The form I have is a request form that could come from anyone, anywhere. So 
I cannot limit the form to certain recipients or to certain IP addresses.

Here are some thoughts I had:

1. check for multiple email addresses in the email line. I don't think this 
would work because the hacker probably wouldn't type in individual email 
addresses, but they would come from a list.

2. write the input to a flat file or mySQL db file so that the results can 
be viewed in an online report, then the email address can be clicked on and 
responded to manually or the name and address can be taken down and 
information mailed. This would have to be a password protected page, done 
in a script.

Any thoughts on these ideas or other ideas??
Alisa



On Mon, 1 Apr 2002 11:40:21 +0200, [EMAIL PROTECTED] (Thomas 
Bätzler) wrote :

> "Art & Alisa Davis" <[EMAIL PROTECTED]> asked:
> > What ways have you guys come up with to stop "Third-Party Mail Relay". I
> > posted about a week ago about my script getting hacked. Since then I've
> > asked a lot of questions and learned a lot about third-party mail relay
> > security holes. For everyone who has a form on a web page where they
> > would like to have the results emailed or reported back to them in some
> > way, what are the ways to make your scripts as secure as possible.
> 
> Make the mail recipient fixed - if it can't be changed via a CGI
> parameter, then it can't be abused. If you have a number of potential
> recipients, store their names in a hash, then see if the recipient
> parameter that is submitted via the script is included in that hash.
> 
> If you have lots of recipients but from a fixed number of domains,
> you should check the incoming recipient names to see whether they
> are in one of those domains. Make sure that the username part of the
> address only contains valid characters: [a-zA-Z0-9._-+] (ottoh).
> 
> HTH,
> --
> Home Page: http://baetzler.de/ - Humor Archive http://baetzler.de/humor/
_______________________________________________
ActivePerl mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
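As an added illustration of the approach Thomas describes (this is not code from the thread or from either poster), a Perl recipient check for a form-mailer script: a fixed recipient hash, an allowed-domain fallback, and a local-part character test. Note that inside a character class the hyphen must go last, `[a-zA-Z0-9._+-]`, because `._-+` is otherwise read as a range. All addresses and domains below are constructed samples.

```perl
#!/usr/bin/perl
# Added example (not from the thread): recipient validation for a form-mailer
# CGI script, following the advice above. Addresses and domains are
# constructed samples. The safest option is still a single hard-coded
# recipient and no recipient parameter at all.
use strict;
use warnings;
# Option 1: a fixed set of permitted recipients, kept in a hash.
my %ALLOWED_RECIPIENT = map { $_ => 1 } (
    'sales@example.com',
    'support@example.com',
);

# Option 2: many recipients, but only inside a fixed set of domains.
my %ALLOWED_DOMAIN = map { $_ => 1 } ('example.com', 'example.org');

# Returns the normalised address, or nothing when the request must be refused.
sub validate_recipient {
    my ($raw) = @_;
    return unless defined $raw;

    # Refuse anything that could smuggle extra headers or recipients:
    # CR/LF, commas, semicolons, whitespace, or more than one '@'.
    return if $raw =~ /[\r\n,;\s]/;
    my @parts = split /\@/, $raw, -1;
    return unless @parts == 2;
    my ($user, $domain) = @parts;

    # Local part: only the characters recommended above. The hyphen goes
    # last in the class so it is not taken as a range.
    return unless $user =~ /^[a-zA-Z0-9._+-]+$/;
    return if $user =~ /^\./ || $user =~ /\.$/ || $user =~ /\.\./;

    my $addr = lc($user) . '@' . lc($domain);
    return $addr if $ALLOWED_RECIPIENT{$addr};
    return $addr if $ALLOWED_DOMAIN{ lc $domain };
    return;
}

# Quick self-check when run directly: the first two are accepted, the
# rest (foreign domain, header injection, list, double '@') are refused.
unless (caller) {
    for my $try ('sales@example.com', 'Anyone@Example.ORG', 'victim@other.net',
                 "a\@example.com\nBcc: spam\@other.net",
                 'a@example.com,b@other.net', 'x@example.com@other.net') {
        (my $shown = $try) =~ s/\n/\\n/g;
        my $ok = validate_recipient($try);
        printf "%-42s => %s\n", $shown, defined $ok ? "ACCEPT $ok" : 'REJECT';
    }
}
```

Rejecting CR/LF and separators also blocks the header-injection variant of the abuse, where a single "email" field carries extra Bcc: or To: lines.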
