I am really confused by this statement. I have designed a website for a friend. She has a rental business. She would like to have a form where visitors to her website can request to have a brochure sent to them or to request prices for renting items. They supply some or all of the following information: name, address, phone #, email address, date of event, and comments. My friend snail mails them a brochure and/or sends them a price quote for the items/date requested via email. Why would this be such a strange form? I see them all the time. They can't all have gaping security holes.
The email is supposed to only go to my friend. It is NOT supposed to go anywhere else. However, the script was hacked in such a way as to send spam email TO numerous (and I mean numerous) AOL customers FROM my friend's email address. The referers were set properly, the To: email address was set properly, but apparently this is an easy thing to circumvent. Though I used the dreaded Matt Kruse formmail script, it was supposed to be the updated one that was supposed to have the majority of the holes patched.

Thanks,
Alisa

On Mon, 1 Apr 2002 12:23:38 -0500, "Robert Raisch" <[EMAIL PROTECTED]> wrote :

> If you are providing a means for unknown persons to send email through your
> servers to addresses outside of your organization without some comprehensive
> and reliable means of authorizing the sender, then no advice we can provide
> here will solve your problem, as it is your business process which is
> broken, not your technology.
>
> I would **STRONGLY** recommend that you rethink what you are trying to
> accomplish.
>
> I can imagine no reason whatsoever why you would wish to provide the service
> as described above.
>
> /rr
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, April 01, 2002 11:31 AM
> To: [EMAIL PROTECTED]
> Subject: Re: How do you stop Third-Party Mail Relay?
>
> The form I have is a request form that could come from anyone, anywhere. So
> I cannot limit the form to certain recipients or to certain IP addresses.
>
> Here are some thoughts I had:
>
> 1. check for multiple email addresses in the email line. I don't think this
> would work because the hacker probably wouldn't type in individual email
> addresses, but they would come from a list.
>
> 2. write the input to a flat file or mySQL db file so that the results can
> be viewed in an online report, then the email address can be clicked on and
> responded to manually or the name and address can be taken down and
> information mailed. This would have to be a password protected page, done
> in a script.
>
> Any thoughts on these ideas or other ideas??
> Alisa
>
> On Mon, 1 Apr 2002 11:40:21 +0200, [EMAIL PROTECTED] (Thomas Bätzler) wrote :
>
> > "Art & Alisa Davis" <[EMAIL PROTECTED]> asked:
> > > What ways have you guys come up with to stop "Third-Party Mail Relay". I
> > > posted about a week ago about my script getting hacked. Since then I've
> > > asked a lot of questions and learned a lot about third-party mail relay
> > > security holes. For everyone who has a form on a web page where they
> > > would like to have the results emailed or reported back to them in some
> > > way, what are the ways to make your scripts as secure as possible.
> >
> > Make the mail recipient fixed - if it can't be changed via a CGI
> > parameter, then it can't be abused. If you have a number of potential
> > recipients, store their names in a hash, then see if the recipient
> > parameter that is submitted via the script is included in that hash.
> >
> > If you have lots of recipients but from a fixed number of domains,
> > you should check the incoming recipient names to see whether they
> > are in one of those domains. Make sure that the username part of the
> > address only contains valid characters: [a-zA-Z0-9._-+] (ottoh).
> >
> > HTH,
> > --
> > Home Page: http://baetzler.de/ - Humor Archive http://baetzler.de/humor/

_______________________________________________
ActivePerl mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
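The following Perl is an added example that puts Thomas's three suggestions into code: a fixed To: address that the form cannot change, an optional hash of exact recipients, and a domain check with a strict character class on the local part. It is not code from this thread and not the FormMail script Alisa was running; the addresses under example.com and the field names (recipient, email, name, subject, address, phone, event_date, comments) are assumptions for the sake of the demonstration. It goes one step beyond the advice above: every value that will land in a mail header is also refused if it contains a CR, LF or other control character, because a form whose To: is fixed can still be turned into a relay if a visitor-supplied field such as the reply address carries a line break followed by a Bcc: line. The hyphen is placed last in the character class so Perl treats it as a literal rather than a range.

```perl
#!/usr/bin/perl
# Added example: validating a contact-form request before it is handed to
# sendmail. Not code from the thread or from the FormMail script it discusses.
use strict;
use warnings;

# The form owner. The To: header is never taken from the form (assumed address).
my $FIXED_RECIPIENT = 'rentals@example.com';

# Exact-match list for sites with several staff mailboxes (assumed addresses).
my %ALLOWED_RECIPIENT = map { $_ => 1 } qw(rentals@example.com quotes@example.com);

# Domains whose local parts may be chosen freely, if they pass the class (assumed).
my %ALLOWED_DOMAIN = map { $_ => 1 } qw(example.com);

my $LOCAL_PART_RE = qr/^[A-Za-z0-9._+-]+$/;                # hyphen last: literal
my $DOMAIN_RE     = qr/^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/;

# True if $value may be placed in a mail header: no CR, LF or other control
# characters, so a field cannot smuggle in extra header lines such as Bcc:.
sub header_value_ok {
    my ($value) = @_;
    return 0 unless defined $value;
    return $value =~ /[\x00-\x1F\x7F]/ ? 0 : 1;
}

# True if $addr is exactly one well-formed address (one '@', clean parts).
sub single_address_ok {
    my ($addr) = @_;
    return 0 unless defined $addr && header_value_ok($addr);
    my @parts = split /\@/, $addr, -1;
    return 0 unless @parts == 2;
    return ($parts[0] =~ $LOCAL_PART_RE && $parts[1] =~ $DOMAIN_RE) ? 1 : 0;
}

# True if $addr is an acceptable recipient: on the exact list, or a clean
# local part at one of the allowed domains.
sub recipient_ok {
    my ($addr) = @_;
    return 0 unless defined $addr && length $addr;
    $addr = lc $addr;
    return 1 if $ALLOWED_RECIPIENT{$addr};
    return 0 unless single_address_ok($addr);
    my (undef, $domain) = split /\@/, $addr;
    return $ALLOWED_DOMAIN{$domain} ? 1 : 0;
}

# Validates the submitted fields and returns ($message_text, \@errors);
# $message_text is undef when any error was found.
sub build_message {
    my ($form) = @_;
    my @errors;

    my $to = $form->{recipient};
    if (defined $to && length $to) {
        push @errors, 'recipient not allowed' unless recipient_ok($to);
    } else {
        $to = $FIXED_RECIPIENT;
    }
    push @errors, 'bad visitor email' unless single_address_ok($form->{email});
    for my $field (qw(name subject)) {
        my $v = $form->{$field};
        $v = '' unless defined $v;
        push @errors, "control characters in $field" unless header_value_ok($v);
    }
    return (undef, \@errors) if @errors;

    # Everything else goes in the body only, where line breaks are harmless.
    my $body = join "\n", map {
        my $v = $form->{$_}; $v = '' unless defined $v; "$_: $v"
    } qw(name email address phone event_date comments);
    my $subject = defined $form->{subject} && length $form->{subject}
                ? $form->{subject} : 'Brochure request';
    my $msg = join "\n",
        "To: $to",
        "From: $FIXED_RECIPIENT",
        "Reply-To: $form->{email}",
        "Subject: $subject",
        '', $body, '';
    return ($msg, \@errors);
}

unless (caller) {
    # Constructed sample requests: one honest, one trying to add recipients.
    my %good = (name => 'Jane Doe', email => 'jane@example.net',
                event_date => '2002-06-15', comments => "Need 20 chairs\nand 4 tables");
    my %bad  = (name => 'x', recipient => 'victim@aol.com', subject => 'hi',
                email => "a\@b.com\nBcc: v1\@aol.com, v2\@aol.com");
    for my $req (\%good, \%bad) {
        my ($msg, $err) = build_message($req);
        print defined $msg ? "ACCEPTED:\n$msg\n" : "REJECTED: @$err\n";
        # Only when $msg is defined: open my $mail, '|-', '/usr/sbin/sendmail -t -i'
    }
}
```

Run as a script it accepts the first request and rejects the second with "recipient not allowed" and "bad visitor email". The visitor's address is used only in Reply-To after it has passed the single-address check, and the To: is either the fixed owner address or a value that matched the whitelist exactly, so a list of AOL addresses submitted in any field ends up, at most, as text in the body the owner reads.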
