Re: (spam)secure mailform

Posted by Bob Smith on 07/17/05 21:08

Jerry Stuckle wrote:

> Bob Smith wrote:
>> Jerry Stuckle wrote:
>>
>>
>>>Bob Smith wrote:
>>>
>>>>Jerry Stuckle wrote:
>>>>
>>>>
>>>>
>>>>Well, that is not 100%...for example a script can easily send the
>>>>destination=whatever simply in a get command with telnet or custom
>>>>script that connects to port and host and gets/posts the form.
>>>
>>>Nope. Because the destination is not taken from the form. Only a key to
>>>a list of predefined destinations is in the script.
>>>
>>>For instance - they could say "destination=1" which might send to customer
>>>service. But they could not say "destination=youvegotspam@example.com"
>>>because that will not be found.
>>>
>>>
>>>>there are a couple of things you might want to do to make it harder for
>>>>the spammers:
>>>>1) set a cookie with timestamp + host + ip + browser ( etc...) and check
>>>>the existence and validate the cookie upon script run
>>>>2)check the cookie of the one requesting the form in the first place and
>>>>save that in the cookie, if no cookie when the script submission is
>>>>carried out:or error arguments in it:spammer
>>>
>>> > Greger
>>>
>>>Cookies can be falsified, and it doesn't take a lot of looking to figure out
>>>what you use in a cookie. Additionally, this method doesn't work if the
>>>client has cookies turned off.
>>
>>
>> I'd ideally put a cookie in a md5 thingy, to protect the data from being
>> visual to the user, ...then it is more difficult to figure out what is
>> actually in there. simply unpack and validate upon script run.
>> Naturally, there is no way to make forms 100% secure...
>>
>>>Depending on cookies is NOT secure - and can be aggravating to valid users.
>>>
>>>
>
> Bob,
>
> Wrong. The process I recommended is 100% secure and does not require
> cookies.

The day I die....

>
> It's secure because the email address is not in the web page, cookie, session
> information or any other place the client can access. There is NO WAY the
> client can send email to other than a predetermined list of destinations
> because the client has NO ACCESS to the actual email address - not to
> read, not to write.
>
> And it doesn't require cookies.
>
hmmm, what if someone gets access to the form and spams the 1,2,3, (,
whatever ) in there?? Am I missing something obvious in this debate? ( I'd
never do it like that, anyways...)

G
--
http://www.kolumbus.fi/bob.smith
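
The key-to-destination lookup discussed in this thread, written out as an added example that is not part of any poster's message. The addresses, key values, field names and the function names `resolve_destination` and `handle_submission` are assumptions made for illustration.

```php
<?php
// Added illustration. The addresses below are constructed placeholders and
// exist only on the server; the form only ever carries the key.
const DESTINATIONS = [
    '1' => 'customer-service@example.com',
    '2' => 'sales@example.com',
    '3' => 'webmaster@example.com',
];

// Map the client-supplied key to a server-side address.
// Returns null for anything that is not an exact key in the list.
function resolve_destination($key): ?string
{
    if (!is_string($key)) {          // destination[]=1 arrives as an array
        return null;
    }
    return DESTINATIONS[$key] ?? null;
}

// Build the message from a submitted form, or reject it.
function handle_submission(array $post): array
{
    $to = resolve_destination($post['destination'] ?? null);
    if ($to === null) {
        return ['ok' => false, 'error' => 'unknown destination'];
    }
    $body = is_string($post['message'] ?? null) ? $post['message'] : '';
    // Subject is fixed on the server; only the body carries client text.
    return ['ok' => true, 'to' => $to,
            'subject' => 'Web form message', 'body' => $body];
}

// Constructed sample submissions (in a real handler this would be $_POST).
$samples = [
    ['destination' => '1', 'message' => 'hello'],
    ['destination' => 'youvegotspam@example.com', 'message' => 'spam'],
    ['destination' => ['1'], 'message' => 'array instead of string'],
    ['message' => 'no destination at all'],
];

foreach ($samples as $sample) {
    $r = handle_submission($sample);
    // A real handler would call mail($r['to'], $r['subject'], $r['body']) here.
    echo $r['ok'] ? "send to {$r['to']}\n" : "rejected: {$r['error']}\n";
}
```

The lookup restricts who can receive mail; it does not limit how many messages a client can submit to the listed destinations.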

 
