Email form weirdness

Neal

I got an email from the email form on the site I maintain (NMS Formmail).
I have it configured to send REMOTE_HOST, REMOTE_ADDR, HTTP_USER_AGENT and
HTTP_REFERER. The referer should be http://opro.org/email.html because
that's where the form is at.

This email, however, did not contain the referer. The other 3 were there.
The HTTP_USER_AGENT was:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser [avantbrowser.com]; .NET CLR 1.1.4322)

I'm under the impression that NMS is rather secure. So what happened here?
Should I be worried? Should I do something about this? Or was this normal
in some fashion?
 
Inger Helene Falch-Jacobsen

Neal said:
I got an email from the email form on the site I maintain (NMS
Formmail). I have it configured to send REMOTE_HOST, REMOTE_ADDR,
HTTP_USER_AGENT and HTTP_REFERER. The referer should be
http://opro.org/email.html because that's where the form is at.

This email, however, did not contain the referer. The other 3 were
there. The HTTP_USER_AGENT was:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser [avantbrowser.com]; .NET CLR 1.1.4322)

I'm under the impression that NMS is rather secure. So what happened
here? Should I be worried? Should I do something about this? Or was this
normal in some fashion?

I don't know if this is useful, but I get the same
thing when I send email from my own form
http://home.no.net/ingernet/cont.php
using Firefox. Only when I use Opera or Internet
Explorer, the referring page is included.
 
Neal

Inger:
I don't know if this is useful, but I get the same thing when I send
email from my own form
http://home.no.net/ingernet/cont.php
using Firefox. Only when I use Opera or Internet Explorer, the referring
page is included.

Just tested with Firefox, it sends the referer.

Anyone using Avant want to send me an obvious test message to see if it
leaves off the referer by default? Say "martini" or something I'll
recognize...
 
Mark Parnell

Previously in alt.html said:
I got an email from the email form on the site I maintain (NMS Formmail).
I have it configured to send REMOTE_HOST, REMOTE_ADDR, HTTP_USER_AGENT and
HTTP_REFERER. The referer should be http://opro.org/email.html because
that's where the form is at.

This email, however, did not contain the referer. The other 3 were there.

Many ISPs and proxy servers do not send the REFERER header, or send a
spoofed one. This will probably be the first of many. :)
 
Inger Helene Falch-Jacobsen

Inger said:
I don't know if this is useful, but I get the same thing when I send
email from my own form
http://home.no.net/ingernet/cont.php
using Firefox. Only when I use Opera or Internet Explorer, the referring
page is included.

Ping Beauregard T. Shagnasty:
I got your mail, with referer
http://home.no.net/ingernet/cont.php
and
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
and your IP address - you're in the States!

My browser is
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.8
About time to upgrade? :)
 
Beauregard T. Shagnasty

Inger said:
Ping Beauregard T. Shagnasty:

Hey there!
I got your mail, with referer
http://home.no.net/ingernet/cont.php
and
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
and your IP address - you're in the States!

That is all correct. Normally, I have the referer box unchecked. If
you add the PrefBar extension, you can make it readily available on
the toolbar. Works in both Moz and Firefox.
http://home.rochester.rr.com/bshagnasty/images/mozbar.png
My browser is
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.8
About time to upgrade? :)

Yes. And Thunderbird 1.0 was just released as well.
 
Mark Parnell

Previously in alt.html, "Beauregard T. Shagnasty"
Yes. And Thunderbird 1.0 was just released as well.

Thanks for that - hadn't seen it yet. Downloading now... :)
 
Inger Helene Falch-Jacobsen

Beauregard said:
That is all correct. Normally, I have the referer box unchecked. If you
add the PrefBar extension, you can make it readily available on the
toolbar. Works in both Moz and Firefox.
http://home.rochester.rr.com/bshagnasty/images/mozbar.png

I already have the Web Developer bar, and it does
the same thing. You're a genius! I get the
referer now that Disable Referrer Logging is
unchecked. And another contact form that just gave
me an error message earlier this evening, works
perfectly now! Wow!
I also learnt that referer is correctly spelled
with 2 r's in the middle. Amazing how much
knowledge one can gather in just a few hours... ;-)
Yes. And Thunderbird 1.0 was just released as well.

I'll get them both as soon as possible (maybe get
some sleep now and do it tomorrow).
 
Neal

Mark Parnell:
Many ISPs and proxy servers do not send the REFERER header, or send a
spoofed one. This will probably be the first of many. :)

Yep. I confirmed this by turning off referer support in Opera. I had never
encountered this before.

I wonder why people would want to not send the referer...
 
Neal

Beauregard T. Shagnasty:
Normally, I have the referer box unchecked.

Why? I request the referer in order to confirm that no other entity is
trying to hack into my mail form. Am I being stupid? (I do that
sometimes...)
 
Mark Parnell

Previously in alt.html said:
Yep. I confirmed this by turning off referer support in Opera. I had never
encountered this before.

Yep, forgot to mention browsers. :)
I wonder why people would want to not send the referer...

Privacy I guess.
 
Beauregard T. Shagnasty

Inger said:
I already have the Web Developer bar, and it does the same thing.
You're a genius!

Awwww... thanks.
I get the referer now that Disable Referrer Logging is unchecked.
And another contact form that just gave me an error message earlier
this evening, works perfectly now! Wow!

Just remember that you can't count on the referrer for anything.
I also learnt that referer is correctly spelled with 2 r's in the
middle. Amazing how much knowledge one can gather in just a few
hours... ;-)

Yes, it is spelled with two r's, except the guy who invented it years
ago couldn't spell, and nobody thought to tell him about it.
I'll get them both as soon as possible (maybe get some sleep now
and do it tomorrow).

Have fun.
 
Neal

Yep, forgot to mention browsers. :)


Privacy I guess.

But I already know from where the email should have originated. If the
same CGI handles multiple forms, at least I know the set of them. The
referer merely tells me which one.

Or am I missing something?
 
Mark Parnell

Previously in alt.html said:
But I already know from where the email should have originated. If the
same CGI handles multiple forms, at least I know the set of them. The
referer merely tells me which one.

For emails, yes.
Or am I missing something?

In theory the referer header is sent every time you load a page, so for
every page requested, you can tell which page they came from previously.
That works across domains, so I guess some people may not want you to
know that they followed a link to your site from a porn site, or that
sort of thing.
 
Beauregard T. Shagnasty

Neal said:
Beauregard T. Shagnasty:


Why? I request the referer in order to confirm that no other entity
is trying to hack into my mail form. Am I being stupid? (I do that
sometimes...)

As Mark said. So you don't know I came from a porn site. :-D
 
Toby Inkster

Neal said:
But I already know from where the email should have originated. If the
same CGI handles multiple forms, at least I know the set of them. The
referer merely tells me which one.

If you want to know which one, pass a hidden parameter in the form:

<form action="blah" method="post">
<!-- etc -->
<input name="my-referer" value="fluffy form" type="hidden">
<input type="submit">
</form>
 
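Building on the hidden-field suggestion above, an added example (not part of any post in this thread, and written in Python rather than NMS FormMail's Perl): the server signs the hidden `my-referer` value when it serves the form, so the handler can tell which form was used without relying on HTTP_REFERER, which it only logs. The secret, form ids and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed values for illustration; none of them come from the thread.
SECRET = b"replace-with-a-random-server-side-key"
KNOWN_FORMS = {"contact", "feedback"}   # hypothetical form ids
MAX_AGE = 3600                          # seconds a served form stays valid


def _mac(form_id, ts):
    msg = f"{form_id}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(form_id, now=None):
    """Value for the hidden my-referer field, made when the form is served."""
    ts = str(int(time.time() if now is None else now))
    return f"{form_id}|{ts}|{_mac(form_id, ts)}"


def check_submission(fields, environ, now=None):
    """Return (accepted, form_id, notes). HTTP_REFERER is never a gate."""
    now = time.time() if now is None else now
    notes = []
    if not environ.get("HTTP_REFERER"):
        # Browsers and proxies may strip the header, as seen in this thread.
        notes.append("no referer sent; logged only, not treated as an error")
    parts = fields.get("my-referer", "").split("|")
    if len(parts) != 3:
        return False, None, notes + ["hidden field missing or malformed"]
    form_id, ts, mac = parts
    # Constant-time comparison on bytes, so odd input cannot raise or leak.
    if not hmac.compare_digest(mac.encode(), _mac(form_id, ts).encode()):
        return False, None, notes + ["hidden field not issued by this server"]
    if form_id not in KNOWN_FORMS:
        return False, None, notes + ["unknown form id"]
    if now - int(ts) > MAX_AGE:
        return False, None, notes + ["form token expired"]
    return True, form_id, notes
```

A valid token shows only that the value was served by this site within the last hour; it does not identify the sender, so rate limiting and recipient restrictions on the mail script still apply.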
