This pretty well confirms what I imagined the attack vector was:
1. You create a form on a page, and apply the Simple Form Action to it.
2. Freeway generates a form handler, with the filename of that handler dependent on the filename of the form page.
3. Any POST (or GET, if you’ve configured it that way) to the handler containing all the “real” fields required (and not containing the “honeypot” field) will be converted to a mail message.
So after step 3, any spammer who has found out what the combination is can set a script to work sending POST after POST to that script, full of either complete crap (because they wish to annoy you) or crap plus loads of URLs (to get people to click on ads in order for them to make money).
The recommendation I made to Jon was to rename his form page. This makes the form handler script have a different filename, and that severs the loop, since the script would have to go back to Jon’s site and figure out where the form handler moved to.
A possible fix for this would require some scripting on the form page itself (which is currently, by design, just HTML) so that it could add a shared secret of some sort which changes frequently, and without which the form handler won’t bother sending mail. I don’t have any brighter ideas than that, but perhaps someone could run with that.
The benefit to how the current system works is that the form page can be previewed directly in Freeway or a local browser – you don’t need to upload to a server running PHP in order to see the design. So whatever the technical fix is ought to retain that, without leaking the secret sauce (as a JavaScript would do) into user space.
Freeway cannot create a “dot file” (a file with only an extension, like .htaccess), so any server-side solution which leveraged PHP and Apache to rewrite the HTML on the fly would need to include some steep instructions on how to create a proper .htaccess file. (The uptake rate of Inlay among Freeway users would suggest this is a tall order.)
I’m hoping someone else has a bright idea, because the ones I can think of also require some “devops” skills that are definitely not WYSIWYG.
Walter
On Sep 5, 2017, at 11:20 AM, Jon H email@hidden wrote:
I suppose my last post could have been understood as the opposite of what I wanted to say, which was: No spam so far after I changed the file name. Which I presume has something to do with the form and where it resides and not anything else.
4320 minutes. And counting…
freewaytalk mailing list
email@hidden
Update your subscriptions at:
https://freewaytalk.softpress.com/person/options
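The rotating shared secret Walter sketches above, as an added example of how such a handler might check it; this is not Freeway's generated handler and it assumes the form page is itself served through PHP (so it can embed the token), a hypothetical `FORM_SECRET` kept only on the server, and field names `name`, `email`, `message` and a honeypot field `website`:

```php
<?php
// Hypothetical hardened form handler; field names and secret are assumptions.
// Assumption: the form page is rendered by PHP and writes form_token(time())
// into a hidden input named "token". Static HTML cannot do this by itself.
declare(strict_types=1);

const FORM_SECRET  = 'replace-with-a-long-random-server-side-secret'; // placeholder
const TOKEN_WINDOW = 900;                     // token rotates every 15 minutes
const REQUIRED     = ['name', 'email', 'message'];
const HONEYPOT     = 'website';               // hidden field real users leave empty

// Token for the current window; $back = 1 gives the previous window's token.
function form_token(int $now, int $back = 0): string {
    $bucket = intdiv($now, TOKEN_WINDOW) - $back;
    return hash_hmac('sha256', (string) $bucket, FORM_SECRET);
}

// Accept the current and the previous window so a form left open briefly still works.
function token_valid(string $token, int $now): bool {
    return hash_equals(form_token($now, 0), $token)
        || hash_equals(form_token($now, 1), $token);
}

// Returns null when the submission should be mailed, otherwise why it was dropped.
function reject_reason(array $post, int $now): ?string {
    if (!empty($post[HONEYPOT])) {
        return 'honeypot filled';
    }
    foreach (REQUIRED as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            return "missing field: $field";
        }
    }
    if (!isset($post['token']) || !token_valid((string) $post['token'], $now)) {
        return 'missing or stale token';
    }
    return null;
}

// Entry point: only POST reaches the mail step; a bare GET never sends mail.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $reason = reject_reason($_POST, time());
    if ($reason !== null) {
        http_response_code(400);
        error_log("form drop: $reason");      // log it; tell the sender nothing useful
        exit;
    }
    // mail(...) would follow here, as in the generated handler
}
```

The form page embeds the token with `<input type="hidden" name="token" value="<?= form_token(time()) ?>">`; a script replaying an old POST then fails at the token check once the window has passed, while the secret itself never leaves the server.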