Hello,
Most of the time, I lurk. Now I have a question. A reply to my questions or a referral to a more appropriate list would be appreciated.
At the request of our CEO, I set up a web form which is processed by a cgi script so that it logs to a file and then sends an autoresponse to the email address entered on the web form. Last night, someone downloaded my web form, modified it and used the modified version to POST, thereby spamming one person 3 times in quick succession. This got our domain placed on a spam list. One of our outgoing emails was bounced this morning.
I am running perl in taint mode, so all of the nasty characters entered on the web form were scrubbed out. Looking at our logs, I cannot see that our server was compromised. The person looking for an open relay did not find one. I have turned off the autoresponse feature of the cgi script.
Even with an autoresponder in place, it is possible to prevent bulk spammers from sending out large messages through a server. I can do this by using the cgi script to truncate all of the web form values to just enough characters to suit the purposes of the web form. However, someone can still send unwanted emails to anyone they list in the email address box on the web form.
I don't see how I can easily prevent unwanted emails being sent from a web form. There must be a way since I see so many web forms which send autoresponses. I have a vague sense that I could do a reverse DNS lookup on the IP address that is accessing the web page and then only autorespond if the browser access and the email address match. However, that would prevent someone from filling out a web form at home and asking for the response to be sent to a work email address.
As far as I can tell, anyone visiting a web page can fill in someone else's email address. I conclude that a web form autoresponder is always likely to get one's domain added to a spam list, eventually. Getting off a spam list is time consuming.
Any thoughts?
Thank you!
David Cogley
_______________________________________________
bblisa mailing list
[EMAIL PROTECTED]
http://www.bblisa.org/mailman/listinfo/bblisa
