in reply to Re^3: No Reply message
in thread No Reply message

Thanks a lot, kennethk. I agree with you. It is lack of time that tempts me to ask a question in a new thread when I see that I need to rephrase it and can't wait to get the answer.
May I ask you one more question? Will it protect if I do the following?
First of all I do not allow attachments. All I need is to reply to the indicated email address with the link to my site with the generated ID. When it is clicked I get confirmation and register this user. When the email address is entered in the form I get it on the server side and make sure that there is only one there. Now, the bot may keep bombarding my form with addresses and pressing submit in the loop. But what I do is I do not accept submissions from the same IP more often than, let's say, once every 5 mins.
What do you think?
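
The flow described above (token in the link, confirmation on click, one submission per IP per 5 minutes), written out as an added Perl example that is not from the original post or from any module it mentions. It assumes /dev/urandom for the token, example.com as a placeholder host, and plain hashes where a real site would use a database; the throttle key is just a string, so a session identifier can be used in place of the IP without changing the code.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# In-memory stores (constructed for the example; a real site uses a database).
my %pending;        # sha256(token) -> { email => ..., created => epoch seconds }
my %registered;     # email -> 1
my %last_submit;    # throttle key (here the client IP) -> epoch of last accepted submission
my $THROTTLE_SECS = 5 * 60;     # "no more than one submission per IP every 5 minutes"
my $TOKEN_TTL     = 24 * 3600;  # confirmation links expire after a day

# The "generated ID" in the link: 32 bytes from the OS RNG, hex-encoded.
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $bytes, 32 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Step 1: the form handler. Applies the per-IP throttle, records the
# pending address, and returns the confirmation link to e-mail, or
# nothing if the submission was throttled or the address is already known.
# Only a hash of the token is stored, so a leaked table yields no usable links.
sub handle_form {
    my ($email, $ip, $now) = @_;
    $now //= time;
    my $last = $last_submit{$ip};
    return if defined $last && $now - $last < $THROTTLE_SECS;
    $last_submit{$ip} = $now;
    return if $registered{$email};
    my $token = new_token();
    $pending{ sha256_hex($token) } = { email => $email, created => $now };
    return "https://example.com/confirm?id=$token";   # placeholder host
}

# Step 2: the confirmation handler. Registers the address only for a
# known, unexpired token, and deletes the token so the link is single-use.
sub handle_confirm {
    my ($token, $now) = @_;
    $now //= time;
    my $entry = delete $pending{ sha256_hex($token) } or return 0;
    return 0 if $now - $entry->{created} > $TOKEN_TTL;
    $registered{ $entry->{email} } = 1;
    return 1;
}

# Walk-through with constructed input.
my $link = handle_form('alice@example.com', '203.0.113.5');
print "mail this link: $link\n";
print "second submission from same IP throttled\n"
    unless defined handle_form('bob@example.com', '203.0.113.5');
my ($tok) = $link =~ /id=([0-9a-f]+)/;
print handle_confirm($tok) ? "registered\n" : "rejected\n";
print handle_confirm($tok) ? "registered\n" : "rejected: token already used\n";
```

The throttle does nothing about a bot that rotates addresses, so the confirmation step is what actually keeps unverified addresses out of the registered list; the throttle only bounds how much mail the form can be made to send.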

Re^5: No Reply message
by chromatic (Archbishop) on Mar 21, 2009 at 02:43 UTC
    I do not accept submissions from the same IP with frequency higher than let's say 5 mins.

    You cannot assume that a single IP address represents a single user. Perhaps with IPv6 that will be true, but it's not at all true for IPv4. A cookie or some other form of session data is much more reliable -- but beware that malicious clients may refuse to return your session data or may return stale but cached session data.

Re^5: No Reply message
by kennethk (Abbot) on Mar 20, 2009 at 23:55 UTC
    Those are all good things, and generally follow general good practice. The most important thing you didn't mention is that you not allow the client to modify the subject/body of the e-mail, since this would allow them to send out their advertisements. Part of this should include making sure that the address provided is actually just an e-mail address (see Code_injection). A good tool there would be Regexp::Common::Email::Address. If you are more paranoid (like me), you could also include a captcha, those funny looking character jpegs.
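
The check kennethk describes, as an added Perl example (not code from the reply or from Regexp::Common): the address is the only client-controlled value that reaches the mail headers, and it is rejected unless it is exactly one plain address with no line breaks or list separators. The pattern here is a deliberately conservative core-only regex; for full RFC syntax the $RE{Email}{Address} pattern from Regexp::Common::Email::Address can replace it. The sender address and sendmail path are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# One plain addr-spec, nothing else. Rejects CR/LF (which would start a new
# header), whitespace, and the separators that would turn one recipient
# into a list. Stricter than RFC 5322 (no quoted local parts, no comments),
# which is acceptable for a registration form.
sub is_single_address {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return 0 if length($addr) > 254;
    return 0 if $addr =~ /[\r\n\s,;<>]/;
    return $addr =~ m{
        \A [A-Za-z0-9.!#\$%&'*+/=?^_`{|}~-]+          # local part
        \@ (?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+  # labels
        [A-Za-z]{2,} \z                               # TLD
    }x ? 1 : 0;
}

# Builds the message. Subject and body are fixed server-side; the client
# cannot influence anything but the validated To: address.
sub build_message {
    my ($to, $link) = @_;
    die "refusing address: not a single plain address\n"
        unless is_single_address($to);
    return join '',
        "To: $to\n",
        "From: registration\@example.com\n",   # placeholder sender
        "Subject: Confirm your registration\n",
        "\n",
        "Click to confirm your registration: $link\n";
}

# Hands the finished message to sendmail. -t takes recipients from the
# headers, which is exactly why the headers must not be client-writable;
# -i keeps a lone "." line from ending the message early.
sub send_message {
    my ($msg) = @_;
    open my $mail, '|-', '/usr/sbin/sendmail', '-t', '-i'
        or die "cannot run sendmail: $!";
    print {$mail} $msg;
    close $mail or die "sendmail exited with status $?";
}

# Constructed inputs: a good address, an attempted extra header, a list.
for my $candidate ('alice@example.com',
                   "alice\@example.com\nBcc: other\@example.net",
                   'a@example.com, b@example.com') {
    (my $shown = $candidate) =~ s/\n/\\n/g;
    printf "%-50s %s\n", $shown, is_single_address($candidate) ? 'ok' : 'rejected';
}
print build_message('alice@example.com', 'https://example.com/confirm?id=PLACEHOLDER');
```

Validating before building the headers is the point: once a newline is inside a header line, sendmail -t treats whatever follows as more headers, so the second and third candidates must never reach build_message.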