WebApp Sec mailing list archives

Re: Suggestion: email anti-spoof measure on web site

From: mike () sharecube com
Date: 19 Jan 2006 13:18:09 -0000

These forms, like tell-a-friend are tremendously useful for a business. They allow two or more parties to notify each 
other of the company's products.

The preferred answer (from my point of view) is that several email throttle techniques be recommended/required: only 
permit a few emails within a time span of five or ten minutes. If a site normally only sees one or two consumer uses of 
this form per hour, suddenly having 300 emails is a sure indicator that they are being exploited. A limit of 10 emails 
/ 5 minutes and a limit of 20 / hour are reasonable.

Also, the form should require some sort of CAPTCHA as well as an MD5 sig that the server provides regularly to insure 
that a kiddie script replay attack is not being used.

Mike
www.sharecube.com

-------------------------------------------------------------------------
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. See for yourself. 
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------

Current thread:

Suggestion: email anti-spoof measure on web site ma . huijuan (Jan 18)
- <Possible follow-ups>
- Re: Suggestion: email anti-spoof measure on web site mike (Jan 19)
  - Re: Suggestion: email anti-spoof measure on web site Georgi Alexandrov (Jan 23)
- Re: Re: Suggestion: email anti-spoof measure on web site ma . huijuan (Jan 19)
- Re: Re: Re: Suggestion: email anti-spoof measure on web site mike (Jan 20)