Re: Email Forms - Blocking Spammers

From: Gordon Burditt (gordonb.7tqgp_at_burditt.org)
Date: 10/20/04


Date: 20 Oct 2004 02:08:58 GMT


>As far as I know, spammers aren't scouring the web for feedback /
>contact-us forms.

Spammers seem to find insecure versions of programs like "formmail"
with frustrating rapidity.

>I moved to a "email form" and haven't gotten any
>spam from it. Likewise, I moved my employer's email to a "form" and
>they haven't gotten any spam either.

The threat here is using your web server to spam the world,
incidentally getting mail from the web server blocked by a lot of
ISPs. They don't usually spam the webmaster as that would give
away the security hole.

One of the most important things about your form is: DON'T allow
input from the browser to specify a destination address. DON'T put
the To: address in a hidden field on the form. DON'T put the To:
address in a cookie. Preferably, hard-code it as a fixed string
that points at one of YOUR mailboxes.

Also: DON'T allow input from the browser to specify a From: address.
(It's better to make that a fixed string, also.) DON'T allow input
from the browser to do anything to the headers or body that might
cause a bounceback to the From: address (e.g. attach a virus,
excessive length, cusswords, etc.)

DON'T mail something back to an email address entered on a form.

You can relax some of these rules if using the form requires a login
and a password that can't be obtained just by filling in another
form (e.g. it waits a few days for the credit card payment to clear
before permitting use).

                                                Gordon L. Burditt
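A form handler that follows the rules above, written in Python as an added example (not code from the original post or from any formmail program); the two addresses and the size limit are assumed placeholder values, and the returned message is what you would hand to your local mailer.

```python
from email.message import EmailMessage

# Fixed routing: the browser can never choose where mail goes or who it is from.
# Both addresses are assumed placeholders for this example.
FORM_RECIPIENT = "webmaster@example.com"   # one of YOUR mailboxes
FORM_SENDER = "webform@example.com"        # fixed From:, never the visitor's address
MAX_BODY_BYTES = 4000                      # assumed limit; oversized mail invites bounces

# Field names that would let a visitor influence headers; refused outright.
FORBIDDEN_FIELDS = {"to", "cc", "bcc", "from", "reply-to", "recipient"}


class FormRejected(ValueError):
    """Raised when a submission tries to control routing or exceeds limits."""


def _single_line(value: str, limit: int) -> str:
    """Force a browser-supplied value onto one line.

    CR, LF and NUL are removed (not just escaped) so the value can never
    terminate a header and start a new one such as Bcc:."""
    cleaned = "".join(ch for ch in value if ch not in "\r\n\x00")
    return cleaned.strip()[:limit]


def build_form_message(fields: dict) -> EmailMessage:
    """Build the mail for a form submission with all headers under server control.

    The visitor's e-mail address is recorded in the body only; it is never
    used as From:, Reply-To: or a destination, so nothing is mailed back to it."""
    supplied = {name.lower() for name in fields}
    bad = supplied & FORBIDDEN_FIELDS
    if bad:
        raise FormRejected(f"form fields not accepted: {sorted(bad)}")

    body = fields.get("message", "")
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        raise FormRejected("message body too long")

    subject = _single_line(fields.get("subject", "Web form submission"), 100)
    visitor = _single_line(fields.get("email", ""), 254)

    msg = EmailMessage()
    msg["To"] = FORM_RECIPIENT
    msg["From"] = FORM_SENDER
    msg["Subject"] = "[webform] " + subject
    msg.set_content(
        f"Visitor-supplied address (informational only): {visitor}\n\n{body}"
    )
    return msg
```

Header injection attempts end up as harmless text inside the Subject: line, and any attempt to name a recipient field is rejected before a message is built.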


