Re: FN-FORUM: mobile phone service provider
date posted 4th September 2006 21:48
Paul Bryant wrote:
> < Do you still find that code useful? On the nms project we find that so
> many personal firewalls now strip the HTTP_REFERER header that it's
> usually pointless to check it.>
>
> I guess it's impossible to answer until a spammer abuses one of my forms.
> The only thing I can say is that none of my sites have been used to send out
> spam AFAIK since using it.

I don't doubt that it prevents a lot of spam being sent (tho', of
course, it would be trivial for a spammer to spoof the referer and
circumvent your checks).

The problem that I'm talking about is when a completely innocent user
comes along with a personal firewall that strips the HTTP_REFERER
header. As their HTTP_HEADER is empty, it doesn't match the one
hard-coded into your program and they just see your "you do not have
permission to use this script" message.

And of course, as it's your contact form that they can't use, they can't
contact you to tell you about the problem. We found out about the
problem on the nms project as the error message we displayed contained
our email address and people contacted us directly telling us what had
happened.

Hope that clears it up.

Dave...