
How to secure a mailing script

Status
Not open for further replies.

spyderco

Programmer
Jan 23, 2005
107
US
I am looking for your ideas on making a mailing script (for example a contact form) secure from exploits and spam usage without the use of SSL.

I have integrated the following into my scripts and so far I haven't had any problems but I feel there are other steps to take that I haven't thought of yet.

1) Referer checker (I know this isn't a GREAT way to do anything as it can be faked, but it's better than nothing and it's checked per domain)
2) All collected form fields that are used in the email are stripped out of email addresses. The email address field is broken by a comma, space or semicolon (any combination) and all extra addresses found are stripped. I know there are emails with commas in them but there aren't enough of those to worry about-- I've never come across one.
3) IP usage timer. When they send a message, they get logged into my MySQL database with a timestamp. Each time the script is initiated, it checks their IP address against the timestamp if it's found and will terminate the script if it's used more than once per 30 minutes. This helps ensure bots don't keep sending in data.

4) I have NOT done this but I was planning on setting up a script that pulls out A,B,C,D. Either one or more of them (but of course only one of each). Then the user has to check THAT/THOSE checkboxes. If the wrong ones are selected or the right ones not selected, the script will terminate.

Do you have any other ideas/suggestions on ways to prevent mailing scripts from being attacked?
 
Hi

Cool idea with that checkboxes !

There would be the usual tricks too :
  • show random characters on an image, which must be entered in a form field
  • show a random number spelled in words, which must be entered in a form field with digits

Another possibility, if you can restrict the area from which interesting visitors could come, is to check the IP against an IP-to-country database. Efficient against Asian spam. If you are not Asian.

Feherke.
 
Hi.

Thanks for the suggestions. I have created a RIG (random image generator) with numbers before and it surely would work, but I feel it's more of a nuisance for your customers to have to type them in all the time.

IP location blocking is a possibility that I haven't thought of. It's a little harsh to limit entire groups of people from the site though :)

Thanks for the ideas :)
 
Have a select box to post the data to the script and use that to look up a hash to determine the email address.

Have all your actual email addresses to send to in the script, don't send it with the form

Just a thought


Spend an hour a week on CPAN, helps cure all known programming ailments ;-)
 
Checkboxes and image and whatnot are probably overkill. If the form is only used to send email to you, do what Paul says and code the email address into the server-side script, not the form. If the user can offer another address to which a copy of the message will be forwarded, consider carefully whether such a facility is worth the risk.

Contrary to popular opinion, spammers do not spend their days surfing the web looking for contact forms - they're much too busy finding sure-fire stock options and unlikely quasi-medical contraptions. Instead, they've got bots to trawl the net looking for things that look like mailing scripts. So make life difficult for them - don't call your script "formmail.pl", call it "mattress.pl". Don't call the send-to address field "email", call it "dogkennel". That'll probably keep you safe enough from spam attack.

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd
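An added example (Python, not code from any poster in this thread) of the server-side checks discussed above: the recipient is looked up from a select-box key with the real addresses kept in the script (Paul's and Chris's advice), the sender field must be a single address with no header-breaking characters (item 2), and an IP is refused more than once per 30 minutes (item 3). The recipient keys and addresses are made up, and a dict stands in for the MySQL timestamp table.

```python
import re

# Constructed recipient table: the form submits only a key, never an address,
# so a forged POST cannot turn the script into an open relay.
RECIPIENTS = {
    "sales": "sales@example.com",
    "support": "support@example.com",
}
RATE_LIMIT_SECONDS = 30 * 60

# A CR or LF inside a header value lets the submitter append extra headers
# (for example Bcc:), so the value is rejected rather than repaired.
HEADER_BREAK = re.compile(r"[\r\n]")
# Exactly one address: comma, space or semicolon separators do not match.
SINGLE_ADDRESS = re.compile(r"[^\s,;@]+@[^\s,;@]+\.[^\s,;@]+")


def allowed_by_rate_limit(ip, now, last_seen):
    """True if this IP has not sent within the last 30 minutes.
    last_seen maps ip -> unix timestamp of the last accepted send."""
    prev = last_seen.get(ip)
    return prev is None or now - prev >= RATE_LIMIT_SECONDS


def build_message(form, ip, now, last_seen):
    """Validate a submitted form. Returns (True, headers) or (False, reason).
    The IP is only recorded in last_seen when a message is accepted."""
    if not allowed_by_rate_limit(ip, now, last_seen):
        return False, "rate limited"
    to_addr = RECIPIENTS.get(form.get("dept", ""))
    if to_addr is None:
        return False, "unknown recipient key"
    sender = form.get("from", "")
    if HEADER_BREAK.search(sender) or not SINGLE_ADDRESS.fullmatch(sender):
        return False, "bad sender address"
    subject = form.get("subject", "")
    if HEADER_BREAK.search(subject):
        return False, "bad subject"
    last_seen[ip] = now
    return True, {
        "To": to_addr,
        "Reply-To": sender,
        "Subject": subject[:200],
        "body": form.get("message", ""),
    }
```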
 