any real harm done? No.
Since the recipient of the email could not be altered, the robot was not able to distribute the emails to a wide audience. Also, since our client’s sales rep is not as dumb as a rock, he didn’t download and run the exe (allow me to suggest that one should never click on an unsolicited exe file or else one deserves what one gets).
Could we have stopped the bot? Yes, and we usually do. We use a very simple security technique that is invisible to users but blocks the majority of robots. It is not infallible, and it has been compromised twice in the past couple of years. We could do more to block robots, such as adding a CAPTCHA, but we choose not to. CAPTCHAs, by the way, are those awful squiggly text images where you have to type the words or letters you see. It stands for “Completely Absurd Pedantic Torture designed to Confuse, Humiliate and Annoy”*.
Our primary goal on these forms is to generate leads for our clients. There are plenty of studies and tests which demonstrate that for every field one adds to a form, conversion rates drop correspondingly. CAPTCHA may help keep out spammers, but it can also make it harder for users to complete the form. Casey Henry over at SEOmoz performed some tests and found that adding CAPTCHA may reduce your conversions by 3%. That 3% is not people who never found you. It’s people who found you and then decided that your website was so annoying that they just moved on.
We choose to go with lean security to improve the ease of use for our end users, which leads to more conversions. Unless the robot is able to manipulate the recipient (imagine an “Email this link to a friend” form), we do not recommend that our clients put CAPTCHAs on their forms. The inconvenience of having to occasionally delete spam is well worth the extra opportunities.
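The design point in the two paragraphs above is that the recipient address lives in server-side code and is never taken from the request, so a bot that abuses the form can only reach the one mailbox. The handler below is an added example, not the code behind the client's form: it hard-codes the recipient for the four-field “Request More Info” form, rejects values that carry line breaks (the usual route to smuggling an extra recipient into mail headers), and checks a hidden honeypot field. The post does not name its invisible anti-robot technique, so the honeypot, the addresses and the URL-in-name heuristic are assumptions made for this example.

```python
import re
from email.message import EmailMessage

# The sales rep's address is fixed in server-side code and never read from
# the request, so a bot abusing the form can only mail this one mailbox.
SALES_REP = "sales-rep@example.com"     # placeholder address (constructed)
FORM_SENDER = "web-form@example.com"    # placeholder address (constructed)
REQUIRED_FIELDS = ("first_name", "last_name", "phone", "email")
# Hidden field real visitors never see or fill in. The post does not name
# its invisible technique; a honeypot field is assumed here.
HONEYPOT_FIELD = "website"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^[0-9+()\-\s.]{7,20}$")

def validate(fields):
    """Return (ok, reason) for a submitted form given as a dict of field -> str."""
    if fields.get(HONEYPOT_FIELD):
        return False, "honeypot field was filled in"
    for name in REQUIRED_FIELDS:
        value = fields.get(name, "")
        if not value.strip():
            return False, f"missing {name}"
        # CR/LF in a value is the classic way to smuggle extra mail headers
        # (an added recipient, say); reject it rather than try to clean it.
        if "\r" in value or "\n" in value:
            return False, f"line break in {name}"
    # The bot in the post used the form to spread a link; a URL has no place
    # in a name field (added heuristic, not from the post).
    if "://" in fields["first_name"] or "://" in fields["last_name"]:
        return False, "URL in name field"
    if not EMAIL_RE.match(fields["email"]):
        return False, "malformed email"
    if not PHONE_RE.match(fields["phone"]):
        return False, "malformed phone"
    return True, ""

def build_lead_message(fields):
    """Build the lead email for the sales rep, or None if the submission is rejected."""
    ok, _reason = validate(fields)
    if not ok:
        return None
    msg = EmailMessage()
    msg["To"] = SALES_REP            # fixed; any "to" key in fields is ignored
    msg["From"] = FORM_SENDER
    msg["Subject"] = "Request More Info"
    msg["Reply-To"] = fields["email"]   # validated: no whitespace or CR/LF
    msg.set_content("\n".join(f"{n}: {fields[n]}" for n in REQUIRED_FIELDS))
    return msg
```

Sending the returned message with your mail library of choice is left out; the point is that nothing a visitor types ever decides where the mail goes.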
* Okay, it’s actually “Completely Automatic Public Test to tell Humans and Computers Apart”, but my interpretation of the acronym is more descriptive. Though distasteful, the ideas behind it are really quite interesting. If you’d like to learn why humans are so good at something that computers are not, I recommend chapter 13 of Douglas Hofstadter’s Metamagical Themas. It’s a fun and thought-provoking read, especially if you love typography.
Author’s note: I briefly considered titling this post “A Practical Guide to Exposing Yourself on the Internet” but decided against it at the last moment.