Thread: required fields

  1. #1
    Join Date
    Apr 2007
    Posts
    21

    Default required fields

    I use JavaScript to make my fields required. The script is visible and anyone can see it.
    I have seen worried posts from people suggesting using INI files to make the fields required.

    I don't understand the problem with having such a script visible. If they don't know the recipient's mail address, why should I be worried?

    Please help me to understand more about this.

    Andre

  2. #2
    Join Date
    Dec 2003
    Posts
    3,980

    Default Re: required fields

    Hi,

    Spammers do 3 things:
    1. Harvest email addresses from HTML pages (especially forms). Hiding your email addresses with JavaScript doesn't work anymore. Hiding your email addresses with FormMail's AT_MANGLE can work fine, but it isn't perfect because a human being can usually figure out the AT_MANGLE string (and, depending on what your AT_MANGLE is, this *might* be possible automatically).
    2. Try to send email to anyone in the world via your FormMail script. They are now attempting this by interpreting your HTML form. Tectite FormMail is completely invulnerable to this if you set $TARGET_EMAIL correctly. They'll bypass the JavaScript to achieve this. JavaScript does not protect you.
    3. Try to send you, the website owner, spam using your FormMail script. They'll bypass the JavaScript to achieve this. JavaScript does not protect you.
    The INI file means the spammer cannot bypass any rules you set and it means you can protect your email addresses 100%.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  3. #3
    Join Date
    Apr 2007
    Posts
    21

    Default Re: required fields

    Hi !
    Thank you for a quick answer.

    I don't protect my email address with JavaScript. I use an INI file and I keep it safe.
    I use JavaScript only to make some fields required.

    To become a spam gateway is, I think, another case. But I use CAPTCHA to reduce the risks.
    What I meant was why should I be worried if people can see my code making my fields required. Seriously users will fill the required fields and I will get the data when they submit the form. In other case I will not receive anything because they don't know my e-mail receiving the form result. Am I missing something or what?

    Yours sincerely
    Andre
    Last edited by A77; 29-Apr-2007 at 11:02 PM.

  4. #4
    Join Date
    Dec 2003
    Posts
    3,980

    Default Re: required fields

    Hi,

    Quote:
    To become a spam gateway is, I think, another case.

    That's my #2 case above.

    Captcha for autoresponding is a requirement to prevent this too.

    Captcha for normal form submissions just protects you from spam.

    Tectite FormMail cannot be used as a spam gateway if you set $TARGET_EMAIL properly, unless you also configure the autoresponder feature (and the captcha is designed to protect you with that).

    Quote:
    What I meant was why should I be worried if people can see my code making my fields required. Seriously users will fill the required fields and I will get the data when they submit the form.

    You don't need to hide required fields from normal users. They don't try to break your form validations.

    Spammers trying to send you spam will often try to bypass your required fields. Required fields in the INI file cannot be bypassed. That's all.

    Quote:
    In other case I will not receive anything because they don't know my e-mail receiving the form result. Am I missing something or what?

    They can't see your email address, but they can fake a form submission that looks exactly like your form to FormMail.

    So, the "recipients" will be specified (that is, you) and what's protecting you from that spam is your field validations (in the INI file) and FormMail's builtin attack detection.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  5. #5
    Join Date
    Apr 2007
    Posts
    21

    Default Re: required fields

    Hi again Mr Robinson.
    These are very important things you teach me, and other users should read this too.
    Quote Originally Posted by russellr

    Spammers trying to send you spam will often try to bypass your required fields.

    They can't see your email address, but they can fake a form submission that looks exactly like your form to FormMail.

    So, the "recipients" will be specified (that is, you) and what's protecting you from that spam is your field validations (in the INI file) and FormMail's builtin attack detection.

    What I understand from this is that spammers can send ME spam even if they don't see my e-mail address, which I have in the INI file. How can the recipients be specified?

    Yours sincerely
    Andre

  6. #6
    Join Date
    Dec 2003
    Posts
    3,980

    Default Re: required fields

    Hi,

    Quote:
    What I understand from this is that spammers can send ME spam even if they don't see my e-mail address, which I have in the INI file. How can the recipients be specified?

    They just copy all the fields from your HTML form and try to fake the data entry fields.

    Whether the recipients are specified in the HTML or in the INI file, doesn't matter. Either way FormMail cannot tell the difference between a real form and a faked submission.

    Except, of course, FormMail runs validations (which you can keep secret in your INI file) and looks for attacks. You should review the attack detection settings starting here. Especially, ATTACK_DETECTION_MANY_URLS and ATTACK_DETECTION_MANY_URL_FIELDS.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/
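
The point made across this thread, that checks in the page's JavaScript can be skipped while checks run on the server apply to every submission, shown as an added example that is not part of the original posts and is not FormMail's own code. The rule names, field names and thresholds are hypothetical, and the link-count checks are only a generic stand-in for the kind of attack detection mentioned above.

```javascript
// Added illustration: server-side checks run on every request, whatever the browser did.
// RULES, field names and thresholds are hypothetical, not Tectite FormMail settings.
const RULES = {
  required: ["name", "email", "message"],
  maxUrlsPerField: 2,   // reject a field carrying more links than this
  maxFieldsWithUrls: 1, // reject when links show up in more fields than this
};

const URL_PATTERN = /\bhttps?:\/\/\S+/gi;

function validateSubmission(fields, rules = RULES) {
  const errors = [];
  // Required-field check: a missing key and a whitespace-only value both fail.
  for (const name of rules.required) {
    const value = typeof fields[name] === "string" ? fields[name].trim() : "";
    if (value === "") errors.push(`missing:${name}`);
  }
  // Link-count heuristics over every submitted field, including unexpected ones.
  let fieldsWithUrls = 0;
  for (const [name, raw] of Object.entries(fields)) {
    const count = (String(raw).match(URL_PATTERN) || []).length;
    if (count > 0) fieldsWithUrls += 1;
    if (count > rules.maxUrlsPerField) errors.push(`too_many_urls:${name}`);
  }
  if (fieldsWithUrls > rules.maxFieldsWithUrls) errors.push("urls_in_many_fields");
  return errors;
}

// Constructed sample submissions (not real traffic).
const fromBrowser = { name: "Andre", email: "andre@example.com", message: "Please call me." };
const scriptSkipped = { name: "", message: "   " }; // arrives without the page's JavaScript having run
const linkSpam = {
  name: "http://a.example",
  email: "x@example.com",
  message: "http://a.example http://b.example http://c.example",
};

function demo() {
  return {
    fromBrowser: validateSubmission(fromBrowser),
    scriptSkipped: validateSubmission(scriptSkipped),
    linkSpam: validateSubmission(linkSpam),
  };
}

console.log(demo());
```

Because the rules live only on the server, a visitor reading the page source learns nothing about them, and a submission that never ran the page's script is still rejected.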
