Re: static ip to dhcp conversion -- getting a hostname
Marty Landman <MLandman@face2interface.com> writes:
> Alan, I'm working on a rewrite now and am concerned with properly
> doing things. Could you please advise on how to best prevent this type
> of exploit, given that a check of referer against a hard-coded
> hostname is not so good?
You'll have to stop getting the email address from the form. Sure,
it makes it easier. Unfortunately, it makes it easier for spammers,
too.
A few ideas:
* Hardcode the destination address in the script
* Hardcode multiple addresses in the script, and have a token in the
form specify which address to mail to. For example, if the form
says address=FOO, you look up $addresses[FOO] to get
"support@wherever".
* Just discontinue the script, and have people use formmail. That
way, the security burden is on someone else (admittedly, someone
who's proven themselves incapable of fixing security problems).
Sure, all of these make it harder to use, but the only way to stop
spammers is to restrict the addresses they send to.
--
Alan Shutko <ats@acm.org> - I am the rocks.
<BOOM><BOOM><BOOM><BOOM> Nitroglycerin on keys
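
The token lookup from the second idea in the reply above, as an added example that is not part of the original message or of the script under discussion. The table contents, field names (`address`, `comments`), sender address and function names are assumptions made for illustration.

```python
from email.message import EmailMessage
from urllib.parse import parse_qs

# Hypothetical token -> address table; the addresses are placeholders.
ADDRESSES = {
    "SUPPORT": "support@example.com",
    "SALES": "sales@example.com",
}


class RejectedForm(Exception):
    """Raised when the submission does not name exactly one known token."""


def resolve_recipient(token):
    # Only values stored in the script are ever returned; the form value is
    # used as a lookup key and never as an address.
    try:
        return ADDRESSES[token]
    except KeyError:
        raise RejectedForm("unknown address token") from None


def build_message(form_body):
    fields = parse_qs(form_body, keep_blank_values=True)
    tokens = fields.get("address", [])
    # A repeated field could smuggle a second value past a naive parser.
    if len(tokens) != 1:
        raise RejectedForm("expected exactly one address field")
    msg = EmailMessage()
    msg["To"] = resolve_recipient(tokens[0])
    msg["From"] = "webform@example.com"  # fixed sender, also an assumption
    msg["Subject"] = "Web form submission"
    msg.set_content(fields.get("comments", [""])[0])
    return msg


if __name__ == "__main__":
    # Constructed sample submissions (URL-encoded form bodies).
    samples = [
        "address=SUPPORT&comments=printer+is+down",
        "address=someone%40example.net&comments=unsolicited",
        "address=SUPPORT&address=someone%40example.net",
    ]
    for body in samples:
        try:
            print("send to", build_message(body)["To"])
        except RejectedForm as err:
            print("rejected:", err)
```

Unknown tokens are rejected instead of falling back to the submitted value, so the set of possible recipients is exactly the set written into the table.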