in reply to Port 80 Mail Relay (Spammers Welcome?)

uggh, been there done that... The issue is fundamental to the way the script works, so I don't know if there is really a good way to patch this one up *and* retain backwards compatibility.

However, when I inherited a similar situation, I did manage to stop the script kiddies. Luckily the entire site was dynamic (SSI), so we put an extra field in all the FORM pages. The value of this hidden field changed every hour and was valid for two hours. If a request came in that didn't have a valid value, we didn't send the mail.

We managed to get rid of the real-world problem, even though theoretically it wasn't any more secure. It does require slight modification to the submission page, so it might not be what you need, but it did work fine for us.

-Blake

Re: Re: Port 80 Mail Relay (Spammers Welcome?)
by ginseng (Pilgrim) on Sep 13, 2001 at 15:14 UTC
    whoa, I like this. It can be extended.

    I don't like SSI (and fortunately only one existing customer was using it, so I only support it on one site :) but I could require ... what, an include of some kind? ... on the form page that generates a key. If the key is not there, the mail just doesn't go.

    I can quickly and easily migrate all existing forms using a perl script, and require all new forms to use the key generator. Instructions can be integrated with the existing "how to".

    I will admit first though, btrott has written a replacement program called stamp that I'm looking at right now. It looks *really* good, though it's not backward compatible. (Thanks to crazyinsomniac who pointed it out to me.)

      I wasn't advocating SSI, just pointing out that the submission forms weren't static html. You've got the basic idea though... a carefully crafted perl -pi -e 's///' on the existing forms, along with an hourly cron job to update the "secret" key was all it took. Not a great solution, but perhaps good-enough for the short term.

      -Blake

        How about an encrypted string containing a timestamp (to avoid the cron job), the recipient address and a secret key that must be passed as hidden input and validated by formmail?

        alex pleiner <alex@zeitform.de>
        zeitform Internet Dienste
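As an added illustration of the two token schemes in this thread (Blake's hourly-rotated hidden field with a two-hour validity window, and alex's self-validating string carrying a timestamp and the recipient address), here is a small Python sketch that is not code from the thread or from formmail. It uses an HMAC over the timestamp and recipient instead of encryption, since what the mail script needs is integrity and freshness, not secrecy; the secret, recipient and window length are constructed demo values.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo secret; a real deployment keeps it outside the web root.
SECRET = b"example-secret-not-for-production"
MAX_AGE = 2 * 3600  # two hours, the validity window Blake describes


def _mac(payload: bytes) -> bytes:
    """Hex HMAC-SHA256 of the payload (hex keeps the '|' separator unambiguous)."""
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()


def make_token(recipient: str, now: Optional[int] = None) -> str:
    """Value for the hidden form field: base64("timestamp|recipient|hmac")."""
    ts = int(time.time()) if now is None else now
    payload = f"{ts}|{recipient}".encode()
    return base64.urlsafe_b64encode(payload + b"|" + _mac(payload)).decode()


def check_token(token: str, recipient: str, now: Optional[int] = None) -> bool:
    """True only if the token is intact, bound to this recipient and unexpired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw.rsplit(b"|", 1)
        ts_bytes, rcpt = payload.split(b"|", 1)
        ts = int(ts_bytes)
    except (ValueError, TypeError):
        return False  # malformed, truncated or non-base64 field
    if not hmac.compare_digest(mac, _mac(payload)):
        return False  # tampered, e.g. recipient rewritten after signing
    if rcpt.decode() != recipient:
        return False  # genuine token, but issued for a different recipient
    current = int(time.time()) if now is None else now
    # Reject both expired tokens and tokens dated in the future.
    return 0 <= current - ts <= MAX_AGE


if __name__ == "__main__":
    tok = make_token("webmaster@example.org")
    print("fresh token accepted:", check_token(tok, "webmaster@example.org"))
```

The form page embeds `make_token(recipient)` in a hidden input and the mail script calls `check_token` before sending; a rejected check is worth logging, since a burst of failures is the signature of someone replaying or hand-building submissions.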