The first paragraph of this article provides a brief overview of the security issues that can arise when creating or using Common Gateway Interface (CGI) routines. It emphasizes the importance of good coding practices, security measures, and common sense to prevent serious unexpected side effects. The article also discusses the potential misuse of a simple CGI routine called FormMail and the challenges in making it secure.
When developing or utilizing CGI routines, it's crucial to maintain high-quality coding practices, prioritize security, and apply common sense. Sometimes, actions that seem harmless can lead to serious, unforeseen consequences. For instance, you might believe you're enhancing the security of your CGI routine, only to discover it doesn't function as anticipated.
FormMail, a simple CGI routine developed years ago by Matt Wright, serves as a prime example of this phenomenon. This routine allows data to be entered into a form and then emailed to a recipient. Initially, I considered FormMail as a solution to reduce spam. My website had my email address embedded on every page, which I thought would facilitate communication with visitors. However, I soon realized that spammers were using programs known as Spam Harvesters to scan websites for email addresses, leading to a significant increase in spam.
After extensive research, I concluded that the most effective defense against spam bots was to stop displaying my email address on my website. This decision raised the question of how to allow users to contact me. The solution was simple: use a form. The advantage of this approach is that the email address is hidden within the CGI routine or a text file, making it impossible for a spam harvester to detect it. As long as the email address is embedded in the CGI routine or a database, you are relatively secure.
However, FormMail can be misused. For instance, if you want to allow your visitors to "tell a friend" about your site, you might include a form that lets visitors enter their message and a target email address. If you're not careful, you could inadvertently become a spam relay. Spammers are always seeking ways to conceal their identity, and they often search the internet for instances of FormMail. If they find sites that use FormMail with user-entered email addresses, they can "hijack" the FormMail CGI routine and use it to send out emails rapidly and relentlessly.
Securing a CGI routine like FormMail is challenging, and it may be impossible to make it completely secure. You can implement measures to slow down and deter spammers, such as allowing only one posting per IP address per hour, checking the referrer to block more naive spammers, or limiting the number of times the routine can be called. However, these measures are not foolproof: the referrer field, for example, is supplied by the client and can be forged, so any assumption that it is valid will not hold in all cases.
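The checks described above, assembled into one server-side guard for a form-to-mail handler, as an added example that is not Matt Wright's FormMail code. It keeps the delivery addresses in server configuration (so a value typed into the form can never turn the routine into a relay), applies the one-posting-per-IP-per-hour limit, checks the referrer with the caveat that it is forgeable, and caps the total number of invocations. The class and function names, the `example.com` addresses and the 203.0.113.x client addresses are all constructed for the example.

```python
import time
from collections import defaultdict
from urllib.parse import urlparse


class FormMailGuard:
    """Server-side checks for a form-to-mail CGI handler (example code).

    Everything that decides *where* mail goes lives in server configuration;
    the form may name a recipient only if it matches a configured address.
    """

    def __init__(self, allowed_recipients, allowed_referrer_hosts,
                 max_per_hour=1, window=3600, max_total=1000, clock=time.time):
        self.allowed_recipients = {a.lower() for a in allowed_recipients}
        self.allowed_referrer_hosts = set(allowed_referrer_hosts)
        self.max_per_hour = max_per_hour
        self.window = window                # seconds; 3600 = one hour
        self.max_total = max_total          # lifetime cap on invocations
        self.clock = clock                  # injectable so tests can move time
        self._posts = defaultdict(list)     # remote address -> send timestamps
        self.total_sent = 0

    def check(self, form, remote_addr, referer):
        """Return (accepted, reason) for one form submission."""
        # 1. Recipient allow-list: a user-entered address is never used as a
        #    delivery address unless it is one the site operator configured.
        recipient = form.get("recipient", "").strip().lower()
        if recipient not in self.allowed_recipients:
            return False, "recipient not allowed"

        # 2. Referrer check. Stops naive scripts that post straight to the
        #    handler, but the header is client-supplied and can be forged,
        #    so treat this as a deterrent, not a guarantee.
        host = urlparse(referer or "").hostname
        if host not in self.allowed_referrer_hosts:
            return False, "referrer not allowed"

        # 3. Per-address rate limit: max_per_hour postings per window.
        now = self.clock()
        recent = [t for t in self._posts[remote_addr] if now - t < self.window]
        if len(recent) >= self.max_per_hour:
            self._posts[remote_addr] = recent
            return False, "rate limited"

        # 4. Global cap on how often the routine may be called at all.
        if self.total_sent >= self.max_total:
            return False, "global limit reached"

        recent.append(now)
        self._posts[remote_addr] = recent
        self.total_sent += 1
        return True, "ok"


def handle_submission(guard, form, environ):
    """CGI-style entry point: environ carries REMOTE_ADDR and HTTP_REFERER.

    Returns (status_line, detail). Actual SMTP delivery is left to the
    caller so the example runs offline; the From header is fixed
    server-side and the visitor's address only appears in the body.
    """
    ok, reason = guard.check(form,
                             environ.get("REMOTE_ADDR", ""),
                             environ.get("HTTP_REFERER"))
    if not ok:
        return "403 Forbidden", reason
    message = {
        "To": form["recipient"].strip().lower(),
        "From": "formmail@www.example.com",          # constructed sender
        "Subject": "Website contact form",
        "Body": f"From: {form.get('email', '(not given)')}\n\n"
                f"{form.get('message', '')}",
    }
    return "200 OK", message


if __name__ == "__main__":
    guard = FormMailGuard({"webmaster@example.com"}, {"www.example.com"})
    env = {"REMOTE_ADDR": "203.0.113.5",              # constructed client
           "HTTP_REFERER": "https://www.example.com/contact.html"}
    form = {"recipient": "webmaster@example.com",
            "email": "visitor@example.net", "message": "Hello"}
    print(handle_submission(guard, form, env))        # accepted
    print(handle_submission(guard, form, env))        # rate limited
    relay = dict(form, recipient="someone-else@example.org")
    print(handle_submission(guard, relay, env))       # recipient not allowed
```

The order of the checks matters: the recipient test comes first because it is the only one that cannot be bypassed by a client that controls its own headers and source addresses, which is the point the article makes about keeping the address inside the CGI routine.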
Before implementing any CGI or similar interface, it's essential to conduct thorough research to fully understand and manage the potential implications. Failing to do so could make you a target for hackers or spammers.
CGI Security is a complex field, and it's crucial to stay updated on the latest security practices to protect your website and users. Always remember that the internet is a dynamic environment, and what works today may not work tomorrow. Therefore, continuous learning and adaptation are key to maintaining a secure online presence.