Joel,
Any script that allows a user to send an unlimited number of emails to arbitrary addresses could be misused. However, I expect the chances of this are much reduced if the user is not also able to include his/her/its own message. Without the ability to piggyback an advertisement on your email, there is little incentive to turn your script into a robot tool. Of course, it might still be possible to perform an injection attack by fiddling with the form parameters, but this would require a hole in the script logic.
There are a few tricks you could employ to fight robots if you also must allow user messages, but I can't think of any that are worthy of weighing down a small project:
1. "Enter the number you see in the image at right". It might be fun to try this with GD and/or ImageMagick. Fun. Hmmm....
2. IP address logging. This one fails miserably for the ISPs that promiscuously share their addresses. I think AOL does this. Perhaps you could dismiss the false positives as 'collateral damage'.
3. Force registration/login. This is over the top.
I've never heard of an 'email this page' script being used for spam. Most spams appear to be plain text and rather short in length (tee hee), and perhaps this is an indication that spammers value efficiency (while ignoring ours). Throw in a few images, make it a 20KB email, and maybe it's just too heavy for them. Anyway, while I'm offering anecdotal evidence I might as well admit that I've had an 'email this page' script running for a couple years, with arbitrary user messages allowed, and no anti-spam measures. (It does clean out embedded tags, though). The email is HTML mail, with images, and probably around 30KB to 40KB.
This may be taken as further evidence, along with my desire to make CGI::Carp 'fatalsToBrowser' a default-on feature, of my cavalier (or irresponsible) attitude toward security. Hey, at least I'm not logging credit information in plain text in a world-readable file under the document root.
:-O
Bogart
On Mar 15, 2005, at 10:33 PM, Joel Gwynn wrote:
Now on to my next question. I have a client who wants an "email this page" link on the web site. It seems to me that there must be security/spamming risks to this that I might miss, and thought if others had done this already, they might be able to warn me of some potential gotchas, and tricks to avoid them.
_______________________________________________ Boston-pm mailing list [email protected] http://mail.pm.org/mailman/listinfo/boston-pm
