> On this special server the one and only client is the web application,
> where anonymous users can use a web form to ask for an account. They
> have to fill in their email address. The web application sends a
> mail to this address with a dynamically generated link the user has
> to follow to really make the web app create the account.

Ah, much clearer.

> In this scenario the "bad client" is "all the bored kids and bots"
> that fill web forms with senseless content, so the only way to fight
> this is using some kind of captchas, isn't it?

Yes. Use human tests to help. Here are some ideas.

Definitely google for a decent captcha (Re-Captcha appears to be the last unbroken one atm). Also MathGuard seems moderately ok.

Use honey pot variables (they need to be present and left empty).

Prior to sending, make sure the domain name exists (requires reliable DNS).

Use IP rate limiting (just keep a table and when you send the email, insert a row with the ip/date/email) and don't let that number of rows exceed some number per day.

Finally, add headers like X-Sender: Email from IP xxx.xxx.xxx.xxx (the sender's IP), and bounce back to a processing mail box so you can nail anyone that is bored/bad :)

> (So in theory, a "bad employee" could blame its company's outgoing
> mail server for generating thousands of mails to non-existing email
> addresses?)

Yep - many things can go wrong, so make it hard for them to. What I listed above helps dramatically cut down on invalid sends.

-- 
Tony Holmes Ph: (416) 993-1219
Founder and Senior Systems Architect
Crosswinds Internet Communications Inc.
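The checks listed in the reply above (honeypot fields, a DNS check on the address's domain, a per-IP daily send table, and an X-Sender header with bounces routed to a processed mailbox), put together as one gate in front of the "send the confirmation link" step. This is an added example, not code from the post or from Crosswinds; the field names, the `example.invalid` addresses, the daily limit and the injected `resolve_mx` callback are assumptions, and the captcha step is left to the caller.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage

# Hypothetical values for this example; a real deployment uses its own.
HONEYPOT_FIELDS = ("website", "fax")               # rendered hidden; humans leave them empty
BOUNCE_MAILBOX = "signup-bounces@example.invalid"  # placeholder processing mailbox
SENDER_ADDRESS = "noreply@example.invalid"         # placeholder From address


class SignupGate:
    """Gate in front of the 'send confirmation link' step of a signup form."""

    def __init__(self, resolve_mx, daily_limit=5, db_path=":memory:"):
        # resolve_mx(domain) -> list of MX hosts ([] when the domain cannot
        # receive mail). Injected so production can back it with a real DNS
        # library while tests use a stub; this example never touches the network.
        self.resolve_mx = resolve_mx
        self.daily_limit = daily_limit
        self.conn = sqlite3.connect(db_path)
        # The ip/date/email table from the reply: one row per mail actually sent.
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS sends (ip TEXT, sent_at TEXT, email TEXT)"
        )

    def honeypot_ok(self, form):
        # Bots tend to fill every field: the hidden fields must be present and empty.
        return all(form.get(f) == "" for f in HONEYPOT_FIELDS)

    def domain_ok(self, email):
        # Cheap syntactic split, then confirm the domain can actually receive mail.
        local, sep, domain = email.partition("@")
        if not sep or not local or not domain or "@" in domain:
            return False
        return bool(self.resolve_mx(domain.lower()))

    def sends_last_day(self, ip, now):
        # Timestamps are stored as ISO-8601 text in one timezone, so string
        # comparison orders them correctly.
        cutoff = (now - timedelta(days=1)).isoformat()
        (count,) = self.conn.execute(
            "SELECT COUNT(*) FROM sends WHERE ip = ? AND sent_at > ?", (ip, cutoff)
        ).fetchone()
        return count

    def build_mail(self, email, ip, link):
        # Message plus envelope sender: bounces land in a mailbox that is
        # processed, so non-existent addresses and the IPs behind them show up.
        msg = EmailMessage()
        msg["From"] = SENDER_ADDRESS
        msg["To"] = email
        msg["Subject"] = "Confirm your account request"
        msg["X-Sender"] = f"Email from IP {ip}"
        msg.set_content(f"Follow this link to create your account: {link}\n")
        return BOUNCE_MAILBOX, msg

    def request_account(self, form, ip, link, now=None):
        """Return 'sent' or 'rejected:<reason>'. The caller runs the captcha first."""
        if now is None:
            now = datetime.now(timezone.utc)
        if not self.honeypot_ok(form):
            return "rejected:honeypot"
        email = form.get("email", "").strip()
        if not self.domain_ok(email):
            return "rejected:domain"
        if self.sends_last_day(ip, now) >= self.daily_limit:
            return "rejected:rate"
        envelope_from, msg = self.build_mail(email, ip, link)
        # Real delivery would go here: smtplib.SMTP(...).send_message(msg, from_addr=envelope_from)
        self.conn.execute(
            "INSERT INTO sends VALUES (?, ?, ?)", (ip, now.isoformat(), email)
        )
        self.conn.commit()
        return "sent"


if __name__ == "__main__":
    # Constructed stub resolver: only example.org "has" an MX record.
    stub = lambda domain: ["mx1.example.net"] if domain == "example.org" else []
    gate = SignupGate(resolve_mx=stub, daily_limit=2)
    form = {"email": "alice@example.org", "website": "", "fax": ""}
    print(gate.request_account(form, "203.0.113.5", "https://example.invalid/confirm/TOKEN"))
```

The rejection order matters: the honeypot and domain checks cost nothing and run before the database query, and only a mail that is actually sent inserts a row, so rejected requests never consume the IP's daily budget.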