Jerry Stuckle wrote:
> Robertico wrote:
>> I'm interested in a solution to create a "spam" secure mailform.
>> I read about domain checks but they use the $HTTP_REFERER and imo that's
>> not 100%.
>> As the manual mentioned: "The address of the page (if any) which referred
>> the user agent to the current page.
>> This is set by the user agent. Not all user agents will set this, and
>> some provide the ability to modify HTTP_REFERER as a feature.
>> In short, it cannot really be trusted."
>> Also read something about sessions. But what's the best (secure as
>> possible) way to prevent using the mail form outside my domain.
>>
>> Robertico
>>
>>
>
> Don't use hidden fields to contain the address. Rather, use a select box
> to put some key value in the form and use a separate configuration file or
> database.
>
> For instance, you might have:
>
> <select name="destination">
> <option value="webmaster">Webmaster</option>
> <option value="custsvc">Customer Service</option>
> <option value="sales">Sales</option>
> </select>
>
> Once you've validated the input, look up the selected value in your
> database or config file and send the mail.
>
> As a secondary bonus you don't have email addresses in the web form for the
> spam 'bots to find. Anyone will be able to use your form no matter where they
> came from - but they won't be able to send to anyone except those *you*
> define.
>
> Also - you can build the options dynamically depending on what's in the
> database or config file. Makes it much easier.
>
Well, that is not 100%... for example a script can easily send
destination=whatever simply in a GET command with telnet or a custom script
that connects to the host and port and gets/posts the form.
There are a couple of things you might want to do to make it harder for the
spammers:
1) set a cookie with timestamp + host + ip + browser (etc...) and check the
existence and validate the cookie upon script run
2) check the cookie of the one requesting the form in the first place and
save that in the cookie; if no cookie when the script submission is carried
out, or error arguments in it: spammer
Greger
--
http://www.kolumbus.fi/bob.smith
Received on Mon Oct 17 21:08:29 2005
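An added example in the thread's language, PHP, written for this page and not code from any of the posters: it combines Jerry's allowlist lookup (the select key resolves to an address in a server-side config array, so a forged "destination=whatever" resolves to nothing) with Greger's cookie check (a timestamp plus host, IP and browser, here protected with an HMAC so the cookie cannot be minted by a script that never fetched the form, and rejected once it is older than 15 minutes). The `$recipients` array, the `MAILFORM_SECRET` environment variable, the example.com addresses and the 900-second lifetime are constructed assumptions; the array form of `setcookie()` needs PHP 7.3 or newer.

```php
<?php
// Added example (not from the thread). Allowlisted destination keys plus a
// signed, time-limited cookie bound to the client that requested the form.

// Constructed config: key => [label shown in the select, real address].
// The addresses never appear in the HTML, only the keys do.
$recipients = [
    'webmaster' => ['Webmaster',        'webmaster@example.com'],
    'custsvc'   => ['Customer Service', 'support@example.com'],
    'sales'     => ['Sales',            'sales@example.com'],
];

// Assumption: the HMAC secret lives in the environment, outside the web root.
$secret = getenv('MAILFORM_SECRET') ?: 'replace-me-with-a-long-random-secret';
$maxAge = 900; // seconds a form cookie stays valid (assumed value)

// Greger's "host + ip + browser". These headers can be spoofed, so the cookie
// raises the cost for bots; it is not proof of a human.
function client_fingerprint(array $server): string {
    return ($server['HTTP_HOST'] ?? '') . '|'
         . ($server['REMOTE_ADDR'] ?? '') . '|'
         . ($server['HTTP_USER_AGENT'] ?? '');
}

// Cookie value: <issued-at>.<nonce>.<hmac over issued-at, nonce, fingerprint>
function issue_token(string $secret, string $fingerprint, int $now): string {
    $payload = $now . '.' . bin2hex(random_bytes(8));
    $mac = hash_hmac('sha256', $payload . '|' . $fingerprint, $secret);
    return $payload . '.' . $mac;
}

function verify_token(string $token, string $secret, string $fingerprint,
                      int $now, int $maxAge): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !preg_match('/^\d+$/', $parts[0])) {
        return false;                               // malformed: Greger's "error arguments"
    }
    [$issued, $nonce, $mac] = $parts;
    $age = $now - (int)$issued;
    if ($age < 0 || $age > $maxAge) {
        return false;                               // expired, or clock is ahead of ours
    }
    $expected = hash_hmac('sha256', $issued . '.' . $nonce . '|' . $fingerprint, $secret);
    return hash_equals($expected, $mac);            // constant-time comparison
}

// Only keys present in the config resolve; anything else is null.
function resolve_destination(array $recipients, string $key): ?string {
    return $recipients[$key][1] ?? null;
}

$fp = client_fingerprint($_SERVER);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_COOKIE['mailform_token'] ?? '';      // absent cookie => rejected
    $to    = resolve_destination($recipients, (string)($_POST['destination'] ?? ''));
    if (!verify_token($token, $secret, $fp, time(), $maxAge) || $to === null) {
        http_response_code(400);
        exit('Form submission rejected.');
    }
    // Headers are fixed server-side; no user input reaches the header block,
    // which keeps injected Cc:/Bcc: lines out of the message.
    $body = substr((string)($_POST['message'] ?? ''), 0, 4000);
    mail($to, 'Web form message', $body, "From: mailform@example.com\r\n");
    exit('Thank you.');
}

// GET: hand out a fresh cookie with the form, as Greger's step 2 describes.
setcookie('mailform_token', issue_token($secret, $fp, time()), [
    'expires'  => 0,                                // session cookie
    'path'     => '/',
    'httponly' => true,
    'samesite' => 'Lax',
]);
echo '<form method="post"><select name="destination">';
foreach ($recipients as $key => [$label, $_address]) {
    printf('<option value="%s">%s</option>',
        htmlspecialchars($key, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));
}
echo '</select><textarea name="message"></textarea><button>Send</button></form>';
```

The cookie does what Greger's timestamp + host + IP + browser scheme aims for, but the HMAC is what makes it hold up: without it a script could fabricate a plausible cookie value instead of first requesting the form. Even so, a bot that does fetch the form and replays within the lifetime gets through, so rate limiting per address and logging rejected submissions remain worthwhile alongside it.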