http://nms-cgi.sourceforge.net/ has a bunch of such things, including a drop-in replacement for the once-popular Matt's FormMail that's designed to be less spam-friendly. It sounds like you don't want to just use one of those scripts, but reading the code/changelogs might give you ideas for other snafus to avoid.
One other thing I can think of that might be useful is to have a one-time-use token in the form; generate a (pseudo)random token each time the form is served, expire the token as soon as it's used (or, if it's been more than, say, 5 minutes since it was generated). Won't stop the spamming, but they'll have to grab the page to get a token each time.. Of course, that might be bad, because you might find that a determined spammer doing that causes a lot of load... but the rate limiting you've talked about should largely ameliorate that.

On 16/03/07, Rev Simon Rumble <[EMAIL PROTECTED]> wrote:
> Hi folks.
>
> A company I'm doing some work for has written a "tell a friend" type script on their site. At the moment it's appallingly badly written from an anti-spam perspective, so I'm making some recommendations for it. It's a must-have piece of functionality, so "just ditch it" isn't going to work.
>
> It takes the To, From, referring URL and the text of the message itself from the form that points to it. I'm sure you can work out why this might be a problem (which the client worked out when I gave them a spoof form).
>
> Here's what I've come up with. Have I missed anything?
>
> * Rate limiting by IP address
> * Rate limiting overall
> * Restrict it so it's only usable with a referrer of (their domain)
> * Have boilerplate text with a small amount that can be entered by the user. Boilerplate text is _not_ defined in form variables.
> * Only allow links that are within (their domain)
>
> Anything else?
>
> --
> Rev Simon Rumble <[EMAIL PROTECTED]>
> www.rumble.net
>
> "History teaches us that men and nations behave wisely once they have exhausted all other alternatives." - Abba Eban
>
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
--
There is nothing more worthy of contempt than a man who quotes himself - Zhasper, 2004
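The following is an added example, not code from this thread or from nms-cgi, showing how the measures discussed above fit together in one form handler: the one-time, five-minute token from the reply, per-IP and overall rate limiting, the referrer restriction, boilerplate text that lives in the script rather than in form variables, and rejection of links outside the site's own domain. The domain `example.com`, the class and function names, and the rate-limit numbers are assumptions chosen for illustration; the thread only says "(their domain)" and does not give limits.

```python
"""Added example (not from the thread or nms-cgi): a guard for a
"tell a friend" form.  Limits, names and the site domain are assumed."""

import re
import secrets
import time
from collections import deque
from urllib.parse import urlparse

SITE_DOMAIN = "example.com"   # assumed; the thread only says "(their domain)"
TOKEN_TTL = 300               # 5 minutes, as suggested in the reply
PER_IP_LIMIT = 5              # assumed: submissions per IP per window
GLOBAL_LIMIT = 100            # assumed: submissions overall per window
WINDOW = 60                   # assumed: rate-limit window in seconds


def _on_site(host):
    return host == SITE_DOMAIN or host.endswith("." + SITE_DOMAIN)


class TellAFriendGuard:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.tokens = {}          # token -> time it was issued
        self.by_ip = {}           # ip -> deque of submission times
        self.all = deque()        # submission times across all IPs

    # --- one-time, time-limited form token ---------------------------
    def issue_token(self):
        """Call when the form is served; embed the token as a hidden field."""
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = self.now()
        return tok

    def consume_token(self, tok):
        """True only the first time a token is seen, and only within TOKEN_TTL."""
        issued = self.tokens.pop(tok, None)   # pop: a token can never be reused
        return issued is not None and self.now() - issued <= TOKEN_TTL

    # --- rate limiting, per IP and overall ---------------------------
    def _prune(self, q):
        cutoff = self.now() - WINDOW
        while q and q[0] < cutoff:
            q.popleft()

    def within_rate(self, ip):
        q = self.by_ip.setdefault(ip, deque())
        self._prune(q)
        self._prune(self.all)
        if len(q) >= PER_IP_LIMIT or len(self.all) >= GLOBAL_LIMIT:
            return False
        t = self.now()
        q.append(t)
        self.all.append(t)
        return True

    # --- referrer and link restrictions ------------------------------
    @staticmethod
    def referrer_ok(referer):
        return _on_site(urlparse(referer or "").hostname or "")

    @staticmethod
    def links_ok(text):
        """Every URL in the user-supplied note must point at the site itself."""
        for url in re.findall(r'https?://[^\s<>"]+', text):
            if not _on_site(urlparse(url).hostname or ""):
                return False
        return True

    def check(self, ip, referer, token, user_text):
        """Return a rejection reason, or None if the message may be sent."""
        if not self.referrer_ok(referer):
            return "bad referrer"
        if not self.within_rate(ip):          # counts attempts, not successes
            return "rate limited"
        if not self.consume_token(token):
            return "bad or expired token"
        if not self.links_ok(user_text):
            return "off-site link"
        return None


def build_message(user_text):
    """Boilerplate is fixed in the script, never taken from form variables;
    the user contributes only a short note, which is truncated."""
    note = user_text.strip()[:200]
    return (f"Your friend thought you'd like to see this page on {SITE_DOMAIN}.\n\n"
            f"Their note: {note}\n")
```

The token is popped from the store on first use, so a replayed token fails even inside its five-minute window, and the rate limiter records attempts rather than accepted messages, so rejected submissions still count against an IP. The referrer check is the weakest of the four: the Referer header is set by the client and can be omitted or forged, so it should be treated as one filter among several rather than the control that stops abuse.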