First question:
===========
We are talking about $mbase defined as "collect.txt" on line 61 of config.cgi right?
You want to be careful about this, because yes there could be potential for a spammer to scan that file, possibly. Spambots (the software spammers use) will collect almost anything they can.
1. Depending on your host, it may be set up so that external users (except via scripts that you install yourself) can not get access to text/data/html files in the cgi-bin directory. You can test that by typing in the URL of this file directly, and seeing if it loads in your browser. Remember the URL may include cgi-bin
e.g. it might be something like
http://www.yoursite.com/cgi-bin/autoresponder/collect.txt
If your host does the thingy I mentioned earlier, you should get a permission error. This would mean you are probably safe anyway, but do the next bit anyway
2. Set the name to something unguessable and horrible, and fairly long. Letters AND numbers, etc. in the filename. UNIX/Linux file systems are case sensitive, so mix cases on the letters
Even if accessible by typing the URL, the page should not be able to be found by anybody who can't guess the name provided you do a number of things:-
(a) Do *not* link to the file from any other web pages
(b) Do *not* put the file name in robots.txt (if you have one). Remember robots.txt can be read by anybody. Some spammers use this guide (which is supposed to tell search engines which pages not to index) as a guide for themselves to go grab more information.
(c) Do *not* let your own computer be a point of vulnerability. For example, viruses or spyware can give away personal data from your own PC which could include this file or its URL. So keep your computer free of them - keep antivirus software current, regularly scan for spyware (e.g. lavasoft.de) and avoid downloading programs which are explicitly adware or spyware.
(d) Relatively remote possibility - What happens if you type into your browser something like
http://www.yoursite.com/cgi-bin/autoresponder/
(without the file name)
If your host gives a list of files in this folder, you need to talk to them AND/OR fix it for this specific folder yourself
- If you want to talk to them, ask them to turn off directory listing, at least for your site, if not for everyone's. Most hosts do this already (except maybe some free ones), as it is good security.
- If you want to fix it yourself, create a file with the default name (usually index.htm or index.html but it varies by host) in any directory that doesn't have one. This can be an empty web page. It will stop people doing directory listing, as if they attempt it, they should get this file instead.
3. I am not sure if this is going to work (the script may or may not operate under these conditions), but you can try it for extra security....
Try putting a path in for $mbase
e.g.
instead of say
$mbase = "collect.txt" ;
put
$mbase = "./data/collect.txt" ;
The ./ means under the current folder
The "data" means a subfolder, called data
So this means the file would be stored, as something like
/cgi-bin/autoresponder/data/collect.txt
You will need to create an empty "data" directory in the right place, and set permission on it too. Try 755 and if that doesn't work try 777.
The idea is to store the file in a subfolder
You still want to do the points covered in section 2 as well.
But, if this works, you should be able to password protect this "data" folder (either on your host's control panel or by creating an .htpasswd file) on almost any reasonable host.
If this works, this is the safest solution.
Second question
============
I am not a lawyer. My understanding is the Data Protection Act is UK law relating to collection of personal data.
If you want answers to legal questions, ask a lawyer, and/or ask the agency in charge (I think Data Protection Registrar is the name)
I believe a copy of the act is online, and may be found in google if you want to read it yourself.
Whether this applies to just lists of email address, I don't know.
Jay deals with this kind of stuff. I believe Answers 2000 did register (you fill a form and pay a fee I believe), but of course, the data we might collect on our sites and the uses we put it to will differ from your site/business.
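Added example (not code from the original post or from the autoresponder script): a small POSIX shell script that does the housekeeping from points 2 and 3 of the first answer in one go. It generates an unguessable mixed-case alphanumeric file name, creates the "data" subfolder with 755 permissions, drops an empty index.html into it to defeat directory listings, and writes an .htaccess that refuses direct web requests to the folder. Assumptions: an Apache-style host that honours .htaccess files (Apache 2.4 "Require all denied" syntax; Apache 2.2 hosts would use "Order deny,allow" / "Deny from all" instead), and that the script is run under the autoresponder directory; the temp-directory default in main() is only there so the example runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes an Apache-style host
# that honours .htaccess; directory paths are placeholders.
set -eu

# Point 2: an unguessable name, letters AND numbers, mixed case, fairly long.
# Reads /dev/urandom, which any UNIX/Linux host provides.
gen_secret_name() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
  echo
}

# Point 3 (plus 2d): create the private "data" subfolder with 755 permissions,
# an empty default page so a directory listing shows nothing, and an .htaccess
# that refuses web requests for anything inside it. The CGI script still reads
# the file from disk, so it keeps working.
setup_data_dir() {
  dir="$1"
  mkdir -p "$dir"
  chmod 755 "$dir"
  : > "$dir/index.html"                 # empty web page, stops directory listing
  cat > "$dir/.htaccess" <<'EOF'
# Apache 2.4 syntax (assumed host). Deny every direct request to this folder.
Options -Indexes
Require all denied
EOF
  chmod 644 "$dir/index.html" "$dir/.htaccess"
}

# Sanity check before pointing $mbase at the folder: it must exist, hold the
# index page and the .htaccess, and must NOT be world-writable (avoid 777
# unless the host really forces it, since anyone on a shared box could then
# alter or replace the collected data).
check_data_dir() {
  dir="$1"
  [ -d "$dir" ] || return 1
  [ -f "$dir/index.html" ] || return 1
  [ -f "$dir/.htaccess" ] || return 1
  [ -z "$(find "$dir" -maxdepth 0 -perm -o=w)" ] || return 1
  return 0
}

# Usage: sh setup_data.sh /path/to/cgi-bin/autoresponder
# Prints the $mbase line to paste into config.cgi in place of "collect.txt".
main() {
  base="${1:-$(mktemp -d)}"             # temp dir only so the example runs stand-alone
  setup_data_dir "$base/data"
  name="$(gen_secret_name).txt"
  echo "data folder: $base/data"
  echo "\$mbase = \"./data/$name\" ;"
  check_data_dir "$base/data" && echo "checks passed"
}

main "$@"
```

Run it once on the host, copy the printed $mbase line into config.cgi, and then confirm from a browser that the folder URL (the /cgi-bin/autoresponder/data/ address) returns a permission error rather than a listing or the file.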