cgi security

Sheila King sheila at spamcop.net
Wed Apr 4 19:30:58 EDT 2001


On Wed, 4 Apr 2001 19:16:11 +0200, spamdropbox at myrealbox.com (Walter Hofmann)
wrote in comp.lang.python in article
<slrn9cmlmr.kj1.spamdropbox at frodo.uni-erlangen.de>:

:On Wed, 04 Apr 2001 06:16:53 GMT, Sheila King <sheila at spamcop.net> wrote:
:>
:>I'm writing a form-mail script, and I have two questions right now:
:
:There is a script called "formmail" in wide use, which seems to do
:approximately what you are trying to achieve.

I'm aware of the formmail script. I'm not trying to copy that one. I'm trying
to emulate cgiemail, but add features, better error-handling and error
messages, and ability to do a variety of "success" pages. The main difference
between formmail and cgiemail is that the emails are very nicely formatted,
according to a template textfile.
http://web.mit.edu/wwwdev/cgiemail/

cgiemail's source is available, but it is in C, and there are many files. My
script is much shorter. (And although I've run Perl scripts, I really don't
like putting up scripts that I don't understand and can't read the code easily
myself.)

:Unfortunately, it is currently abused by spammers to send large amounts
:of unsolicited email. That's because it accepts any email address it is
:given. Spammers fake forms which will mail their spam via these scripts.

Yes, someone pointed out this discussion, on a BBS that I frequently read:
http://www.securityfocus.com/frames/?content=/templates/archive.pike
%3Flist%3D1%26tid%3D168177%26fro-mthread%3D0%26start%3D2001-03-04%26threads%3D1%26end%3D2001-03-10%26

(URL above is folded. Unfold to paste into your browser.)

:Basically the only way to prevent this is to have a list of allowed
:email addresses in the script (or hardcode a single email address). 
:However, this means that for every new user you'd have to add their
:email to the list before they can use your script.

I'm really trying for something much more flexible, with input checking.

Thanks,

--
Sheila King
http://www.thinkspot.net/sheila/
http://www.k12groups.org/
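
The allowlist approach from the quoted reply, combined with the input checking mentioned in the message, as an added example that is not part of the original post or of formmail/cgiemail. The addresses, function names and exception class are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample allowlist (assumption); a real script would load it from config.
ALLOWED_RECIPIENTS = {"webmaster@example.org", "sales@example.org"}


class RejectedRecipient(ValueError):
    """Raised when a submitted recipient must not be mailed."""


def check_recipient(raw, allowed=ALLOWED_RECIPIENTS):
    """Return the normalised address if the form may mail it, else raise."""
    # A recipient is a single header value: refuse control characters
    # (CR, LF, NUL, DEL, ...) so it cannot span more than one line.
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in raw):
        raise RejectedRecipient("control character in recipient")
    # One recipient per submission: no address lists.
    if "," in raw or ";" in raw:
        raise RejectedRecipient("multiple recipients")
    _name, addr = parseaddr(raw.strip())
    addr = addr.lower()
    if addr.count("@") != 1:
        raise RejectedRecipient("not a single address")
    # The allowlist is the actual control: anything not listed is refused.
    if addr not in allowed:
        raise RejectedRecipient("recipient not on the allowlist")
    return addr


def filter_submissions(values, allowed=ALLOWED_RECIPIENTS):
    """Split submitted values into (accepted, rejected-with-reason)."""
    accepted, rejected = [], []
    for value in values:
        try:
            accepted.append(check_recipient(value, allowed))
        except RejectedRecipient as exc:
            rejected.append((value, str(exc)))
    return accepted, rejected
```

The rejected list carries the reason for each refusal, which is what a form-mail script would log or turn into an error page.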





