Email form weirdness

Discussion in 'HTML' started by Neal, Dec 7, 2004.

  1. Neal

    Neal Guest

    I got an email from the email form on the site I maintain (NMS Formmail).
    I have it configured to send REMOTE_HOST, REMOTE_ADDR, HTTP_USER_AGENT and
    HTTP_REFERER. The referer should be http://opro.org/email.html because
    that's where the form is at.

    This email, however, did not contain the referer. The other 3 were there.
    The HTTP_USER_AGENT was:

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser
    [avantbrowser.com]; .NET CLR
    1.1.4322)

    I'm under the impression that NMS is rather secure. So what happened here?
    Should I be worried? Should I do something about this? Or was this normal
    in some fashion?
    Neal, Dec 7, 2004
    #1
    1. Advertising

  2. Neal wrote:
    > I got an email from the email form on the site I maintain (NMS
    > Formmail). I have it configured to send REMOTE_HOST, REMOTE_ADDR,
    > HTTP_USER_AGENT and HTTP_REFERER. The referer should be
    > http://opro.org/email.html because that's where the form is at.
    >
    > This email, however, did not contain the referer. The other 3 were
    > there. The HTTP_USER_AGENT was:
    >
    > Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser
    > [avantbrowser.com]; .NET CLR
    > 1.1.4322)
    >
    > I'm under the impression that NMS is rather secure. So what happened
    > here? Should I be worried? Should I do something about this? Or was this
    > normal in some fashion?


    I don't know if this is useful, but I get the same
    thing when I send email from my own form
    http://home.no.net/ingernet/cont.php
    using Firefox. Only when I use Opera or Internet
    Explorer, the referring page is included.


    --
    Inger Helene Falch-Jacobsen
    http://home.no.net/ingernet/
    Inger Helene Falch-Jacobsen, Dec 7, 2004
    #2
    1. Advertising

  3. Neal

    Neal Guest

    Inger:

    > I don't know if this is useful, but I get the same thing when I send
    > email from my own form
    > http://home.no.net/ingernet/cont.php
    > using Firefox. Only when I use Opera or Internet Explorer, the referring
    > page is included.


    Just tested with Firefox, it sends the referer.

    Anyone using Avant want to send me an obvious test message to see if it
    leaves off the referer by default? Say "martini" or something I'll
    recognize...
    Neal, Dec 7, 2004
    #3
  4. Neal

    Mark Parnell Guest

    Previously in alt.html, Neal <> said:

    > I got an email from the email form on the site I maintain (NMS Formmail).
    > I have it configured to send REMOTE_HOST, REMOTE_ADDR, HTTP_USER_AGENT and
    > HTTP_REFERER. The referer should be http://opro.org/email.html because
    > that's where the form is at.
    >
    > This email, however, did not contain the referer. The other 3 were there.


    Many ISPs and proxy servers do not send the REFERER header, or send a
    spoofed one. This will probably be the first of many. :)

    --
    Mark Parnell
    http://www.clarkecomputers.com.au
    Mark Parnell, Dec 7, 2004
    #4
  5. Inger Helene Falch-Jacobsen wrote:

    > I don't know if this is useful, but I get the same thing when I send
    > email from my own form
    > http://home.no.net/ingernet/cont.php
    > using Firefox. Only when I use Opera or Internet Explorer, the referring
    > page is included.
    >
    >


    Ping Beauregard T. Shagnasty:
    I got your mail, with referer
    http://home.no.net/ingernet/cont.php
    and
    Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
    rv:1.7.5) Gecko/20041107 Firefox/1.0
    and your IP address - you're in the States!

    My browser is
    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    rv:1.7) Gecko/20040707 Firefox/0.8
    About time to upgrade? :)


    --
    Inger Helene Falch-Jacobsen
    http://home.no.net/ingernet/
    Inger Helene Falch-Jacobsen, Dec 7, 2004
    #5
  6. Inger Helene Falch-Jacobsen wrote:

    > Ping Beauregard T. Shagnasty:


    Hey there!

