On Fri, 12 Apr 2002, Chris Murley wrote:

> So, we wrote a wrapper that checks to see how many emails the cgi is trying
> to send to, if it's more than 4, we stop the email from going out.

The attempts I saw in the last week were coming from all over; many unresolved (probably Far East) addresses. One guy on Earthlink was very persistent. I saw some attempts trying to send to 30 recipients, but most were going to one or sometimes two. The AOL fraud attempts were sending the same message from a variety of different addresses.

While an enumerated list of recipients can be used, that adds a maintenance problem in adding new users.

One idea that occurred to me was to set a cookie in a CGI-generated no-cache web bug (or small icon) that the user would include with their form. The mail script would check for the correct cookie. It could be a one-time unique cookie, or a random string, perhaps hashed from the server address. Anything could be defeated on a one-time basis, but it would take a bit of effort.

Or, more simply, your users could be told to set a particular hidden form value and the script set to require it. Clearly an abuser would be able to read the HTML and set the value, but it would block the vast majority of automated abuse (send to http://some.org/cgi-bin/formmail.pl with recipient=dropbox and subject=http://some.org/cgi-bin/formmail.pl, then just build a list from the incoming mail).

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
securityat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
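A wrapper check along the lines discussed in this message (cap of 4 recipients, plus a required hidden form value derived from the server address), written here as an added Python example rather than anything from the thread or from formmail.pl itself; the field name `auth_token`, the secret, and the sample POST bodies are assumptions constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

MAX_RECIPIENTS = 4  # the cap Chris Murley's wrapper enforces

# Constructed secret for this example only; a real deployment keeps it outside the script.
SERVER_SECRET = b"example-secret-do-not-use"


def expected_token(server_name: str) -> str:
    """Hidden-field value derived from the server address, as the post suggests.
    Using an HMAC means the value cannot be regenerated from the address alone."""
    return hmac.new(SERVER_SECRET, server_name.encode(), hashlib.sha256).hexdigest()[:32]


def split_recipients(field: str) -> list:
    """FormMail takes a comma-separated recipient list; also tolerate ';' and spaces."""
    parts = field.replace(";", ",").replace(" ", ",").split(",")
    return [p for p in parts if p]


def check_submission(body: str, server_name: str) -> tuple:
    """Return (accept, reason) for a raw application/x-www-form-urlencoded POST body."""
    form = parse_qs(body, keep_blank_values=True)

    # 1. Require the hidden value; abusers harvesting scripts by URL will not send it.
    token = form.get("auth_token", [""])[0]
    if not hmac.compare_digest(token, expected_token(server_name)):
        return False, "missing or wrong hidden token"

    # 2. Count every recipient across repeated and comma-joined 'recipient' fields.
    recipients = []
    for value in form.get("recipient", []):
        recipients.extend(split_recipients(value))
    if not recipients:
        return False, "no recipient"
    if len(recipients) > MAX_RECIPIENTS:
        return False, "%d recipients exceeds %d" % (len(recipients), MAX_RECIPIENTS)
    return True, "ok"
```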
This archive was generated by hypermail 2b30 : Sun Apr 14 2002 - 14:54:30 PDT