Re: Preventing outbound SPAM

We had to consider this when writing the nms formmail program. Formmails are the most badly abused CGI programs on the web. Here are what we recommend (and, whenever possible, enforce) in formmail.

Only ever allow the form to send email to a fixed set of email addresses. Most spammers will test formmail programs by trying to get an email sent to themselves. If you don't send email to addresses that are input through the form then the spammer won't get his test email back and will probably abandon your site.
If you're sending to ad-hoc email addresses, then only send fixed text that is configured in the program and not taken from the form. If a spammer can't change what the email says then your system is of little use to him.
If you can't do either of the above, then force people to register (and check their email address is valid) before using your system to send email. That will discourage spammers as (for obvious reasons) they don't like to leave a trail.

As in so many areas of life, it's just a case of making your system harder to abuse than your neighbours'. If your system gives the spammers any trouble at all then they'll soon move on to a less well-guarded server.

--
<http://dave.org.uk>

"The first rule of Perl club is you do not talk about Perl club."
-- Chip Salzenberg

Comment on Re: Preventing outbound SPAM

Replies are listed 'Best First'.
Re^2: Preventing outbound SPAM by hv (Prior) on Jun 02, 2006 at 10:17 UTC
As in so many areas of life, it's just a case of making your system harder to abuse than your neighbours'. If your system gives the spammers any trouble at all then they'll soon move on to a less well-guarded server. This is not my experience - my (work) logs show that we often get repeated attempts at the same script from the same IP address, or from different IP addresses but with the same payload (including the same throwaway target email address) over a period of time. One particularly persistent guy has returned from the same IP address to the same script with the same payload once a month for at least the 6 months we've been logging enough to tell. Note that this is just logging the special case where people explicitly attempt to trick the script by inserting things like "`some text\ncc: email@address`" into random fields that look as if they might make it into email headers. (For what it's worth, we deal with this by logging such abuse, and blocking offending IP addresses for escalating periods of time.) Hugo	[reply] [d/l]
Re^2: Preventing outbound SPAM by UnderMine (Friar) on Jun 01, 2006 at 12:47 UTC
Thanks. Each form goes to only one email address which is one of the clients members. However there are hundreds of forms one for each member. Unfortunately the client does not believe that you should have to register to ask there members a question. But we are trying to change that. UnderMine	[reply]
Re^3: Preventing outbound SPAM by davorg (Chancellor) on Jun 01, 2006 at 12:52 UTC
Unfortunately the client does not believe that you should have to register to ask there members a question. But we are trying to change that. Your client needs to be introduced to the realities of the situation; registration or spam - pick one :-) -- <http://dave.org.uk> "The first rule of Perl club is you do not talk about Perl club." -- Chip Salzenberg	[reply]
Re^4: Preventing outbound SPAM by UnderMine (Friar) on Jun 01, 2006 at 12:59 UTC
Oh I agree with you there. Fixing the door after the horse has bolted is a pointless exercise. Catching a horse as it bolts is difficult and often painful. Not opening the door in the first place is simplist. I justwish life was simple UnderMine	[reply]
Re^5: Preventing outbound SPAM by marto (Cardinal) on Jun 01, 2006 at 13:42 UTC