Re: Email Forms - Blocking Spammers

From: Gordon Burditt (gordonb.7tqgp_at_burditt.org)
Date: 20 Oct 2004 02:08:58 GMT


>As far as I know, spammers aren't scouring the web for feedback /
>contact-us forms.

Spammers seem to find insecure versions of programs like "formmail"
with frustrating rapidity.

>I moved to a "email form" and haven't gotten any
>spam from it. Likewise, I moved my employer's email to a "form" and
>they haven't gotten any spam either.

The threat here is using your web server to spam the world,
incidentally getting mail from the web server blocked by a lot of
ISPs. They don't usually spam the webmaster as that would give
away the security hole.

One of the most important things about your form is: DON'T allow
input from the browser to specify a destination address. DON'T put
the To: address in a hidden field on the form. DON'T put the To:
address in a cookie. Preferably, hard-code it as a fixed string
that points at one of YOUR mailboxes.

Also: DON'T allow input from the browser to specify a From: address.
(It's better to make that a fixed string, also.) DON'T allow input
from the browser to do anything to the headers or body that might
cause a bounceback to the From: address (e.g. attach a virus,
excessive length, cusswords, etc.)

DON'T mail something back to an email address entered on a form.

You can relax some of these rules if using the form requires a login
and a password that can't be obtained just by filling in another
form (e.g. it waits a few days for the credit card payment to clear
before permitting use).

                                                Gordon L. Burditt
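An added example, not code from the post or from anyone in the thread, of a form handler built along the lines Gordon describes: To: and From: are fixed server-side strings, browser input never reaches a header except a length-bounded, line-break-free Subject, the sender's address stays in the body rather than in Reply-To, and extra fields such as "to" or "bcc" are ignored. The addresses and field limits are constructed placeholders.

```python
import re
from email.message import EmailMessage

# Hard-coded addresses (constructed placeholders). They are never read from
# a form field, a hidden input, or a cookie.
TO_ADDR = "webmaster@example.com"
FROM_ADDR = "contact-form@example.com"

# Per-field length caps (assumed values) so a submission cannot produce an
# oversized message that bounces or gets rejected.
MAX_LEN = {"name": 100, "email": 200, "subject": 200, "message": 4000}

# Any CR, LF or NUL in a value destined for a header would let the browser
# inject extra headers (Bcc:, To:, ...), so such values are refused outright.
HEADER_SAFE = re.compile(r"^[^\r\n\x00]*$")


class BadInput(ValueError):
    """Raised when a form field violates the rules; the handler sends nothing."""


def build_message(form: dict) -> EmailMessage:
    """Turn raw form fields into a message whose headers are fixed server-side.

    Only 'subject' is placed in a header (after the CR/LF check); everything
    else the visitor typed goes into the body as plain text.
    """
    fields = {}
    for key, limit in MAX_LEN.items():
        value = form.get(key, "")
        if not isinstance(value, str) or len(value) > limit:
            raise BadInput(f"{key}: missing, wrong type or too long")
        fields[key] = value
    if not HEADER_SAFE.match(fields["subject"]):
        raise BadInput("subject: line break would inject headers")
    # Keys outside MAX_LEN (e.g. 'to', 'cc', 'bcc', 'from') are simply ignored.
    msg = EmailMessage()
    msg["To"] = TO_ADDR
    msg["From"] = FROM_ADDR
    msg["Subject"] = "[contact form] " + fields["subject"]
    # The visitor's address is recorded for a human to read, not set as
    # Reply-To, so nothing is ever mailed back to an address typed into the form.
    body = (f"Name (unverified): {fields['name']}\n"
            f"Address given (unverified): {fields['email']}\n\n"
            f"{fields['message']}")
    msg.set_content(body)
    return msg


def accept(form: dict) -> bool:
    """True if the submission passes the checks and a message can be built."""
    try:
        build_message(form)
        return True
    except BadInput:
        return False
```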
