are you really quite sure that it was the script that sent the spam? Or
does your friend just have an open mail relay?

By the way, do you mean "Matt Wright" script?

dwoz

> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: RE: How do you stop Third-Party Mail Relay?
> Date: 1 Apr 2002 18:18:23 -0000
>
> I am really confused by this statement. I have designed a website for a
> friend. She has a rental business. She would like to have a form where
> visitors to her website can request to have a brochure sent to them or to
> request prices for renting items. They supply some or all of the
> following information: name, address, phone #, email address, date of
> event, and comments. My friend snail mails them a brochure and/or sends
> them a price quote for the items/date requested via email. Why would this
> be such a strange form? I see them all the time. They can't all have
> gaping security holes.
>
> The email is supposed to only go to my friend. It is NOT supposed to go
> anywhere else. However, the script was hacked in such a way as to send
> spam email TO numerous (and I mean numerous) AOL customers FROM my
> friend's email address. The referers were set properly, the To: email
> address was set properly, but apparently this is an easy thing to
> circumvent. Though I used the dreaded Matt Kruse formmail script, it was
> supposed to be the updated one that was supposed to have the majority of
> the holes patched.
>
> Thanks,
> Alisa
>
> On Mon, 1 Apr 2002 12:23:38 -0500, "Robert Raisch" <[EMAIL PROTECTED]>
> wrote :
>
> > If you are providing a means for unknown persons to send email through
> > your servers to addresses outside of your organization without some
> > comprehensive and reliable means of authorizing the sender, then no
> > advice we can provide here will solve your problem, as it is your
> > business process which is broken, not your technology.
> >
> > I would **STRONGLY** recommend that you rethink what you are trying to
> > accomplish.
> >
> > I can imagine no reason whatsoever why you would wish to provide the
> > service as described above.
> >
> > /rr
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Monday, April 01, 2002 11:31 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: How do you stop Third-Party Mail Relay?
> >
> > The form I have is a request form that could come from anyone,
> > anywhere. So I cannot limit the form to certain recipients or to
> > certain IP addresses.
> >
> > Here are some thoughts I had:
> >
> > 1. check for multiple email addresses in the email line. I don't think
> > this would work because the hacker probably wouldn't type in individual
> > email addresses, but they would come from a list.
> >
> > 2. write the input to a flat file or mySQL db file so that the results
> > can be viewed in an online report, then the email address can be
> > clicked on and responded to manually or the name and address can be
> > taken down and information mailed. This would have to be a password
> > protected page, done in a script.
> >
> > Any thoughts on these ideas or other ideas??
> > Alisa
> >
> > On Mon, 1 Apr 2002 11:40:21 +0200, [EMAIL PROTECTED] (Thomas
> > Bätzler) wrote :
> >
> > > "Art & Alisa Davis" <[EMAIL PROTECTED]> asked:
> > > > What ways have you guys come up with to stop "Third-Party Mail
> > > > Relay". I posted about a week ago about my script getting hacked.
> > > > Since then I've asked a lot of questions and learned a lot about
> > > > third-party mail relay security holes. For everyone who has a form
> > > > on a web page where they would like to have the results emailed or
> > > > reported back to them in some way, what are the ways to make your
> > > > scripts as secure as possible.
> > >
> > > Make the mail recipient fixed - if it can't be changed via a CGI
> > > parameter, then it can't be abused. If you have a number of potential
> > > recipients, store their names in a hash, then see if the recipient
> > > parameter that is submitted via the script is included in that hash.
> > >
> > > If you have lots of recipients but from a fixed number of domains,
> > > you should check the incoming recipient names to see whether they
> > > are in one of those domains. Make sure that the username part of the
> > > address only contains valid characters: [a-zA-Z0-9._-+] (ottoh).
> > >
> > > HTH,
> > > --
> > > Home Page: http://baetzler.de/ - Humor Archive http://baetzler.de/humor/

_______________________________________________
ActivePerl mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
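Thomas's advice above (fixed recipient, allowlist hash, own-domain check, clean local part) as an added Python example; this is not the FormMail script the thread discusses nor code from any poster. It also refuses a visitor email field that holds more than one address or a line break, the check Alisa's item 1 considers. Form field names, addresses and domains are constructed samples.

```python
import re

# Recipient keys the HTML form may send, mapped to fixed addresses so the
# raw parameter never reaches the mailer.  Addresses are constructed samples.
ALLOWED_RECIPIENTS = {
    "brochure": "brochures@example.com",
    "quote": "quotes@example.com",
}
# For sites with many mailboxes on a few domains they own.
ALLOWED_DOMAINS = {"example.com"}
# Thomas's character set for the local part, hyphen last so it is literal.
LOCAL_PART_RE = re.compile(r"^[a-zA-Z0-9._+-]+$")
DOMAIN_RE = re.compile(r"^[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$")

def single_address(value):
    """True only for exactly one clean local@domain with no list or line break."""
    if not value or any(ch in value for ch in "\r\n,;"):
        return False
    if value.count("@") != 1:
        return False
    local, domain = value.split("@")
    return bool(LOCAL_PART_RE.match(local)) and bool(DOMAIN_RE.match(domain))

def resolve_recipient(form_value):
    """Allowlist key -> fixed address; else a clean address in our own domain;
    anything else is refused (None)."""
    fixed = ALLOWED_RECIPIENTS.get(form_value)
    if fixed is not None:
        return fixed
    if single_address(form_value):
        if form_value.split("@")[1].lower() in ALLOWED_DOMAINS:
            return form_value
    return None

def build_headers(form):
    """Return (headers, None) for an accepted submission or (None, reason)."""
    to_addr = resolve_recipient(form.get("recipient", ""))
    if to_addr is None:
        return None, "recipient not on the allow list"
    visitor = form.get("email", "")
    if not single_address(visitor):
        return None, "visitor email must be a single clean address"
    subject = form.get("subject", "Web form request")
    if "\r" in subject or "\n" in subject:
        return None, "multi-line subject rejected"
    # From: is always the site's own mailbox; the visitor goes in Reply-To.
    return {"To": to_addr, "From": "webform@example.com",
            "Reply-To": visitor, "Subject": subject}, None
```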
