|
|
Posted by Malcolm Dew-Jones on 11/15/01 11:26
cmcnaught (cmcnaught@gmail.com) wrote:
: Thanks Gordon,
: Good input.
: This form input is not used for the database at present, in other areas
: I use mysql_escape_string() or similar.
: I think HTTP_REFERER can easily be spoofed
: I am the reipient of the spam, the 'to' address is hidden, no problem
: for anyone else, its the return address which is being randomized with
: my domain name and posted into the form processor.
: I want to avoid login for this application, I have several other sites
: well protected with a encrypted password/session/cookie method.
: I'm now thinking of a hidden variable which is filled in on the
: onSubmit path from a javascript constant. That should make it a bit
: harder to figure out with a script. Maybe concatenated from several
: constants.
: What do you think?
: cj
You say you're being spammed, but if all the mail goes to you, what are
they trying to accomplish? (Serious question.)
Do they think they are spamming other people? Perhaps they are setting a
TO address (which you don't use) in the mistaken believe that they are
sending spam to those people. I ask because in that case you could check
for a bogus TO address even though you don't use it - simply to check when
the form is being targetted. I would check exactly what parameters they
are sending to you.
--
This programmer available for rent.
Navigation:
[Reply to this message]
|