
Securing email forms

 
Jason Kwok
Ranch Hand
Posts: 126
Hi,

First off, I'd like to apologise if this isn't the appropriate forum to present my problem. Basically, I have a form on a JSP page that posts email information to a servlet that sends email using JavaMail.

My problem is that it's just a form, and there is nothing to prevent the form from being abused. The destination email address is fixed and only known to the servlet; I'm mainly concerned about people sending mass email through this form with no way of preventing it.

I was thinking of making a verification image, perhaps by using JCaptcha, and was wondering if that was the best way to go about securing a form like this? Or, are there easier alternatives to get the job done?

Thanks,
Jason
 
Ben Souther
Sheriff
Posts: 13411
You'd have to tell us a little more about how the form is used.

Do users have to be logged in to use it?
If so, all you would need to do is verify that they have a valid session.

Can they enter email addresses directly or are you getting the email addresses from a database on the back end?

The more we know about your requirements the more likely we will be to be able to give you good advice.
 
Ulf Dittmer
Rancher
Posts: 42968
That sounds like a "contact me" page on a public web site, correct? In that case, a captcha should be sufficient to cut down on automatically sent mails.
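An added example of the two checks Ben and Ulf describe (a valid session, plus a captcha answer the user must echo back), written here as illustration and not Jason's servlet or JCaptcha's own code. The session attribute name `captchaAnswer`, the per-session limit, the placeholder destination address and the assumption that `mail.smtp.*` settings come from the container are all mine.

```java
import java.io.IOException;
import java.util.Properties;
import javax.mail.*;
import javax.mail.internet.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example, not Jason's servlet: mail is sent only when the session holds the
// captcha answer the user must echo back, and one session may send only a few mails.
public class Mail extends HttpServlet {
    private static final int MAX_PER_SESSION = 3;             // assumed limit for a contact page
    private static final String DESTINATION = "contact@example.invalid"; // placeholder; Jason's comes from the DB

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The session must already exist: the captcha page created it and stored the
        // expected answer under "captchaAnswer" (assumed attribute name). No session, no mail.
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute("captchaAnswer");
        String given = req.getParameter("captcha");
        if (expected == null || !expected.equals(given)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "captcha check failed");
            return;
        }
        session.removeAttribute("captchaAnswer");             // one answer buys one submission
        Integer sent = (Integer) session.getAttribute("mailsSent");
        int count = sent == null ? 0 : sent;
        if (count >= MAX_PER_SESSION) {
            resp.sendError(429, "too many submissions for this session");
            return;
        }
        session.setAttribute("mailsSent", count + 1);
        try {
            send(req.getParameter("name"), req.getParameter("email"),
                 req.getParameter("subject"), req.getParameter("message"));
        } catch (MessagingException e) {                      // includes a malformed reply address
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "could not send: " + e.getMessage());
        }
    }

    private void send(String name, String replyTo, String subject, String body)
            throws MessagingException {
        Session mail = Session.getInstance(new Properties());  // mail.smtp.host etc. from container config
        MimeMessage msg = new MimeMessage(mail);
        msg.setFrom(new InternetAddress(DESTINATION));
        msg.setReplyTo(new InternetAddress[] { new InternetAddress(replyTo) }); // rejects bad syntax
        msg.setRecipient(Message.RecipientType.TO, new InternetAddress(DESTINATION));
        msg.setSubject(subject);
        msg.setText("From: " + name + "\n\n" + body);
        Transport.send(msg);
    }
}
```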
 
Jason Kwok
Ranch Hand
Posts: 126
Ulf is right: it's a contact page on a public website. No login is required, and as such, no sessions are maintained in any way, shape or form at this point.

The destination email is retrieved from the database, and only known internally by the mail servlet. People using this form can only provide their name, reply email address, subject and message.

The form basically is constructed as such, where Mail is my servlet: