[Mimedefang] OT: Email web form exploits

James Ebright jebright at esisnet.com
Thu Sep 8 20:16:05 EDT 2005


Check the URI referrer and only allow the web form to be hit FROM the URLs
that it should be linked to; otherwise simply return an error similar to
"unauthorized access attempt".

This prevents these types of script interaction with a webform quite
effectively, typically, as it outright prevents direct interaction and would
force the spammer to hit a valid URI to get the link to the webform, which
would not be impossible, but it would be annoying to them, somewhat akin to
the small response delay you can add to sendmail 8.13.

Jim

On Wed, 7 Sep 2005 11:09:12 -0400, Chris Gauch wrote
> > WBrown at e1b.org wrote:
> > 
> > > Isn't that called input validation and something that should be done
> > > anyways?
> > 
> > True.  But some input validation is a bit aggressive.  How many broken
> > Web forms out there don't permit "+" in an e-mail address?  And my
> > colleague, Dave O'Neill, can tell lots of horror stories about how his
> > name is mangled by aggressive-but-incorrect SQL-injection
> > countermeasures. :-(
> > 
> > Regards,
> > 
> > David.
> 
> It's not only that, try going through several dozen client-developed 
> web forms and adding form validation to ALL of them.  Additionally,
> who's to say that the "kiddie script-writer" will continue to use 
> email addresses in all the form fields (what if they just fill all 
> the fields with "sksdljsdfljsl" and send them repeatedly)?  Even if 
> their intentions aren't being met, they are certainly causing 
> headaches, getting clients angry with their ISP/hosting company -- 
> just a nuisance and waste of time I guess.
> 
> - Chris
> 
> ------------------------------------------
> Chris Gauch
> Systems Administrator
> Digicon Communications, Inc.
> http://www.digiconcommunications.com
> cgauch at digicon.net
> 


--
EsisNet.com Webmail Client
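The Referer allowlist Jim describes, written out as an added example (this is not code from the post or from MIMEDefang). It accepts a form POST only when the client-supplied Referer (or, as a fallback, Origin) header names a page that is supposed to link to the form, and refuses direct hits that carry neither. Because both headers are set by the client, this is a nuisance bar against blind scripted submissions, not authentication, and it complements rather than replaces input validation. The host and path allowlist, the function names and the sample headers are all constructed for illustration.

```python
"""Referer-allowlist check for a web form handler (constructed example)."""
from urllib.parse import urlsplit

# Pages that legitimately link to the form: (hostname, path prefix).
# Constructed values; replace with the real linking pages.
ALLOWED_REFERERS = (
    ("www.example.com", "/contact"),
    ("www.example.com", "/support/"),
)


def referer_allowed(headers, allowed=ALLOWED_REFERERS):
    """Return True if the request's Referer (or, failing that, Origin)
    points at an allowed page.

    `headers` is a dict of request headers; names are compared
    case-insensitively. A request with neither header is refused, which is
    the "direct interaction" case the post wants to block.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer")
    candidate = referer or lowered.get("origin")
    if not candidate:
        return False

    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https"):
        return False
    # hostname strips any port and lowercases; an exact match defeats
    # look-alike hosts such as www.example.com.elsewhere.invalid
    host = (parts.hostname or "").lower()
    path = parts.path or "/"

    for allowed_host, allowed_path in allowed:
        if host != allowed_host:
            continue
        # Origin carries no path, so on the Origin fallback a host match
        # is all we can check; with a Referer the path must match too.
        if referer is None or path.startswith(allowed_path):
            return True
    return False


def handle_form_post(headers, form):
    """Stand-in for a CGI/WSGI form handler; returns (status, body)."""
    if not referer_allowed(headers):
        return 403, "Unauthorized access attempt"
    # Real input validation and mail delivery would follow here.
    return 200, "Thanks, %s" % form.get("name", "")


if __name__ == "__main__":
    # Constructed requests: one from the contact page, one with no Referer.
    print(handle_form_post({"Referer": "https://www.example.com/contact"},
                           {"name": "Jim"}))
    print(handle_form_post({}, {"name": "script"}))
```

The path prefix match means that a Referer of /contact-page also passes the first rule; tighten the allowlist to full paths if the site needs that.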