[thelist] spammers - perpetrators

Phil Turmel pturmel-webdev at turmel.org
Fri Jan 25 18:36:43 CST 2008


Bob Meetin wrote:
> This is an older thread, so I didn't strip out the original problem or 
> Phil's suggestions.  It took me a while to get back to this. 

I thought it looked strangely familiar....

> 
> I like/liked the idea of sending an email acknowledgement but if it's a 
> vulnerability then it goes south. 

Yes, it's vulnerable.  There really is no way to prevent a spammer from
bouncing off your webserver if you auto-acknowledge form submissions.
Having new spammer tricks annoy a webmaster is part of the job of a
webmaster.  Allowing your webserver to send spam to *others* is
absolutely unacceptable (and is likely to get your server blacklisted).

Not that you shouldn't acknowledge the submission--just do it in the web
page you serve up on successful submission.  Any *real* user will see that.

> 
> About the session-based random token - I set up a randomly generated, 
> hidden variable that is regenerated, every time the form is accessed, if 
> it does not exist the form will not submit.  Is this what you are 
> saying?  Is it adequate to check that the variable exists or must I 
> check that the variable matches when the form is submitted?

Yes, make sure it matches.  If it doesn't match or doesn't exist, the
user might have all cookies turned off, so a message to that effect
would be appropriate.  If you only check that the field exists, the
spammer can fill it with junk just like any other text field in the form.

> 
> Someone, perhaps Joel, said to test to make sure that the post is coming 
> from the website in question.  How would I go about that?  This is 
> shared hosting so the IP address of the server won't be absolute, but 
> undoubtedly a start.

Matching a session-specific random token achieves this on the side,
without having to check IP addresses.

> 
> About the database injection stuff, it is probably due to the above and 
> not qualifying the integrity of the content thoroughly enough.  That 
> seems easy enough to solve.
> 
> Much thanks, Bob
> 


You're welcome, and I hope this helps.

Regards,

Phil Turmel
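The session-token scheme Phil describes above, as an added example that is not from the thread: a token is minted on every form load, stored server-side, and on submit its value must match (not merely exist). Python, with an in-memory dict standing in for the server's session store; all names are illustrative.

```python
import secrets
import hmac

# Constructed in-memory session store standing in for the server's real
# session backend, keyed by the session id carried in the user's cookie.
SESSIONS = {}

def render_form(session_id):
    """Called when the form page is served: mint a fresh random token,
    store it in the session and return the hidden-field value to embed."""
    token = secrets.token_urlsafe(32)          # unguessable, regenerated every load
    SESSIONS.setdefault(session_id, {})["form_token"] = token
    return token

def handle_submit(session_id, posted_fields):
    """Called on POST. Returns (accepted, reason)."""
    session = SESSIONS.get(session_id)
    if session is None:
        # No session at all: most likely cookies are disabled on the client,
        # which deserves a user-facing message rather than a silent drop.
        return False, "no session; cookies may be disabled"
    expected = session.pop("form_token", None)  # single use: next post needs a fresh form load
    presented = posted_fields.get("form_token", "")
    # Compare the VALUE, not just presence; constant-time to avoid timing leaks.
    if expected is None or not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "token missing or mismatch"
    return True, "ok"

def exists_only_check(posted_fields):
    """The weaker check from the question: accepts anything non-empty in the field."""
    return bool(posted_fields.get("form_token"))

def demo():
    # Legitimate flow: browser loads the form, then echoes the token back.
    tok = render_form("sess-A")
    legit = handle_submit("sess-A", {"name": "Bob", "form_token": tok})
    # Bot posting directly with junk in the hidden field (constructed sample).
    junk = {"name": "x", "form_token": "junkjunkjunk"}
    bot_exists_only = exists_only_check(junk)   # passes the weak check
    render_form("sess-B")
    bot_match = handle_submit("sess-B", junk)   # fails the matching check
    # Replaying an already-consumed token is rejected as well.
    replay = handle_submit("sess-A", {"name": "Bob", "form_token": tok})
    return legit, bot_exists_only, bot_match, replay

if __name__ == "__main__":
    print(demo())
```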


