"Tell a friend" scripts and security from spam

A few issues to think about and discuss

synergy

5:00 am on May 4, 2004 (gmt 0)

10+ Year Member



I've been working on a slick "tell a friend about this page" script for about 12 hours now.
As I code, I consider the widespread use of these email passing forms, as well as security
from hi-tech email spammers who could exploit them.

It seems that most tell-a-friend scripts are insecure in that they are open for abuse by
altering the script to send unauthorized spam. I read somewhere that one guy was shut down
by his hosting company due to script abuse that he was unaware of.

My script includes a textarea with a default message to be sent in the email.
Currently, they can alter the message however they want and send it off.

To prevent abuse, you can make the textarea readonly. That way, they see what they are sending
but cannot alter it.

Have any of you heard stories of or experienced the abuse of Tell-a-Friend scripts?

How secure is the readonly feature of a textarea?

[edited by: synergy at 5:28 am (utc) on May 4, 2004]

whizkiddo

5:09 am on May 4, 2004 (gmt 0)

10+ Year Member



It's a nice point that you have brought up, but I suggest that after making the text read-only, you mention why you have done so. In order to prevent misuse / spam etc., genuine users will understand.

Myself I haven't been on the receiving end of such spam from script abuse, however there have been instances of "your friend XYZ wants you to see this site" which just have the subject matter in this format to mislead users. Both Yahoo and Hotmail caught such mails (junk / bulk) while genuine tell-your-friend mails got passed on to me directly.

On another note, is this script .NET based? If so, any chances of letting me have it :)

jim_w

5:16 am on May 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I was worried enough about it that I use a script that fires up the end user's Outlook. We are a BtoB and I know that a lot of businesses are using MS email, so I don't think we take too much of a hit that way. But I know for sure they won't be using our site, bandwidth, et al. for spamming reasons.

Also, this way the person getting the email knows we are not spamming them; someone that knows them sent them the email, not us. No IPs that lead to us in the header, etc.

synergy

5:19 am on May 4, 2004 (gmt 0)

10+ Year Member



I suggest that after making the text read-only, you mention why you have done so.

Excellent suggestion. I will do that. Including a link to your privacy policy is a good idea as well.

On another note, is this script .NET based? If so, any chances of letting me have it :)

PHP

moltar

5:26 am on May 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can also limit X messages per Y minute(s) from the same IP.
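One way to implement moltar's per-IP limit in the script's own language, as an added example that is not code from the thread; the file path, the limit of 5 per 10 minutes and the fail-closed behaviour are my assumptions, and the tracking file must be writable by the web server but outside the document root.

```php
<?php
// Added example, not code from the thread: allow at most MAX_SENDS submissions
// per WINDOW seconds from one IP. RATE_FILE is an assumed path; it must be
// writable by the web server and outside the document root.
const RATE_FILE = '/var/lib/tellafriend/rate.json';
const MAX_SENDS = 5;
const WINDOW    = 600;   // seconds

// Returns true and records the send if $ip is under the limit, false otherwise.
// Fails closed (returns false) when the tracking file cannot be opened or locked.
function allow_send($ip, $now = null) {
    if ($now === null) { $now = time(); }
    $fh = fopen(RATE_FILE, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) { return false; }

    $raw  = stream_get_contents($fh);
    $data = ($raw === '' || $raw === false) ? array() : json_decode($raw, true);
    if (!is_array($data)) { $data = array(); }

    // Drop every timestamp older than the window, for all IPs, so the file
    // does not grow without bound.
    foreach ($data as $addr => $times) {
        $keep = array();
        foreach ($times as $t) {
            if ($t > $now - WINDOW) { $keep[] = $t; }
        }
        if ($keep) { $data[$addr] = $keep; } else { unset($data[$addr]); }
    }

    $count = isset($data[$ip]) ? count($data[$ip]) : 0;
    $ok = $count < MAX_SENDS;
    if ($ok) { $data[$ip][] = $now; }

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($data));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

// In the submit handler, before calling mail():
if (!allow_send($_SERVER['REMOTE_ADDR'])) {
    exit('<p>Too many messages from your address; please try again later.</p>');
}
```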

synergy

5:32 am on May 4, 2004 (gmt 0)

10+ Year Member



What about hiding the textarea altogether? That way the default message is always there but never seen.

dmorison

6:39 am on May 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



To prevent abuse, you can make the textarea readonly. That way, they see what they are sending
but cannot alter it.

You don't want to make the message contents any part of the form submission. An attacker will simply submit whatever POST data they want regardless of whether your textarea was flagged as readonly or not.

Another trick you can use to make distributed automation of your script that bit harder is to make form field names a function of $REMOTE_ADDR. One way is to use MD5 based on a secret value, for example:

$fieldname_from = md5("from".$REMOTE_ADDR."somesecret");

Then at the top of your submit handler:

$from = $$fieldname_from;

And where you render the form:

<input type='text' name='<?php echo($fieldname_from)?>'>

This way, the form input names are unique for every IP address, and impossible to determine without knowledge of the words "from" and "somesecret". This basically means an attacker either needs access to your source code, or has to develop a script to submit a GET request for the form, parse the HTML to determine which field names are which etc. etc.

TheDave

7:38 am on May 4, 2004 (gmt 0)

10+ Year Member



What about hiding the textarea altogether? That way the default message is always there but never seen.

I was going to suggest something similar. Don't even use the contents of the textarea as the message body, just lock it, have an explanation, and when the form is posted, ignore what they give you and put the real message into the email. Then if a spammer tries to be tricky by modifying post data, he's only ever going to be promoting your site anyway. ;)

hafnius

2:13 pm on May 4, 2004 (gmt 0)

10+ Year Member



Hi

>>dmorison

Another trick you can use to make distributed automation of your script that bit harder is to make form field names a function of $REMOTE_ADDR. One way is to use MD5 based on a secret value, for example:

How do you get the resulting data into the database, if the name changes? I can't figure that one out. I really like your solution, though.

Kind Regards
/Hafnius

Brett_Tabke

2:21 pm on May 4, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Go ahead and put the sender's IP address right in the message.

Sent by : foo@foofoo.com
From : 123.123.123.123 at foo.com
On : Funday 7, 2007

That will stop most problems in their tracks. To an email abuser - they are after anonymity to the max.

martinibuster

3:19 pm on May 4, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Hmm... Good topic. My script notifies me anytime a friend is referred.

dmorison

5:36 pm on May 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



How do you get the resulting data into the database, if the name changes? I can't figure that one out. I really like your solution, though.

The script makes use of variable variables:

[php.net...]

Here's an example script you could run to see how it works (assuming register_globals is on):

<?php
// Field name is an MD5 of a label plus the client IP, so it differs per IP.
// $REMOTE_ADDR and $submit arrive as globals only when register_globals is on.
$formname_fruit = md5("fruit".$REMOTE_ADDR);

if ($submit)
{
// $$formname_fruit reads the global whose name is the value of $formname_fruit.
$fruit = $$formname_fruit;
echo("<p>You typed in : ".$fruit."</p>");
}

// Render the form with the per-IP field name (no method attribute, so it submits via GET).
echo("<form>");
echo("What is your favorite fruit?<br>");
echo("<input type='text' name='".$formname_fruit."'><br>");
echo("<input type='submit' value='Submit'>");
echo("</form>");
?>

So, whilst the value of $formname_fruit is unique for every unique IP, this doesn't bother your script, which uses the $$ operator to load the value of the variable variable ($$formname_fruit) into the variable $fruit, which you then go on to add to your database or do whatever you like with.
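Putting dmorison's per-IP field names, TheDave's server-built message body and Brett_Tabke's sender-IP line together in one handler, as an added example that is not from the thread; it looks the fields up in $_POST by the derived name instead of through variable variables, so it needs no register_globals. SECRET, SITE_URL, the From address and hash_hmac (used in place of the md5 concatenation) are my choices.

```php
<?php
// Added example, not code from the thread. SECRET, SITE_URL and the From
// address are placeholders to replace before use.
const SECRET   = 'replace-with-a-long-random-secret-kept-out-of-the-web-root';
const SITE_URL = 'http://www.example.com/page.html';

// Same idea as md5("from".$REMOTE_ADDR."somesecret"), with the secret used as
// an HMAC key: the field name differs per IP and cannot be derived without it.
function field_name($label, $ip) {
    return 'f' . substr(hash_hmac('sha256', $label . '|' . $ip, SECRET), 0, 16);
}

$ip     = $_SERVER['REMOTE_ADDR'];
$f_from = field_name('from', $ip);
$f_to   = field_name('to', $ip);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read by the derived name from $_POST; no register_globals or $$ needed.
    $from = isset($_POST[$f_from]) ? $_POST[$f_from] : '';
    $to   = isset($_POST[$f_to])   ? $_POST[$f_to]   : '';

    // Exactly one plain address each; this also rejects newlines, so nothing
    // the user typed can add extra headers such as Bcc: to the mail.
    if (!filter_var($from, FILTER_VALIDATE_EMAIL)
        || !filter_var($to, FILTER_VALIDATE_EMAIL)) {
        exit('<p>Please enter valid email addresses.</p>');
    }

    // Body is built here; any message text the client posted is ignored.
    $body = "Your friend ($from) thought you might like this page:\n"
          . SITE_URL . "\n\n"
          . "Sent from IP $ip on " . gmdate('Y-m-d H:i:s') . " UTC\n";
    $headers = "From: noreply@example.com\r\nReply-To: $from\r\n";
    mail($to, 'A friend recommended a page to you', $body, $headers);
    echo '<p>Your recommendation has been sent.</p>';
}
?>
<form method="post">
  Your email: <input type="text" name="<?php echo $f_from; ?>"><br>
  Friend's email: <input type="text" name="<?php echo $f_to; ?>"><br>
  <!-- Shown so the sender sees what goes out, but never trusted on submit -->
  <textarea readonly>Check out <?php echo htmlspecialchars(SITE_URL); ?></textarea><br>
  <input type="submit" value="Send">
</form>
```

Because the body never comes from the request, a forged POST can at most send the site's own fixed message, which is TheDave's point.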