[spam-stopper] List of required fields?

rich boakes rich at boakes.org
Wed Oct 26 22:14:18 UTC 2005


Dirk Haun wrote:
> Matt,
> 
>>We do discard some things from $_SERVER, like SERVER_PORT and PATH, but 
>>the vast majority of it is highly useful.
> 
> Hmm, how so? My server configuration shouldn't have any relation to the
> spam I'm getting.

Hi Dirk, your points got me thinking...

There was an article on The Register [1] a few
months back where they interviewed a spammer and
he mentioned how he'd go looking for specific
types of blog to target - if there is a
vulnerability in a particular blog with a
particular version of php, and a particular
library, then you can bet it'll be targeted.  As
spam gets harder to deliver it becomes more
necessary to target such layered vulnerabilities.

If I were to write the same system, I'd give it
as much information as possible.  What is
probably necessary therefore is a UI that allows
the user to choose how much info gets sent.

[1]
http://www.theregister.co.uk/2005/01/31/link_spamer_interview/

> On a somewhat related note: I have a suspicion that over here in
> Germany, I may actually be required by law to inform my users that their
> data is sent to some other server (have to look into that). Just as a
> reminder that these issues shouldn't be treated lightly ...

In some respects the data is already being sent
to another server, because it's going from the
web server to the MySQL server; but I assume you
mean a machine owned by a third party, in which
case: what's the difference between the third
party machine and any web client that would
download the page and read the comment?  IMO
there is no difference, but then, IANAL.

Rich
--
http://boakes.org


