
Preventing problems with a mailscript


sirugo

I have written a php-script that uses our mail server to send a message to a user when he/she enters his mail address, so that he/she can confirm what has been POSTed.

Have I opened a door to mail terror in the system?
What problems should I expect and how do I prevent them?

 
It's for users from "all over the world".
 
And:

The mail server is not open relay to "anyone", only to the webserver that sends through the mail server.
 
Thanks

But as I wrote in an additional reply, the mail server is not open relay to anyone but the webserver itself.
Anyone can POST to the script from the form, entering their mail address, but the mail server only delivers mail that comes from the script.

Also it delivers to those who use the mailserver as they did before the script even existed (FirstClass).
 
Then I can annoy the hell out of people, and you will get the blame for it.

It would take me 10 minutes to write a PHP script that would use CURL to programmatically post to your script, pulling names from a database on my side.

And if someone formatted the post data well enough, I could see where it might be possible to send nearly anything.

Want the best answers? Ask the best questions: TANSTAAFL!
 
This is how it works:

A user POSTs his mail address to the script and it gets stored in a MySQL database.
The user can only submit once and then must verify via the mail, before entering again.
All mail addresses are stored.
Also there is a cookie that won't let the user POST from the same machine within the next ten minutes (yes, I know they can disable cookies).

Is it also possible for an evil user to make the mail server go down in any way? How?
 
The user posts a message, together with the email address.
The message and the mail address are stored in a MySQL table.
A mail goes away to the user, saying that he/she has to click on a link in the mail message to "unlock" the message through another script via the GET-link provided.
Also a disclaimer comes with the message if the user is evil and pretends having another user's mail address.
The user cannot post more than once and has to unlock the first message before posting another.
Also a cookie prevents users from posting more than once within a 10-minute period, that is: no click-click-click posts.
 
Well, if the user posts a message, the user's mail address is stored in a MySQL table together with a secret password (encrypted) in another field that means that the message has not been unlocked.

When the user receives a verifiable message in the mailbox and clicks on the verifying link in the message, the unlocking code flies over the net into the unlocking script that checks with the table if it's the right code and replaces it with zero.

Only zeroed messages are displayed when the "show-script" shows available messages.

 
Yes, that is true.
And if someone does, I have a function in the script that checks how many times per hour the script is called.
The mailserver cannot be called from the webserver more than five times per minute and if that ever happens, a message will be sent to me to warn me.
The site will not have more than 30 users per day typically.

Still the messages sent to other users contain an excuse if the message wasn't initiated by them but by an "evil user".

 
Your users aren't going to care that the message was from an evil user. They're going to care that they are getting garbage from your system.

And how are you ensuring that the emailing script is not called more than 5 times per minute? How does that affect 6 users' wanting to use the script in the same minute?

Want the best answers? Ask the best questions: TANSTAAFL!
 
1. Yes, users who have not visited the site might be upset.

2. The script can be called many times but the mailserver will not be contacted for a delivery more than five times per minute to ensure that it does not get overloaded. The site will not ever have five users calling the script in the same minute. And if it ever happens I will be warned and think about that "problem" if it ever occurs.

Now, let's get back to the point.
This site (Tek-tips) can also be used to send "evil" messages to users who have never visited it (when registering).
There are a million sites that work the same way.

Is your suggestion that these sites should not have this type of functions or is there a better way to get around the problem of verification?
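
Added example, not part of the original thread and not the poster's script: one way to enforce the five-deliveries-per-minute cap discussed above so that a sixth legitimate post in the same minute is delayed rather than lost. The class and method names are hypothetical, PHP 8 is assumed, and the state is held in memory here where a real script would keep it in a MySQL table.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical names; state is in memory for illustration only.
final class MailThrottle
{
    private array $sent = [];   // send times (Unix seconds) inside the window
    private array $queue = [];  // recipients waiting for a free slot

    public function __construct(
        private int $limit = 5,   // the thread's figure: five deliveries
        private int $window = 60  // per minute
    ) {}

    /** Returns 'sent' or 'queued'; queued mail is delayed, never dropped. */
    public function submit(string $recipient, int $now): string
    {
        $this->expire($now);
        if (count($this->sent) < $this->limit) {
            $this->sent[] = $now;    // caller hands the message to mail() here
            return 'sent';
        }
        $this->queue[] = $recipient; // caller also raises the admin warning here
        return 'queued';
    }

    /** Run periodically: releases queued recipients as slots free up. */
    public function drain(int $now): array
    {
        $this->expire($now);
        $released = [];
        while ($this->queue && count($this->sent) < $this->limit) {
            $released[] = array_shift($this->queue);
            $this->sent[] = $now;
        }
        return $released;
    }

    private function expire(int $now): void
    {
        $cutoff = $now - $this->window;
        $this->sent = array_values(array_filter($this->sent, fn(int $t): bool => $t > $cutoff));
    }
}

// Constructed scenario: six posts arrive within the same minute.
$throttle = new MailThrottle();
foreach (range(1, 6) as $i) {
    echo "user$i: ", $throttle->submit("user$i@example.test", 1000 + $i), "\n";
}
echo "released later: ", implode(', ', $throttle->drain(1062)), "\n";
```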
 
What do you mean?

I can do that on the start page, if I want to register with Tek-tips.

My script does NOT send the message itself to the user with the verifying link. What goes away is the following:

You have posted a message to the ***-site.
For your message to appear you must verify your posting by clicking on the following link: ... ...

If you have not posted a message to the ***-site, we apologize for any convenience.
 
Ahhh. Now I have a clearer picture of what your site is doing. Your using reflexive pronouns in the original post would have been helpful.


So would I be correct to say that your site does not require logins, but rather requires confirmation of all posts by email?

Want the best answers? Ask the best questions: TANSTAAFL!
 
Yes!

I do not have users.

Sorry to see that I lost you in my first post.
=)
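
Added example, not part of the original thread and not the poster's script: a sketch of the confirm-by-mail flow described above, with the two checks the replies worry about, namely rejecting crafted POST data in the address field and making the unlock code unguessable and single-use. Function names and array keys are hypothetical, the database row is a plain array, and storing a SHA-256 hash of the code is an assumption standing in for the "encrypted" field the poster mentions.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical names; the MySQL row is modelled as an array.

/** Accept one syntactically valid address; refuse anything carrying CR or LF. */
function cleanRecipient(string $input): ?string
{
    // Check before trim(): trimming would silently hide a trailing newline.
    if (preg_match('/[\r\n]/', $input)) {
        return null; // extra mail headers smuggled into the address field
    }
    $addr = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

/** New pending post: the code goes into the mail, only its hash is stored. */
function createPending(string $addr, string $message): array
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the system CSPRNG
    $row = [
        'email'      => $addr,
        'message'    => $message,
        'token_hash' => hash('sha256', $token),
    ];
    return [$row, $token];
}

/** Unlock script: constant-time compare, then zero the field as in the thread. */
function unlock(array &$row, string $tokenFromLink): bool
{
    if ($row['token_hash'] === '0') {
        return false; // already unlocked; the link works only once
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $tokenFromLink))) {
        return false;
    }
    $row['token_hash'] = '0'; // zero means the message may be displayed
    return true;
}

// Constructed inputs
var_dump(cleanRecipient("a@example.test\r\nX-Injected: 1"));
[$row, $token] = createPending((string) cleanRecipient('alice@example.test'), 'hello');
var_dump(unlock($row, 'guess'), unlock($row, $token), unlock($row, $token));
```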
 