On Monday, May 13, 2002, at 09:21 , Camilo Gonzalez wrote:
[..]
> The problems seem to be that it uses the Referer environmental variable to
> exclude spammers and it gives the option of encoding data in the URL. I've
> been told both are considered security risks. My ISP does not think even the
> latest release addresses these issues and refuses to let Formmail on its
> servers.
[..]
in the main I have heard the same things - I can appreciate that ISPs are at liberty to do as they will - I was just trying to track down my exposure - given as our ISP is running v1.92....

it could be that if one's ISP is doing a lot of virtual hosting then the simplification of

    @referers = ('wetware.com','199.108.16.17');

could get messy.... hence the following guard code:

    sub check_url {
        # Localize the check_referer flag which determines if user is valid.
        local($check_referer) = 0;

        # If a referring URL was specified, for each valid referer, make sure #
        # that a valid referring URL was passed to FormMail.                  #
        if ($ENV{'HTTP_REFERER'}) {
            foreach $referer (@referers) {
                if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                    $check_referer = 1;
                    last;
                }
            }
        }
        else {
            $check_referer = 1;
        }

        # If the HTTP_REFERER was invalid, send back an error.
        if ($check_referer != 1) { &error('bad_referer') }
    }

is not sufficiently robust enough????

where that code is preventing spamming is with:

    @recipients = &fill_recipients(@referers);

    sub fill_recipients {
        local(@domains) = @_;
        local($domain,@return_recips);

        foreach $domain (@domains) {
            if ($domain =~ /^\d+\.\d+\.\d+\.\d+$/) {
                $domain =~ s/\./\\\./g;
                push(@return_recips,'^[\w\-\.]+\@\[' . $domain . '\]');
            }
            else {
                $domain =~ s/\./\\\./g;
                $domain =~ s/\-/\\\-/g;
                push(@return_recips,'^[\w\-\.]+\@' . $domain);
            }
        }

        return @return_recips;
    }

and I have tested this anti-spam piece - and the only thing that survives is aimed where it is supposed to go.

As for 'using old perl' - I'm not sure that is an 'issue'? is it? since this is running in a 5.6 environment..... or am I missing something here???

ciao
drieux
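Added example, not from drieux's mail or from FormMail itself: the two routines quoted above, re-cast as a stand-alone Perl script (with `my` in place of `local`, otherwise the same regexes) that runs them over a few constructed recipient addresses and Referer values and reports which ones the checks let through. The @referers list is the one in the mail; every address and Referer value is a made-up sample.

```perl
use strict;
use warnings;

# Added harness, not part of FormMail or the mail above. @referers is the list
# quoted in the mail; every address and Referer value below is a made-up sample.
my @referers = ('wetware.com', '199.108.16.17');

# Same logic as FormMail's fill_recipients, with 'my' in place of 'local'.
sub fill_recipients {
    my @return_recips;
    foreach my $domain (@_) {
        my $d = $domain;
        if ($d =~ /^\d+\.\d+\.\d+\.\d+$/) {
            $d =~ s/\./\\./g;                              # escape the dots
            push @return_recips, '^[\w\-\.]+\@\[' . $d . '\]';   # user@[a.b.c.d]
        } else {
            $d =~ s/\./\\./g;                              # escape the dots
            $d =~ s/\-/\\-/g;                              # and the hyphens
            push @return_recips, '^[\w\-\.]+\@' . $d;            # user@domain
        }
    }
    return @return_recips;
}
my @recipient_patterns = fill_recipients(@referers);

# Returns 1 when the address matches one of the allowed-recipient patterns.
sub recipient_ok {
    my ($addr) = @_;
    foreach my $pat (@recipient_patterns) { return 1 if $addr =~ /$pat/ }
    return 0;
}

# Same test check_url applies to the Referer header. Returns 1 when the request
# is let through; as in FormMail, a request that sends no Referer at all passes.
sub referer_ok {
    my ($http_referer) = @_;
    return 1 unless $http_referer;
    foreach my $referer (@referers) {
        return 1 if $http_referer =~ m|https?://([^/]*)$referer|i;
    }
    return 0;
}

for my $addr ('[email protected]', 'sales@[199.108.16.17]', '[email protected]') {
    printf "%-30s %s\n", $addr, recipient_ok($addr) ? 'accepted' : 'rejected';
}
for my $ref ('http://wetware.com/contact.html', 'http://example.net/contact.html', '') {
    printf "%-30s %s\n", ($ref || '(no Referer)'), referer_ok($ref) ? 'allowed' : 'bad_referer';
}
```

Run it with `perl` on any 5.6-or-later interpreter; the last line of output shows the empty-Referer case that check_url's `else` branch accepts.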