Quote:
If you only want to support email to a small list of email addresses, then hardcode those in your script on the server side. If the web form mentions any address that's not in your list, ignore the user input and send it to a default address.
Dan, it's not the email address the message is to, but the email address it is from, that is usually the problem. Because the headers are modified to make it look like the message has come directly from that email address, rather than from the web server, spammers often use it to inject additional headers into the message.
Also, re: Step 1, the last regex in my tests does just that for email addresses. I can't take credit for coming up with it, but it will supposedly only allow RFC 2822 compliant addresses.
Bruno, you may want to check for the "Mime-Version: " and "Content-type: " keywords as well, since they are clear indications that someone is trying to use your script for spam. They should not be present in any legitimate message that's entered into your form.
_________________________
~ John
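The checks discussed in this thread (a server-side recipient allowlist, a sanity check on the submitted "from" address, and rejection of line breaks and header keywords such as "Mime-Version:" and "Content-type:") combined into one form handler. This is an added example, not code from the thread or from Bruno's script; all addresses are constructed, and the address regex is a deliberately simple shape rather than the full RFC 2822 grammar John refers to.

```python
import re

# Constructed example values: recipients the script is willing to send to.
# Anything else requested by the form is ignored in favour of the default.
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}
DEFAULT_RECIPIENT = "webmaster@example.com"
# Constructed fixed sender; the user's address only ever goes into Reply-To,
# so the message never claims to come directly from the form submitter.
SERVER_SENDER = "webform@example.com"

# Header names that never belong in form input: the two John mentions, plus
# the recipient headers a spammer would have to add to reach other people.
SUSPICIOUS_HEADER_RE = re.compile(r"(?i)\b(mime-version|content-type|cc|bcc)\s*:")

# Simple address shape: local part, one '@', a dotted domain, no whitespace
# or control characters. Assumption: good enough for a contact form.
SIMPLE_ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def has_line_breaks(value: str) -> bool:
    """CR, LF or NUL in a single-line field is how extra headers get injected."""
    return any(c in value for c in "\r\n\x00")


def has_suspicious_headers(value: str) -> bool:
    """True if the text contains a header keyword that no legitimate entry needs."""
    return SUSPICIOUS_HEADER_RE.search(value) is not None


def validate_sender(addr: str):
    """Return the cleaned address, or None if it is malformed or carries headers."""
    addr = addr.strip()
    if has_line_breaks(addr) or has_suspicious_headers(addr):
        return None
    if not SIMPLE_ADDRESS_RE.fullmatch(addr):
        return None
    return addr


def choose_recipient(requested: str) -> str:
    """Honour the form's requested recipient only if it is on the hardcoded list."""
    requested = requested.strip().lower()
    return requested if requested in ALLOWED_RECIPIENTS else DEFAULT_RECIPIENT


def build_message(form: dict):
    """Turn a submitted form into headers and body, or return None to reject it."""
    sender = validate_sender(form.get("from", ""))
    if sender is None:
        return None
    subject = form.get("subject", "").strip()
    body = form.get("body", "")
    # Subject is single-line; the body may have newlines but still must not
    # carry MIME or recipient header keywords.
    if has_line_breaks(subject) or has_suspicious_headers(subject):
        return None
    if has_suspicious_headers(body):
        return None
    return {
        "headers": {
            "From": SERVER_SENDER,
            "Reply-To": sender,
            "To": choose_recipient(form.get("to", "")),
            "Subject": subject,
        },
        "body": body,
    }


if __name__ == "__main__":
    # Constructed submissions: one clean, one with injected headers in "from".
    print(build_message({"from": "bob@example.com", "to": "support@example.com",
                         "subject": "Question", "body": "Hello"}))
    print(build_message({"from": "bob@example.com\r\nBcc: list@example.org",
                         "to": "support@example.com", "subject": "x", "body": "y"}))
```

The rejected submission returns None rather than being "cleaned", because a form entry containing header keywords is, as John says, a clear sign of abuse and not something worth repairing; the handler can log it and move on.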