Need help!!! To prevent external use of my cgi (email script). 2

[ggordon]

I have numerous CGI email scripts.

I need to figure out how to possibly add (as small amount of code as possible) to each script that would simply require that the CGI script only be called from a form that is located on my server.

I don't want someone .. to be able to create a form on their server, and send it through MY cgi script.

Is there a small bit of code that I can add into my already existing cgi scripts .. that would prevent outside SPAMMING of my email cgi script?

Can someone help? I am in desperate need of assistance.

I need to know the best way to lock this down .. and hopefully it is something I can add into any of my email cgi scripts. Please let me know what you think.

Thanks,
Gary


Gary M. Gordon

 

[PaulTEG]

if ($ENV{'HTTP_REFERER'} ne "MY SERVER") {
   print "I don't think so";
} else {
   go_ahead_and_send_mail;
}

or you could look at the name of the document $0 i think
You can check out the $ENV hash, it'll give you a few good ideas

HTH
--Paul

cigless ...

 

[ggordon]

Paul,

I apologize that I am quite a novice at Perl, so please don't mind my elementary questions.

<b>You said:</b>

if ($ENV{'HTTP_REFERER'} ne "MY SERVER") {
print "I don't think so";
} else {
go_ahead_and_send_mail;
}


<b>So, .. I would set this up as:</>

if ($ENV{'HTTP_REFERER'} ne "mydomain.com") {
print "You don't have permission to use this script.";
} else {
go_ahead_and_send_mail;
}

==============================

1. I changed the "MY SERVER" part.
2. I changed the "print" line.

==============================

So ... now how do I place this into my script so it will work properly. I'm just confused.

Do I place:

if ($ENV{'HTTP_REFERER'} ne "mydomain.com") {
print "You don't have permission to use this script.";
} else {

at the top of the page ...
and then ... put everyting else into a subroutine called:

go_ahead_and_send_mail

IS THAT RIGHT? Again, I apologize, I just need ot know how to set this up?

And .. will the prevent outside SPAMMERS from being able to send emails through the script .. if their form isn't on my server?

Thanks,
Gary


Gary M. Gordon

 

[duncdude]

yep - in the latter part of the if statement


Kind Regards
Duncan

 

[ChrisHunt]

My understanding is that some people's browsers are configured not to send anything in the HTTP_REFERER field, and that it's fairly easy to spoof anyway.

ggordon, are you worried about people using your script to send you spam, or are you worried that they'll use it to spam others.

Older versions of the formmail.pl script passed the destination address as a hidden form parameter. This was a big open door to spamming abuse. If you're still using a script like that, change it so that the destination address is hard-coded into the script, so that messages can't be sent to other people.

If you're worried about mail being sent to you, an easy step to take is to rename the script and the fields to names that conceal their purpose. Spammers have bots out crawling the net, looking for form actions like "formmail.pl" or fields like "message", "email", "name", etc. If your script is called "banana.pl" and the fields are "sausage", "egg" and "bacon" you're less likely to trigger the bot's interest.

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd

 

[ggordon]

Thanks!
Gary

Gary M. Gordon