With all hosts that I have encountered, along with your account you receive free aliases that are forwarded to the email address you signed up with.
Doesn't that mean that nearly every domain name owner can easily be emailed? www.mysite.com will probably send an email to the owner at whoever@mysite.com. How can this be combatted?
Sort of related (security):
It is said that all directories should have an index.htm file to prevent the listing of the directory itself. True? If so what would you put in the index.htm for say an images directory. Would you create a permission denied page?
Thanks,
Tom
Upgrade to FormMail v1.91 [scriptarchive.com] which has the latest security patches.
> ...hosts that I have encountered... aliases that are forwarded to the email address you signed up with... How can this be combatted?
Well, probably only virtual hosting. Many hosting services allow you to configure alternate destinations for various aliases. You could always send unwanted addresses to a mail dump or web-based free account configured to trash all mail from anyone not in that address book. However, you might be throwing out a baby with that bathwater.
> ...directories should have an index.htm file... for say an images directory. Would you create a permission denied page?
That would work fine.
Just a side note. Instead of removing the addresses, maybe try Unicode. I hesitate to drop a URL of an online generator here. However, the person whose site I use is a member here. Once I did this, spam dropped heavily but still gave customers a way of contacting the different people in our org. I guess a contact form would have worked also ;).
> Sort of related (security):
> It is said that all directories should have an index.htm file to prevent the listing of the directory itself. True?
Nope, I think on this you might want to disable "directory browsing" at the server level. Might be a CP option; if not, call your host or admin.
Brian
Here's what I came up with for this purpose. If you can compile C for your server platform, then it might be useful for you as well:
/*
mlink.c
Convert e-mail address to html-encoded link. If additional arguments
are given, use those as link text, otherwise use the encoded address.
If the encoded address gets longer than MAXLEN characters, which amounts
to an unencoded address length of MAXLEN/6 characters in the worst case,
then it is silently truncated (1024/6 ~= 170).

$> mlink mail@addre.ss
<a href="mailto:encoded-mail@addre.ss">encoded-mail@addre.ss</a>
$> mlink mail@addre.ss some more arguments
<a href="mailto:encoded-mail@addre.ss">some more arguments</a>

Invoking mlink per SSI like this
<!--#include virtual="/cgi-bin/mlink?mail@addre.ss some more"-->
will pack all of "mail@addre.ss some more" into the first argument,
which is correctly split at the first whitespace character encountered.
*/
#include <ctype.h>   /* isspace() */
#include <stdio.h>

#define MAXLEN 1024

/* Write c at cp as a decimal character reference if it lies in the
   range 33..122, otherwise unchanged. Returns the characters written. */
int quote(char *cp, int c) {
    if (32 < c && c < 123) {
        return sprintf(cp, "&#%03d;", c);
    }
    return sprintf(cp, "%c", c);
}

/* Encode is into os (size xl) up to the first whitespace character.
   Returns the index of that whitespace, 0 if there was none, or -1
   if the output buffer filled up and the address was truncated. */
int encode(char *os, char *is, int xl) {
    int i = 0, j = 0;
    char *c;
    for (c = is; *c != '\0'; c++) {
        if ((j+6) >= xl) {
            return -1;
        }
        if (isspace((unsigned char)*c)) {
            return i;
        }
        j += quote(os+j, (int)*c);
        i++;
    }
    return 0;
}

int main(int argc, char **argv) {
    char m[MAXLEN];
    int n, i;

    m[0] = m[MAXLEN-1] = '\0'; /* paranoia */
    if (argc < 2) {
        fprintf(stderr, "%s: Not enough arguments.\n", argv[0]);
        return -1;
    }
    n = encode(m, argv[1], sizeof(m));
    printf("Content-Type: text/html\n\n");
    printf("<a href=\"mailto:%s\">", m);
    if (argc == 2) {
        /* SSI case: the link text follows the first whitespace in argv[1] */
        if (n > 0 && argv[1][n] != '\0' && argv[1][n+1] != '\0') {
            printf("%s</a>", &(argv[1][n+1]));
        } else {
            printf("%s</a>", m);
        }
    } else {
        /* print the argument as data, never as the format string */
        printf("%s", argv[2]);
        for (i = 3; i < argc; i++) {
            printf(" %s", argv[i]);
        }
        printf("</a>");
    }
    return 0;
}
What this means is, that on a server that supports SSI, you don't need to hardcode the Unicode version in your pages. You can simply use this:
<!--#include virtual="/cgi-bin/mlink?john@example.com John Doe"-->
And it will get converted on the fly when the page is requested to:
<a href="mailto:john@ example.com">John Doe</a>
(inserted space to prevent excessive thread stretch)
I had the same thing in Python at first, but when called through SSI several times on the one page, the multiple startup times of the interpreter became noticeable. There's a version in PHP floating around here somewhere, which probably also eliminates this problem.
Of course, as always: use at your own risk.
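Added example, not part of the original post: mlink.c entity-encodes the address but writes the link text to the page unchanged, and if the CGI is reachable by direct request that text comes from whoever builds the URL. The sketch below escapes the link text as well and reports truncation instead of cutting silently; `html_escape` and `build_link` are hypothetical names, and the 1024-byte buffers mirror MAXLEN.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post; function names are hypothetical. */

/* Copy src into dst, replacing HTML-significant characters with entities.
   Returns the number of bytes written, or -1 if dst (size cap) is too small. */
int html_escape(char *dst, size_t cap, const char *src) {
    size_t j = 0;
    for (; *src != '\0'; src++) {
        const char *rep = NULL;
        switch (*src) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (j + n >= cap) return -1;          /* keep room for the NUL */
        if (rep) memcpy(dst + j, rep, n); else dst[j] = *src;
        j += n;
    }
    dst[j] = '\0';
    return (int)j;
}

/* Encode every byte of the address as a decimal character reference
   (the same idea as mlink's quote()), escape the link text, and assemble
   the anchor. Returns 0 on success, -1 if anything would be truncated. */
int build_link(char *out, size_t cap, const char *addr, const char *text) {
    char enc[1024], esc[1024];
    size_t j = 0;
    for (; *addr != '\0'; addr++) {
        if (j + 7 > sizeof(enc)) return -1;   /* 6 chars + NUL must fit */
        j += (size_t)sprintf(enc + j, "&#%03d;", (unsigned char)*addr);
    }
    enc[j] = '\0';
    if (html_escape(esc, sizeof(esc), text) < 0) return -1;
    int n = snprintf(out, cap, "<a href=\"mailto:%s\">%s</a>", enc, esc);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}
```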
The site I maintain is an online craftshow. With that I am exposing each vendor's email address within their "booth". The thought is that in most cases the items are custom made and "Buy Now" buttons or shopping carts may look good but some communication is necessary before an order can be made.
Although FormMail has the ability to handle the security problem it could convey the appearance of hiding the vendor's identity from the prospective buyer. Not a great way to gain trust.
Thank you for showing me that there are other alternatives.
I will study what you have suggested.
Again, thank you all for sharing.