Re: Securing mailing scripts
by marto (Cardinal) on Sep 15, 2005 at 14:59 UTC
| [reply] |
Re: Securing mailing scripts
by InfiniteSilence (Curate) on Sep 15, 2005 at 14:59 UTC
REFERER check ...
That can be spoofed.
IP time checker...
How does that stop people from using the script?
Message substitutions ...
Ok, but don't you want to send out an e-mail to multiple people?
Perhaps what you want is to use SSL to connect to your script and insist that the script be run only via the secure port (443)?
Celebrate Intellectual Diversity
| [reply] |
The IP checker would be used to stop automated form submissions in case all it's doing is automatically resubmitting the form for each email.
If the IP has a timestamp inside the "kill zone", the script will quit. This way only one message could be sent every 5 or 10 minutes.
I am aware that REFERER can be spoofed, that's why it's not the only security precaution I'm trying to take.
Thanks for your help!
"Age is nothing more than an inaccurate number bestowed upon us at birth as just another means for others to judge and classify us"
sulfericacid
| [reply] |
Re: Securing mailing scripts
by phaylon (Curate) on Sep 15, 2005 at 15:11 UTC
| [reply] |
In your original post you said you're filtering "To"; now you say "To:" is hardcoded.
For preventing mass mailing you may generate pictures on the fly and ask the "USER" to complete a field of the form with the content of the picture (text or number).
There's no point in using SSL unless you want to protect the contents of the message or you are using some means of auth (user/pass, secret key, etc.), which I don't think is the case.
| [reply] |
Re: Securing mailing scripts
by jhourcle (Prior) on Sep 15, 2005 at 21:00 UTC
Where are the messages being sent?
Based on what you're saying in 'message substitutions', you're accepting as input the 'who to send to' type fields -- unless this is a 'mail this article to a friend' or similar, you typically don't need to take that sort of input from the user, as it's dependent on the submission form.
In the case where we were hosting the script for users on the system, I had users create configuration files (which contained required fields, message formatting rules, recipients, response to the submitter, etc), and they passed enough information to the system for it to locate their configuration file (user name, and path from their home directory).
This way, we could allow users on the system to use the script, while rejecting it being used as a backend for unaffiliated persons. (and so long as users have write access to the system, it's much more effective than referrer ... you could probably pass in a URL to get the configuration file, and have an acceptable pattern, and cache, but it's going to be much more complicated)
If you're allowing visitors to specify the recipient (e-cards, mail this article, etc.), I'd probably use rate limiting by IP, and some more general rate monitoring (if I see a sudden spike in usage, it might be an issue, even if it's coming from multiple IP addresses). I might also do some sort of monitoring of 'added' body content, if it's acceptable by the security rules, so that I can see if the same/similar message body is being repeated over and over again.
| [reply] |
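The per-IP "kill zone", the site-wide rate monitoring and the repeated-body check discussed in the posts above, combined in one Perl routine as an added example (not code from any poster in this thread). The function name `check_submission`, the in-memory state hash and every threshold except the 5-minute window are assumptions, and the sample traffic is constructed.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Assumed thresholds (only the 5-minute window comes from the thread).
my $KILL_ZONE  = 300;   # seconds one IP must wait between messages
my $SPIKE_WIN  = 600;   # window for the site-wide rate monitor
my $SPIKE_MAX  = 4;     # accepted messages per window before holding
my $REPEAT_MAX = 3;     # times the same normalised body may be seen

# $state is a plain hash here; a CGI script would keep it in a DBM file
# or database with locking, since each request is a new process.
sub check_submission {
    my ($state, $ip, $body, $now) = @_;

    # 1. Per-IP kill zone: quit if this IP sent mail too recently.
    my $last = $state->{last_seen}{$ip};
    return 'deny: ip inside kill zone'
        if defined $last && $now - $last < $KILL_ZONE;

    # 2. Repeated body: normalise case/whitespace, then count digests.
    (my $norm = lc $body) =~ s/\s+/ /g;
    my $seen = ++$state->{body_count}{ sha1_hex($norm) };
    return 'deny: repeated body' if $seen > $REPEAT_MAX;

    # 3. Site-wide spike: count accepted sends inside the window.
    my $recent = $state->{recent} ||= [];
    @$recent = grep { $now - $_ < $SPIKE_WIN } @$recent;
    return 'hold: site-wide spike' if @$recent >= $SPIKE_MAX;

    push @$recent, $now;
    $state->{last_seen}{$ip} = $now;
    return 'allow';
}

# Constructed sample traffic: [seconds, ip, body].
my @hits = (
    [   0, '192.0.2.10', 'Hello from the contact form'],
    [  30, '192.0.2.10', 'Second try from the same address'],
    [  60, '192.0.2.11', 'Buy  CHEAP pills'],
    [  61, '192.0.2.12', 'buy cheap pills'],
    [  62, '192.0.2.13', 'Buy cheap   pills'],
    [  63, '192.0.2.14', 'BUY CHEAP PILLS'],
    [ 400, '192.0.2.10', 'A later message from the first address'],
);
my %state;
printf "%4d %-11s %s\n", $_->[0], $_->[1], check_submission(\%state, @$_[1, 2, 0])
    for @hits;
```

The second hit is stopped by the kill zone, the fourth copy of the same body is stopped even though it comes from a new address, and the last hit is held because four messages were already accepted inside the 10-minute window.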
Re: Securing mailing scripts
by radiantmatrix (Parson) on Sep 15, 2005 at 20:56 UTC
With the aside that there is no such thing as "perfectly secure", you can get a long way with a CAPTCHA.
For those that may not be able to visit that site, a CAPTCHA is a program that can create and grade tests that are easy for a human to pass, but hard for a computer. Lots of big sites use them in the form of images that contain mangled strings -- enter the plain text that matches what's in the image, and you can reasonably assume the submitter is human.
Someone has even rolled a nice Perl implementation already.
<-radiant.matrix->
Larry Wall is Yoda: there is no try{} (ok, except in Perl6; way to ruin a joke, Larry! ;P)
The Code that can be seen is not the true Code
"In any sufficiently large group of people, most are idiots" - Kaa's Law
| [reply] |