Lock IT Down: Stop the use of Web forms to send junk e-mail

Use these techniques to help stop junk e-mail.

Unsolicited commercial e-mail (UCE) is not only annoying, it's also a huge drain on time and resources. However, it's become painfully obvious that thwarting the efforts of junk e-mailers isn't easy.

Government's involvement in the solution
Although antijunk e-mail legislation has been proposed in the United States, the efforts would not address junk e-mail originating from e-mail systems located outside the United States or the misuse of open SMTP relays. Legislation, no matter what form it takes, won’t do anything to prevent foreign e-mail servers from flooding your inbox with junk.

So unfortunately, while the U.S. Congress and other branches of government are attempting to suppress the actions of spammers, junk e-mail continues to roll in. (For more information about antijunk e-mail legislation, read CNET’s report: "Congress, critics wrinkle noses at spam bills".)

What can you do?
Despite the fact that it's virtually impossible to filter out all junk e-mail, some of the "junk e-mail policing" systems used on the Internet are doing a good job exposing the problem of unsolicited commercial e-mail. The simplest way to stop most spam is by blocking inbound Simple Mail Transfer Protocol (SMTP) using the lists compiled by Mail Abuse Prevention System (MAPS)—just keep in mind that this service isn’t perfect.

Fortunately, almost all Internet service providers (ISPs) have a policy against unsolicited commercial e-mail to which their users agree. Yet when rogue ISPs block the MAPS relay test scanner, the effectiveness of both systems is limited. What's really discouraging is that as soon as a company secures an open SMTP relay or an ISP shuts down an account for a violation of their acceptable usage policy, the junk e-mailer is at it again launching his spam from another ISP.

Recently there's been an increase in reports of Web-site forms that send e-mail being abused by spammers. There are actually hundreds of scripts for sending e-mail from a form; a common one is a Perl CGI script called "FormMail." Once someone knows it's running, it's trivial to construct a forged HTTP form submission and send it to this program. Any script that allows people to set the e-mail's destination address and type comments can be abused. And contrary to what most people believe, securing mail forms using "referrer checking" isn't effective because the "referrer" header in an HTTP request can be forged.

If you have a form that allows the entry of an e-mail address and comments, make sure the "To" field cannot be set using the form itself. Also, if your form script sends a confirmation e-mail, anyone can insert an e-mail address and comments, making it look as if it came from your site. It's not technically difficult to resolve this problem: Simply omit the comments from the confirmation e-mail. Tens of thousands of Web sites are vulnerable because of this issue alone.
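The following is an added example of a hardened form handler written for this article; it is not FormMail's code or any other project's. It assumes a server-side table of recipients keyed by a form name (the addresses are placeholders) and a fixed set of permitted form fields: the destination can never come from the submission, header fields are rejected if they contain CR/LF, and the confirmation e-mail omits the comments.

```python
import re
from typing import Optional

# Constructed server-side allowlist (placeholder addresses): the form names a
# key, never an address, so a forged submission cannot pick the destination.
RECIPIENTS = {
    "contact": "webmaster@example.org",
    "sales": "sales@example.org",
}

# Fields the form is allowed to submit. Anything that names a destination
# ("recipient", "to", "cc", "bcc") is simply not part of the contract.
ALLOWED_FIELDS = {"form_id", "email", "subject", "comments"}
HEADER_FIELDS = {"email", "subject"}
_CRLF = re.compile(r"[\r\n]")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_messages(fields: dict) -> Optional[dict]:
    """Return {'to_site': msg, 'confirmation': msg}, or None if rejected."""
    # 1. Unknown fields (e.g. "recipient") mean the request was not produced
    #    by our form. A referrer check cannot prove that; field validation can.
    if set(fields) - ALLOWED_FIELDS:
        return None
    # 2. The destination comes only from the server-side table.
    to_addr = RECIPIENTS.get(fields.get("form_id", ""))
    if to_addr is None:
        return None
    # 3. Values that end up in headers must not contain CR/LF, otherwise the
    #    submitter could append extra header lines such as Bcc:.
    for name in HEADER_FIELDS:
        if _CRLF.search(fields.get(name, "")):
            return None
    sender = fields.get("email", "")
    if not _EMAIL.match(sender):
        return None
    subject = fields.get("subject", "Web form")
    comments = fields.get("comments", "")
    site_msg = (f"To: {to_addr}\r\nReply-To: {sender}\r\n"
                f"Subject: {subject}\r\n\r\n{comments}")
    # 4. The confirmation carries no submitter-controlled body text, so it
    #    cannot be used to relay someone else's message to a third party.
    confirmation = (f"To: {sender}\r\nSubject: We received your message\r\n\r\n"
                    "Thanks, your message to our site has been received.")
    return {"to_site": site_msg, "confirmation": confirmation}
```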

Limit access
This cat and mouse game with junk e-mailers has gone on for years, and the end doesn't appear to be in sight. Do I foresee a time when spam is completely obliterated? Unfortunately, I don't.

Right now, the best defense you have is to limit the possible ways junk e-mailers can send you their trash. That means that using simple Web-to-e-mail scripts to process forms on Web sites probably isn't a good idea, lest they be abused.

What should be done?
What do you think should be done to stop junk e-mailers? Do you think more legislation would help? Or should the solution be left to the IT community? Post your thoughts below.
