Perl and Sendmail

Bill H

Hi - this may not be the correct group, but you guys seem to know so
much about perl I thought you may be able to tell me if this will work.

I have a contact form on my website that is using perl, and recently
someone has decided to use it to send spam by putting MIME commands in
the comment box and using a bcc. I made a change to the contact form
that now inserts "<!>" between each letter of the information that is
entered in the formfields and passed to the perl program when they hit
submit. Since this is not used in html, outlook express shows me the
text the way it should when I receive it. The question is, if this is
done, will it stop sendmail from processing any commands in the
comments?

Thanks again,

Bill H
l v

Bill said:
Hi - this may not be the correct group, but you guys seem to know so
much about perl I thought you may be able to tell me if this will work.

I have a contact form on my website that is using perl, and recently
someone has decided to use it to send spam by putting MIME commands in
the comment box and using a bcc. I made a change to the contact form
that now inserts "<!>" between each letter of the information that is
entered in the formfields and passed to the perl program when they hit
submit. Since this is not used in html, outlook express shows me the
text the way it should when I receive it. The question is, if this is
done, will it stop sendmail from processing any commands in the
comments?

Thanks again,

Bill H

Highly unlikely that this will stop the spam as the spammer most
typically does not use the web form itself, but the form action with the
form fields appended to the URL. Additionally the bcc'd email is making
it out onto the internet. You must prevent this from occurring. Change
your Perl script not to send the email, or remove the recipient, if it
is not addressed to your email domain(s). Secondly and just as
important, code neither the form nor the Perl script to use an email
address, but rather a value that your Perl script translates to the email
address. For example, the form value for sending an email to the tech
support group is "techSupp". The Perl script changes "techSupp" to
"(e-mail address removed)". Or maybe you simply append your domain
(@mydomain.com) to the end of "techSupp". By not allowing the email to
make it to the public internet, the spammer will move on.

Len
Bill H

l said:
Highly unlikely that this will stop the spam as the spammer most
typically does not use the web form itself, but the form action with the
form fields appended to the URL. Additionally the bcc'd email is making
it out onto the internet. You must prevent this from occurring. Change
your Perl script not to send the email, or remove the recipient, if it
is not addressed to your email domain(s). Secondly and just as
important, code neither the form nor the Perl script to use an email
address, but rather a value that your Perl script translates to the email
address. For example, the form value for sending an email to the tech
support group is "techSupp". The Perl script changes "techSupp" to
"(e-mail address removed)". Or maybe you simply append your domain
(@mydomain.com) to the end of "techSupp". By not allowing the email to
make it to the public internet, the spammer will move on.

Len

Len - thanks for responding - after reading my message I realized I had
implied that the contact form itself was doing the changing. The
contact form just sends the values to the perl script which then places
the information into an html page and emails it directly to me. The
address is hardcoded in the perl script. What was happening is someone
was putting MIME and BCC stuff in the comments box which sendmail was
then interpreting. So I figured, if I put <!> in between every letter
that was entered in the contact form (doing this in the perl script)
and then sending the information to sendmail, it wouldn't interpret
the information because it was broken up. All the header information for
the sendmail is hard coded in perl (From & To are both my addresses,
subject is static).

Bill H www.ts1000.us
Martie

On 9 May 2006 07:49:22 -0700, Bill H wrote...
Hi - this may not be the correct group, but you guys seem to know so
much about perl I thought you may be able to tell me if this will work.

I have a contact form on my website that is using perl, and recently
someone has decided to use it to send spam by putting MIME commands in
the comment box and using a bcc. I made a change to the contact form
that now inserts "<!>" between each letter of the information that is
entered in the formfields and passed to the perl program when they hit
submit. Since this is not used in html, outlook express shows me the
text the way it should when I receive it. The question is, if this is
done, will it stop sendmail from processing any commands in the
comments?

Thanks again,

Bill H

You want to be really careful with any forms you create that send an email. A
form is just an HTML document that's pointing to an "action" that processes the
data being sent. If the program receiving the form isn't validating that data,
someone can create their own form on their PC, point it to your server and
program, and add BCC headers to send out spam. As an example, if your form is
requesting an email address, you want to make sure that variable has no new line
characters that may be followed by BCC.
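Putting Len's lookup-key advice and Martie's newline check together, this is an added example of how the mail-sending part of such a script could be written; it is not code from the thread, and the field names, the %RECIPIENT_FOR table and the addresses in it are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The form sends a key such as "techSupp"; only the script knows the address
# (table and addresses are assumptions for this example).
my %RECIPIENT_FOR = ( techSupp => 'support@mydomain.com' );

# Header values must not contain CR, LF or NUL: one embedded newline is all
# it takes to append a "Bcc:" line to the header block.
sub clean_header_value {
    my ($value) = @_;
    return undef unless defined $value;
    return undef if $value =~ /[\r\n\0]/;
    return $value;
}

sub resolve_recipient {
    my ($key) = @_;
    return undef unless defined $key && exists $RECIPIENT_FOR{$key};
    return $RECIPIENT_FOR{$key};
}

# Every header line is written by the script; user input appears only as a
# checked header value or in the body, after the blank separator line.
sub build_message {
    my (%f) = @_;
    my $to      = resolve_recipient($f{dept});
    my $reply   = clean_header_value($f{email});
    my $subject = clean_header_value($f{subject});
    return undef unless defined $to && defined $reply && defined $subject;
    return undef unless $reply =~ /\A[\w.+-]+\@[\w-]+(?:\.[\w-]+)+\z/;
    (my $body = $f{comments} // '') =~ s/\r\n?/\n/g;   # body newlines are harmless here
    return { to => $to, text => "From: webform\@mydomain.com\nTo: $to\n"
        . "Reply-To: $reply\nSubject: [contact] $subject\n\n$body\n" };
}

sub send_message {
    my ($msg) = @_;
    # List-form pipe open: no shell, and no "-t", so sendmail takes the
    # recipient from the command line instead of parsing it out of the text.
    open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', $msg->{to})
        or die "cannot run sendmail: $!";
    print {$mail} $msg->{text};
    close($mail) or die "sendmail exited with status $?";
}

# Constructed input carrying an injected Bcc line: rejected before any send.
my $msg = build_message(dept => 'techSupp', subject => 'Hello',
    email => "a\@example.com\r\nBcc: victim\@example.net", comments => 'hi');
print defined $msg ? "accepted\n" : "rejected: header injection\n";
```

Because the recipient never comes from the request and the script itself emits the blank line that ends the headers, text typed into the comment box can only ever land in the body.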
Bill H

Martie said:
On 9 May 2006 07:49:22 -0700, Bill H wrote...

You want to be really careful with any forms you create that send an email. A
form is just an HTML document that's pointing to an "action" that processes the
data being sent. If the program receiving the form isn't validating that data,
someone can create their own form on their PC, point it to your server and
program, and add BCC headers to send out spam. As an example, if your form is
requesting an email address, you want to make sure that variable has no new line
characters that may be followed by BCC.

Thanks for pointing that out Martie. I added a check for the referer
and I also added in a number check where they have to enter in a 4
digit number that is displayed graphically. I built a random number
table with one entry for every second of the hour (3600 total) with
each number having 26 possible images to display. I pass the pointer to
the lookup table in a hidden field and when they submit the form I
compare what they entered with what is in the lookup table; if it is not
right, it bounces them back. This should make it harder for them to use
the form to send spam since the number changes every second and the
image names don't reflect the actual number used.