Offsite forms can be submitted to use your email templates as
Here's the header you'd have to include.
Referer: http://mywebsite.com/
Not too much to that, is there?
Not if they are able to figure it out, which someone determined enough would
probably eventually do. Fortunately my
On Friday 11 May 2007, K Simanonok wrote:
What would be a better way to solve this problem?
Asking them a simple math question seems to be working well at the moment.
--
Tom Chiverton
Helping to advantageously repurpose edge-of-your-seat metrics
on: http://thefalken.livejournal.com
At some stage this will be the only true solution:
http://zapatopi.net/afdb/
On 5/11/07, K Simanonok [EMAIL PROTECTED] wrote:
Offsite forms can be submitted to use your email templates as
Here's the header you'd have to include.
Referer: http://mywebsite.com/
Not too much to that, is
At some stage this will be the only true solution:
http://zapatopi.net/afdb/
Hah! Indeed it will
But until they make the model with the plastic-wrap inner-lining... there
are plenty of transparent methods to try. Quite a few people have solved
their spamming problem with a simple hidden
A while back someone was having a problem with using cfhttp to login to an ASP
site.
There was huge debate on why this was happening. I haven't re-read it but I bet
there are some extra methods in there for defeating offline form posts ( maybe
even spam bots?)
I think this was the post:
Many personal firewalls (e.g. Norton Internet Security) strip the
referer info, so this may send a nasty message to legit users.
Spoofing it is as easy as cfheader on CF and an equivalent in any
other platform and if I were spamming I'd assume that I needed to set
this to the online form location
-Original Message-
From: K Simanonok [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 10, 2007 1:28 AM
To: CF-Talk
Subject: Re: defeating offline form posts
At 03:10 AM 5/9/2007, Eric wrote:
Curious question here. If I think about this, if someone takes a form
of ours for login, for example
Offsite forms can be submitted to use your email templates as
Spam blasters or else to send Spam to you, and such
submittals can be automated so they'll do their dirty work
without any human intervention. I just recently had this
problem with some creep attacking a site of mine with a
On Wednesday 09 May 2007, Eric J. Hoffman wrote:
authenticate file, what is the best way to detect this and defeat it?
No one has ever gained access this way as of yet, but we are studying
possibilities, and this seems to me to be an attack vector.
What could they do by submitting the local
Eric J. Hoffman wrote:
Curious question here. If I think about this, if someone takes a form
of ours for login, for example, and makes a local copy on their
machine and they set the post action to be the live server
authenticate file, what is the best way to detect this and defeat it?
transmission. If
verification is required please request a hard-copy version.
-Original Message-
From: AJ Mercer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 08, 2007 9:53 PM
To: CF-Talk
Subject: Re: defeating offline form posts
: defeating offline form posts
Have a look at the CGI variables
in particular CGI.HTTP_REFERER
This is the page before the current one - it should have your server details
in there, otherwise discard.
On 5/9/07, Eric J. Hoffman [EMAIL PROTECTED] wrote:
Curious question here. If I think about
My thoughts exactly Jochem. What's the difference if they use their form or
your form if the action template is what matters?
-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 09, 2007 6:05 AM
To: CF-Talk
Subject: Re: defeating offline form posts
That's where I started, but the thing is, I think they can spoof that
variable? Or not?
-Original Message-
From: AJ Mercer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 08, 2007 9:53 PM
To: CF-Talk
Subject: Re: defeating offline form posts
Have a look
On Wednesday 09 May 2007, Ken Wexel wrote:
seems like it would be a lot of work to create the session,
load the form, save the form locally, change the post path, spoof the
session, etc. just to post it from somewhere else once.
Depends on your threat profile.
It only takes a geek an hour or
Sent: Wednesday, May 09, 2007 5:05 AM
To: CF-Talk
Subject: Re: defeating offline form posts
Eric J. Hoffman wrote:
Curious question here. If I think about this, if someone takes a form
of ours for login, for example, and makes a local copy on their
machine and they set the post action
Curious question here. If I think about this, if someone
takes a form of ours for login, for example, and makes a local
copy on their machine and they set the post action to be the
live server authenticate file, what is the best way to detect
this and defeat it? No one has ever
True...it's all relatively relative I suppose :)
On 5/9/07, Tom Chiverton [EMAIL PROTECTED] wrote:
On Wednesday 09 May 2007, Ken Wexel wrote:
seems like it would be a lot of work to create the session,
load the form, save the form locally, change the post path, spoof the
session, etc.
Subject: RE: defeating offline form posts
Well, an automated process where they create spam accounts into the system?
We could use CAPTCHA maybe, but a lot of users hate that. I was wondering
if there was a good practice to additionally nail them in advance of captcha
use, but maybe
At 03:10 AM 5/9/2007, Eric wrote:
Curious question here. If I think about this, if someone takes a form
of ours for login, for example, and makes a local copy on their
machine and they set the post action to be the live server
authenticate file, what is the best way to detect this and
Have a look at the CGI variables
in particular CGI.HTTP_REFERER
This is the page before the current one - it should have your server details
in there, otherwise discard.
On 5/9/07, Eric J. Hoffman [EMAIL PROTECTED] wrote:
Curious question here. If I think about this, if someone takes a form
Put the session ID in the form and then check to see if the session has
expired.
Jaime Metcher
-Original Message-
From: Eric J. Hoffman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 9 May 2007 12:44 PM
To: CF-Talk
Subject: defeating offline form posts
Curious question here. If I
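The three checks the thread puts forward, worked through as one added example that is not code from the list or from any of its posters: AJ Mercer's CGI.HTTP_REFERER test (kept only as a logged hint, since later replies point out it is set with cfheader as easily as anything and that some personal firewalls strip it), Jaime Metcher's session-bound hidden token checked on the action template, and Tom Chiverton's simple math question whose answer is stored server-side. It is written in Python rather than CFML so it runs as-is; the secret key, the 20-minute session lifetime, the in-memory dict standing in for the session scope, the HMAC token construction and the one-shot challenge are my assumptions, not anything the thread specifies. The site URL is the one from K Simanonok's Referer example.

```python
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumptions, not from the thread: a server-side secret, a 20-minute session
# lifetime, and an in-memory dict standing in for the ColdFusion session scope.
SECRET_KEY = b"server-side secret; rotate in production"
SESSION_TTL_SECONDS = 20 * 60
SITE_URL = "http://mywebsite.com/"  # host used in the thread's Referer example


@dataclass
class Session:
    sid: str
    created: float  # server clock when the session was minted
    challenge_answer: Optional[int] = None


SESSIONS: Dict[str, Session] = {}


def new_session(now: float) -> str:
    """Mint a session id; the real app would send this as the session cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(sid=sid, created=now)
    return sid


def session_is_live(sid: Optional[str], now: float) -> bool:
    sess = SESSIONS.get(sid or "")
    return sess is not None and (now - sess.created) < SESSION_TTL_SECONDS


def referer_is_local(headers: Dict[str, str]) -> bool:
    """AJ Mercer's CGI.HTTP_REFERER check. Any client can set this header
    (cfheader, curl) and some personal firewalls strip it, so it is only a hint."""
    return headers.get("Referer", "").startswith(SITE_URL)


def form_token(sid: str) -> str:
    """Hidden-field value bound to the session via HMAC, so the HTML never
    exposes the session id itself and a saved copy of the form carries a
    token that dies with the session it was served to."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def issue_form(sid: str, seed: Optional[int] = None) -> Dict[str, str]:
    """Render step: embed the token and a small arithmetic question. Only the
    answer is kept, and only in the session. `seed` is for reproducible tests."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    a, b = rng.randint(1, 9), rng.randint(1, 9)
    SESSIONS[sid].challenge_answer = a + b
    return {"token": form_token(sid), "question": f"What is {a} + {b}?"}


def accept_post(sid_cookie: Optional[str], form: Dict[str, str],
                headers: Dict[str, str], now: float) -> Tuple[bool, str]:
    """Action-template check: the POST must arrive with a live session, carry
    that session's token, and answer the question served to that session.
    Referer is observed but never decides the outcome."""
    if not session_is_live(sid_cookie, now):
        return False, "no live session (copied form, or session expired)"
    sess = SESSIONS[sid_cookie]
    # constant-time compare: a plain != leaks timing on a partial match
    if not hmac.compare_digest(form.get("token", ""), form_token(sid_cookie)):
        return False, "token does not belong to this session"
    if sess.challenge_answer is None or form.get("answer", "").strip() != str(sess.challenge_answer):
        return False, "wrong or missing challenge answer"
    sess.challenge_answer = None  # one-shot: a replayed POST must fetch a fresh form
    note = "" if referer_is_local(headers) else " (referer missing or foreign: logged, not blocked)"
    return True, "accepted" + note


def demo() -> List[Tuple[str, bool, str]]:
    """Walk the cases the thread argues about; returns (case, accepted, reason)."""
    now = 1_000_000.0
    sid = new_session(now)

    def fresh() -> Dict[str, str]:
        fields = issue_form(sid, seed=7)
        return {"token": fields["token"], "answer": str(SESSIONS[sid].challenge_answer)}

    results = []
    # 1. real browser, Referer present
    results.append(("browser, referer set", *accept_post(sid, fresh(), {"Referer": SITE_URL + "login.cfm"}, now + 30)))
    # 2. same user behind a firewall that strips Referer: still accepted
    good = fresh()
    results.append(("browser, referer stripped", *accept_post(sid, good, {}, now + 60)))
    # 3. the exact same POST replayed: rejected, the question was one-shot
    results.append(("replayed post", *accept_post(sid, good, {}, now + 61)))
    # 4. saved copy of the form posted from elsewhere with a spoofed Referer but no cookie
    results.append(("copied form, spoofed referer, no cookie", *accept_post(None, good, {"Referer": SITE_URL}, now + 90)))
    # 5. the cookie was kept but the post arrives after the session lifetime
    results.append(("stale session", *accept_post(sid, fresh(), {}, now + SESSION_TTL_SECONDS + 1)))
    return results


if __name__ == "__main__":
    for case, ok, why in demo():
        print(f"{case:42s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The point of case 2 against case 4 is the one the thread circles: a referer-only check fails the legitimate user whose firewall strips the header and passes the attacker who sets it, whereas the session-bound token plus server-held answer does the opposite without the user noticing anything beyond the math question.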
-Original Message-
From: AJ Mercer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 08, 2007 9:53 PM
To: CF-Talk
Subject: Re: defeating offline form posts
Have a look at the CGI variables
in particular CGI.HTTP_REFERER
This is the page
-Original Message-
From: AJ Mercer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 08, 2007 9:53 PM
To: CF-Talk
Subject: Re: defeating offline form posts
Have a look at the CGI variables
in particular
that
variable? Or not?
-Original Message-
From: AJ Mercer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 08, 2007 9:53 PM
To: CF-Talk
Subject: Re: defeating offline form posts
Have a look at the CGI variables
in particular CGI.HTTP_REFERER
This is the page before
26 matches