One of my accounts was suspended because someone used my tell a friend script to spam 4000 AOL emails. I need a secure tell a friend script, anyone know a good one? Maybe CGI is better? I saw somewhere that you can block the same IP from coming too many times to the website? Should I use this as well? Does a Captcha check help? Does anyone have a script for that? How do you stop people from abusing your tell a friend scripts? I stopped the script from working but you can still see them on chatthailand.com. How can they send emails from this, I mean there is no option to put in your own text, and even so there was their text in the email, not mine.
I suggest recording the IP of the person who uses your form, and limiting to 5 sends per day only per IP. This will not stop spamming but it will help to minimize it. I am sure they use a script to send those 4000 emails. You can also set your server to not allow hot linking.
Please make sure that there is sanity checking on the variables to ensure they're from your form and not just injected/posted. What can I do to stop that?
It almost seems there is no way to absolutely guarantee any type of online form/script will not be abused. Your experience, however, underscores the danger of assuming someone else's work is secure. I am sure there are several free scripts out there which were put there by the "black hats" in the hope webmasters who use them would not bother trying to understand the code. Captchas will defeat most robots. Unfortunately, in my experience, inserting captchas into existing scripts is harder than it ought to be.

I understand why "tell a friend" scripts are interesting. But there need to be real controls on their use. If you are using PHP, borrow a feather from the cap of Mambo and similar systems and create a variable which must be set before the script will work. For instance, in pages which would call the script insert something like:

define( '_VALID_SECRET_WORD', 1 );

At the top of the "tell a friend" script put something like:

<?php defined( '_VALID_SECRET_WORD' ) or die( 'Direct Access to this location is not allowed.' ); ?>

This will prevent people from calling the script remotely.

In the email address for the friend make sure only one email address is entered. DUMP all others. Make sure the sender cannot add their own message. Make sure the message sent is yours and yours alone . . . though you should say this site was recommended by your friend, "Mr. X". Change Mr. X to the name of the person. The form which is clicked should contain no hidden variables beyond something only intelligible to yourself and your system. Spammers will try to manipulate those to see if they get a different result. Make sure you validate the submitter's email address and that neither their name nor the email address point to a known spam type domain.

I am sure there are many, many more things which could be done to make it more secure. Track down discussions about security and "tell a friend" scripts. There are bound to be some, with even more and better suggestions.
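The controls listed in the post above (the `_VALID_SECRET_WORD` guard, exactly one recipient, no user-supplied message body, a fixed text that only names the sender) put together in one handler. This is an added example and not code from the thread or from any real tell-a-friend script; the function names, the `$_POST` field names, `SITE_NAME` and `SITE_URL` are assumptions, and `mb_substr` assumes the mbstring extension is available.

```php
<?php
// Added example, not from the thread. Assumed names: handle_tell_a_friend(),
// single_email(), clean_name(), build_message(), and the form fields
// 'friend_email', 'sender_email', 'sender_name'.

// Calling pages define this constant before including the script; a direct
// HTTP request to this file never has it set and is refused (from the post above).
defined('_VALID_SECRET_WORD') or die('Direct Access to this location is not allowed.');

const SITE_NAME = 'example.com';             // constructed placeholder
const SITE_URL  = 'https://www.example.com'; // constructed placeholder

// Accept exactly one syntactically valid address. Anything containing whitespace,
// separators or angle brackets looks like a list or a header and is dumped.
function single_email(string $raw): ?string {
    $value = trim($raw);
    if ($value === '' || preg_match('/[\s,;<>]/', $value)) {
        return null;
    }
    $valid = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Keep only characters that belong in a display name: no CR/LF, no angle brackets,
// so the name can never open a new header line in the subject. (mbstring assumed.)
function clean_name(string $raw): string {
    $name = preg_replace('/[^\p{L}\p{N} .\'-]/u', '', $raw);
    return mb_substr(trim($name), 0, 60);
}

// The body is fixed text owned by the site; the submitter cannot add their own message.
function build_message(string $senderName): string {
    return "Hello,\n\n"
         . SITE_NAME . " was recommended to you by your friend, " . $senderName . ".\n"
         . "Visit: " . SITE_URL . "\n";
}

function handle_tell_a_friend(array $post): array {
    $friend = single_email($post['friend_email'] ?? '');
    $sender = single_email($post['sender_email'] ?? '');
    $name   = clean_name($post['sender_name'] ?? '');
    if ($friend === null || $sender === null || $name === '') {
        return ['ok' => false, 'reason' => 'invalid input'];
    }
    // Headers are built from constants plus the already-validated sender address;
    // nothing else from the form is ever placed in a header line.
    $headers = "From: noreply@" . SITE_NAME . "\r\n"
             . "Reply-To: " . $sender . "\r\n";
    $subject = $name . " recommends " . SITE_NAME;
    $ok = mail($friend, $subject, build_message($name), $headers);
    return ['ok' => $ok, 'reason' => $ok ? 'sent' : 'mail() failed'];
}

// Usage from the including page (after the define() shown in the post):
// $result = handle_tell_a_friend($_POST);
```

The point of routing every value through `single_email()` and `clean_name()` before it touches `mail()` is that the recipient count, the headers and the body are all decided by the script, so a forged POST cannot turn the form into an open relay even if it bypasses the page that normally wraps it.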
My host told me to do this, does anyone have the PHP code for this? To block so you can only post one time per IP: It would be the REMOTE_ADDR environment for the IP. You could store it in a flat file/database or a MySQL database, etc. It might not be needed--that is just a suggestion to prevent multiple submissions if one didn't accept the cookie or deleted it right after, which is pretty simple to do. I have cookie protection but they can easily delete the cookie, does anyone have code for only taking clean cookies? You could even force the submitter to have the valid, and recent cookie.
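The per-IP limit suggested in the two posts above (record `REMOTE_ADDR`, allow at most 5 sends per day per address, keep the counts in a flat file), written out as an added example that is not the host's code or anything from the thread. The function name, the JSON file path and the 24-hour window are assumptions; the limit of 5 comes from the earlier reply.

```php
<?php
// Added example, not from the thread. Assumed names: rate_limit_allows() and the
// flat file tell_a_friend_limits.json next to the script.

const MAX_SENDS_PER_DAY = 5;      // limit suggested earlier in the thread
const WINDOW_SECONDS    = 86400;  // assumption: a rolling 24-hour window

// Returns true and records the send if this IP is still under the limit.
// The file holds {"ip": [timestamp, ...]} and is updated under an exclusive lock,
// so two simultaneous submissions cannot both slip under the limit.
function rate_limit_allows(string $ip, string $limitFile, ?int $now = null): bool {
    $now = $now ?? time();
    $fh  = fopen($limitFile, 'c+');   // create if missing, do not truncate
    if ($fh === false) {
        return false;                 // fail closed: if the limit cannot be recorded, do not send
    }
    flock($fh, LOCK_EX);
    $raw   = stream_get_contents($fh);
    $table = ($raw === '' || $raw === false) ? [] : (json_decode($raw, true) ?: []);

    // Expire old timestamps for every address so the file does not grow without bound.
    $cutoff = $now - WINDOW_SECONDS;
    foreach ($table as $addr => $times) {
        $fresh = array_values(array_filter((array) $times, fn($t) => is_int($t) && $t >= $cutoff));
        if ($fresh === []) {
            unset($table[$addr]);
        } else {
            $table[$addr] = $fresh;
        }
    }

    $allowed = count($table[$ip] ?? []) < MAX_SENDS_PER_DAY;
    if ($allowed) {
        $table[$ip][] = $now;
    }

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($table));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Usage at the top of the form handler. REMOTE_ADDR is the peer address the web
// server itself saw; behind a reverse proxy it would be the proxy, not the visitor.
$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (!rate_limit_allows($ip, __DIR__ . '/tell_a_friend_limits.json')) {
    http_response_code(429);
    exit('Too many submissions from your address today.');
}
```

As the earlier reply says, this only slows abuse down: a sender with many addresses gets 5 sends from each. It does remove the cheap case, one script looping 4000 times from one host, and the JSON file doubles as a record of which addresses were hitting the form and when.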
Ehm.. maybe you need to do some checking in your script.. the user can change the header.. and post it from your script..
One issue I had to protect all my sites from is Contact Us form hijacking. Essentially, by sending form variables with specific email header content, they can have it look like an email from them, to whoever, with their own content in the email (thanks to bloody multi-part). So - I always strip any email headers from all contact forms before sending email and DB dumping. If any forms do have email header content in them - have it send to you instead of whoever it is supposed to be sent to - so you can track the IP of who is sending and when it is sent. They are usually sent in the BCC but this technique tells you who is supposed to get the email.
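The two measures in the post above, stripping header content from form fields and rerouting any submission that contains it to the site owner with the sender's IP and time, as an added example that is not the poster's code. The function names, the `ADMIN_EMAIL` placeholder and the field names `name`, `email` and `message` are assumptions.

```php
<?php
// Added example, not from the thread. Assumed names: looks_like_header_injection(),
// find_injected_fields(), header_safe(), route_contact_form(), ADMIN_EMAIL.

const ADMIN_EMAIL = 'owner@example.com'; // constructed placeholder

// A smuggled header needs a line break followed by "Name:" so that mail() passes it
// through as a new header line (Bcc:, To:, Content-Type: for the multi-part trick).
function looks_like_header_injection(string $value): bool {
    if (preg_match('/(\r|\n|%0a|%0d)/i', $value)) {
        return true;
    }
    return (bool) preg_match(
        '/^\s*(to|cc|bcc|from|content-type|mime-version|content-transfer-encoding):/im',
        $value
    );
}

// Names of every posted field that carries header-like content.
function find_injected_fields(array $post): array {
    $hits = [];
    foreach ($post as $field => $value) {
        if (is_string($value) && looks_like_header_injection($value)) {
            $hits[] = (string) $field;
        }
    }
    return $hits;
}

// Strip line breaks (raw and URL-encoded) from anything that will be placed in a header.
function header_safe(string $value): string {
    return str_replace(["\r", "\n", "%0a", "%0d", "%0A", "%0D"], '', $value);
}

// Decide where the message goes. Clean submissions reach the intended recipient with
// sanitised headers; suspicious ones are redirected to the owner as an abuse report.
function route_contact_form(array $post, string $intended, string $remoteIp): array {
    $hits = find_injected_fields($post);
    if ($hits !== []) {
        $report = "Header content detected in fields: " . implode(', ', $hits) . "\n"
                . "Remote IP: " . $remoteIp . "\n"
                . "Time (UTC): " . gmdate('c') . "\n"
                . "Intended recipient: " . $intended . "\n\n"
                . print_r($post, true);
        return ['to' => ADMIN_EMAIL, 'subject' => 'Contact form abuse attempt', 'body' => $report];
    }
    $name  = header_safe($post['name'] ?? '');
    $email = filter_var(header_safe($post['email'] ?? ''), FILTER_VALIDATE_EMAIL) ?: 'invalid';
    return [
        'to'      => $intended,
        'subject' => 'Contact from ' . $name . ' <' . $email . '>',
        'body'    => (string) ($post['message'] ?? ''),
    ];
}

// Usage: the submitter never chooses the recipient; it comes from the script.
// $route = route_contact_form($_POST, 'sales@example.com', $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
// mail($route['to'], $route['subject'], $route['body'], 'From: noreply@example.com');
```

The message body is deliberately left alone: a line break inside the body is harmless, and only values that end up on a header line need `header_safe()`. Keeping the abuse report routed to the owner, as the post suggests, gives a log of the IP and timing of each attempt without the injected Bcc: ever reaching the mail server.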