Mike wrote on Sat, 27 Jan 2007 12:13:00 -0800:
I'm using a block of ASP to allow a user to send a form via e-mail.
However, someone keeps sending me spam through this form
and they're using a bogus return address. I'm testing for a
successful send, which should fail if the return address is
not valid, but I'm still getting the junk.
The block looks like this:
' ASP mailer block as posted; comments added for clarity
Set Mailer = Server.CreateObject("SMTPsvg.Mailer")
Mailer.RemoteHost = "smtp.xxx.com"
' Sender name and address come straight from the query string, unchecked
Mailer.FromName = Request.QueryString("Name")
Mailer.FromAddress = Request.QueryString("Email")
Mailer.AddRecipient "Web Mail", "PC**@xxx.com"
Mailer.Subject = "P.C.T. E-mail"
Mailer.BodyText = UserString
' SendMail reports only whether the relay accepted the message,
' not whether the From address is real
If Mailer.SendMail Then
    Response.Write " - Successful - "
Else
    Response.Write " - Failed - "
    Response.Write Mailer.Response
End If
Should this block be stopping bogus From addresses?
Or do I need to be doing something different?
That mailer component cannot verify if the from address is valid or not - to
do so would require it to connect to the destination server for that domain
and then determine if the address exists; either start a dummy SMTP
conversation sending to that address and looking for an error response, or
or use the verify command to ask if the address exists - although most
servers that support ESMTP should have the VRFY command disabled if they
have any sense, as it can be used to pull a list of valid addresses from a
server using a dictionary scan. What would happen if the server was down?
Would you want the message rejected? What if the message was legitimate, but
the person's ISP was having some mail server issues at the time?
There really is very little you can do to block someone spamming you this
way if they're persistent. You could look for specific strings in the
UserString variable and reject on that (such as web addresses, or certain
words). You could add a random number + check digit as hidden fields, and
have your code verify that they match before accepting the rest of the
data - this prevents direct use of the form from a script, but won't prevent
one that pulls the form HTML from the server prior to generating the
necessary POST data string to send back to ensure it's complete.
I've had problems with spam to a customer comment system on one of my own
sites in the past; luckily all comments require admin moderation before
being published to the site, so the spam never got displayed to the public -
I used a combination of variable inspection (rejecting all submissions that
had a URL in the title, which most of the spam ones did), and the random
number + check digit (which stopped the ones that didn't have a URL in the
title field, but were being posted from a script).
Dan
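Dan's two mitigations (a hidden random number with a keyed check digit, and rejecting submissions that carry a web address) worked through in classic ASP, as an added example that is not code from the thread. SERVER_SECRET, the field names n and c, and the form layout are assumptions; as Dan notes, a script that first fetches the form can still replay both hidden fields.

```vbscript
<%
' Added example (not from the thread): hidden random number + keyed check digit,
' plus rejection of comment text containing a URL. SERVER_SECRET is assumed.
Const SERVER_SECRET = 7919

' Weighted-sum check digit over the decimal digits of n, keyed by SERVER_SECRET
Function CheckDigit(n)
    Dim s, i, total
    s = CStr(n)
    total = 0
    For i = 1 To Len(s)
        total = total + CInt(Mid(s, i, 1)) * ((i * SERVER_SECRET) Mod 9 + 1)
    Next
    CheckDigit = total Mod 10
End Function

' True only when the two hidden fields posted back agree with each other
Function TokenIsValid(numField, checkField)
    TokenIsValid = False
    If Not IsNumeric(numField) Or Not IsNumeric(checkField) Then Exit Function
    If Len(numField) > 9 Then Exit Function
    TokenIsValid = (CInt(checkField) = CheckDigit(CLng(numField)))
End Function

' Dan's variable inspection: reject text that carries a web address
Function ContainsUrl(text)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "(https?://|www\.)"
    ContainsUrl = re.Test(text)
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If Not TokenIsValid(Request.Form("n"), Request.Form("c")) Then
        Response.Write "Rejected: form token mismatch."
    ElseIf ContainsUrl(Request.Form("Comment")) Then
        Response.Write "Rejected: web addresses are not accepted."
    Else
        Response.Write "Accepted."   ' safe point to hand the text to the mailer
    End If
Else
    Randomize
    Dim n : n = Int(Rnd * 900000) + 100000
    Response.Write "<form method=""post"">"
    Response.Write "<input type=""hidden"" name=""n"" value=""" & n & """>"
    Response.Write "<input type=""hidden"" name=""c"" value=""" & CheckDigit(n) & """>"
    Response.Write "<textarea name=""Comment""></textarea><input type=""submit""></form>"
End If
%>
```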