Good idea on the referer, but not quite. If I were to attempt to exploit this, I would try with a referer of: "your domain here" and also try without a referer. One way or the other, this would bypass the referer check. That is easy enough to get around.
One thing you could try would be to set up htaccess directory protection in Apache and give the users the user/password. Have a page with the user/pass combination, and right below have a link to the "htaccess protected directory" with the index file as the mailing file. Then again, if I were going to exploit this, I would have the user/pass and send it in with my request string.
You can spoof the session variable, referer, user-agent, etc. pretty easily. In all honesty, I have never been able to think of a way to have a form mail without it being exploitable. Even if you make people log in, and let only those logged in use the form, it can still be bypassed.
This probably didn't help, but I tried. Food for thought. Please let me know what you decide to do. I would really like a good way to do this.