Alan Storm is a human being living in Portland, OR by way of Seattle, WA by way of Portland, OR by way of Rochester, NY. He likes making websites, and talks about that here.
He also likes to make things on the web. If you need something made on the web, drop him a line.
We're a little worried about his penchant for slipping into the third person narrative form.
This is a response I sent on the WebDesign-L mailing list in response to a question about email form security. I'm reposting it here since, you know, “The Busy”.
Referrer checking is the wrong way to go about this. Referrers can be trivially faked, so checking them will only protect you from the most amateurish of spammers. Referrers also aren’t reliably sent with every browser request (the header, spelled Referer, is optional, and proxies and privacy settings often strip it). You won’t be protecting yourself and you will be frustrating legitimate users.
Some things to do with any form that sends email
Don’t send commands directly to the MTA (aka sendmail). You aren’t that smart (neither am I). Your scripting/programming language of choice should have a layer built on top of this; for example, the mail() function in PHP.
VALIDATE any user input that’s going to be sent in a header or used as a “To” address. Remove all carriage returns (\r), newlines (\n) and commas; otherwise a spammer can set their own headers (think Bcc: [lots of addresses here]) or add additional addresses (the comma).
LIMIT how much input a user can set. A spammer is only going to use your form if they can find a way to insert their message into it. Ideally, all a user should enter is their name and address, with the URL being sent along as a hidden field. This URL should then be validated on the back end, ideally against a list of “allowed” URLs. If that’s not feasible, use some kind of string comparison that accepts exactly one URL on the proper domain. A regular expression like this is a good start (# as the delimiter so the slashes in the URL need no escaping, dots escaped so they match literally, and a $ anchor so nothing can trail the URL):
#^http://www\.example\.com/articles/[^:]+$#i
If you must allow the sender to include a little message along with the URL, at minimum strip it of all HTML and domain names.
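The three checks above (header values stripped of CR, LF and commas; the URL checked against an allow-list with an anchored pattern as fallback; the optional message stripped of HTML and domain names) as one worked example. This is added here and is not code from the original mailing-list reply; the field names, the allow-list entries, the e-mail shape check and the sample submissions are all assumptions for the demo.

```python
"""Added example (not from the original post): validating the fields of a
"send this page to a friend" form before anything reaches mail().  Field names,
the allowed-URL list, the e-mail check and the sample submissions are assumed."""
import re
from html import unescape
from typing import Optional

# Characters that let a submitter inject extra headers (\r, \n) or extra
# recipients (the comma that separates addresses in To:/Cc:/Bcc:).
HEADER_BREAKERS = re.compile(r"[\r\n,]")

# Hypothetical allow-list of pages this form may "send to a friend".
ALLOWED_URLS = {
    "http://www.example.com/articles/form-security",
    "http://www.example.com/articles/mta-basics",
}
# Fallback when an explicit list is not feasible: one URL, our domain, and
# nothing after it.  The $ anchor matters; without it a second URL can trail.
URL_PATTERN = re.compile(r"^http://www\.example\.com/articles/[^:]+$", re.I)

# Loose e-mail shape: local@domain.tld with no whitespace and no header breakers.
EMAIL_RE = re.compile(r"^[^\s@,]+@[^\s@,]+\.[^\s@,]+$")

TAG_RE = re.compile(r"<[^>]*>")
# Anything that looks like a bare domain or a URL, including its path.
DOMAIN_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}\b[^\s]*", re.I)


def clean_header_value(value: str) -> str:
    """Strip CR, LF and commas so the value cannot add headers or addresses."""
    return HEADER_BREAKERS.sub("", value).strip()


def validate_email(value: str) -> Optional[str]:
    """Clean the value first, then insist it still looks like one address."""
    cleaned = clean_header_value(value)
    return cleaned if EMAIL_RE.match(cleaned) else None


def validate_url(value: str, allow_list=ALLOWED_URLS) -> Optional[str]:
    """Prefer an exact allow-list hit; otherwise fall back to the anchored pattern."""
    value = value.strip()
    if value in allow_list:
        return value
    return value if URL_PATTERN.match(value) else None


def strip_message(text: str, limit: int = 300) -> str:
    """Remove HTML tags and anything that looks like a domain name or URL,
    then cap the length so there is little room left for a spam payload."""
    text = TAG_RE.sub("", unescape(text))
    text = DOMAIN_RE.sub("[link removed]", text)
    return " ".join(text.split())[:limit]


def validate_submission(form: dict) -> Optional[dict]:
    """Return the cleaned fields ready for mail(), or None if anything is rejected."""
    sender = validate_email(form.get("email", ""))
    url = validate_url(form.get("url", ""))
    if sender is None or url is None:
        return None
    return {
        "from_name": clean_header_value(form.get("name", ""))[:60],
        "from_email": sender,
        "url": url,
        "message": strip_message(form.get("message", "")),
    }


if __name__ == "__main__":
    # Constructed submissions: one legitimate, one carrying a Bcc: injection
    # and a second URL smuggled in after a colon.
    good = {"name": "Ann", "email": "ann@example.org",
            "url": "http://www.example.com/articles/form-security",
            "message": "Thought you'd like this <b>article</b>."}
    attack = {"name": "x", "email": "a@b.org\r\nBcc: v1@spam.test, v2@spam.test",
              "url": "http://www.example.com/articles/x:http://evil.test/",
              "message": "Buy now at http://evil.test/pills"}
    print(validate_submission(good))    # cleaned dict
    print(validate_submission(attack))  # None
```

The e-mail check deliberately runs after the header cleaning: once the CR/LF is gone the injected Bcc: line collapses into the address field, where the whitespace makes it fail the shape check, so the submission is rejected rather than quietly "repaired" into something that still reaches mail().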
MONITOR the responses. If your privacy policy allows for it, log everything to a database and/or learn how to read your server log files.
Have an alert sent to you automatically if there’s any kind of suspicious activity (more than one message a day sent to the same address, more than one submission a day from the same IP, a large spike in submissions, etc.). These actions may be legitimate, or may be the work of a spammer. Check your logged information and take appropriate action if need be.
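The monitoring rules just described, run over a constructed submission log, as an added example (not part of the original reply). The one-line-per-submission log format, the thresholds and the sample lines are assumptions; a real form would log whatever its privacy policy allows.

```python
"""Added example (not from the original post): scanning a form-submission log
for the suspicious patterns the post lists.  The log line format, the
thresholds and the sample lines are assumptions for the demo."""
import re
from collections import Counter, defaultdict

# Constructed sample log (assumed format): ISO timestamp, client IP, recipient.
SAMPLE_LOG = """\
2024-05-01T09:12:01 ip=198.51.100.7 to=ann@example.org
2024-05-01T09:40:33 ip=203.0.113.5 to=bob@example.org
2024-05-01T09:41:02 ip=203.0.113.5 to=carol@example.org
2024-05-01T09:41:30 ip=203.0.113.5 to=bob@example.org
2024-05-02T11:00:00 ip=198.51.100.8 to=dave@example.org
2024-05-03T08:00:00 ip=198.51.100.9 to=erin@example.org
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ ip=(?P<ip>\S+) to=(?P<to>\S+)$"
)


def parse_log(text):
    """Yield (day, ip, recipient) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("day"), m.group("ip"), m.group("to").lower()


def find_suspicious(text, per_recipient=1, per_ip=1, spike_factor=3.0):
    """Return a sorted list of alert strings for:
    - more than `per_recipient` messages to one address in a day
    - more than `per_ip` submissions from one IP in a day
    - a day whose total exceeds spike_factor x the mean of the other days
    """
    by_day_to = defaultdict(Counter)
    by_day_ip = defaultdict(Counter)
    per_day = Counter()
    for day, ip, to in parse_log(text):
        by_day_to[day][to] += 1
        by_day_ip[day][ip] += 1
        per_day[day] += 1

    alerts = []
    for day, counts in by_day_to.items():
        for to, n in counts.items():
            if n > per_recipient:
                alerts.append(f"{day}: {n} messages to {to}")
    for day, counts in by_day_ip.items():
        for ip, n in counts.items():
            if n > per_ip:
                alerts.append(f"{day}: {n} submissions from {ip}")
    # A spike only means something relative to other days, so skip single-day logs.
    if len(per_day) > 1:
        for day, n in per_day.items():
            others = [v for d, v in per_day.items() if d != day]
            baseline = sum(others) / len(others)
            if n > spike_factor * baseline:
                alerts.append(f"{day}: {n} submissions vs baseline {baseline:.1f}/day")
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately low, matching the post's "more than one a day" rule; on a busy site you would raise them, but the point is that each alert names the day, the count and the address or IP so you can go back to the logged submissions and decide whether it was a spammer.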
Consider a challenge/response CAPTCHA
Keep in mind this is a significant accessibility barrier. CAPTCHAs will also significantly reduce the number of responses you get, even from people without special access requirements.