    > I got your mail, with referer
    > http://home.no.net/ingernet/cont.php
    > and
    > Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107
    > Firefox/1.0
    > and your IP address - you're in the States!


    That is all correct. Normally, I have the referer box unchecked. If
    you add the PrefBar extension, you can make it readily available on
    the toolbar. Works in both Moz and Firefox.
    http://home.rochester.rr.com/bshagnasty/images/mozbar.png

    > My browser is
    > Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707
    > Firefox/0.8
    > About time to upgrade? :)


    Yes. And Thunderbird 1.0 was just released as well.

    --
    -bts
    -This space intentionally left blank.
    Beauregard T. Shagnasty, Dec 7, 2004
    #6
  7. Neal

    Mark Parnell Guest

    Previously in alt.html, "Beauregard T. Shagnasty"
    <> said:

    > Yes. And Thunderbird 1.0 was just released as well.


    Thanks for that - hadn't seen it yet. Downloading now... :)

    --
    Mark Parnell
    http://www.clarkecomputers.com.au
    Mark Parnell, Dec 7, 2004
    #7
  8. Beauregard T. Shagnasty wrote:

    > That is all correct. Normally, I have the referer box unchecked. If you
    > add the PrefBar extension, you can make it readily available on the
    > toolbar. Works in both Moz and Firefox.
    > http://home.rochester.rr.com/bshagnasty/images/mozbar.png


    I already have the Web Developer bar, and it does
    the same thing. You're a genious! I get the
    referer now that Disable Referrer Logging is
    unchecked. And another contact form that just gave
    me an error message earlier this evening, works
    perfectly now! Wow!
    I also learnt that referer is correctly spelled
    with 2 r's in the middle. Amazing how much
    knowledge one can gather in just a few hours... ;-)

    >> About time to upgrade? :)


    > Yes. And Thunderbird 1.0 was just released as well.


    I'll get them both as soon as possible (maybe get
    some sleep now and do it tomorrow).


    --
    Inger Helene Falch-Jacobsen
    http://home.no.net/ingernet/
    Inger Helene Falch-Jacobsen, Dec 8, 2004
    #8
  9. Neal

    Neal Guest

    Mark Parnell:

    > Many ISPs and proxy servers do not send the REFERER header, or send a
    > spoofed one. This will probably be the first of many. :)


    Yep. I confirmed this by turning off referer support in Opera. I had never
    encountered this before.

    I wonder why people would want to not send the referer...
    Neal, Dec 8, 2004
    #9
  10. Neal

    Neal Guest

    Beauregard T. Shagnasty:

    > Normally, I have the referer box unchecked.


    Why? I request the referer in order to confirm that no other entity is
    trying to hack into my mail form. Am I being stupid? (I do that
    sometimes...)
    Neal, Dec 8, 2004
    #10
  11. Neal

    Mark Parnell Guest

    Previously in alt.html, Neal <> said:

    > Yep. I confirmed this by turning off referer support in Opera. I had never
    > encountered this before.


    Yep, forgot to mention browsers. :)

    > I wonder why people would want to not send the referer...


    Privacy I guess.

    --
    Mark Parnell
    http://www.clarkecomputers.com.au
    Mark Parnell, Dec 8, 2004
    #11
  12. Inger Helene Falch-Jacobsen wrote:

    > Beauregard T. Shagnasty wrote:
    >
    >> That is all correct. Normally, I have the referer box unchecked.
    >> If you add the PrefBar extension, you can make it readily
    >> available on the toolbar. Works in both Moz and Firefox.
    >> http://home.rochester.rr.com/bshagnasty/images/mozbar.png

    >
    > I already have the Web Developer bar, and it does the same thing.
    > You're a genious!


    Awwww... thanks.

    > I get the referer now that Disable Referrer Logging is unchecked.
    > And another contact form that just gave me an error message earlier
    > this evening, works perfectly now! Wow!


    Just remember that you can't count on the referrer for anything.

