Re: defeating offline form posts

2007-05-11 Thread K Simanonok
Offsite forms can be submitted to use your email templates as Here's the header you'd have to include. Referer: http://mywebsite.com/ Not too much to that, is there? Not if they are able to figure it out, which someone determined enough would probably eventually do. Fortunately my

Re: defeating offline form posts

2007-05-11 Thread Tom Chiverton
On Friday 11 May 2007, K Simanonok wrote: What would be a better way to solve this problem? Asking them a simple math question seems to be working well at the moment. -- Tom Chiverton Helping to advantageously repurpose edge-of-your-seat metrics on: http://thefalken.livejournal.com

Re: defeating offline form posts

2007-05-11 Thread James Holmes
At some stage this will be the only true solution: http://zapatopi.net/afdb/ On 5/11/07, K Simanonok [EMAIL PROTECTED] wrote: Offsite forms can be submitted to use your email templates as Here's the header you'd have to include. Referer: http://mywebsite.com/ Not too much to that, is

RE: defeating offline form posts

2007-05-11 Thread Bobby Hartsfield
At some stage this will be the only true solution: http://zapatopi.net/afdb/ Hah! Indeed it will But until they make the model with the plastic-wrap inner-lining... there are plenty of transparent methods to try. Quite a few people have solved their spamming problem with a simple hidden

Re: defeating offline form posts

2007-05-11 Thread Richard Cooper
A while back someone was having a problem with using cfhttp to login to an ASP site. There was huge debate on why this was happening. I haven't re-read it but I bet there are some extra methods in there for defeating offline form posts ( maybe even spam bots?) I think this was the post:

Re: defeating offline form posts

2007-05-10 Thread James Holmes
Many personal firewalls (e.g. Norton Internet Security) strip the referer info, so this may send a nasty message to legit users. Spoofing it is as easy as cfheader on CF and an equivalent in any other platform and if I were spamming I'd assume that I needed to set this to the online form location

RE: defeating offline form posts

2007-05-10 Thread Bobby Hartsfield
. -Original Message- From: K Simanonok [mailto:[EMAIL PROTECTED] Sent: Thursday, May 10, 2007 1:28 AM To: CF-Talk Subject: Re: defeating offline form posts At 03:10 AM 5/9/2007, Eric wrote: Curious question here. If I think about this, if someone takes a form of ours for login, for example

RE: defeating offline form posts

2007-05-10 Thread Dave Watts
Offsite forms can be submitted to use your email templates as Spam blasters or else to send Spam to you, and such submittals can be automated so they'll do their dirty work without any human intervention. I just recently had this problem with some creep attacking a site of mine with a

Re: defeating offline form posts

2007-05-09 Thread Tom Chiverton
On Wednesday 09 May 2007, Eric J. Hoffman wrote: authenticate file... what is the best way to detect this and defeat it? No one has ever gained access this way as of yet, but we are studying possibilities, and this seems to me to be an attack vector. What could they do by submitting the local

Re: defeating offline form posts

2007-05-09 Thread Jochem van Dieten
Eric J. Hoffman wrote: Curious question here. If I think about this, if someone takes a form of ours for login, for example, and makes a local copy on their machine... and they set the post action to be the live server authenticate file... what is the best way to detect this and defeat it?

Re: defeating offline form posts

2007-05-09 Thread Chris Norloff
transmission. If verification is required please request a hard-copy version. -Original Message- From: AJ Mercer [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 08, 2007 9:53 PM To: CF-Talk Subject: Re: defeating offline form posts

Re: defeating offline form posts

2007-05-09 Thread Chris Norloff
: defeating offline form posts Have a look at the CGI variables, in particular CGI.HTTP_REFERER. This is the page before the current one - it should have your server details in there, otherwise discard. On 5/9/07, Eric J. Hoffman [EMAIL PROTECTED] wrote: Curious question here. If I think about

RE: defeating offline form posts

2007-05-09 Thread Bobby Hartsfield
My thoughts exactly Jochem. What's the difference if they use their form or your form if the action template is what matters? -Original Message- From: Jochem van Dieten [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 09, 2007 6:05 AM To: CF-Talk Subject: Re: defeating offline form posts

