CGI Security Issues

Category : Web Development
Times Read : 21
Date : 24 June 2008 07:00

When you are creating or using CGI routines, you must be careful to keep good coding techniques, security and just plain common sense in mind. Sometimes you can do things that cause serious unexpected side effects. In fact, sometimes you may think you are making your CGI routine secure only to find out it just doesn't work like you expected.

A good example of this phenomenon is a simple CGI routine called FormMail. This was written a number of years ago by a fellow named Matt Wright to allow data to be entered in a form, then emailed to a recipient.

I first looked at FormMail because I wanted to cut down on spam. You see, my web site had my email address embedded on every single page. I thought this was a good idea to allow people to send me an email message when they wanted to contact me. In fact, all of the web design books indicate that all good web sites include an email link of this kind.

I soon discovered, much to my horror, that spammers use special programs called spam harvesters to scan websites for email addresses. They add these addresses to their mailing lists and resell them over and over. The result is a large increase in the amount of spam that I received.

After much research, I came to the conclusion that the best defense against spam robots was to simply stop including my email address on my web sites. This left the question of how to allow users to contact me when they had questions or comments.

The answer is simple - use a form. The advantage is that the email address is hidden within the CGI routine or a text file and it is simply not possible for a spam harvester to pick it up. As long as the email address is coded into the CGI routine or in a database you are relatively secure.

However, many people use FormMail in a different way. Let's say you want to allow your visitors to "tell a friend" about your site. So you include a form which allows visitors to enter their message and a target email address. If you are not very careful you could find that you have set yourself up as a spam relay.

You see, spammers are always looking for ways to hide their identity. One common method is to search the internet for occurrences of FormMail. Sometimes I wonder if spammers rub their hands together in glee when they find sites which use FormMail with user-entered email addresses.

The spammer essentially "hijacks" the FormMail CGI routine and causes it to send out emails as fast and furiously as they can. I know of one instance where a spammer sent over one million emails in a single day before someone noticed that their web server was going very slowly (I wonder how long it would have taken had the spammer tried limiting the load on the server so it didn't show up as much).

What happens here is very simple. The FormMail CGI routine is simply called remotely by the spammer, once for each spam email that he wants to send.

Ah, you say, but you could code the FormMail routine to check the referrer field. This would surely prevent a spammer from using it remotely, as his referrer would not be the website URL.

Sorry, no. The referrer field is actually a text string passed to the CGI routine by the browser. The spammer is most likely using a program which appears, to your web site, to be just another browser. Since the spammer controls the program he can code it to send the CGI routine whatever value he wants for the referrer field.

As it turns out, it is very difficult to make a CGI routine such as FormMail even relatively secure, and it may be impossible to make it bullet-proof. All you can do is check enough things and put in delays here and there to slow down and discourage spammers.

You could, for example, only allow one posting per IP address per hour. You could also check the referrer just to block out the more ignorant spammers. I suppose you could count the number of times the routine is called, and have it just stop working after a certain amount. For example, only allow one hundred calls per day from anywhere.

The point here is not to tear apart the FormMail routine. The goal is to show how difficult it can be to make anything secure on the internet, and demonstrate that some assumptions (that the referrer field is a valid check) may not be true in all cases.

What do you do? Before you implement any CGI or similar interface, be sure to do a little research so that you completely understand and handle the ramifications. If you don't do this, you may find yourself the victim of a hacker or spammer.
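As an added illustration (not part of the original article, and not Matt Wright's FormMail code), here is a small form-to-mail handler in Python that applies the advice above: the recipient address is fixed in the script rather than taken from the form, the referrer is recorded but never used as an access check, and posts are limited to one per IP address per hour and one hundred per day overall. The class name RelayGuard, the function names and the sample addresses are assumptions made for this example.

```python
# Added example: a form-to-mail handler hardened along the lines the article
# suggests. Not the original FormMail; names and addresses are made up.
from collections import deque
from dataclasses import dataclass, field

RECIPIENT = "webmaster@example.com"  # fixed in the script, never read from the form
PER_IP_WINDOW = 3600                 # one posting per IP address per hour
DAILY_CAP = 100                      # stop serving after this many posts per day


@dataclass
class RelayGuard:
    """Tracks accepted posts so the script cannot be driven as a spam relay."""
    last_post_by_ip: dict = field(default_factory=dict)
    daily: deque = field(default_factory=deque)  # timestamps of accepted posts

    def allow(self, ip, now):
        """Return True if a post from `ip` at time `now` (seconds) may proceed."""
        while self.daily and now - self.daily[0] >= 86400:
            self.daily.popleft()           # forget posts older than a day
        if len(self.daily) >= DAILY_CAP:
            return False                   # site-wide daily ceiling reached
        last = self.last_post_by_ip.get(ip)
        if last is not None and now - last < PER_IP_WINDOW:
            return False                   # this address posted too recently
        self.last_post_by_ip[ip] = now
        self.daily.append(now)
        return True


def build_message(form, referrer=""):
    """Assemble the mail to send. Only allow-listed form fields are used, so a
    'recipient' field supplied by the client is ignored; the referrer is kept
    for the log but, as the article explains, it proves nothing."""
    return {
        "to": RECIPIENT,
        "subject": form.get("subject", "Contact form submission"),
        "body": form.get("message", ""),
        "referrer_seen": referrer,   # informational only, not an access check
    }


def handle_post(guard, ip, form, referrer="", now=0):
    """Combine the rate limit and the message builder; None means rejected."""
    if not guard.allow(ip, now):
        return None
    return build_message(form, referrer)
```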

About the Author

Richard Lowe Jr. is the webmaster of Internet Tips And Secrets at http://www.internet-tips.net - Visit our website any time to read over 1,000 complete FREE articles about how to improve your internet profits, enjoyment and knowledge.

 
