Re: Preventing Request.Form abuse
- From: "Mark Rae" <mark@xxxxxxxxxxxxxxxxx>
- Date: Tue, 24 Oct 2006 22:27:31 +0100
"John Timney (MVP)" <x_john@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:9cCdnSxkqMv0H6PYnZ2dnUVZ8qudnZ2d@xxxxxxxxxxxxxxxxx
John,
A list of forms that are only subject to postback on submission is easy to
create and could reside in web.config (or anywhere cachable) - crude, but
we can think of another way later. A begin request intercepted in an
ihttpmodule could verify the ispostback property of any request. If its
not a postback form, and is in the list of forms that require postback
then dump the request and return a redirect to some random fictitious URL.
It wont even touch the actual form being requested.
I like it!
If we were to use a real rather than a fictitious URL for the redirect, do
you think that would be a good thing or a bad thing? I guess it would be a
bad thing because (I suppose) it would look to the target URL that the
posting was coming from our IP address rather than the spammer's IP
address...
Being based in the UK, I think I would find it rather satisfying if the
spammers suddenly found themselves trying to post here:
http://www.met.police.uk/computercrime/
:-)
.
- Follow-Ups:
- Re: Preventing Request.Form abuse
- From: John Timney \(MVP\)
- Re: Preventing Request.Form abuse
- References:
- Preventing Request.Form abuse
- From: Mark Rae
- Re: Preventing Request.Form abuse
- From: John Timney \(MVP\)
- Preventing Request.Form abuse
- Prev by Date: Re: Preventing Request.Form abuse
- Next by Date: Re: Newbie Question!
- Previous by thread: Re: Preventing Request.Form abuse
- Next by thread: Re: Preventing Request.Form abuse
- Index(es):
Relevant Pages
|
Loading
