
Re: Spam resistent guestbook ?



On Wed, Sep 27, 2006 at 11:35:06AM -0700, Robert L Mathews wrote:
> We provide a trivially modified version of FormMail.pl
> to our customers that works on such a scheme
> (<http://support.tigertech.net/formmail#prevent>), and it has 100%
> solved the problem of automated spambots sending mail to the form's
> owner.

formmail scripts are a different problem to guestbooks.

the best fix for formmail type scripts is to restrict the recipient
addresses permissible - either by hard-coding them into the form, or
(when it needs to be used by many different customers) by hacking the
script so that it will only send mail to:

1. addresses/domains listed in a particular text file

2. domains where the MX or NS record is hosted by you

3. domains where the web site is hosted by you (list of domains found by
reading in the main config file for my apache vhosting config generation
stuff).


points 2 & 3 cover >90% of all your customers' formmail needs
automatically, and point 1 is useful when they want to send to any
other address - e.g. a hotmail address or whatever.

i hacked a copy of the NMS formmail script(*) to do this years ago and
never had another spammer successfully abuse the script again.  The
Net::DNS perl module did all the work.



(*) btw, never use the Matt Wright FormMail script. in fact, ban all
Matt Wright scripts from your system, they are insecure crap. to secure
them is more work than writing your own from scratch. unfortunately,
they're popular scripts (especially FormMail.pl) so i always had
to spend an hour or so every week scanning log files and cgi-bin
directories for new copies of the scripts uploaded by customers - and
delete them or replace them with symlinks to my Formmail script.

craig

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
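
The three recipient rules described in the message above, as an added example (this is not craig's modified NMS script, and not code from the original post). All addresses, domains, host names and the stub resolver are constructed assumptions; the real lookup path uses Net::DNS, the module the post names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample policy data (assumptions); a real script would load these from files.
my %ALLOWED_ADDR   = map { $_ => 1 } ('someone@hotmail.example');  # rule 1: listed addresses
my %ALLOWED_DOMAIN = map { $_ => 1 } ('partner.example');          # rule 1: listed domains
my %OUR_DNS_HOSTS  = map { $_ => 1 } qw(mx1.hosting.example ns1.hosting.example);  # rule 2
my %HOSTED_VHOST   = map { $_ => 1 } ('customer-site.example');    # rule 3: from vhost config

# Default lookup: MX exchanges and NS names of a domain, via Net::DNS (loaded on first use).
sub dns_hosts {
    my ($domain) = @_;
    require Net::DNS;
    my $res   = Net::DNS::Resolver->new;
    my @hosts = map { $_->exchange } Net::DNS::mx($res, $domain);
    if (my $reply = $res->query($domain, 'NS')) {
        push @hosts, map { $_->nsdname } grep { $_->type eq 'NS' } $reply->answer;
    }
    return map { lc $_ } @hosts;
}

# Returns 1 if the form may send mail to $rcpt, 0 otherwise. $lookup is injectable for testing.
sub recipient_allowed {
    my ($rcpt, $lookup) = @_;
    $lookup ||= \&dns_hosts;
    # Accept exactly one plain address: no commas, whitespace or line breaks.
    return 0 unless defined $rcpt && $rcpt =~ /\A([A-Za-z0-9._+-]+)\@([A-Za-z0-9.-]+)\z/;
    my ($addr, $domain) = (lc $rcpt, lc $2);
    return 1 if $ALLOWED_ADDR{$addr} || $ALLOWED_DOMAIN{$domain};   # rule 1
    return 1 if $HOSTED_VHOST{$domain};                             # rule 3 (no DNS needed)
    return 1 if grep { $OUR_DNS_HOSTS{$_} } $lookup->($domain);     # rule 2
    return 0;
}

# Constructed stub resolver so the demonstration runs offline.
my %FAKE_DNS = (
    'dns-customer.example' => ['mx1.hosting.example'],
    'elsewhere.example'    => ['mail.elsewhere.example', 'ns.elsewhere.example'],
);
my $stub = sub { @{ $FAKE_DNS{ $_[0] } || [] } };

for my $rcpt ('info@customer-site.example', 'sales@dns-customer.example',
              'someone@hotmail.example', 'victim@elsewhere.example',
              'a@partner.example,victim@elsewhere.example') {
    printf "%-45s %s\n", $rcpt, recipient_allowed($rcpt, $stub) ? 'allow' : 'REJECT';
}
```

Calling recipient_allowed() without the second argument uses live DNS through Net::DNS instead of the stub.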


