More Secure Form Mail



torrin
06-24-2003, 10:57 PM
Does anybody know of a formmail script where I don't have to put my E-mail address in the html code? Currently, I'm using the default westhost formmail (Matt's Script Archive). In the html you have to put . . .


<INPUT NAME="recipient" TYPE=hidden VALUE="email@somedomain.com">

I'd like to avoid that. I don't want to make it any easier for spammers. Any ideas?

wildjokerdesign
06-25-2003, 09:04 AM
At one time I had modified the code to not use the recipient field but to send to only one e-mail address that was set in the script itself. You might want to try that.

WestHost - CSimiskey
06-27-2003, 12:06 PM
You could also use the "cgiemail" script, which makes use of a template file that can store all the information for the e-mail sent out. It's also more useful for making your e-mails "pretty" since you can define the layout exactly as you want.

dahj
06-27-2003, 02:13 PM
I would suggest what wildjoker says.. That would make your email address more secure (seeing as access to the cgi directory is extremely limited).

torrin
07-13-2003, 12:02 PM
> At one time I had modified the code to not use the recipient field but to send to only one e-mail address that was set in the script itself. You might want to try that.

Thanks for the suggestions. Unfortunately, I don't know Perl very well so I decided to do this without changing the formmail.pl script very much. Here are the results. I did end up modifying the formmail.pl script, but not how you said. I ended up doing a combination of 2 things to make it more secure.

First, in the code of the website, I changed the email address from something like this . .


<INPUT NAME="recipient" TYPE=hidden VALUE="email@somedomain.com">

to something like this . . .


<INPUT NAME="recipient" TYPE=hidden VALUE="email@somedomain.com">

I changed some of the characters in the E-mail address to their HTML code equivalents. My web browser (Mozilla) has no problem with this and will translate it for you. I believe Internet Explorer will do this too. That will at least keep bots from just downloading this page and getting the E-mail address straight out of it.

Secondly, I changed line 321 of the formmail.pl script from . . .


print "Below is what you submitted to safeConfig('recipient') on ";

to . . .


print "Below is what you submitted to somedomain.com on ";

That will keep the E-mail address from showing up when you press the submit button.

I believe these 2 modifications will make it sufficiently hard enough to keep most of the bots and automatic e-mail address scrapers out of my hair for a while.

Any comments?

wildjokerdesign
07-13-2003, 01:03 PM
> You could also use the "cgiemail" script, which makes use of a template file that can store all the information for the e-mail sent out. It's also more useful for making your e-mails "pretty" since you can define the layout exactly as you want.

I have used this script and it works pretty well. It does give you a lot more control over how the mail looks. It is a bit more involved to set up a form though.


> I believe these 2 modifications will make it sufficiently hard enough to keep most of the bots and automatic e-mail address scrapers out of my hair for a while.
>
> Any comments?

Sounds like it is a good fix to me. Can't see any problems. Like they say there are always 100s of ways to do the same thing. :D

Arcangelct
04-10-2006, 11:20 AM
I had the same misgivings.

Found the following link:
http://nms-cgi.sourceforge.net/scripts.shtml

They have an updated version of formmail.
If you set
@allow_mail_to = qw(marketing@yourhost.com);

The documentation states:
If you leave the 'recipient' field out of the
form, formmail will send to the first address
listed in the @allow_mail_to configuration
variable (see above). This allows you to avoid
putting your email address in the form, which
might be desirable if you're concerned about
address harvesters collecting it and sending
you SPAM. This feature is disabled if the
$emulate_matts_code configuration variable is
set to 1.

I use it this way and it works :)

wildjokerdesign
04-10-2006, 11:38 AM
The same site also has TFMail, which allows more control over the look of the output the script returns. It even has an autoinstall you can download that works fine on WH accounts. You can actually hide the email addys very easily, since the setup on TFMail is that you have config files for each recipient. That config name can be anything you want, even could be simply numbers, and then the email address is pulled from that config. You can actually set up one contact form with a drop down for recipient instead of using hidden fields, which allows you to have a more dynamic contact form.

Figured I should update since my last comment was on cgiemail which is no longer used or available via WH. :)
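
Added example, not written by any poster in this thread and not code from FormMail, nms FormMail or TFMail: a minimal Perl sketch of the idea the last two posts describe, where the form carries only an opaque key (or no recipient at all) and the address is looked up server-side. The `%RECIPIENTS` table, the `$DEFAULT_KEY` setting, the `resolve_recipient` name and the second address are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration only; not code from FormMail, nms FormMail or TFMail.
use strict;
use warnings;

# Assumption: hypothetical alias table kept server-side, next to the script.
# The form only ever carries the key ("1", "2"), never an address.
my %RECIPIENTS = (
    1 => 'marketing@yourhost.com',
    2 => 'support@yourhost.com',
);
my $DEFAULT_KEY = 1;    # used when the form omits 'recipient'

# Return the address for a submitted 'recipient' value, or undef to refuse.
sub resolve_recipient {
    my ($submitted) = @_;
    return $RECIPIENTS{$DEFAULT_KEY}
        if !defined $submitted || $submitted eq '';
    # Keys are short digit strings; anything else (an address, a value
    # containing a line break, a comma-separated list) is refused instead
    # of being handed to the mailer.
    return unless $submitted =~ /\A[0-9]{1,4}\z/;
    return $RECIPIENTS{$submitted};    # undef when the key is unknown
}

# Constructed sample submissions: label => raw 'recipient' form value.
my @samples = (
    [ 'field omitted'   => undef ],
    [ 'known key'       => '2' ],
    [ 'unknown key'     => '9' ],
    [ 'address in form' => 'someone@elsewhere.example' ],
    [ 'line break'      => "1\nBcc: list\@elsewhere.example" ],
);

for my $s (@samples) {
    my ($label, $value) = @$s;
    my $to = resolve_recipient($value);
    printf "%-15s -> %s\n", $label, defined $to ? "send to $to" : 'rejected';
}
```

Because the page source then contains only a number, a scraper that downloads the form finds no address to collect, and a submission that tries to name its own recipient is refused.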