    > I also learnt that referer is correctly spelled with 2 r's in the
    > middle. Amazing how much knowledge one can gather in just a few
    > hours... ;-)


    Yes, it is spelled with two r's, except the guy who invented it years
    ago couldn't spell, and nobody thought to tell him about it.

    >> Yes. And Thunderbird 1.0 was just released as well.

    >
    > I'll get them both as soon as possible (maybe get some sleep now
    > and do it tomorrow).


    Have fun.

    --
    -bts
    -This space intentionally left blank.
    Beauregard T. Shagnasty, Dec 8, 2004
    #12
  13. Neal

    Neal Guest

    On Wed, 8 Dec 2004 15:41:38 +1100, Mark Parnell
    <> wrote:

    > Previously in alt.html, Neal <> said:
    >
    >> Yep. I confirmed this by turning off referer support in Opera. I had
    >> never
    >> encountered this before.

    >
    > Yep, forgot to mention browsers. :)
    >
    >> I wonder why people would want to not send the referer...

    >
    > Privacy I guess.


    But I already know from where the email should have originated. If the
    same CGI handles multiple forms, at least I know the set of them. The
    referer merely tells me which one.

    Or am I missing something?
    Neal, Dec 8, 2004
    #13
  14. Neal

    Mark Parnell Guest

    Previously in alt.html, Neal <> said:

    > But I already know from where the email should have originated. If the
    > same CGI handles multiple forms, at least I know the set of them. The
    > referer merely tells me which one.


    For emails, yes.

    > Or am I missing something?


    In theory the referer header is sent every time you load a page, so for
    every page requested, you can tell which page they came from previously.
    That works across domains, so I guess some people may not want you to
    know that they followed a link to your site from a porn site, or that
    sort of thing.

    --
    Mark Parnell
    http://www.clarkecomputers.com.au
    Mark Parnell, Dec 8, 2004
    #14
  15. Neal wrote:
    > Beauregard T. Shagnasty:
    >
    >> Normally, I have the referer box unchecked.

    >
    > Why? I request the referer in order to confirm that no other entity
    > is trying to hack into my mail form. Am I being stupid? (I do that
    > sometimes...)


    As Mark said. So you don't know I came from a porn site. :-D

    --
    -bts
    -This space intentionally left blank.
    Beauregard T. Shagnasty, Dec 8, 2004
    #15
  16. Neal

    Neal Guest

    Beauregard:
    > Neal:
    >> Why?

    > As Mark said. So you don't know I came from a porn site. :-D


    But I know YOU came from a porn site.
    Neal, Dec 8, 2004
    #16
  17. Neal

    Mark Parnell Guest

    Mark Parnell, Dec 8, 2004
    #17
  18. Neal

    Toby Inkster Guest

    Neal wrote:

    > But I already know from where the email should have originated. If the
    > same CGI handles multiple forms, at least I know the set of them. The
    > referer merely tells me which one.


    If you want to know which one, pass a hidden parameter in the form:

    <form action="blah" method="post">
    <!-- etc -->
    <input name="my-referer" value="fluffy form" type="hidden">
    <input type="submit">
    </form>

    --
    Toby A Inkster BSc (Hons) ARCS
    Contact Me ~ http://tobyinkster.co.uk/contact
    Toby Inkster, Dec 9, 2004
    #18
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?SnVzdGlu?=

    Problem Sending email form web form

    =?Utf-8?B?SnVzdGlu?=, Feb 21, 2005, in forum: ASP .Net
    Replies:
    3
    Views:
    2,493
    =?Utf-8?B?U2hhdW4=?=
    Feb 21, 2005
  2. steve
    Replies:
    4
    Views:
    528
    Brian van den Broek
    Mar 13, 2005
  3. Doug Lerner
    Replies:
    5
    Views:
    118
    Richard Cornford
    Jan 22, 2006
  4. Replies:
    13
    Views:
    464
    Randy Webb
    May 14, 2006
  5. Rob

    Multiple form weirdness in IE6

    Rob, Jan 31, 2008, in forum: Javascript
    Replies:
    3
    Views:
    112
Loading...

Share This Page