CGI Security Issues
When you are creating or using CGI routines, you must be careful to keep good coding techniques, security and ethical considerations in mind. Sometimes you can do things that cause unforeseen side effects. In fact, sometimes you may think you are making your CGI routine secure only to find out it just doesn't work as you expected.
A good example of this phenomenon is a simple CGI routine called FormMail. This was written a number of years ago by a fellow named Matt Wright to allow data to be entered in a form, then emailed to a recipient.
I first looked at FormMail because I wanted to cut down on spam. You see, my web site had my email address embedded on every single page. I thought this was a good idea to allow people to send me an email message when they wanted to contact me. In fact, all of the web design books state that all good web sites include an email link of this kind.
I soon discovered, much to my horror, that spammers have special programs called Spam Harvesters to scan websites for email addresses. They add these addresses to their mailing lists and resell them over and over. The result was a huge increase in the amount of spam that I received.
After some research, I came to the conclusion that the best defense against spam robots was to simply stop including my email address on my web sites. This left the question of how to allow users to contact me when they had questions or comments.
The answer is no problem - use a form. The advantage is that the email address is hidden within the CGI routine or a data file and it is simply not possible for a spam harvester to pick it up. As long as the email address is coded into the CGI routine or stored in a database you are relatively safe.
However, many people use FormMail in a different way. Let's say you want to allow your visitors to "tell a friend" about your site. So you add a form which allows visitors to enter their message and a destination email address. If you are not very careful you could find that you have set yourself up as a spam relay.
You see, spammers are always looking for ways to hide their identity. One common method is to search the internet for occurrences of FormMail. Sometimes I wonder whether spammers rub their hands together in glee when they find sites which use FormMail with user-entered email addresses.
The spammer essentially "hijacks" the FormMail CGI routine and causes it to send out emails as fast and furiously as it can. I know of one instance where a spammer sent over one million emails in a single day before someone noticed that their web server was running very slowly (I wonder how long it would have taken had the spammer tried limiting the load on the server so it didn't show up as much).
What happens here is very simple. The FormMail CGI routine is simply called remotely by the spammer, once for each spam email that he wants to send.
Ah, you say, but you could modify the FormMail routine to check the referrer field. This would surely prevent a spammer from using it remotely, as his referrer would not be the website URL.
Sorry, no. The referrer field is actually just a text string passed to the CGI routine by the browser. The spammer is most likely using a program which appears, to your web site, to be just another browser. Since the spammer controls the program he can tell it to pass the CGI routine whatever value he wants for the referrer field.
As it turns out, it is very difficult to make a CGI routine such as FormMail even relatively secure, and it may be impossible to make it bullet-proof. All you can do is check enough things and put in delays here and there to slow down and discourage spammers.
You could, for example, only allow one posting per IP address per hour. You could also check the referrer just to block out the more stupid spammers. I suppose you could count the number of times the routine is called, and have it just stop working after a certain amount. For example, only allow one hundred calls per day from anywhere.
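Here is an added example (not part of the original article, and not Matt Wright's FormMail code) of a form handler's accept-or-reject logic that applies the ideas above: the recipient is fixed server-side rather than taken from the form, the referrer check is kept only as a weak first filter, and posts are limited to one per IP address per hour and one hundred per day overall. The recipient address, site URL and the in-memory counter store are constructed placeholders.

```python
import time
from collections import defaultdict

# Constructed placeholders; a real deployment sets these server-side.
RECIPIENT = "webmaster@example.com"
SITE_URL = "https://www.example.com/"

class FormMailGuard:
    """Accept-or-reject logic for a contact-form handler, with an in-memory
    counter store (hypothetical; a real CGI would persist counts on disk)."""

    def __init__(self, per_ip_per_hour=1, global_per_day=100):
        self.per_ip_per_hour = per_ip_per_hour
        self.global_per_day = global_per_day
        self.by_ip = defaultdict(list)  # ip -> timestamps of accepted posts
        self.all_posts = []             # timestamps of accepted posts, any ip

    @staticmethod
    def _prune(stamps, now, window):
        # Drop timestamps older than the window (in-place)
        stamps[:] = [t for t in stamps if now - t < window]

    def check(self, ip, referrer, fields, now=None):
        """Return (accepted, reason, message); message is built only on accept."""
        now = time.time() if now is None else now
        # Referrer is a client-supplied string, so this only filters the
        # laziest automation; it is never the real control.
        if not (referrer or "").startswith(SITE_URL):
            return False, "bad-referrer", None
        # The recipient is never taken from the form: a client-chosen address
        # is exactly what turns a "tell a friend" form into a spam relay.
        if any(k in fields for k in ("recipient", "to", "cc", "bcc")):
            return False, "client-chosen-recipient", None
        # One posting per IP address per hour.
        self._prune(self.by_ip[ip], now, 3600)
        if len(self.by_ip[ip]) >= self.per_ip_per_hour:
            return False, "ip-rate-limit", None
        # Global cap: stop working after N calls in a day, from anywhere.
        self._prune(self.all_posts, now, 86400)
        if len(self.all_posts) >= self.global_per_day:
            return False, "daily-cap", None
        self.by_ip[ip].append(now)
        self.all_posts.append(now)
        message = {"to": RECIPIENT, "from_ip": ip,
                   "body": str(fields.get("message", ""))[:4000]}
        return True, "ok", message
```

The rejection reasons are worth logging: a burst of "client-chosen-recipient" or "ip-rate-limit" rejections is the early warning that someone has found the form and is trying to use it as a relay.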
The point here is not to tear apart the FormMail routine. The point is to show how difficult it can be to make anything secure on the internet, and to demonstrate that some assumptions (such as that the referrer field is a valid check) may not hold true in all cases.
What do you do? Before you install any CGI or similar interface, be sure to do a little research so that you completely understand and handle the ramifications. If you don't do this, you may find yourself the victim of a hacker or spammer.
Published: January 15, 2008