Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Email spam - possible problem.

Hi Lucas,

Thanks for the input on this. I was wondering if I was getting a little carried away. I would think that incrementing a counter in the session, "since the id is tied to the session" makes a good amount of sense. And I wouldn't think I would need to worry about IP tracking that way. I would think that about 10, maybe 5 (conservatively) would be enough to keep the temptation of spamming to a minimum.

Mark

--------------------

On Nov 24, 2006, at 4:54 PM, Lucas Holt wrote:


On Nov 24, 2006, at 6:04 PM, Mark Wheeler wrote:

Hi Errol,

Yeah, I forgot to put that in the email. After the email gets sent, I did exactly as you stated about unsetting the session variable. The problem that I come up against is that if the spammer loads up the form into a browser window, look at the source code, find the input tag with the token value, plug it into his script and he can get through. Here's what I mean.

1. Spammer loads up my form.
2. Looks at source to get the hidden input tag with the token value in it.
3. Copy and pastes that input tag into his spam script.
4. Opens a new browser window and runs his script.
5. Mail goes through because the token is correct and the session variable is still active.

Does that make sense? Am I over-thinking this?

Mark


You are a bit.  Sending one e-mail at a time isn't helpful to a spammer.  In order to use your script, they would need to fetch the page, get the code and then using the same session (so same cookie in the same browser), execute a post with the form data.  You've already raised the bar for using your site.  If you want to go a step further, you could limit the number of requests to the same page from the same ip in a given time interval.  You could do this by keeping track of the ips or even incrementing a counter in the session since the id is tied to the session.  Remember that multiple users behind the same proxy server or using NAT would not be able to hit your site so make this number fairly large like say 30 in 5 minutes or so.  


Lucas Holt
________________________________________________________
FoolishGames.com  (Jewel Fan Site)
JustJournal.com (Free blogging)
FoolishGames.net (Enemy Territory site)

 


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Web-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/web-dev/email@hidden

This email sent to email@hidden
References: 
 >Email spam - possible problem. (From: Mark Wheeler <email@hidden>)
 >Re: Email spam - possible problem. (From: Errol Sayre <email@hidden>)
 >Re: Email spam - possible problem. (From: Mark Wheeler <email@hidden>)
 >Re: Email spam - possible problem. (From: Errol Sayre <email@hidden>)
 >Re: Email spam - possible problem. (From: Mark Wheeler <email@hidden>)
 >Re: Email spam - possible problem. (From: Lucas Holt <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.