[thelist] formmail sending to different recipients

Keith cache at dowebscentral.com
Tue May 14 11:18:01 CDT 2002


At 01:51 PM Thursday 5/9/02, Martin wrote:

>On Thursday, May 9, 2002, at 08:37 pm, Robert Crosbee wrote:
>
>>Anyone know of a way, or mailform, that will allow you to have the user
>>select the department the email should go to and have the form deliver to
>>that selected recipient? I have a list of 6 different recipients that I
>>would need the form to be mailed to.
>
><select name="email_to">
>    <option value="accounts at domain.com">Our accounts dept</option>
>    <option value="marketing at domain.com">Our marketing people</option>
>    <option value="sales at domain.com">Our sales droids</option>
></select>


Whoa! If we're talking formMail.pl as the mailer script this tactic will
open the script to abuse. The recipient(s) should never be passed by the
form, they should be hard-coded on the script or picked up from a server
based list. If the sender can determine the recipient the script becomes an
email relay script that spammers will love to use.

The older versions of formMail.pl allowed the recipient(s) to be passed
from the form, attempting to rely on HTTP_REFERER to guarantee that
someone was not sending their own list of recipients. HTTP_REFERER is so
easy to fake that formMail.pl quickly became the de facto email relay for
spammers. The newer versions of formMail.pl do not allow the recipient(s)
to come from anywhere but the server.

A safe alternative:

<select name="email_to">
    <option value="accounts">Our accounts dept</option>
    <option value="marketing">Our marketing people</option>
    <option value="sales">Our sales droids</option>
</select>

and then have the script add the domain to the partial email address being
passed from the form. An easier alternative: list the recipients in an
array on the script (@recipients) and have the values of the email_to
options simply be the ordinal position in the array for that recipient;
$recipients[$email_to] would give you the selected recipient.

Safe, sane, and consensual... applies to coding too..... ;-)



keith

cache at dowebscentral.com
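The two safe lookups Keith describes (name plus server-added domain, and ordinal index into a server-side list), written out as an added example that is not part of the original post or of formMail.pl. The domain "domain.com", the recipient names, the resolver function names and the sample form submission are all assumed for illustration. It is written in Python rather than Perl so it can be run here; the logic is the same. The unsafe variant is kept alongside to show what the post warns against: the form's value goes straight into the recipient. The index variant also rejects values such as "-1" or "1e0", which a bare `$recipients[$email_to]` would silently coerce (a negative index selects from the end of the array).

```python
# Added example (not from the original post or from formMail.pl): resolving a
# form's "email_to" field to a recipient on the server, so the sender can never
# choose an arbitrary address.
import re
from urllib.parse import parse_qs

DOMAIN = "domain.com"  # assumed domain, matching the post's sample addresses

# Server-side allow-list of recipients; the @recipients array from the post.
RECIPIENTS = ["accounts", "marketing", "sales"]


def resolve_unsafe(email_to):
    """The pattern the post warns about: the form value IS the recipient.
    Anyone who can submit the form can make the script mail anyone."""
    return email_to


def resolve_by_name(email_to):
    """Form passes a short key ("accounts"); the script appends the domain.
    Unknown keys resolve to None so the mail is refused rather than relayed."""
    if email_to not in RECIPIENTS:
        return None
    return f"{email_to}@{DOMAIN}"


def resolve_by_index(email_to):
    """Form passes the ordinal position in RECIPIENTS ("0", "1", "2").
    Only a plain non-negative decimal within range is accepted; "-1", "1e0",
    "" or "2;foo" are rejected instead of being coerced to some element."""
    if not re.fullmatch(r"[0-9]+", email_to or ""):
        return None
    i = int(email_to)
    if i >= len(RECIPIENTS):
        return None
    return f"{RECIPIENTS[i]}@{DOMAIN}"


def recipient_from_form(query_string, resolver):
    """Pull email_to out of a (constructed) form submission and resolve it.
    Missing field -> None; repeated field -> only the first value is used."""
    fields = parse_qs(query_string, keep_blank_values=True)
    values = fields.get("email_to")
    if not values:
        return None
    return resolver(values[0])


if __name__ == "__main__":
    # Constructed submissions: a legitimate one and a spammer's attempt.
    legit = "email_to=1&message=Price+list+please"
    abuse = "email_to=victim%40example.net&message=BUY+NOW"
    for qs in (legit, abuse):
        print(qs)
        print("  unsafe  :", recipient_from_form(qs, resolve_unsafe))
        print("  by index:", recipient_from_form(qs, resolve_by_index))
        print("  by name :", recipient_from_form(qs, resolve_by_name))
```

Either safe resolver returns None for anything not on the server-side list, and the mailer should treat None as "do not send" rather than falling back to a default that could still be influenced by the form.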
