D&C GLug - Home Page


Re: [LUG] Website locked


On Sun, Apr 18, 2010 at 5:25 PM, Simon Waters wrote:
> Form variable names are no protection if one of them works as an email
> address, your bot would just work through permutations till one of them
> delivers an email to you. At which point you know you have an
> exploitable form and could take the time to look at it manually.

If your system is capable of sending email to random addresses on the
internet and if it can do so more than a handful of times a
day, you can be fairly certain people are going to try to abuse it for
sending spam. I saw a recent example of a tell-a-friend system where
there was no (low) limit to the number of characters the sender's
name could have and thus 419-scammers put their full message in there.
Spam sent from a reputable system with part of the message
"legitimate" is going to have a fairly high success rate. (And their
success rate would probably have been even higher had they not written
their entire message in capitals.)

But the problem with the DCGLUG website wasn't about "people" abusing
its capability of sending email (which I don't think it has), but
about adding spammy content to the site, right? In my experience, this
happens in a far more automated way, with a lot less human intervention. (And
given that the DCGLUG site isn't exactly the most popular place on the
web, any kind of human intervention would probably make it not worth
it.) In such cases, anything that's not too generic will probably keep
a large portion of spammers away, from making the user do a very
simple calculation, to adding a CSS-hidden field called "website" to
the HTML and only processing the form if that field is empty. (Or if you
do want to have a website field, call it "email" and call the one
where users fill in their email address "website".)

(These are musings on website security in general and don't
necessarily mean I suggest something like this should be done. In
fact, I quite like the idea of requiring someone to have posted n
messages to the list before they can properly register on the site.)

Martijn.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
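The server-side checks Martijn describes (a CSS-hidden honeypot field with the swapped "email"/"website" names, a cap on the sender-name length that the tell-a-friend abuse relied on, an optional simple-calculation challenge, and a per-day submission limit), as an added example that is not code from the post or from the DCGLUG site. The field names, the 60-character name cap and the 5-per-day limit are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Field names follow the swap suggested in the post: the CSS-hidden honeypot is
# named "email" (humans never see it, so it stays empty) and the visible field
# where users really type their address is named "website".
HONEYPOT_FIELD = "email"
REAL_EMAIL_FIELD = "website"
MAX_NAME_LEN = 60   # assumed cap; the tell-a-friend abuse relied on there being none
MAX_PER_DAY = 5     # assumed per-client cap: "a handful of times a day"

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class FormGuard:
    """Server-side checks for a public form that can trigger outgoing e-mail."""

    def __init__(self):
        # (client_ip, day) -> accepted submissions; a real deployment persists this
        self.counts = defaultdict(int)

    def check(self, form, client_ip, day, expected_answer=None):
        """Return (accepted, reason) for one posted form (a name -> value dict)."""
        if form.get(HONEYPOT_FIELD, "").strip():
            return False, "honeypot field filled"   # bots tend to fill every field
        name = form.get("name", "").strip()
        if not name or len(name) > MAX_NAME_LEN:
            return False, "sender name missing or too long"
        if not _EMAIL_RE.match(form.get(REAL_EMAIL_FIELD, "").strip()):
            return False, "sender address invalid"
        # Optional "very simple calculation" challenge: the expected answer is
        # generated server-side when the form is rendered and kept in the session.
        if expected_answer is not None and form.get("answer", "").strip() != expected_answer:
            return False, "challenge answer wrong"
        key = (client_ip, day)
        if self.counts[key] >= MAX_PER_DAY:
            return False, "daily limit reached"
        self.counts[key] += 1
        return True, "ok"


if __name__ == "__main__":
    guard = FormGuard()
    # Constructed sample submissions: a human and a field-stuffing bot.
    human = {"name": "Alice", REAL_EMAIL_FIELD: "alice@example.org", HONEYPOT_FIELD: ""}
    bot = {"name": "Buy now", REAL_EMAIL_FIELD: "bot@example.net",
           HONEYPOT_FIELD: "http://spam.example"}
    print(guard.check(human, "198.51.100.7", "2010-04-18"))
    print(guard.check(bot, "203.0.113.9", "2010-04-18"))
```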