When you are creating or using CGI routines, you must be careful to keep good coding techniques, security and just plain common sense in mind. Sometimes you can do things that cause serious unexpected side effects. In fact, sometimes you may think you are making your CGI routine secure only to find out it just doesn't work like you expected.

A good example of this phenomenon is a simple CGI routine called FormMail. This was written a number of years ago by a fellow named Matt Wright to allow data to be entered in a form, then emailed to a recipient.

I first looked at FormMail because I wanted to cut down on spam. You see, my web site had my email address embedded on every single page. I thought this was a good idea to allow people to send me an email message when they wanted to contact me. In fact, all of the web design books indicate that all good web sites include an email link of this kind.

I soon discovered, much to my horror, that spammers use special programs called Spam Harvesters to scan websites for email addresses. They add these addresses to their mailing lists and resell them over and over. The result is a large increase in the amount of spam that I received.

After much research, I came to the conclusion that the best defense against spam robots was to simply stop including my email address on my web sites.

This left the question of how to allow users to contact me when they had questions or comments.

The answer is simple - use a form. The advantage is that the email address is hidden within the CGI routine or a text file and it is simply not possible for a spam harvester to pick it up. As long as the email address is coded into the CGI routine or in a database you are relatively secure.

However, many people use FormMail in a different way. Let's say you want to allow your visitors to "tell a friend" about your site. So you include a form which allows visitors to enter their message and a target email address. If you are not very careful you could find that you have set yourself up as a spam relay.

You see, spammers are always looking for ways to hide their identity. One common method is to search the internet for occurrences of FormMail. Sometimes I wonder if spammers rub their hands together in glee when they find sites which use FormMail with user-entered email addresses. The spammer essentially "hijacks" the FormMail CGI routine and causes it to send out emails as fast and furiously as it can. I know of one instance where a spammer sent over one million emails in a single day before someone noticed that their web server was going very slowly (I wonder how long it would have taken had the spammer tried limiting the load on the server so it didn't show up as much).

What happens here is very simple. The FormMail CGI routine is simply called remotely by the spammer, once for each spam email that he wants to send.

Ah, you say, but you could code the FormMail routine to check the referrer field. This would surely prevent a spammer from using it remotely, as his referrer would not be the website URL. Sorry, no. The referrer field is actually a text string passed to the CGI routine by the browser. The spammer is most likely using a program which appears, to your web site, to be just another browser. Since the spammer controls the program he can code it to send the CGI routine whatever value he wants for the referrer field.

As it turns out, it is very difficult to make a CGI routine such as FormMail even relatively secure, and it may be impossible to make it bullet-proof. All you can do is check enough things and put in delays here and there to slow down and discourage spammers.

You could, for example, only allow one posting per IP address per hour. You could also check the referrer just to block out the more ignorant spammers. I suppose you could count the number of times the routine is called, and have it just stop working after a certain amount. For example, only allow one hundred calls per day from anywhere.

The point here is not to tear apart the FormMail routine. The goal is to show how difficult it can be to make anything secure on the internet, and to demonstrate that some assumptions (that the referrer field is a valid check) may not be true in all cases.

What do you do? Before you implement any CGI or similar interface, be sure to do a little research so that you completely understand and handle the ramifications. If you don't do this, you may find yourself the victim of a hacker or spammer.
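As an added illustration (not part of the original article, and not Matt Wright's FormMail code), the following Python gate applies the defences sketched above to a form-mail handler: the recipient is a key into a server-side table rather than a user-entered address, the referrer is checked only as a weak filter because it is client-supplied, every IP is limited to one posting per hour, and the whole routine stops after one hundred calls per day. The `FormMailGate` and `Request` names, the `RECIPIENTS` table, the `example.invalid` addresses and the sample requests in `demo()` are all constructed for this example.

```python
"""Rate-limited form-mail gate (added example; not FormMail itself)."""
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed server-side recipient table. The form only submits a key,
# so a spam harvester never sees an address and a spammer cannot
# choose an arbitrary target.
RECIPIENTS = {"webmaster": "webmaster@example.invalid"}


@dataclass
class Request:
    """The subset of a CGI request the gate needs (constructed shape)."""
    remote_ip: str
    referer: str        # client-supplied header; treat as untrusted
    recipient_key: str  # key into RECIPIENTS, never a raw address
    message: str
    now: float          # epoch seconds, passed in so tests can control time


@dataclass
class FormMailGate:
    site_origin: str                  # e.g. "https://www.example.invalid"
    per_ip_limit: int = 1             # one posting ...
    per_ip_window: float = 3600.0     # ... per IP address per hour
    daily_cap: int = 100              # one hundred calls per day from anywhere
    accept_delay: float = 2.0         # seconds to stall each accepted post
    _per_ip: dict = field(default_factory=lambda: defaultdict(deque))
    _global: deque = field(default_factory=deque)

    @staticmethod
    def _prune(timestamps, now, window):
        """Drop timestamps older than the window so counts stay bounded."""
        while timestamps and now - timestamps[0] > window:
            timestamps.popleft()

    def check(self, req):
        """Return (accepted, detail): detail is the reason or the address."""
        # 1. Recipient must come from the server-side table.
        if req.recipient_key not in RECIPIENTS:
            return False, "unknown recipient"
        # 2. Referrer check: advisory only, since the client can set any value.
        if not req.referer.startswith(self.site_origin):
            return False, "referer mismatch"
        # 3. Global daily cap across all callers.
        self._prune(self._global, req.now, 86400.0)
        if len(self._global) >= self.daily_cap:
            return False, "daily cap reached"
        # 4. Per-IP sliding window.
        recent = self._per_ip[req.remote_ip]
        self._prune(recent, req.now, self.per_ip_window)
        if len(recent) >= self.per_ip_limit:
            return False, "ip rate limited"
        recent.append(req.now)
        self._global.append(req.now)
        return True, RECIPIENTS[req.recipient_key]

    def handle(self, req):
        """check() plus the deliberate delay that makes bulk abuse slow."""
        accepted, detail = self.check(req)
        if accepted:
            time.sleep(self.accept_delay)
        return accepted, detail


def demo():
    """Run constructed requests through the gate; returns the decisions."""
    origin = "https://www.example.invalid"
    gate = FormMailGate(site_origin=origin)
    good_ref = origin + "/contact.html"
    requests = [
        Request("198.51.100.10", good_ref, "webmaster", "hello", now=0.0),
        Request("198.51.100.10", good_ref, "webmaster", "again", now=10.0),
        Request("198.51.100.20", "http://spammer.invalid/", "webmaster", "x", now=20.0),
        Request("198.51.100.20", good_ref, "victim@elsewhere.invalid", "x", now=30.0),
        Request("198.51.100.10", good_ref, "webmaster", "later", now=3700.0),
    ]
    return [gate.check(r) for r in requests]


def demo_daily_cap():
    """Three distinct IPs against a cap of two; returns the decisions."""
    origin = "https://www.example.invalid"
    gate = FormMailGate(site_origin=origin, daily_cap=2)
    ref = origin + "/contact.html"
    ips = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
    return [gate.check(Request(ip, ref, "webmaster", "m", now=0.0)) for ip in ips]


if __name__ == "__main__":
    for decision in demo() + demo_daily_cap():
        print(decision)
```

The order of the checks matters: the cheap, non-state-changing tests (recipient table, referrer) run first, and only an accepted request consumes quota, so a flood of junk from one address cannot exhaust the daily cap for legitimate visitors. The referrer test still sits in the chain, but only as the article describes it: a hurdle for the more ignorant spammers, not a proof of origin.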