Actually, it wasn't too long ago that someone posted a message here
saying "HELP Spammers have been using my cgi mailer to mass people and
my ISP is threatening to shut me down!".

When dealing with email... always taint check and sanitize data.  Never
allow someone to post the "To" or "Cc" address, because while your
javascript and html maxlengths prevent me from using my browser to
submit data to your form, I can still use WWW::Mechanize or LWP to
annihilate the crap out of your server.  And those looking with
nefarious purposes will do the same.  Server-side, check the data coming
in, and if you must have someone setting the "to" field, make sure
there's some sort of authentication and/or rate limit to the sending
built in.

Perl gives you enough rope to hang yourself, and the rest of the
internet along with you... please be careful ;)

On Thu, Jul 08, 2004 at 06:50:14PM +0200, Gunnar Hjalmarsson wrote:
> Randal L. Schwartz wrote:
> >Werner Otto writes:
> >>Randal L. Schwartz wrote:
> >>>Do *not* send email to addresses taken from forms.  Ever.
> >>
> >>why is that?
> >
> >Because you have no authentication of the requestor.  Any fool can go
> >to your website, enter [EMAIL PROTECTED], and all of a sudden, I
> >get a big PDF shoved down my email box.  Repeatedly.  And yet it
> >wasn't *me* that requested that.  And yet I'll have no clue, except
> >"it came from you" and you'll have no clue except "it came from this
> >IP addr".
> >
> >No.  Do not go from web to mail.  Bad idea, unless you've fully
> >round-tripped the web requestor from a real mail address.
> 
> I think you are exaggerating, Randal. How much convenience are you 
> ready to sacrifice in order to fight possible abusers?
> 
> If you want to contact me privately, you can click the link below. If 
> you fill the form, including your own email address, and submit it, 
> you'll receive a copy of the message. That's for your record, for your 
> convenience. Personally I think that makes sense.
> 
> That said, spammers and other abusers should certainly be taken into 
> consideration when dealing with mail via the web.
> 
> -- 
> Gunnar Hjalmarsson
> Email: http://www.gunnar.cc/cgi-bin/contact.pl
> 
> -- 
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> <http://learn.perl.org/> <http://learn.perl.org/first-response>

-- 
Brad Lhotsky <[EMAIL PROTECTED]>
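One way to put the advice above into practice, as an added example that is not Brad's code or anything posted in this thread: a taint-mode Perl CGI mailer with the recipient fixed in code, header fields rejected if they contain line breaks, and a crude per-address rate limit. The recipient, envelope sender, rate-file path and sendmail location are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from this thread): a contact-form CGI mailer that
# applies taint mode, a fixed recipient, CR/LF rejection and a rate limit.
use strict;
use warnings;
use CGI;
use Fcntl qw(:flock);

my $RECIPIENT    = 'webmaster@example.org';  # fixed in code, never from the form (assumed)
my $ENVELOPE     = 'www@example.org';        # bounces go here, not to the visitor (assumed)
my $RATE_FILE    = '/var/tmp/contact-rate';  # assumed path, writable by the web server
my $MAX_PER_HOUR = 5;

# Under -T, Perl refuses to start a subprocess while %ENV is tainted.
$ENV{PATH} = '/usr/sbin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;
# Untaint the visitor's address with a conservative pattern: one '@',
# no whitespace and no CR/LF, so it cannot smuggle extra headers.
my ($from) = ($q->param('from') // '') =~ /\A([\w.+-]+@[\w-]+(?:\.[\w-]+)+)\z/
    or die "Bad sender address\n";

# Subject is a header field: reject it outright if it contains line breaks.
my ($subject) = substr($q->param('subject') // '', 0, 200) =~ /\A([^\r\n]*)\z/
    or die "Subject contains line breaks\n";

# Body is free text; it only needs a size bound.
my $body = substr($q->param('body') // '', 0, 4000);

# Crude per-IP rate limit: one line per send, keyed by IP and hour.
my ($ip) = ($ENV{REMOTE_ADDR} // '') =~ /\A([\d.]+)\z/ or die "No client address\n";
my $key = join ' ', $ip, int(time / 3600);
open my $rl, '+>>', $RATE_FILE or die "rate file: $!\n";
flock $rl, LOCK_EX or die "flock: $!\n";
seek $rl, 0, 0;
my $sent = grep { $_ eq "$key\n" } <$rl>;
die "Rate limit exceeded\n" if $sent >= $MAX_PER_HOUR;
print {$rl} "$key\n";
close $rl;

# sendmail is invoked in list form (no shell), with recipient and
# envelope sender taken only from this script; the visitor is Reply-To.
open my $mail, '|-', '/usr/sbin/sendmail', '-oi', '-f', $ENVELOPE, $RECIPIENT
    or die "sendmail: $!\n";
print {$mail} "From: $ENVELOPE\nReply-To: $from\nTo: $RECIPIENT\n",
              "Subject: $subject\n\n$body\n";
close $mail or die "sendmail exited with status $?\n";
print $q->header('text/plain'), "Message sent.\n";
```

No copy is sent to the address typed into the form, so the script cannot be used to push mail at third parties the way Randal describes.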
