At 3:23 PM -0800 3/28/02, Tod Fitch wrote:

>At 02:56 PM 3/28/2002, Bill Cole wrote:
>>At 5:15 PM -0500 3/28/02, Stefan Jeglinski imposed structure on a
>>stream of electrons, yielding:
>>>>A day does not pass when I don't get spam that has come through
>>>>an unsecured formmail.
>
>But I could not figure out how to make a general purpose form mail
>cgi that would be secure.
For the most part, emailing from a form involves sending to people who are already known (site admin, sales dept, etc.), so recipients can be hard coded. It's that "general purpose" part that makes one vulnerable.

If my clients want to use formmail.pl, I insist that they rename it at a minimum. If they don't, and spammers can still find '...action="formmail.pl"...' on a site you host, they'll pound on your server, calling formmail.pl repeatedly, even if it's a later "secure" version, not knowing that their mail is not getting out.

Of course, I try to steer clients away from formmail too. I prefer NetCloak for my forms handling and I direct clients to the instructions at Maxum.com so they can see how easy it is to send email using NetCloak. Partly, I suppose, this is security through obscurity in that NetCloak has heretofore been a Mac thing. Of course, if all you want to do is email forms, then NetCloak is more than you need, but it does way more than forms-to-email and you'll find all kinds of uses for it.
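The point made above, that a form-to-mail handler is safe to expose only when its recipients are hard coded, as an added example in Python (not code from the list post, formmail.pl or NetCloak). The recipient table, the fixed envelope sender and the field limits are constructed assumptions; the single-line check on header fields is an extra hardening step beyond what the post discusses. The form submits a recipient key such as `sales`, never an address, so the script cannot be turned into a relay no matter who finds its URL.

```python
import re
from urllib.parse import parse_qs
from email.message import EmailMessage

# Constructed configuration (assumption, not from the post): the only
# addresses mail can ever be delivered to. The browser picks a key.
RECIPIENTS = {
    "sales": "sales@example.com",
    "webmaster": "webmaster@example.com",
}
FROM_ADDR = "forms@example.com"   # fixed envelope sender, never the submitter
MAX_BODY = 4000

# Header values must stay on one line; a CR or LF in a subject or address
# would let a submitter append header lines of their own (added hardening).
SINGLE_LINE = re.compile(r"[^\r\n]{1,200}")
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_form(raw_body):
    """Turn an application/x-www-form-urlencoded POST body into a dict,
    keeping only the first value of each field."""
    return {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}


def validate(fields):
    """Return None if the submission may be mailed, else a short reason."""
    if fields.get("to") not in RECIPIENTS:
        return "unknown recipient key"      # the 'general purpose' hole, closed
    if not SINGLE_LINE.fullmatch(fields.get("subject", "")):
        return "bad subject"
    sender = fields.get("email", "")
    if not (SINGLE_LINE.fullmatch(sender) and ADDRESS.fullmatch(sender)):
        return "bad sender address"
    body = fields.get("body", "")
    if not body.strip() or len(body) > MAX_BODY:
        return "bad body"
    return None


def build_message(fields):
    """Build the outgoing EmailMessage, or raise ValueError for a bad submission.
    Handing the result to smtplib is left to the caller so this runs offline."""
    reason = validate(fields)
    if reason is not None:
        raise ValueError(reason)
    msg = EmailMessage()
    msg["From"] = FROM_ADDR
    msg["To"] = RECIPIENTS[fields["to"]]   # looked up, never copied from input
    msg["Reply-To"] = fields["email"]
    msg["Subject"] = fields["subject"]
    msg.set_content(fields["body"])
    return msg


if __name__ == "__main__":
    # Constructed sample POST bodies: one legitimate, one trying to pick
    # an arbitrary destination the way a relay abuser would.
    good = parse_form("to=sales&email=jane%40example.org&subject=Quote+request&body=Please+send+pricing.")
    relay = parse_form("to=someone%40elsewhere.example&email=x%40y.example&subject=hi&body=spam")
    print(build_message(good)["To"])      # sales@example.com
    print(validate(relay))                # unknown recipient key
```

Only the two keys in `RECIPIENTS` can ever appear in the `To:` header, so the script stays safe even if its name is guessed; renaming it, as suggested in the post, then only spares the server the traffic.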
