If you are providing a means for unknown persons to send email through your servers to addresses outside of your organization without some comprehensive and reliable means of authorizing the sender, then no advice we can provide here will solve your problem, as it is your business process which is broken, not your technology.
I would **STRONGLY** recommend that you rethink what you are trying to accomplish. I can imagine no reason whatsoever why you would wish to provide the service as described above.

/rr

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, April 01, 2002 11:31 AM
To: [EMAIL PROTECTED]
Subject: Re: How do you stop Third-Party Mail Relay?

The form I have is a request form that could come from anyone, anywhere. So I cannot limit the form to certain recipients or to certain IP addresses. Here are some thoughts I had:

1. Check for multiple email addresses in the email line. I don't think this would work, because the hacker probably wouldn't type in individual email addresses; they would come from a list.

2. Write the input to a flat file or MySQL db file so that the results can be viewed in an online report; then the email address can be clicked on and responded to manually, or the name and address can be taken down and information mailed. This would have to be a password-protected page, done in a script.

Any thoughts on these ideas or other ideas??

Alisa

On Mon, 1 Apr 2002 11:40:21 +0200, [EMAIL PROTECTED] (Thomas Bätzler) wrote:

> "Art & Alisa Davis" <[EMAIL PROTECTED]> asked:
> > What ways have you guys come up with to stop "Third-Party Mail Relay"? I
> > posted about a week ago about my script getting hacked. Since then I've
> > asked a lot of questions and learned a lot about third-party mail relay
> > security holes. For everyone who has a form on a web page where they would
> > like to have the results emailed or reported back to them in some way, what
> > are the ways to make your scripts as secure as possible?
>
> Make the mail recipient fixed - if it can't be changed via a CGI
> parameter, then it can't be abused. If you have a number of potential
> recipients, store their names in a hash, then see if the recipient
> parameter that is submitted via the script is included in that hash.
>
> If you have lots of recipients but from a fixed number of domains,
> you should check the incoming recipient names to see whether they
> are in one of those domains. Make sure that the username part of the
> address only contains valid characters: [a-zA-Z0-9._-+] (ottoh).
>
> HTH,
> --
> Home Page: http://baetzler.de/ - Humor Archive http://baetzler.de/humor/

_______________________________________________
ActivePerl mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
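The recipient checks Thomas describes above (a fixed address, a hash of allowed recipients, a domain allowlist, and a character check on the username part), written out as a runnable Perl snippet. This is an added example for this thread, not code posted by anyone on the list. The addresses and domains in the allowlists are made up, the sendmail path in the commented send step is an assumption, and the check that refuses CR/LF, NUL, commas and semicolons in every visitor-supplied field goes beyond the thread: a newline inside a recipient or subject field is the standard way a form-mail script gets turned into a relay (it appends a `Bcc:` header), so the example rejects it outright rather than trying to clean it.

```perl
#!/usr/bin/perl
# Added example (not from the thread): recipient allowlisting for a
# form-mail CGI script. Addresses, domains and the sendmail path below are
# hypothetical and chosen only for illustration.
use strict;
use warnings;

# 1. Fixed allowlist of complete addresses (hypothetical), kept as a hash
#    so the lookup is an exact match and nothing else.
my %ALLOWED_RECIPIENT = map { lc($_) => 1 } qw(
    sales@example.com
    support@example.com
);

# 2. Domains whose users may also be addressed (hypothetical).
my %ALLOWED_DOMAIN = map { lc($_) => 1 } qw(
    example.com
    example.org
);

# Return the canonical recipient address, or undef if the request must be
# refused. Never pass the raw parameter to the mailer.
sub validate_recipient {
    my ($raw) = @_;
    return undef unless defined $raw;

    # CR/LF inject extra headers (Bcc:); commas/semicolons and NUL are how a
    # single field turns into a recipient list. Refuse, do not strip.
    return undef if $raw =~ /[\r\n\0,;]/;

    my $addr = lc $raw;
    $addr =~ s/^\s+//;
    $addr =~ s/\s+$//;

    # Exact match against the fixed hash wins immediately.
    return $addr if $ALLOWED_RECIPIENT{$addr};

    # Otherwise: exactly one '@', a local part drawn from the safe set
    # [a-z0-9._+-] (the thread's list, tightened so it cannot start with
    # '-' and be mistaken for a sendmail option), and an allowed domain.
    my ($local, $domain) =
        $addr =~ /^([a-z0-9][a-z0-9._+-]{0,63})\@([a-z0-9.-]+)$/
        or return undef;
    return undef unless $ALLOWED_DOMAIN{$domain};
    return "$local\@$domain";
}

# Visitor-supplied header values (Subject, a reply address) must be a single
# line. Returns '' when the field is absent, undef when it must be refused.
sub clean_header {
    my ($value, $max) = @_;
    $max = 200 unless defined $max;
    return '' unless defined $value;
    return undef if $value =~ /[\r\n\0]/;
    return substr($value, 0, $max);
}

# The From: is fixed so the visitor never controls an envelope or header
# sender; the validated recipient is the only variable header.
sub build_message {
    my ($to, $subject, $body) = @_;
    return join "\r\n",
        "To: $to",
        "From: webform\@example.com",
        "Subject: $subject",
        "",
        $body;
}

# Constructed test inputs covering the abuse patterns the thread worries about.
my @tests = (
    'sales@example.com',                              # fixed list    -> OK
    'Alice.Smith@example.org',                        # allowed domain -> OK
    'victim@spammed.example',                         # foreign domain -> refused
    "sales\@example.com\nBcc: list\@spam.example",    # header injection -> refused
    'a@example.com,b@example.com',                    # recipient list -> refused
    '-oQ/tmp@example.com',                            # option-like local part -> refused
);

for my $t (@tests) {
    my $ok = validate_recipient($t);
    (my $shown = $t) =~ s/\n/\\n/g;
    printf "%-48s => %s\n", $shown, defined $ok ? "OK ($ok)" : "REFUSED";
}

# Send step (not run here; assumes a Unix sendmail at the path shown). The
# validated address is handed to sendmail as an argument instead of using
# -t, so the To: header can never add recipients. On ActivePerl/Windows the
# same validated values would go to Net::SMTP.
#
# if (my $to = validate_recipient($cgi->param('recipient'))) {
#     my $subj = clean_header($cgi->param('subject'));
#     die "bad subject" unless defined $subj;
#     open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', $to) or die "sendmail: $!";
#     print $mail build_message($to, $subj, $cgi->param('message'));
#     close $mail;
# }
```

Running the script prints `OK` for the first two inputs and `REFUSED` for the rest. The point of refusing rather than sanitising is that every "clean-up" rule is a guess about what the mailer will parse; an allowlist plus a hard reject on line breaks needs no such guess. Alisa's second idea (store the request, have a logged-in person decide what gets mailed) is the other sound design: it removes the visitor from the path to the mailer entirely.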
