[BBLISA] spam & autoresponse webforms (fwd)
David Cogley
cogley at gibraltar.basespace.net
Fri Mar 12 16:33:18 EST 2004
Thank you for your response.
This is a custom script.
On your site, you write:
"Rate limit the usage of the form based on the IP address,
sender address, number of recipients, and number of times
the same recipient can receive email."
I'm not certain this would work for my web form since the hacker
downloaded my web page, modified it, and then used it to POST from
3 different addresses. A hacker who is that clever could POST from
any number of sites and to any number of recipients.
As it turns out, the "untainting" which I had done prevented any
damage. Since that time, I have modified the CGI script to:
1) truncate all input field values to a small number of characters,
2) process the entry for the email address to discard all
characters after the email address, e.g., everything after
recipient at host.com
Nevertheless, how would I "rate limit the usage of the form"?
It sounds as though you would record all form accesses to a database
and then consult the database before processing form values.
David Cogley
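The following is an added example and not the poster's CGI script: it shows, in Python, the two sanitising steps described in the message (clipping every field, keeping only the address itself and dropping whatever follows it, which is also what defeats an injected "Bcc:" header line) together with the "record every form hit, consult the records before processing" rate limit the poster asks about, keyed by client IP, sender and recipient. The field names, the per-hour limits, the SQLite table and the sample addresses are all assumptions chosen for the illustration, and the scenario in run_demo() is constructed to mirror the post: one copied form, POSTed from three addresses, all aimed at the same recipient.

```python
"""Added example: sanitising and rate-limiting a mail web form.

Not the poster's script. Field names, limits, table layout and the sample
submissions below are assumptions made for the illustration.
"""
import re
import sqlite3
import time

MAX_FIELD_LEN = 256          # assumed per-field cap (step 1 of the post)
# One bare address; the character classes stop at whitespace, CR, LF, commas.
ADDR_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')


def truncate_fields(form, limit=MAX_FIELD_LEN):
    """Clip every submitted field to `limit` characters."""
    return {k: v[:limit] for k, v in form.items()}


def extract_address(value):
    """Return the first address in `value`, discarding everything before and
    after it (step 2 of the post). Anything injected after the address, such
    as "\\r\\nBcc: ...", is dropped. Returns None when no address is present."""
    m = ADDR_RE.search(value)
    return m.group(0) if m else None


class RateLimiter:
    """Sliding-window hit counters kept in SQLite, one row per (dimension, value).

    Hits are recorded whether or not the submission is allowed, so a sender who
    keeps POSTing past the limit stays blocked for the whole window.
    """

    def __init__(self, conn, window_seconds=3600, limits=None):
        self.conn = conn
        self.window = window_seconds
        # assumed limits per window: hits per IP, per sender, per recipient
        self.limits = limits or {'ip': 5, 'sender': 5, 'recipient': 3}
        conn.execute('CREATE TABLE IF NOT EXISTS form_hits '
                     '(dimension TEXT, value TEXT, ts REAL)')
        conn.execute('CREATE INDEX IF NOT EXISTS form_hits_idx '
                     'ON form_hits (dimension, value, ts)')

    def check_and_record(self, ip, sender, recipient, now=None):
        """Consult the table first, then record the hit. Returns (allowed, reason)."""
        now = time.time() if now is None else now
        cutoff = now - self.window
        self.conn.execute('DELETE FROM form_hits WHERE ts <= ?', (cutoff,))
        keys = {'ip': ip, 'sender': sender, 'recipient': recipient}
        reason = None
        for dim, val in keys.items():
            (count,) = self.conn.execute(
                'SELECT COUNT(*) FROM form_hits WHERE dimension=? AND value=? AND ts>?',
                (dim, val, cutoff)).fetchone()
            if count >= self.limits[dim]:
                reason = f'{dim} {val!r} exceeded {self.limits[dim]} per {self.window}s'
                break
        for dim, val in keys.items():
            self.conn.execute('INSERT INTO form_hits VALUES (?, ?, ?)', (dim, val, now))
        self.conn.commit()
        return reason is None, reason


def handle_submission(form, client_ip, limiter, now=None):
    """Sanitise one POST, then rate-limit it. Returns (ok, reason, cleaned_form)."""
    cleaned = truncate_fields(form)
    sender = extract_address(cleaned.get('from', ''))
    recipient = extract_address(cleaned.get('to', ''))
    if sender is None or recipient is None:
        return False, 'missing or malformed address', None
    cleaned['from'], cleaned['to'] = sender, recipient
    ok, reason = limiter.check_and_record(client_ip, sender, recipient, now=now)
    return ok, reason, cleaned if ok else None


def run_demo():
    """Constructed scenario: the copied form POSTed twice from each of three
    IPs, each with its own sender, all aimed at one recipient and carrying a
    Bcc injection attempt in the recipient field."""
    limiter = RateLimiter(sqlite3.connect(':memory:'),
                          limits={'ip': 5, 'sender': 5, 'recipient': 3})
    t0 = 1_000_000.0  # fixed clock so the demo is deterministic
    results = []
    for i, ip in enumerate(['198.51.100.1', '198.51.100.2', '198.51.100.3']):
        for j in range(2):
            form = {'from': f'user{i}@example.org',
                    'to': 'victim@example.com\r\nBcc: a@spam.example, b@spam.example',
                    'body': 'buy now ' * 500}
            results.append(handle_submission(form, ip, limiter, now=t0 + 10 * i + j))
    return results


if __name__ == '__main__':
    for ok, reason, cleaned in run_demo():
        print('accepted' if ok else f'rejected: {reason}', cleaned and cleaned['to'])
```

In the constructed run the first three submissions are accepted with the recipient cleaned to victim@example.com and the injected Bcc line gone; the fourth onwards are refused because the recipient has already received three messages in the window, even though each IP and each sender is still under its own limit. The per-recipient dimension is what makes the "POST from any number of sites" case manageable: the attacker can vary the source, but the target address cannot be varied without losing the target.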