Formmail blocked by Norton Internet Security

Anyone have a workaround?

         

Total Hosting

9:21 pm on Oct 7, 2003 (gmt 0)

10+ Year Member



Hi.

All of the form handlers I have seen (Perl and PHP) allow you to limit the sender to the domain that is hosting the form script. Great. Keeps out spammers (somewhat).

However, it appears that Norton Internet Security will block forms set this way. If I disable NIS, it works great. If I remove the form sender restriction it works (but it's an open relay then, right?).

The only system that I have seen work properly, for *whatever* reason, are forms made with FrontPage. Probably because there is no security.

Anyone have any ideas or workarounds?

I have tried Matt's FormMail, BNBMail, Jack's PHP and many others.

Help.

Pete

claus

12:57 am on Oct 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's probably because the NIS does not send a referrer string. For some reason, some of these "security" products don't do that. You don't want to open your mailscript to the world just because a NIS-user can't send you mail. Instead, you can capture the event "Referrer = blank" and display a nice page telling them to use other security software if they want to send you mail, as the software they're currently using is making the whole www more insecure.

/claus

anchordesk

3:22 am on Oct 8, 2003 (gmt 0)

10+ Year Member



Doesn't NIS have a training mode where you can specify when it is OK to have the referrer sent? I am not familiar with NIS, but do still use the original security product which Norton bought and folded into their package of products. It has training mode abilities. Still using it after 5 years and would not trade up for anything.

As for the Internet being less secure because of these 'security' products, from a socialistic point of view ... yes, but from a capitalistic viewpoint ... no.

claus

10:12 am on Oct 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>> from a socialistic point of view ... yes, but from a capitalistic viewpoint ... no.

Sorry, I really don't understand what you mean by this. To me, the referrer string or security is nothing about politics. If I were to allow user agents with a blank referrer to send mail using a form on my site, I would be compromising security no matter what those people are voting for at elections.

/claus

percentages

11:14 am on Oct 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Total Hosting,

The issue is that a spammer could use your formmail script to send email to other people, correct?

Why not remove the form sender restriction and modify the formmail script so that the recipient is controlled internally?

In my HTML code I have the recipient email address set to yourbot@istodumbtofigurethisout.com or something similar that doesn't exist.

Then change the formmail script to check the recipient address used and modify it to the correct one if valid (i.e. in this case if it equals yourbot@istodumbtofigurethisout.com).

If the recipient address is not what it should be, someone is attempting to use it to spam. In that case the script refuses to send the mail and displays an appropriate message.

In addition, email address harvesting bots will pick up the invalid email address stated as the recipient in the HTML... stops a lot of spam!

The formmail script is unlikely to be used by a spammer as they will realise what you have done, and even if they don't, it won't work for them.

claus

11:32 am on Oct 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>> change the formmail script to check the recipient address used

That's a good one ;) Personally I use one step less - I never include any email address in the html, not even a wrong one. Still, I check if the script is activated from the right page using the referrer info, and if it's not, somebody is abusing the form (abuse includes using the right page without sending referrer info).

/claus
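
The two server-side checks discussed in this thread (mapping a decoy recipient to the real mailbox, and treating a blank referrer as its own case), sketched in Python as an added example that is not code from any poster or from the form scripts named above. The host names, addresses and function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed values for illustration; none of them come from the thread.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
# Decoy address published in the HTML form -> real mailbox kept server-side.
RECIPIENTS = {"contact@placeholder.invalid": "owner@example.com"}


def referer_status(referer):
    """Classify a Referer header value as 'ok', 'blank' or 'foreign'."""
    if not referer or not referer.strip():
        return "blank"
    try:
        host = (urlsplit(referer.strip()).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. an unterminated IPv6 literal
        return "foreign"
    return "ok" if host in ALLOWED_HOSTS else "foreign"


def resolve_recipient(form_value):
    """Map the submitted recipient field to a real mailbox, or None."""
    return RECIPIENTS.get((form_value or "").strip().lower())


def handle_submission(referer, form, require_referer=True):
    """Return (action, mailbox); action is 'send', 'explain' or 'reject'.

    The Referer header is supplied by the client, so it only filters
    casual misuse. The recipient mapping is what keeps the script from
    relaying: mail can only ever go to a mailbox listed in RECIPIENTS.
    """
    mailbox = resolve_recipient(form.get("recipient"))
    if mailbox is None:
        return ("reject", None)  # recipient field was tampered with
    if require_referer:
        status = referer_status(referer)
        if status == "blank":
            return ("explain", None)  # show a page explaining the block
        if status == "foreign":
            return ("reject", None)
    return ("send", mailbox)


if __name__ == "__main__":
    form = {"recipient": "contact@placeholder.invalid"}
    print(handle_submission("http://www.example.com/contact.html", form))
    print(handle_submission("", form))  # referrer stripped by the client
    print(handle_submission("", form, require_referer=False))
```

With `require_referer=False` the script still cannot be used to mail third parties, which is the case where visitors' software strips the referrer.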