SMTP auth slow?

Sailor

Perch
Sending mail using CDOSYS.
Scanning past posts on SMTP auth, I believe it was said that if the "From:" address is on my domain, then that effectively passes for authentication.

However, I'd like to ensure hackers can not use my forms to send mail (I've had this attempted several times in the past). So using authentication seems like a good idea.

Questions are:
1) Is using a "From" address on my domain equivalent to authentication, or should I do proper smtp auth with a valid sender email/password?

2) Using smtp auth, can the authenticating email be different from the "From:"?
I want the "From:" to be [email protected] or [email protected] but I don't want to have to hard-code the passwords for those into my code. Someone here suggested a dedicated email account set to discard all incoming emails. Will this work?

thanks
 
You've got a couple of things going on here:

1) SMTP Auth -- using a FROM address that's hosted here is not the same as SMTP Auth. I don't know CDOSYS (or ASP for that matter) but you have to use that object's methods to specify an SMTP Auth user (the local email address) and password. That gets hardcoded into your code.

2) Preventing abuse of your forms -- You need to do a couple of things:

A) Make sure your form processing page can't be called from a remote script. You could check the referrer, e.g. confirm the referrer is in the same domain as your form processing script. Passing an oddball hidden form field might work for a while but the smarter scraping scripts will find your form, scrape it to find those fields, and pass it with their junk to your processing page.

B) Make sure no one can add extra SMTP headers to the various fields. You must validate the data entered into all fields, like To: Subject: etc. None of those should contain line-breaks or email addresses. Check the body contents too.

You might check out NYPHP - PHundamentals - Email Header Injection. I know it's all about doing this in PHP, but the concepts are the same. I'll leave the ASP up to you, though! :D

Tim
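The checks Tim describes in A) and B), plus the point from the question that the authenticating account can be separate from the "From:" address, as an added example in Python (not code from either poster, and not CDOSYS or ASP). The host name, the recipient allow-list, the fixed "From:" mailbox and the sample submissions are all constructed for the example; the header-injection patterns are heuristics, not an exhaustive filter.

```python
import re
import smtplib
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed values for this example only.
FORM_HOST = "www.example.com"                       # host that serves the form
FIXED_FROM = "Web Form <webform@example.com>"       # dedicated sending mailbox
ALLOWED_RECIPIENTS = {                              # form sends a key, never an address
    "sales": "sales@example.com",
    "support": "support@example.com",
}

# A raw or URL-encoded line break inside a header field lets a submitter start
# a new header line (Bcc:, Cc:, Content-Type: ...), which is header injection.
_LINE_BREAK = re.compile(r"[\r\n]|%0[aAdD]")
# Loose single-address pattern, used both to spot addresses where none belong
# and to confirm the sender field is exactly one address.
_EMAIL = re.compile(r"[^\s@<>,;]+@[^\s@<>,;]+\.[A-Za-z]{2,}")
# Body lines that look like smuggled mail headers (heuristic).
_BODY_HEADER = re.compile(r"^\s*(to|cc|bcc|from|content-type|mime-version)\s*:",
                          re.I | re.M)


def referrer_ok(referrer: str, expected_host: str = FORM_HOST) -> bool:
    """A) weak but cheap: the Referer must name our own host."""
    if not referrer:
        return False
    return urlparse(referrer).hostname == expected_host


def validate_mail_form(fields: dict, referrer: str) -> list:
    """B) return a list of problems; an empty list means the form may be sent."""
    problems = []
    if not referrer_ok(referrer):
        problems.append("referrer: not from our own site")

    # Recipient is looked up by key on the server, so "To:" is never free text.
    if fields.get("to") not in ALLOWED_RECIPIENTS:
        problems.append("to: not an allowed recipient key")

    # Single-line fields that end up in headers: no line breaks, no addresses.
    for name in ("name", "subject"):
        value = fields.get(name, "")
        if _LINE_BREAK.search(value):
            problems.append(f"{name}: contains a line break")
        if _EMAIL.search(value):
            problems.append(f"{name}: contains an email address")
        if len(value) > 200:
            problems.append(f"{name}: too long")

    # The visitor's address: exactly one plain address, nothing else.
    sender = fields.get("sender", "")
    if _LINE_BREAK.search(sender) or not _EMAIL.fullmatch(sender):
        problems.append("sender: not a single plain email address")

    # Check the body too, as Tim suggests.
    if _BODY_HEADER.search(fields.get("body", "")):
        problems.append("body: contains a line that looks like a mail header")
    return problems


def build_message(fields: dict) -> EmailMessage:
    """Build the message; the visitor's address goes in Reply-To, not From."""
    msg = EmailMessage()
    msg["From"] = FIXED_FROM
    msg["To"] = ALLOWED_RECIPIENTS[fields["to"]]
    msg["Reply-To"] = fields["sender"]
    msg["Subject"] = fields["subject"]
    msg.set_content(f"Message from {fields['name']} <{fields['sender']}>:\n\n"
                    f"{fields['body']}")
    return msg


def send_with_auth(msg: EmailMessage, host: str, auth_user: str, auth_password: str):
    """SMTP auth uses the dedicated account's credentials; they are independent
    of the From: header, so only one password lives in the application config."""
    with smtplib.SMTP(host, 587) as smtp:
        smtp.starttls()
        smtp.login(auth_user, auth_password)
        smtp.send_message(msg)
```

The processing page calls validate_mail_form() first and refuses the submission if anything comes back, then build_message() and send_with_auth() with the dedicated account's login. Because the "From:" header is fixed and the recipient comes from an allow-list, the only attacker-controlled text that reaches headers is the subject, name and sender, and those are rejected on any line break.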
 