Archived Message:

Security of Autoresponder Addresses

JRSnottingham

I purchased Autoresponder Unlimited and look forward to trying it out.  I notice that it stores all email addresses in a dataset with default name "cxx.txt" [I have changed it to help preserve the security; the documentation encourages the user to change the name.]

How safe is this?  It is a text file on the website.  Are there any known instances of spammers retrieving this text file, stealing all the email addresses, and thus causing the internet business a lot of unhappy customers/contacts?  I am not sure whether the Data Protection Act applies simply to lists of email addresses; does anyone have any legal knowledge about this?  I wouldn't want my customers to think their addresses could easily be hijacked.

Any views appreciated, thanks.


Posted on: 7:06 pm on April 12, 2004
EBookCompiler

First question:
===========

We are talking about $mbase defined as "collect.txt" on line 61 of config.cgi right?

You want to be careful about this, because yes there could be potential for a spammer to scan that file, possibly.  Spambots (the software spammers use) will collect almost anything they can.

1. Depending on your host, it may be set up so that external users (except via scripts that you install yourself) cannot get access to text/data/html files in the cgi-bin directory.  You can test that by typing in the URL of this file directly, and seeing if it loads in your browser.  Remember the URL may include cgi-bin.

e.g. it might be something like

http://www.yoursite.com/cgi-bin/autoresponder/collect.txt

If your host does the thingy I mentioned earlier, you should get a permission error.  This would mean you are probably safe anyway, but do the next bit anyway.


2. Set the name to something unguessable and horrible, and fairly long.  Letters AND numbers, etc. in the filename.  UNIX/Linux file systems are case sensitive, so mix cases on the letters.

Even if accessible by typing the URL, the page should not be able to be found by anybody who can't guess the name provided you do a number of things:-

(a) Do *not* link to the file from any other web pages

(b) Do *not* put the file name in robots.txt (if you have one).  Remember robots.txt can be read by anybody. Some spammers use this guide (which is supposed to tell search engines which pages not to index) as a guide for themselves to go grab more information.

(c) Do *not* let your own computer be a point of vulnerability.  For example, viruses or spyware can give away personal data from your own PC which could include this file or its URL.  So keep your computer free of them - keep antivirus software current, regularly scan for spyware (e.g. lavasoft.de) and avoid downloading programs which are explicitly adware or spyware.

(d) Relatively remote possibility - What happens if you type into your browser something like

http://www.yoursite.com/cgi-bin/autoresponder/

(without the file name)

If your host gives a list of files in this folder, you need to talk to them AND/OR fix it for this specific folder yourself.

- If you want to talk to them, ask them to turn off directory listing, at least for your site, if not for everyone's.  Most hosts do this already (except maybe some free ones), as it is good security.

- If you want to fix it yourself, create a file with the default name (usually index.htm or index.html but it varies by host) in any directory that doesn't have one.  This can be an empty web page.  It will stop people doing directory listing, as if they attempt it, they should get this file instead.


3. I am not sure if this is going to work (the script may or may not operate under these conditions), but you can try it for extra security....

Try putting a path in for $mbase

e.g.
instead of say
$mbase = "collect.txt" ;

put
$mbase = "./data/collect.txt" ;

The ./ means under the current folder
The "data" means a subfolder, called data

So this means the file would be stored, as something like
/cgi-bin/autoresponder/data/collect.txt

You will need to create an empty "data" directory in the right place, and set permission on it too.  Try 755 and if that doesn't work try 777.

The idea is to store the file in a subfolder

You still want to do the points covered in section 2 as well.  

But, if this works, you should be able to password protect this "data" folder (either on your host's control panel or by creating an .htpasswd file) on almost any reasonable host.  

If this works, this is the safest solution.


Second question
============

I am not a lawyer.  My understanding is the Data Protection Act is UK law relating to collection of personal data.

If you want answers to legal questions, ask a lawyer, and/or ask the agency in charge (I think Data Protection Registrar is the name)

I believe a copy of the act is online, and may be found in google if you want to read it yourself.

Whether this applies to just lists of email address, I don't know.

Jay deals with this kind of stuff.  I believe Answers 2000 did register (you fill a form and pay a fee I believe), but of course, the data we might collect on our sites and the uses we put it to will differ from your site/business.


Posted on: 4:44 am on April 13, 2004
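The hardening steps from points 1 to 3 of the reply above, written out as a shell script. This is an added example, not code from the post or from Autoresponder Unlimited. It assumes an Apache host that honours .htaccess files (AllowOverride enabled), and every path, the .htpasswd location and the AuthName string are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the forum post or from Autoresponder Unlimited.
# Sets up the "data" subfolder hardening the reply describes (empty index
# page, no directory listing, web access to the .txt refused, optional
# password protection) and gives a probe for point 1.
# Assumption: an Apache host that honours .htaccess; all paths are constructed.

# Point 2: an unguessable, mixed-case, alphanumeric file name of the requested
# length (default 24). 512 random bytes give far more than enough characters
# after filtering, so tr finishes before head closes the pipe.
random_name() {
    dd if=/dev/urandom bs=64 count=8 2>/dev/null \
        | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "${1:-24}"
    echo
}

# Points 2(d) and 3: create the subfolder with mode 755, drop an empty index
# page so a request for the folder never returns a listing, and add an
# .htaccess that disables listings and refuses web requests for .txt files.
# The CGI script reads the file from disk, so this rule does not affect it.
setup_data_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 755 "$dir"
    : > "$dir/index.html"
    cat > "$dir/.htaccess" <<'EOF'
Options -Indexes
<FilesMatch "\.txt$">
    Require all denied
</FilesMatch>
EOF
}

# Password-protect the folder as well. The .htpasswd file itself is created
# with Apache's htpasswd tool; its absolute path is the second argument.
add_basic_auth() {
    dir="$1"
    htpasswd_file="$2"
    cat >> "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Autoresponder data"
AuthUserFile $htpasswd_file
Require valid-user
EOF
}

# Verify the layout: index page present, listings disabled, and warn if the
# folder ended up world-writable (the 777 fallback), which is a last resort.
check_data_dir() {
    dir="$1"
    [ -f "$dir/index.html" ] || { echo "missing index page in $dir"; return 1; }
    grep -q 'Options -Indexes' "$dir/.htaccess" 2>/dev/null \
        || { echo "directory listing not disabled in $dir"; return 1; }
    # Character 9 of "ls -ld" output is the world-write bit.
    case "$(ls -ld "$dir" | cut -c9)" in
        w) echo "warning: $dir is world-writable (777)" ;;
    esac
    echo "ok: $dir"
    return 0
}

# Point 1: request a URL and report whether the server handed the content out.
# Needs network access and curl, so it only runs when you call it explicitly.
probe_url() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    case "$code" in
        200) echo "EXPOSED: $1 was served (HTTP $code)"; return 1 ;;
        *)   echo "not served directly: $1 (HTTP $code)"; return 0 ;;
    esac
}

# Demonstration on a throwaway directory tree (constructed paths).
demo() {
    base=$(mktemp -d)
    data="$base/cgi-bin/autoresponder/data"
    setup_data_dir "$data"
    add_basic_auth "$data" "$base/cgi-bin/autoresponder/.htpasswd"
    check_data_dir "$data"
    echo "new \$mbase value: ./data/$(random_name 24).txt"
    rm -rf "$base"
}

demo
```

After uploading, run `probe_url` against both URLs from the reply, the file itself and the bare folder, and expect a non-200 response for each. `Require all denied` is Apache 2.4 syntax; on a 2.2 host the equivalent line inside the FilesMatch block is `Deny from all`.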
JRSnottingham

Many thanks for such a complete response.  I had thought of some of these things but not all, and it will be easier to follow your clear instructions and the examples to check if they work.

Posted on: 7:44 am on April 13, 2004


Copyright © 2000-2021, Answers 2000 Limited.
