Posted by Jerry Stuckle on 07/17/05 18:26
Bob Smith wrote:
> Jerry Stuckle wrote:
>
>
>>Bob Smith wrote:
>>
>>>Jerry Stuckle wrote:
>>>
>>>
>>>
>>>Well, that is not 100%...for example a script can easily send the
>>>destination=whatever simply in a get command with telnet or custom script
>>>that connects to port and host and gets/posts the form.
>>
>>Nope. Because the destination is not taken from the form. Only a key to
>>a list of predefined destinations is in the script.
>>
>>For instance - they could say "destination=1" which might send to customer
>>service. But they could not say "destination=youvegotspam@example.com"
>>because that will not be found.
>>
>>
>>>there are a couple of things you might want to do to make it harder for
>>>the spammers:
>>>1) set a cookie with timestamp + host + ip + browser (etc...) and check
>>>the existence and validate the cookie upon script run
>>>2) check the cookie of the one requesting the form in the first place and
>>>save that in the cookie; if no cookie when the script submission is
>>>carried out, or error arguments in it: spammer
>>
>> > Greger
>>
>>Cookies can be falsified, and it doesn't take a lot of looking to figure
>>out what you use in a cookie. Additionally, this method doesn't work if the
>>client has cookies turned off.
>
>
> I'd ideally put a cookie in an md5 thingy, to protect the data from being
> visible to the user, ...then it is more difficult to figure out what is
> actually in there. Simply unpack and validate upon script run.
> Naturally, there is no way to make forms 100% secure...
>
>>Depending on cookies is NOT secure - and can be aggravating to valid
>>users.
>>
>>
Bob,
Wrong. The process I recommended is 100% secure and does not require cookies.
It's secure because the email address is not in the web page, cookie, session
information or any other place the client can access. There is NO WAY the
client can send email to anything other than a predetermined list of destinations,
because the client has NO ACCESS to the actual email address - not to read, not to write.
And it doesn't require cookies.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
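The scheme Jerry describes, as an added example (not code from the thread): the form carries only a key such as destination=1, and the real addresses are an allowlist that exists only on the server. Addresses and field names here are constructed placeholders.

```python
"""Contact-form handler in the style the post describes: the client submits
only a key ("destination=1"); the real addresses live server-side.
Added example, not code from the thread; addresses are constructed placeholders."""
from email.message import EmailMessage

# Server-side list of allowed recipients. The client never sees these strings;
# it can only name a key. (Constructed placeholder addresses.)
DESTINATIONS = {
    "1": "customer-service@example.com",
    "2": "sales@example.com",
}


def resolve_destination(form):
    """Map the submitted 'destination' field to a real address.

    Returns None for anything that is not a known key, including a
    client-supplied address such as 'youvegotspam@example.com'.
    """
    key = form.get("destination", "")
    # Exact-match lookup only: no concatenation with client data, no fallback.
    return DESTINATIONS.get(key)


def build_message(form):
    """Return an EmailMessage addressed to the resolved destination,
    or None if the submission must be rejected."""
    recipient = resolve_destination(form)
    if recipient is None:
        return None
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = "Web form submission"  # fixed server-side, not client data
    msg.set_content(form.get("message", ""))
    return msg


if __name__ == "__main__":
    accepted = build_message({"destination": "1", "message": "hello"})
    print(accepted["To"])  # customer-service@example.com
    # A client trying to name its own recipient gets nothing:
    print(build_message({"destination": "youvegotspam@example.com"}))  # None
```

Sending is left out on purpose; the point is that only `recipient` values from `DESTINATIONS` can ever reach the mailer.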