Posted by Larry on 03/30/06 01:33
In article <%StWf.274$Co.259@reader1.news.jippii.net>, "Kimmo Laine" <spam@outolempi.net> wrote:
>"Larry" <noway@none.com> wrote in message
>news:V0tWf.18925$%d.8259@tornado.socal.rr.com...
>> In article <YhqWf.216$5g7.95@reader1.news.jippii.net>, "Kimmo Laine"
>> <spam@outolempi.net> wrote:
>>>"Larry" <noway@none.com> wrote in message
snip
>>
>> Actually I am placing the value into a hidden form field that's then
>> emailed via a formmail program.
>>
>> echo("<input type='hidden' name='my_email' value='$email'>");
>
>
>Please please please consider an alternative solution! Form mail scripts
>like that are very potential spam relays, especially the Formmail from Matt's
>Script Archive is the most classic exploited script. Do yourself and
>everyone else a favor and study a bit how such solutions get exploited.
>Basically spammers replace the value with another email address and send their
>own shit using your script.
>
>http://www.google.com/search?hl=en&q=formmail+spam+relay+exploit&btnG=Google+Search
>http://rickconner.net/spamweb/spam_formmail.html
>
Well it's not quite that bad, and yes I've heard all about Matt's scripts! What
isn't obvious from the line of code above is that $email is NOT an email
address, it's a code, 1 of 4 in my case, that my Formmail script uses to
decide which of 4 emails to send the form to. Sending anything else other than
the 4 recognized codes just results in the FormMail terminating. Though I'm no
expert on the subject, my belief is that's a reasonable solution.
Larry L
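
The scheme described in this post (the hidden field carries one of a fixed set of codes, and the mail script maps the code to an address on the server and stops on anything else), as an added example that is not code from the thread. The code names, addresses and function names are hypothetical.

```php
<?php
// Added example; every name and address here is a constructed placeholder.

// Server-side table: the only place a real address appears.
// The form never carries an address, so a substituted one has nothing to match.
const RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
    'billing' => 'billing@example.com',
    'web'     => 'webmaster@example.com',
];

// Form side: emit the code (HTML-escaped), never an address.
function hidden_recipient_field(string $code): string
{
    return "<input type='hidden' name='my_email' value='"
        . htmlspecialchars($code, ENT_QUOTES, 'UTF-8') . "'>";
}

// Handler side: resolve the submitted code to an address, or null if it is
// not one of the recognized codes.
function resolve_recipient($submitted): ?string
{
    // A field sent as my_email[]=... arrives as an array; reject non-strings.
    if (!is_string($submitted)) {
        return null;
    }
    // Exact key match only: no trimming, no case folding, no fallback address.
    return RECIPIENTS[$submitted] ?? null;
}

// Handler entry point: terminate before any mail is built on an unknown code.
function handle_submission(array $post): string
{
    $to = resolve_recipient($post['my_email'] ?? null);
    if ($to === null) {
        return 'rejected';
    }
    // mail($to, ...) would be called here, with $to taken from the table only.
    return "accepted for $to";
}

// Constructed sample submissions: a valid code, a substituted address,
// a code with trailing whitespace, and an array value.
foreach (['support', 'someone@example.net', 'sales ', ['sales']] as $value) {
    echo json_encode($value), ' => ', handle_submission(['my_email' => $value]), PHP_EOL;
}
```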