[BBLISA] spam & autoresponse webforms
David Cogley
cogley at gibraltar.basespace.net
Thu Mar 11 11:28:47 EST 2004
Hello,
Most of the time, I lurk. Now I have a question. A reply to my questions
or a referral to a more appropriate list would be appreciated.
At the request of our CEO, I set up a web form which is processed by a cgi
script so that it logs to a file and then sends an autoresponse to the email
address entered on the web form. Last night, someone downloaded my web
form, modified it and used the modified version to POST, thereby spamming
one person 3 times in quick succession. This got our domain placed on a
spam list. One of our outgoing emails was bounced this morning.
I am running perl in taint mode, so all of the nasty characters entered on
the web form were scrubbed out. Looking at our logs, I cannot see that our
server was compromised. The person looking for an open relay did not find
one. I have turned off the autoresponse feature of the cgi script.
Even with an autoresponder in place, it is possible to prevent bulk spammers
from sending out large messages through a server. I can do this by using
the cgi script to truncate all of the web form values to just enough
characters to suit the purposes of the web form. However, someone can still
send unwanted emails to anyone they list in the email address box on the web
form.
I don't see how I can easily prevent unwanted emails being sent from a web
form. There must be a way since I see so many web forms which send
autoresponses. I have a vague sense that I could do a reverse DNS lookup on
the IP address that is accessing the web page and then only autorespond if
the browser access and the email address match. However, that would prevent
someone from filling out a web form at home and asking for the response to
be sent to a work email address.
As far as I can tell, anyone visiting a web page can fill in someone else's
email address. I conclude that a web form autoresponder is always likely to
get one's domain added to a spam list, eventually. Getting off a spam list
is time consuming.
Any thoughts?
Thank you!
David Cogley
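As an added illustration of the mitigations discussed above (not the poster's Perl CGI script, and written in Python rather than Perl because the logic is language-neutral): truncate every form field to the length the form actually needs, reject anything that is not a plausible address, strip CR/LF so nothing typed into the form can become an extra mail header, send a fixed autoresponse body rather than echoing user input, and rate-limit autoresponses per recipient address and per client IP so one submitter cannot hit one person "3 times in quick succession". Submissions that exceed a limit are still logged, as the original script does, but no mail goes out. The field names, the limits and the sample submissions are assumptions made for the example.

```python
"""Hardening wrapper for a web-form autoresponder (added example, not the
original CGI script). Field names, limits and sample input are assumed."""
import re
import time
from collections import defaultdict, deque

# Assumed form fields and the maximum length each one needs.
MAX_FIELD_LEN = {"name": 64, "email": 254, "comment": 500}

# Illustrative limits: at most one autoresponse per recipient per day and
# at most five autoresponses per client IP per hour. (count, window_seconds)
PER_RECIPIENT_LIMIT = (1, 24 * 3600)
PER_IP_LIMIT = (5, 3600)

# Deliberately strict: one local part, one domain with at least one dot,
# no whitespace or control characters anywhere.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


class AutoresponderGuard:
    """Decides, per submission, whether an autoresponse may be sent."""

    def __init__(self, clock=time.time):
        self.clock = clock
        # (kind, key) -> timestamps of autoresponses already sent
        self.sent = defaultdict(deque)

    def sanitize(self, form):
        """Truncate each field and remove CR/LF (defeats header injection)."""
        clean = {}
        for name, limit in MAX_FIELD_LEN.items():
            value = str(form.get(name, ""))
            value = value.replace("\r", " ").replace("\n", " ")
            clean[name] = value[:limit]
        return clean

    def valid_address(self, addr):
        return len(addr) <= 254 and ADDR_RE.match(addr) is not None

    def _allowed(self, key, limit, window, now):
        """Sliding-window check: drop expired entries, then compare count."""
        q = self.sent[key]
        while q and now - q[0] >= window:
            q.popleft()
        return len(q) < limit

    def decide(self, form, client_ip):
        """Return (action, reason, clean_fields).

        action is "send" (log and autorespond), "log_only" (log, no mail)
        or "reject" (do not even accept the address)."""
        clean = self.sanitize(form)
        addr = clean["email"].strip().lower()
        if not self.valid_address(addr):
            return "reject", "bad address", clean
        now = self.clock()
        if not self._allowed(("rcpt", addr), *PER_RECIPIENT_LIMIT, now):
            return "log_only", "recipient cooldown", clean
        if not self._allowed(("ip", client_ip), *PER_IP_LIMIT, now):
            return "log_only", "ip limit", clean
        self.sent[("rcpt", addr)].append(now)
        self.sent[("ip", client_ip)].append(now)
        return "send", "ok", clean


def build_autoresponse(clean):
    """Fixed text only: nothing the submitter typed is copied into the mail,
    so the form cannot be used to deliver someone else's content."""
    return ("Subject: Thank you for contacting us\r\n\r\n"
            "We received your request and will reply shortly.\r\n")


if __name__ == "__main__":
    # Constructed sample: the same client posts to the same address twice.
    guard = AutoresponderGuard()
    sub = {"name": "A", "email": "someone@example.org", "comment": "hello\nBcc: x"}
    for _ in range(2):
        action, reason, clean = guard.decide(sub, "203.0.113.5")
        print(action, reason, repr(clean["comment"]))
```

The per-recipient cooldown is what stops the repeat sends that got the domain listed; the per-IP cap limits how many different people one client can target; the fixed body means that even the one autoresponse that does go out carries nothing the submitter wrote, which is stronger than truncating the fields alone. Which limits to pick is a judgement call for the form's real traffic.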