in reply to Security of Mail Script

Well, they can spam the recipient mentioned in the form (that is, whoever is referred to with '12345'). Now, if there's just a few of those 'keys', no spammer will bother. But if you have thousands of people in your database, and the keys can be easily guessed (for instance, because you use consecutive numbers), a spammer can use the form by just guessing keys.


Replies are listed 'Best First'.
Re: Re: Security of Mail Script
by arturo (Vicar) on Feb 09, 2004 at 15:56 UTC

    Hrm, makes me think that one way of doing it might be to use a hashed value of ( the email address plus a secret key ) in order to specify the recipient. Those who want to receive mail at a specific address via the form could be given the hashed value. Although it obscures the actual destination, it's no protection against a spammer who doesn't care who's on the other end (which is, of course, the overwhelming majority of spammers).

    If not P, what? Q maybe?
    "Sidney Morgenbesser"