Re: defeating offline form posts

2007-05-09 Thread Ken Wexel
] wrote: That's where I started... but the thing is, I think they can spoof that variable? Or not? -Original Message- From: AJ Mercer [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 08, 2007 9:53 PM To: CF-Talk Subject: Re: defeating offline form posts Have a look

Re: defeating offline form posts

2007-05-09 Thread Tom Chiverton
On Wednesday 09 May 2007, Ken Wexel wrote: seems like it would be a lot of work to create the session, load the form, save the form locally, change the post path, spoof the session, etc. just to post it from somewhere else once. Depends on your threat profile. It only takes a geek an hour or

RE: defeating offline form posts

2007-05-09 Thread Eric J. Hoffman
] Sent: Wednesday, May 09, 2007 5:05 AM To: CF-Talk Subject: Re: defeating offline form posts Eric J. Hoffman wrote: Curious question here. If I think about this, if someone takes a form of ours for login, for example, and makes a local copy on their machine... and they set the post action

RE: defeating offline form posts

2007-05-09 Thread Dave Watts
Curious question here. If I think about this, if someone takes a form of ours for login, for example, and makes a local copy on their machine... and they set the post action to be the live server authenticate file... what is the best way to detect this and defeat it? No one has ever

Re: defeating offline form posts

2007-05-09 Thread Ken Wexel
True... it's all relatively relative I suppose :) On 5/9/07, Tom Chiverton [EMAIL PROTECTED] wrote: On Wednesday 09 May 2007, Ken Wexel wrote: seems like it would be a lot of work to create the session, load the form, save the form locally, change the post path, spoof the session, etc.

RE: defeating offline form posts

2007-05-09 Thread Bobby Hartsfield
-Talk Subject: RE: defeating offline form posts Well, an automated process where they create spam accounts into the system? We could use CAPTCHA maybe, but a lot of users hate that. I was wondering if there was a good practice to additionally nail them in advance of captcha use, but maybe

Re: defeating offline form posts

2007-05-09 Thread K Simanonok
At 03:10 AM 5/9/2007, Eric wrote: Curious question here. If I think about this, if someone takes a form of ours for login, for example, and makes a local copy on their machine... and they set the post action to be the live server authenticate file... what is the best way to detect this and

Re: defeating offline form posts

2007-05-08 Thread AJ Mercer
Have a look at the CGI variables, in particular CGI.HTTP_REFERER. This is the page before the current one - it should have your server details in there, otherwise discard. On 5/9/07, Eric J. Hoffman [EMAIL PROTECTED] wrote: Curious question here. If I think about this, if someone takes a form

RE: defeating offline form posts

2007-05-08 Thread Jaime Metcher
Put the session ID in the form and then check to see if the session has expired. Jaime Metcher -Original Message- From: Eric J. Hoffman [mailto:[EMAIL PROTECTED] Sent: Wednesday, 9 May 2007 12:44 PM To: CF-Talk Subject: defeating offline form posts Curious question here. If I

RE: defeating offline form posts

2007-05-08 Thread Eric J. Hoffman
. -Original Message- From: AJ Mercer [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 08, 2007 9:53 PM To: CF-Talk Subject: Re: defeating offline form posts Have a look at the CGI variables in particular CGI.HTTP_REFERER This is the page

RE: defeating offline form posts

2007-05-08 Thread Jaime Metcher
a hard-copy version. -Original Message- From: AJ Mercer [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 08, 2007 9:53 PM To: CF-Talk Subject: Re: defeating offline form posts Have a look at the CGI variables in particular

Re: defeating offline form posts

2007-05-08 Thread Ken Wexel
a hard-copy version. -Original Message- From: AJ Mercer [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 08, 2007 9:53 PM To: CF-Talk Subject: Re: defeating offline form posts Have a look at the CGI variables in particular

Re: defeating offline form posts

2007-05-08 Thread Maximilian Nyman
that variable? Or not? -Original Message- From: AJ Mercer [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 08, 2007 9:53 PM To: CF-Talk Subject: Re: defeating offline form posts Have a look at the CGI variables in particular CGI.HTTP_REFERER This is the page before