
Re: cellcom sendsms



I released a new version of my Sendsms script, in
http://nadav.harel.org.il/software/sendsms

The previous versions no longer work with Cellcom, so everyone should upgrade.

Cellcom's latest change to their site (done this morning) is very cunning.
They added various Cookies and stuff to their page but that turned out not
to be the important change - the cunning change is that they suddenly check
the "Referer:" header, to "make sure" that you follow their web-pages and
don't arrive at the middle (e.g., with a script). Of course, once I found
that this is the problem (it was hard, because I had to guess all the reasons
that my script's requests could possibly differ from those of a manual user),
it's trivial to insert the required "Referer:" header.

By the way, if anyone from Cellcom or Orange is reading this: Please don't
try to complicate your page every few months to foil scripts. This is mostly
futile, because us script writers aren't exactly stupid[1] :) All you achieve
is to annoy me (I just wasted 2 hours of my life on this crap!), and to make
your site useless for people with browsers without Javascript and the rest
of the tricks you use. What you *do* want to achieve, however, is to prevent
abusers (like spammers) from sending thousands of messages on your system
automatically. To do that, you'll need to work on your account system (so
people cannot create thousands of new accounts so easily, for example),
and not on obfuscating your interface. It is a well known fact that Obscurity
is not Security.

Another note to Cellcom and Orange: using "sendsms" for personal use only
brings you more business, so you have no reason to try to stop it. If one
company allowed "sendsms" and another didn't, many people (like myself)
will switch to the company that allowed it. This is not just theoretical -
I bought my Cellcom phone only after being promised that a web SMS sending
form will be up in a month (the promise was kept). Furthermore, I found myself
many times calling up the person who had just sent me email. I'm sure
other people do the same.


[1] I do know of one counter-measure that they can use to almost-completely
destroy the possibility of scripting their site (or at least make it very very
difficult). I hope they never figure out this method or decide to use it :)


-- 
Nadav Har'El                        |    Wednesday, Apr 18 2001, 25 Nisan 5761
nyh@math.technion.ac.il             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |Everybody lies, but it doesn't matter
http://nadav.harel.org.il           |since nobody listens.
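
The contrast the message draws between checking the "Referer:" header and working on the account system, as an added example that is not part of the original post and not Cellcom's or sendsms's code. The form URL, the quota of 3 messages per 24 hours and all function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

FORM_URL = "https://sms.example/compose"  # constructed placeholder URL
DAILY_QUOTA = 3                           # assumed per-account limit
WINDOW = 24 * 3600                        # quota window in seconds

def referer_gate(headers):
    """Interface-level check: the header is supplied by the client, so it
    says nothing about how many requests that client goes on to make."""
    return headers.get("Referer") == FORM_URL

class AccountQuota:
    """Server-side sliding-window quota keyed on the authenticated account."""
    def __init__(self, limit=DAILY_QUOTA, window=WINDOW):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)    # account -> timestamps of accepted sends

    def allow(self, account, now):
        q = self.sent[account]
        while q and now - q[0] >= self.window:  # forget sends outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def handle_send(headers, account, now, quota):
    """Request handler applying both controls; returns the decision."""
    if not referer_gate(headers):
        return "rejected: referer"
    if not quota.allow(account, now):
        return "rejected: quota"
    return "accepted"

def referer_only_accepted(n_requests, headers):
    """Requests accepted when the Referer check is the only control."""
    return sum(1 for _ in range(n_requests) if referer_gate(headers))

def simulate(n_requests, headers, account="user-1"):
    """Requests accepted from one account, one request per second."""
    quota = AccountQuota()
    results = [handle_send(headers, account, i, quota) for i in range(n_requests)]
    return results.count("accepted")

if __name__ == "__main__":
    h = {"Referer": FORM_URL}
    print("referer check only:", referer_only_accepted(1000, h), "of 1000 accepted")
    print("with account quota:", simulate(1000, h), "of 1000 accepted")
```

The quota only bounds abuse if creating accounts is itself costly, which is the point the message makes about the account system.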
