[Mimedefang] OT: Email web form exploits
David F. Skoll
dfs at roaringpenguin.com
Wed Sep 7 09:47:30 EDT 2005
Chris Gauch wrote:
> City: jeeukfllf at somedomain.com
> Fax: jeeukfllf at somedomain.com
... etc ...
> So, the question is how can we really stop someone from using an
> HTML form (and the NUMBER verification technique is not an
> acceptable solution for our clients)?
You can't stop someone from using the form, but you can modify the
script so it doesn't send out e-mail if the "city" or "fax" fields
contain an "@" sign. That should stop most of the abuse with very
few false positives. If someone does put an @ sign in those fields,
a helpful error message and invitation to fill out the form again
will probably take care of any problems.
Another option is a CAPTCHA of some kind, but those are irritating and
a pain to code up securely.
Ironic, isn't it? We'll probably have to filter OUT things that "look like"
e-mail addresses in non-email fields.
Regards,
David.
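The check David describes, as an added Python example (not code from the original post or from MIMEDefang): a form handler refuses to send mail when a non-email field such as "city" or "fax" contains an "@" sign, and returns the kind of helpful per-field error message the post suggests so the visitor can resubmit. The field names, the `EMAIL_FIELDS` set and the sample submissions are constructed for the example; the additional rejection of CR/LF characters goes beyond the post's "@" rule and is included because a line break in a value that is later copied into a mail header is the other common way such forms are abused.

```python
import re

# Constructed assumption: the only field where an e-mail address belongs.
EMAIL_FIELDS = {"email"}

# Carriage return / line feed in a value lets a submission inject extra
# header lines if the script copies the value into a mail header.
# This check is an addition beyond the "@" rule in the post.
HEADER_BREAK = re.compile(r"[\r\n]")


def check_submission(fields, email_fields=EMAIL_FIELDS):
    """Return {field_name: error_message} for each field that fails.

    An empty dict means the submission is clean and may be mailed out.
    """
    errors = {}
    for name, value in fields.items():
        if HEADER_BREAK.search(value):
            errors[name] = "Line breaks are not allowed in this field."
            continue
        # The post's rule: an "@" outside the e-mail field is a strong sign
        # the form is being driven by a spam tool rather than a visitor.
        if name not in email_fields and "@" in value:
            errors[name] = (
                f"The '{name}' field should not contain an e-mail address; "
                "please fill out the form again."
            )
    return errors


def should_send(fields, email_fields=EMAIL_FIELDS):
    """True when no field fails validation and the script may send mail."""
    return not check_submission(fields, email_fields)


# Constructed sample submissions (not real data).
LEGIT = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "city": "Ottawa",
    "fax": "+1 613 555 0100",
    "message": "Please send me your brochure.",
}

ABUSE = {
    "name": "jeeukfllf",
    "email": "jeeukfllf@somedomain.com",
    "city": "jeeukfllf@somedomain.com",
    "fax": "jeeukfllf@somedomain.com",
    "message": "jeeukfllf",
}

INJECTION = {
    "name": "x",
    "email": "x@example.com",
    "city": "Ottawa\r\nBcc: someone@example.net",
    "fax": "",
    "message": "",
}

if __name__ == "__main__":
    for label, form in (("legit", LEGIT), ("abuse", ABUSE), ("injection", INJECTION)):
        print(label, "send" if should_send(form) else check_submission(form))
```

Only the fields named in `EMAIL_FIELDS` may carry an "@"; everything else is treated as plain text, which is the inversion David calls ironic: the script filters out things that look like e-mail addresses rather than looking for them.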