Canuckkev
July 1st, 2002, 18:41
Okay, I'm sure it's been done before, but a service where people sign up with their email address, and when they want to give it out, the just link to http://domain.com/antispam.php?id=3423 and that will present the visitor with a formmail to fill out and the script will send it to the email address that links up with the id.
So, sound useful?
Obviously, this service would be abused if it were so simple. So I have thought of a few security measures.
-ID's would not auto-increment, instead a random number between 1 and 5 would be added. Anyone visiting an invalid id link would have their IP added to an abuse table in the DB. Therefore, if a spambot attempts to get email addresses, the IP would be recorded many times.
-Having a generated image appear on the page, and before sending the user would have to type the numbers into the box.
-Having another variable in the query string, an "auth" number. This number would be chosen by the user signed up, and they would link http://domain.com/antispam.php?id=4435&auth=34334 . If the auth is incorrect, again the IP would be recorded.
-Only allowing 1 message an hour (or something like that) from each IP.
-Also, checking for the same root of the abusive IP's that day. For example, if 123.321.555.666 was added the DB, as well as 123.321.444.555, all traffic from 123.321.*.* would be cancelled for that day.
-Recording average traffic over a period of time, and if the traffic jumps at any particular time a significant amount, cancelling the script execution until requests die down.
-If all else fails, renaming the send script every hour.
If you have any other suggestions, they would be MUCH appreciated.
So, sound useful?
Obviously, this service would be abused if it were so simple. So I have thought of a few security measures.
-ID's would not auto-increment, instead a random number between 1 and 5 would be added. Anyone visiting an invalid id link would have their IP added to an abuse table in the DB. Therefore, if a spambot attempts to get email addresses, the IP would be recorded many times.
-Having a generated image appear on the page, and before sending the user would have to type the numbers into the box.
-Having another variable in the query string, an "auth" number. This number would be chosen by the user signed up, and they would link http://domain.com/antispam.php?id=4435&auth=34334 . If the auth is incorrect, again the IP would be recorded.
-Only allowing 1 message an hour (or something like that) from each IP.
-Also, checking for the same root of the abusive IP's that day. For example, if 123.321.555.666 was added the DB, as well as 123.321.444.555, all traffic from 123.321.*.* would be cancelled for that day.
-Recording average traffic over a period of time, and if the traffic jumps at any particular time a significant amount, cancelling the script execution until requests die down.
-If all else fails, renaming the send script every hour.
If you have any other suggestions, they would be MUCH appreciated.