The other thing I'm thinking is, I have my own email address hard-coded into the script. The script sends the message to my hard-coded address and to the person filling out the form, like so:
$recipient = 'myaddress@mydomain.com, ' . $form{'visitorsAddress'};
I'm thinking that this means that if a spammer hijacks my script, then at least I'll know about it because I'll get the spam messages along with the people being spammed, and then I can take defensive action. But I'm not 100% sure that this is the case, because I know little about Perl security. I asked my webhost about this but they said it's beyond their scope of support and said I should look around the Internet, so here I am. (I checked Google but didn't find anything there.)
So am I right, will I know if a spammer hijacks my script by virtue of my hard-coded address, or can they send out spam with my script without my knowing about it?
Thanks,
-MBJ-
Generally, hardcoding the recipient address in the script is the best way to go. If all of the possibilities are from the same domain, you could do a regexp on it to make sure it's valid, but accepting anything from the net is asking for trouble.
Sean
Not sure if that's of any use to you - might be worth a look!
R.
It was basically just a box where you entered your friend's email address, and when you hit the button it opened your own default mail client (mailto:) with the e-mail address they typed in and the subject and URL already filled out.
So basically they were sending an e-mail to their friend from their OWN default mail client. The string was something like this:
<form method="post" action="mailto:whatevertheytypedinthefield?subject=The Page&Body=I thought you would be interested in [whatever"...]
I'm not a JavaScript guy so I don't exactly remember how this was done, but somehow they got whatever they typed in the text field into the mailto: line, and also used JavaScript to determine the current page. It was a while ago that I noticed it; I just thought it was kinda neat. Maybe someone else who knows more about JS can better explain what I'm trying to say :p
Don't send a copy to the person who filled out the form - they know what they typed.
Whoa, that's a pretty user-hostile attitude. Let me give you several reasons why someone might want a copy of their message:
(1) A written record, in general. Many users, myself included, like to keep a record of their outgoing messages. That's why we have a Sent Mail folder. Are you telling me that you have your mail client set to not save any of your Sent Messages? If so, do you think you're typical?
(2) The ability to reference exactly what was said. If the form is to document a complaint, or the sender thinks they might have some other need to prove what was said, they'll want a copy for their records.
(3) Proof that the message was sent. I send and receive dozens of messages a day. I can't always remember whether I actually filled out a form on a website or whether I just thought about it. Getting my copy of the message leaves no doubt.
(4) A reminder to follow up if I don't receive a response. I work from my In Box. I take action on the items that are in it. If there's not a message about something I'm supposed to do, I often won't remember to do so. But if I have a copy of a form message there, then 2-3 days later, if I haven't received a reply, I have a reminder that I need to take action (take it up with the addressee, or select another company to deal with).
Of course, as they say, the proof of the pudding is in the eating:
(A) Since I installed the cc: option on the form I'm using, nearly 100% of users elect to get a copy of the message. Clearly they want it.
(B) When I was investigating various methods of keeping spambots from harvesting email addresses from web pages, I polled a large body of users as to which of the various methods they preferred, since they all had downsides. The #1 reason given for not wanting a web-based form was that the sender wouldn't have a copy of the message.
Now, getting back to the other topics mentioned above....
* Using third-party formmail isn't exactly ideal because my scripts need to do quite a bit more than just send a message.
* Someone asked how I'm sending the message. This is what I'm doing:
$recipient = 'myHardCodedAddress@domain.com, ' . $form{'recipient'};
open (MAIL, "|/usr/sbin/sendmail -t");
print MAIL "To: $recipient\n";
* On using mailto: to send a "Send this page to a friend" link, it's a good idea, but it doesn't work for the huge population that uses web-based mail instead of a client.
My original question was whether hard-coding my email address into the script meant that I would definitely know whether the script was exploited, because I'd then get a copy of the spam. In the absence of anyone saying anything to the contrary, I guess I'll assume that this is the case.
Thanks, -MBJ-
I took your question a bit more generally, namely how to prevent your scripts from being exploited.
In this case, you're using sendmail -t meaning it'll pick up headers from the message itself. I've seen some interesting attacks where other fields were used to send out email. Thus, something like
From: $fromaddy
To: $toaddy
Subject: $subject

Hello
has been exploited by submitting $from as "foo\rTo:email1@example.com,email2@example.com,...."
meaning that an extra To: line goes in there. While you'll get one copy of the email, the damage has already been done.
Just make sure to check your input ;)
Sean
Thanks for the tip about spammers stuffing the <From:> header with a <To:> header. It seems like that would be pretty easy to kill:
if ($from =~ /To:|TO:/) { die "abort abort abort!" }
Yes?
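One way to check the fields before they reach sendmail -t, as an added example that is not code from the thread (the form field names and the fixed address are assumptions): instead of searching for the literal To:, it refuses any CR or LF in a header value, since that is what lets a visitor add headers of their own, and it checks the visitor's address against a simple pattern so one recipient cannot become a list.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: reject header injection in the
# fields that feed "sendmail -t". Form field names are assumed.
use strict;
use warnings;

# A CR or LF anywhere in a header value lets the visitor append headers of
# their own (the "foo\rTo: ..." trick), so refuse the whole value rather
# than searching for "To:" alone (Cc:, Bcc: or lowercase would slip past).
sub header_safe {
    my ($value) = @_;
    return 0 unless defined $value;
    return $value !~ /[\r\n]/;
}

# Conservative address check: one local part, one domain, no whitespace and
# no comma, since a comma would turn one recipient into a list.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
}

# Build the message text; die before anything is handed to sendmail.
sub build_message {
    my (%form) = @_;
    my $visitor = $form{'visitorsAddress'};
    my $subject = $form{'subject'};
    die "rejected: bad visitor address\n" unless valid_address($visitor);
    die "rejected: newline in subject\n"  unless header_safe($subject);
    my $body = defined $form{'message'} ? $form{'message'} : '';
    # The blank line ends the header block, so anything in $body is body only.
    return "To: myHardCodedAddress\@domain.com, $visitor\n"
         . "Subject: $subject\n\n$body\n";
}

# Constructed sample input: a normal submission and an injection attempt.
my %good = (visitorsAddress => 'visitor@example.com',
            subject => 'Question', message => 'Hello from the form');
print build_message(%good);

my %bad = (%good, subject => "Question\rTo: a\@example.com, b\@example.com");
eval { build_message(%bad) };
print $@ if $@;

# To actually send, use the list form of open so no shell sees the arguments:
# open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', '-t') or die "sendmail: $!";
# print $mail build_message(%good);
# close $mail or die "sendmail failed: $?";
```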