Posted by Jerry Stuckle on 01/24/08 04:28
Shelly wrote:
> On Jan 23, 11:07 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Shelly wrote:
>>> On Jan 23, 8:47 pm, Manuel Lemos <mle...@acm.org> wrote:
>>> The email is only sent to the site owner, so the spammer has no way of
>>> knowing what the email should look like. That tells me that they have
>>> to be going through the form. Yet the proper email has an echo of the
>>> generated security code. The spam email has that field empty. So,
>>> that says he can't be going through the form.
>>> It seems to me that they must:
>>> 1 - Somehow divert a legitimate email so that a copy is sent to
>>> them.
>>> 2 - Use that email copy to create a template and modify the output
>>> so that junk is sent.
>>> I really don't know how they are doing it.
>> Or, you're not checking the security field before sending the email.
>
> Of **COURSE** I am. [I even tested it :-) --- and many times].
> Filling in all the fields and either leaving that one empty, or with
> the wrong info, prevents an email from being sent and the page is
> presented again so that the user can fill it in properly.
>
> Jerry, why in the world would I go through the trouble of generating
> a security field if I weren't testing for its accuracy? That would be
> just plain stupid.
>
> Shelly
>
Shelly,
You said:
"The spam email has that field empty."
So you're obviously not checking it - at least not correctly. If you
were, then you would reject emails with the field empty.
But you never posted any code, so it's hard to tell.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
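
Added example, not part of the thread and not Shelly's code (none was posted): one assumed way a security-code check can reject an empty field when tested through the form, yet still accept an empty field on a request where no code was ever generated. The function names, the dict-based session and form, and the sample requests are constructed for illustration.

```python
import hmac

def loose_check(session, form):
    # Assumed flawed pattern: compare whatever is present on both sides.
    # With no code in the session and an empty field, "" == "" passes.
    return form.get("security_code", "") == session.get("security_code", "")

def strict_check(session, form):
    # Pop the expected code so each generated code is usable only once.
    expected = session.pop("security_code", None)
    submitted = form.get("security_code", "").strip()
    # Reject when either side is missing or empty, before comparing.
    if not expected or not submitted:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())

def handle_submission(session, form, check):
    """Return 'sent' if the mail would go out, 'redisplay' otherwise."""
    return "sent" if check(session, form) else "redisplay"

# Constructed sample requests: (server-side session, submitted form fields).
CASES = {
    "right_code": ({"security_code": "K7Q2"},
                   {"security_code": "K7Q2", "message": "hello"}),
    "empty_field": ({"security_code": "K7Q2"},
                    {"security_code": "", "message": "hello"}),
    "wrong_code": ({"security_code": "K7Q2"},
                   {"security_code": "ZZZZ", "message": "hello"}),
    # The handler receives a request although the form page, and with it
    # the code generation, never ran for this session.
    "no_session_code": ({}, {"message": "junk"}),
}

def run(check):
    # Copy the dicts so one run does not consume another run's session.
    return {name: handle_submission(dict(sess), dict(form), check)
            for name, (sess, form) in CASES.items()}

if __name__ == "__main__":
    for label, check in (("loose", loose_check), ("strict", strict_check)):
        for name, outcome in run(check).items():
            print(f"{label:6} {name:16} {outcome}")
```

With the loose check, every test made through the form behaves correctly and only the last case sends mail with the security field empty; the strict check redisplays the form in all three failing cases.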