Posted by C. (http://symcbean.blogspot.c on July 21, 2008, 9:42 am
> Ima Lozer wrote:
> > maus...@firstdbasource.com says...
> >> Ima Lozer wrote:
> >>> I am in the process of writing an app for one of my sites that will
> >>> allow guests to send e-cards to other folks. The process is fairly
> >>> simple. First the sender selects a card graphic via a series of radio
> >>> buttons. Then he enters his and the recipient's name and email address.
> >>> Next he enters a message to the sender and clicks a button to send the
> >>> card. What I need help with is code to test the input in all appropriate
> >>> fields to ensure that no one uses the script for black hat purposes. In
> >>> addition to anything else that may be an issue I'd like to address the
> >>> following.
>
> >>> 1) Ensure that the email addresses values entered (recipient and sender)
> >>> are both validly formatted (e.g. f...@bar.com) and contain one and only
> >>> one address each.
>
> >>> 2) The message contains text only. No attachments allowed.
>
> >>> I'm basically looking for ways to block the black hats from using this
> >>> for spam or spreading any malware. Direct assistance with this or being
> >>> pointed to a reference that addresses the subject would be appreciated
>
> >>> Thanks
> >>> DB
>
> >> I find that phpmailer can be easily modified to do the actual sending -
> >> you may need to configure SSL/TLS authenticated SMTP to your ISP
> >> outbound servers (unless you have full control over your ReverseDNS and
> >> your own SMTP server - in other words - if you do not fully own and
> >> control the IP address(es). If you do use DynamicDNS you will be
> >> blacklisted anyway. It seems to me to be unfair, but fighting that is a
> >> losing proposition.
>
> >> You will want to take a look at some sort of Captcha to ensure only
> >> humans are interacting with your site. (i.e. "enter at this funky-looking
> >> picture of this word and type in the word here...")
>
> > Thanks. I already have the script 100% functional. That is not the
> > issue. What I want to do is tighten it up for security. I need to test
> > the TO and FROM email addresses to ensure that the entry is a singular
> > validly formatted email address, and I want to make sure that no black
> > hat uses the MESSAGE field to upload anything that can harm the
> > recipient's system or my server. I'll look at phpmailer to see if it
> > has this type of code in it.
>
> The simplest way is to check for nl and cr characters ("\n" and "\r") in
> the from, and subject fields. If there are any, send it back.
>
> It works because each entry (i.e. To:, CC:, BCC:, etc.) needs to be on a
> separate line.
>
> Not perfectly foolproof, but it catches virtually all of the spammers.
> It only leaves the to: field - which you should control in your script,
> not from the form (i.e. use an id in the form and pull the actual email
> address from a file/database/array/whatever).
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================
You really, really must check that the requester's address is valid
and receiving mail - when a user requests a message to be
sent put it in a holding queue then send back a message to the
requester with a URL which will release the ecard.
I don't even want to conjecture about how this could be abused
otherwise.
It won't stop people using throwaway addresses, but at least this
covers your responsibilities regarding due diligence.
C.
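The following is an added example, not code posted by anyone in this thread. It puts the two pieces of advice above into one PHP script: Jerry's check for CR/LF in the sender and subject fields (which is what stops the "Bcc: spamlist" header-injection trick) together with C.'s holding queue that only releases a card after the requester visits a URL mailed to them. The function names, the example.com release URL and the in-memory arrays are assumptions; a real site would keep the queue in a database and hand the released card to a mailer such as phpmailer, which sends the message body separately from the headers so that newlines in the text itself are harmless.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Names, URL and storage are assumptions.

// Reject anything that could end a header line and start a new one
// (the "Bcc: spamlist" trick). NUL is rejected as well.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Exactly one syntactically valid address; lists ("a@x.com, b@y.com") and
// display-name forms ("Bob <bob@x.com>") are rejected on purpose.
function is_single_address(string $value): bool
{
    $value = trim($value);
    if ($value === '' || has_header_injection($value)) {
        return false;
    }
    if (preg_match('/[,;<>\s]/', $value) === 1) {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// The graphic is looked up by id from a server-side table (constructed
// sample), so the radio-button value can never name an arbitrary file.
const CARD_GRAPHICS = [1 => 'birthday.png', 2 => 'thanks.png'];

// Plain text only: valid UTF-8, bounded length, no ASCII control characters
// other than tab/CR/LF. No attachment is ever built from this field.
function is_clean_message(string $message): bool
{
    if ($message === '' || strlen($message) > 4000) {
        return false;
    }
    if (!mb_check_encoding($message, 'UTF-8')) {
        return false;
    }
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $message) !== 1;
}

// Validate the form and park the card; returns the release token or null.
function queue_card(array &$pending, array $input): ?string
{
    if (!is_single_address($input['from']) || !is_single_address($input['to'])) {
        return null;
    }
    if (has_header_injection($input['subject']) || strlen($input['subject']) > 120) {
        return null;
    }
    if (!isset(CARD_GRAPHICS[(int) $input['card']]) || !is_clean_message($input['message'])) {
        return null;
    }
    // Unguessable token: only someone who can read the sender's mailbox
    // can release the card.
    $token = bin2hex(random_bytes(16));
    $pending[$token] = [
        'from'    => trim($input['from']),
        'to'      => trim($input['to']),
        'subject' => $input['subject'],
        'graphic' => CARD_GRAPHICS[(int) $input['card']],
        'message' => $input['message'],
        'created' => time(),
    ];
    return $token;
}

function confirmation_url(string $token): string
{
    // Assumed endpoint; this is what gets mailed to the requester.
    return 'https://example.com/ecard/release.php?t=' . rawurlencode($token);
}

// Called from release.php. Removes the entry so a token works once, and
// drops cards older than $ttl seconds.
function release_card(array &$pending, string $token, int $ttl = 86400): ?array
{
    if (!ctype_xdigit($token) || !isset($pending[$token])) {
        return null;
    }
    $card = $pending[$token];
    unset($pending[$token]);
    return (time() - $card['created'] > $ttl) ? null : $card;
}

// Demo with constructed input.
$pending = [];
$ok = queue_card($pending, [
    'from' => 'alice@example.org', 'to' => 'bob@example.net',
    'subject' => 'A card for you', 'card' => '1', 'message' => "Happy birthday!\n-- Alice",
]);
echo "queued: ", $ok === null ? 'rejected' : confirmation_url($ok), "\n";

$bad = queue_card($pending, [
    'from' => "alice@example.org\r\nBcc: list@spam.example", 'to' => 'bob@example.net',
    'subject' => 'hi', 'card' => '1', 'message' => 'x',
]);
echo "injection attempt: ", $bad === null ? 'rejected' : 'accepted', "\n";

$card = release_card($pending, $ok);   // now handed to the mailer
echo "released to: ", $card['to'] ?? 'none', "\n";
echo "second release: ", release_card($pending, $ok) === null ? 'refused' : 'sent', "\n";
```

Two details worth keeping when adapting this: the token must come from a CSPRNG (`random_bytes`, not `rand`/`uniqid`), and the release step should consume the token so a confirmation link forwarded or replayed later cannot send a second copy.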