Re: Porno spam using form submissions
by Complex <complex_hwg(at)yahoo.com>
|
Date: |
Tue, 4 Dec 2001 10:25:21 -0800 (PST) |
To: |
HWG Techniques <hwg-techniques(at)hwg.org> |
In-Reply-To: |
jbarchuk |
|
todo: View
Thread,
Original
|
|
I've seen people point out the need to set the REFERER field to your
own address. However, I believe it's also important that you set the TO
field within your CGI!!
This might not be a problem with Matt's Formmail. It was a problem with
an old version of bnbform.cgi that we used to use. In that old script,
the TO address was stored in a hidden form field (!). This allowed you
to use the same CGI with different forms whose results were to get sent
to different people.
If a spammer wrote his own version of my page, but with a different TO
address in that field, he could submit the form and thus email the
results to whomever he liked. He'd also change the results to be his
spam instead of my form.
:-) I actually did this with my own form. I mis-used my own script to
send emails to myself and coworkers.
So double-check that your CGI specifies the TO, CC, and BCC fields,
without leaving those as attributes for the form. That way, even if the
spammer spoofs your IP address, they can't use your CGI to spam others,
ruining your good name (er, good IP).
(However, I suppose they can still use your CGI to spam *you*. Case of
Sara.)
hth,
complex
__________________________________________________
Do You Yahoo!?
Buy the perfect holiday gifts at Yahoo! Shopping.
http://shopping.yahoo.com
HWG hwg-techniques mailing list archives,
maintained by Webmasters @ IWA