At 4:02 PM -0700 4/12/02, Andrew Daviel wrote:

>One idea that occurred to me was to set a cookie in a CGI-generated
>no-cache web bug (or small icon) that the user would include with
>their form. The mail
>script would check for the correct cookie. It could be a one-time unique
...
>Or, more simply, your users could be told to set a particular hidden
>form value and the script set to require it. Clearly an abuser would be
>able to read the HTML and set the value, but it would block the vast

I fail to see how either of these would do any more than give you a false
sense of security. You use these techniques. A bunch of people install
them, and then a month later spammers are using a formmail exploit that
takes them into account by fetching the webbug, getting the cookie, and
submitting the form. (Or reading the script for the hidden value, and then
using it.) Sure, it takes a few more seconds for the exploit to run, but
that hardly matters.

>While an enumerated list of recipients can be used, that adds a
>maintenance problem in adding new users.

In any good web solution, writing the administration tools always takes
longer than writing the end-user code. Spammers make administration
harder. It's a fact of life, and it isn't going to go away.

-- 
Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/
nazgulat_private

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to
regulate everyone else's.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
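The enumerated recipient list the thread ends up endorsing, as an added example (not code from either poster): a Python recipient check for a form-to-mail handler. The allowlist is constructed and holds both exact addresses and whole-domain entries written as "@domain"; the domain entries are an assumption added to ease the maintenance burden Andrew mentions, since new users in an allowed domain need no list change. The handler also refuses CR/LF characters in header-bound fields. Function and variable names are hypothetical.

```python
"""Recipient allowlist for a form-to-mail handler (constructed example)."""
import re
from email.utils import parseaddr

# Constructed allowlist: exact addresses, plus whole domains written "@domain".
# Entries are kept lowercase; submitted addresses are lowercased before lookup.
ALLOWED_RECIPIENTS = {
    "webmaster@example.org",
    "sales@example.org",
    "@support.example.org",
}

_LOCALPART = re.compile(r"^[A-Za-z0-9._%+-]+$")


def normalize(addr):
    """Return the bare lowercase address, or None if it is not one clean address.

    Rejects anything with a display name, a list of addresses, or embedded
    line breaks, so the value can be used as a mail header verbatim.
    """
    if addr is None or "\r" in addr or "\n" in addr:
        return None
    _name, bare = parseaddr(addr)
    # parseaddr strips display names and extra addresses; insist that nothing
    # was stripped, i.e. the submitted value was already a bare address.
    if not bare or "@" not in bare or bare != addr.strip():
        return None
    local, _, domain = bare.rpartition("@")
    if not _LOCALPART.match(local) or not domain:
        return None
    return bare.lower()


def recipient_allowed(addr, allowlist=ALLOWED_RECIPIENTS):
    """True only if the address is on the allowlist, exactly or by domain."""
    bare = normalize(addr)
    if bare is None:
        return False
    if bare in allowlist:
        return True
    domain = bare.rpartition("@")[2]
    return "@" + domain in allowlist


def handle_submission(form):
    """Validate a submitted form (a dict of field -> value).

    Returns (accepted, reason). The recipient comes from the form only so
    the example mirrors a formmail-style script; the allowlist, not the
    submitter, decides where mail may go.
    """
    recipient = form.get("recipient", "")
    if not recipient_allowed(recipient):
        return False, "recipient not in allowlist"
    for field in ("subject", "from"):
        value = form.get(field, "")
        if "\r" in value or "\n" in value:
            return False, "line break in " + field
    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions: one legitimate, one aimed at an outside address.
    print(handle_submission({"recipient": "sales@example.org", "subject": "Quote"}))
    print(handle_submission({"recipient": "victim@example.com", "subject": "Offer"}))
```

The check deliberately ignores any hidden field or cookie the form carries: as Kee notes, those are readable by whoever reads the HTML, so the only input the script trusts is its own allowlist.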
This archive was generated by hypermail 2b30 : Mon Apr 15 2002 - 11:39:22 PDT