"Cpt. Zeep" <ze**@nemame.com> wrote in news:bt**********@bagan.srce.hr:
I'm writing small script for sending mail from my web pages. I have
heard about security hole in FormMail.pl script which can be used by
spammers. I would like to prevent that in my script. Can you give me
some suggestions regarding that.
You need to make sure that the script can send mail *only* to specific
addresses which are defined either in the script or in a database/file
which is *not* writeable by the outside world. The problem with the
original FormMail.pl script was that it took the destination address from a
form field (not a problem in itself) and then would *blindly* (the problem)
send mail to it. Thus spammers would simply write scripts that would
submit their own spam via the form, specifying a different address from
their list each time, and the spam would actually be mailed through your
system.
Thus if the form HTML itself contains the actual address to send to as a
hidden field, your script *must* check to see that the address it's getting
from that field is on the list of "OK to send to" addresses. Or you might
make the hidden field specify a code, which your script would translate to
determine the destination address (this makes it harder for spammers to
harvest your address from the forms).
It would also be a good idea for the script to set a limit on the amount of
data it will mail per invocation, in order to prevent its being used for
DOS attacks on you. This limitation *cannot* be enforced by anything
client side (since an attacker won't be using your client-side form and any
scripting in it); it *must* be enforced by the form handler itself.