Posted by Gordon Burditt on 04/21/07 17:11
>I have a feedback form on my site. People can fill the fields and
>message is sent to me using 'mail' function, after the form gets
>submitted (POST).
>
>The fields are subject, from and text. 'subject' is optional, others
>are mandatory. PHP script that handles the form input takes into account
>predefined field names only.
Be absolutely sure that any value you put in mail headers cannot
contain carriage return or newline characters input by the user.
That usually means anywhere except the body of the message, and
you specifically DON'T want them in subject or from. If the
relevant fields contain such characters, DON'T SEND THE MAIL.
Also, you don't want the form to specify anything in the To: Cc: or
Bcc: headers. That hidden field in the form for the To: address is
easy to change.
>The problem is that someone is sending me spam using that form. I
Are they only sending it to YOU? And not to the entire user community
of AOL at the same time?
>don't believe that they target me specifically. It is more likely that
>some automated robot is doing that. I tried to change field names, but
>still getting the messages. I checked the message source, and they are
>coming from the form.
>My question is how they can guess the field names and determine which
>mean what by automated process ?
Parsing field names is easy. Browsers do it.
>I guess they can parse html form to
>get names, but how they can put values in proper fields ?
They can guess, or they can go by order, or they can look at the text
label near the input box.
>Are they
>using trial and error ? I should get messages with text in subject
>field, too, then, but I don't.
>It is possible that someone is sending messages by hand, but who
>could be such an idiot?
How about spammers who advertise some obscure product and don't give
you an email address, phone number, web site, or postal address for
where to buy it?
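The checks Gordon describes above (refuse CR/LF in any field that lands in a mail header, never take the recipient from the form), written out as an added example. This is not code from the original thread; the field names "subject", "from" and "text" are taken from the question, while the hard-coded recipient and the sample submissions are assumptions constructed for the demonstration. The handler only builds the message and reports the decision, so it runs offline without an MTA; the returned array is what you would hand to mail($m['to'], $m['subject'], $m['body'], $m['headers']).

```php
<?php
// Added example, not the original poster's script. Demonstrates mail header
// injection through a feedback form and the check that stops it.
// Assumptions: form fields "subject", "from", "text"; recipient fixed on the
// server. Requires PHP 7.1+ for the nullable return type.

// A CR, LF or NUL in a header value lets the sender append extra header
// lines (Cc:, Bcc:) or terminate the headers and supply their own body.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// The From address must be a single, syntactically valid address.
function is_plausible_address(string $addr): bool
{
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Build the message from POSTed fields, or return null to refuse it.
// The To: address never comes from the form, so a hidden field cannot
// redirect the mail elsewhere.
function build_message(array $post): ?array
{
    $to      = 'webmaster@example.com';          // assumed recipient
    $subject = trim((string) ($post['subject'] ?? 'Feedback form'));
    $from    = trim((string) ($post['from'] ?? ''));
    $text    = (string) ($post['text'] ?? '');

    if ($from === '' || $text === '') {
        return null;                             // mandatory fields missing
    }
    if (has_header_injection($subject) || has_header_injection($from)) {
        return null;                             // DON'T SEND THE MAIL
    }
    if (!is_plausible_address($from)) {
        return null;
    }
    // Newlines are fine in the body; they are fatal in the headers.
    return [
        'to'      => $to,
        'subject' => $subject,
        'headers' => "From: $from\r\nReply-To: $from",
        'body'    => $text,
    ];
}

// Constructed inputs: a legitimate submission and an injection attempt that
// tries to add a Bcc: line through the From field.
$legit = [
    'subject' => 'Feedback',
    'from'    => 'alice@example.org',
    'text'    => "Nice site.\nThanks.",
];
$attack = [
    'subject' => 'Feedback',
    'from'    => "alice@example.org\r\nBcc: victim1@example.net, victim2@example.net",
    'text'    => 'buy my product',
];

foreach (['legit' => $legit, 'attack' => $attack] as $label => $post) {
    $m = build_message($post);
    echo $label, ': ', $m === null ? "refused\n" : "would send to {$m['to']}\n";
}
```

Only the header-bound fields need the CR/LF check; the body is passed to mail() as a separate argument and may legitimately contain newlines. Rejecting the submission outright, rather than stripping the offending characters, follows the advice above: a field that arrived with a CR/LF in it was not typed by a person using the form.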