rmfred (Elder, Rock Springs, WY, joined 2004-01-31)

Since there are some VERY bright people on this forum, I thought I'd ask a non-CSS question...

I am using a form for all email communications on a site.
Any email link just shows http://www.something.org/blah/testform.asp?mailtoid=x where x is a number. I'm getting the address to send the form to using a Select Case... for example:
<%
Dim whichEmail, MailToName, MailTo
' CInt raises a type mismatch on non-numeric input, so default to 0 first
whichEmail = 0
If IsNumeric(Request.QueryString("MailToID")) Then whichEmail = CInt(Request.QueryString("MailToID"))
Select Case whichEmail
Case 1
MailToName = "Jane Doe"
MailTo = "[email protected]"
Case Else
' unknown id: no recipient, so the form cannot be pointed at anyone else
MailTo = ""
End Select
%>

Is this a fairly secure way of handling email? Or can "bots" still harvest these?

safull (Regular, Madrid, Spain, joined 2003-08-27)

I find it secure

I'm not an expert, but I found that no bot can get the email, since you don't display the email address to the general public.
The only way I can see that it could be exploited is by requesting the same URL a few times.
I hope for more replies in this topic.

DanA (Elder, joined 2004-08-14)

Off topic - non css - Secure email

I'd say a robot won't grab the email, but a security question:
are you sure no one can use your form/script to SPAM?

rmfred

DanA..

Quote:
I'd say a robot won't grab the email, but a security question:
are you sure no one can use your form/script to SPAM?

That is a question I can't answer... not quite sure what you are getting at? I guess someone could click an email link multiple times and repeatedly send mail to the person associated with that mailtoid...
However, I just noticed a flaw... if you type the URL
http://www.something.org/blah/testform.asp?mailtoid=x
and view source, you are able to see the mailto name & address:
<input type="hidden" name="MailToName" size="20" value="somebody">
<input type="hidden" name="MailTo" size="20" value="[email protected]">
SO... what do I do now?

DanA

Why do you send anything to the browser?
Your script just sends the mail, then redirects to another page.

Anyone can use your form and send its content from any server if you do not check the referrer or do not trace the origin of the $post.
A robot can easily do that, testing ids from one to 10000.

Hugo (Moderator, London, joined 2004-06-06)

Hi rmfred,

I think it sounds as though the setup as it exists is likely to be insecure, and the last thing you want is for spammers to find it and use it as a relay; that gets you in all sorts of bother.
A solution which I'm afraid contains a lot of 'ifs' is to use the secure nms-formmail script, a secure version of Matt's FormMail. The ifs are: if your server has a cgi-bin, and if your server is running Perl and sendmail (which any good Apache host will be), then the formmail script is a doddle to set up (it has to be, if I could get it to run first time) and allows you to configure aspects such as only allowing mail to be sent from a specific referer, i.e. your web site, and limiting the recipients of mail and the number of copies sent, all things designed to prevent spamming.
If it sounds useful, post back and I will give you the details and the setup guide that my host provides. Thinking about it, PM me and I can attach the zip files.

Hugo.

rmfred

OK... I was able to prevent the info from displaying to the browser by doing
<input type="hidden" name="MailTo" size="20" value="<%=MailToID%>">
which then displays to the browser this
<input type="hidden" name="MailTo" size="20" value="">

Quote:
A solution which I'm afraid contains a lot of 'ifs' is to use the secure nms-formmail script, a secure version of Matt's FormMail. The ifs are: if your server has a cgi-bin, and if your server is running Perl and sendmail (which any good Apache host will be)

The server does not conform to the above... I'm using ASPMAIL; however, all email scripts run through scriptmail.intermedia.net. From the host's notice:
1. SMTP server scriptmail.intermedia.net is set up to handle email messages sent from web sites, with a limit of 3000 messages per hour per mailbox. This limit is higher than the previous limit.
2. We are removing the ability to relay through mail.yourdomain.name, even from Intermedia.NET web servers. Mail.yourdomain.name will require the use of authenticated SMTP no matter where the sender is located. You will not be able to send mail from your web server unless you change the mail server in your scripts to scriptmail.intermedia.net.
3. SMTP servers mail.yourdomain.name will now be configured to allow a maximum of 200 outbound messages per hour per mailbox, which should be sufficient for sending messages from mail clients.

DanA

Sounds better.
You can also try an offline browser such as HTTrack to see what a good robot can see.