On Monday, May 13, 2002, at 09:21 , Camilo Gonzalez wrote:
[..]
> The problems seem to be that it uses the Referer environmental variable to
> exclude spammers and it gives the option of encoding data in the URL. I've
> been told both are considered security risks. My ISP does not think even
> the
> latest release addresses these issues and refuses to let Formmail on its
> servers.
[..]
in the main I have heard the same things - I can appreciate that
ISPs are at liberty to do as they will - I was just trying to
track down my exposure - given as our ISP is running v1.92....
it could be that if one's ISP is doing a lot of virtual hosting
then the simplification of
@referers = ('wetware.com','199.108.16.17');
could get messy.... hence the following guard code:
sub check_url {
    # Localize the check_referer flag which determines if user is valid.
    local($check_referer) = 0;

    # If a referring URL was specified, for each valid referer, make sure
    # that a valid referring URL was passed to FormMail.
    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    } else {
        # No Referer header at all: treated as valid.
        $check_referer = 1;
    }

    # If the HTTP_REFERER was invalid, send back an error.
    if ($check_referer != 1) { &error('bad_referer') }
}
is not sufficiently robust????
where that code is preventing spamming is with:
@recipients = &fill_recipients(@referers);

sub fill_recipients {
    local(@domains) = @_;
    local($domain,@return_recips);

    foreach $domain (@domains) {
        if ($domain =~ /^\d+\.\d+\.\d+\.\d+$/) {
            # IP address: recipients must look like user@[a.b.c.d]
            $domain =~ s/\./\\\./g;
            push(@return_recips,'^[\w\-\.]+\@\[' . $domain . '\]');
        } else {
            # Host name: escape '.' and '-', recipients must look like user@host
            $domain =~ s/\./\\\./g;
            $domain =~ s/\-/\\\-/g;
            push(@return_recips,'^[\w\-\.]+\@' . $domain);
        }
    }
    return @return_recips;
}
and I have tested this anti-spam piece - and the
only thing that survives is aimed where it is supposed to go.
As for 'using old perl' - I'm not sure that is an 'issue'? is it?
since this is running in a 5.6 environment.....
or am I missing something here???
ciao
drieux
---
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
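The two FormMail routines quoted in the message above, ported to Python as an added example (this is not code from the post or from FormMail itself) so their behaviour can be exercised offline, each beside a stricter alternative written here. Assumptions: the @referers list from the message; that FormMail applies the fill_recipients() patterns to each recipient address with a case-insensitive match (the routine that does the matching is not quoted); and that the strict_* functions are one possible hardening, not anything FormMail ships. All Referer values and addresses are constructed.

```python
import re
from urllib.parse import urlsplit

# The @referers list from the message (the only allowed hosts).
REFERERS = ["wetware.com", "199.108.16.17"]

IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def formmail_referer_ok(referer_header, referers=REFERERS):
    """Port of check_url() from the message. True means FormMail would accept.

    Two properties are visible in the original and preserved here:
    - a missing Referer is accepted ('else { $check_referer = 1; }');
    - the match is unanchored and $referer is interpolated unescaped, so
      '.' is a wildcard and the allowed name may appear anywhere in the URL.
    """
    if not referer_header:
        return True
    for referer in referers:
        # Perl: m|https?://([^/]*)$referer|i
        if re.search(r"https?://([^/]*)" + referer, referer_header, re.I):
            return True
    return False


def formmail_recipient_patterns(referers=REFERERS):
    """Port of fill_recipients(): one regex per allowed host. Each pattern is
    anchored at the start only, so anything may follow the domain."""
    patterns = []
    for domain in referers:
        if IPV4_RE.fullmatch(domain):
            escaped = domain.replace(".", r"\.")
            patterns.append(r"^[\w\-\.]+@\[" + escaped + r"\]")
        else:
            escaped = domain.replace(".", r"\.").replace("-", r"\-")
            patterns.append(r"^[\w\-\.]+@" + escaped)
    return patterns


def formmail_recipient_ok(address, patterns):
    """Assumed use of the patterns (the matching code is not quoted in the
    message): accept the address if any pattern matches, case-insensitively."""
    return any(re.search(p, address, re.I) for p in patterns)


def strict_referer_ok(referer_header, allowed_hosts=REFERERS):
    """Hardened alternative (written here, not FormMail's): require the
    header, parse it as a URL, and compare the host component exactly."""
    if not referer_header:
        return False
    parts = urlsplit(referer_header)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host in {h.lower() for h in allowed_hosts}


def strict_recipient_ok(address, allowed_hosts=REFERERS):
    """Hardened alternative: exactly one '@', a conservative local part, and
    the domain part must equal an allowed host (IP literals in brackets,
    as FormMail's own pattern expects)."""
    if address.count("@") != 1:
        return False
    local, domain = address.split("@")
    if not re.fullmatch(r"[\w.-]+", local):
        return False
    allowed = set()
    for h in allowed_hosts:
        allowed.add("[%s]" % h if IPV4_RE.fullmatch(h) else h.lower())
    return domain.lower() in allowed


if __name__ == "__main__":
    # Constructed sample Referer values and recipient addresses.
    samples = [
        "http://wetware.com/contact.html",
        "",  # header absent
        "http://wetware.com.attacker.example/form",
        "http://attacker.example/?next=http://wetware.com",
        "http://user@wetware.com@attacker.example/",
    ]
    for r in samples:
        print(repr(r), "formmail:", formmail_referer_ok(r),
              "strict:", strict_referer_ok(r))
    pats = formmail_recipient_patterns()
    for a in ["webmaster@wetware.com", "webmaster@wetware.com.attacker.example"]:
        print(a, "formmail:", formmail_recipient_ok(a, pats),
              "strict:", strict_recipient_ok(a))
```

Running it shows that the ported check_url() accepts an absent Referer, a host that merely ends in or contains the allowed name, and an allowed name that appears only in the query string or userinfo, while the strict version accepts only an exact host match; likewise the unanchored recipient pattern lets "webmaster@wetware.com.attacker.example" through where the exact-domain comparison does not. Even the strict version is a nuisance filter rather than authentication: the Referer header is supplied by the client, so a script can send whatever value it likes, and legitimate clients or proxies that strip the header will be rejected once the absent-header case is no longer accepted.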