Web Hosting Talk

Alert! - Formmail.pl as Spam server


sanshri
06-23-2001, 08:52 AM
This is an informational posting for the benefit of webmasters and website providers.

Many websites use Matt's formmail.pl to process feedback forms hosted on their website. However, there is a serious flaw in the script that is being exploited by spammers to send junk mails anonymously from the website using the GET method.
http://site.com/cgi-bin/formmail.pl?recipient=email@address

I came across a modified script (anti-spam fix) which allows you to specify the list of recipient email addresses in a text file.
Download the fixed script from
http://www.mailvalley.com/formmail/

Anyone used this script ?
If anyone has found any other solution or patched versions of formmail.pl please let me know as soon as possible.

GordonH
06-23-2001, 09:22 AM
Hello
This happened to us a while back.
There is an easier fix:
change the name of the script to sdfskdfdd.pl
or something.

They use search engines to look for formmail.pl in your pages through Altavista. I have seen this as a search query in our server logs. If the file isn't called formmail they will ignore it and go looking elsewhere.

Gordon

sanshri
06-23-2001, 09:42 AM
Renaming of the script may not be a permanent solution. It is not at all a difficult task to find out the .pl file from the html pages. Right now spammers are satisfied with whatever they got and they are switching sites looking for a script. Once they exhaust some options then they look for alternate methods and could attack your server again.

GordonH
06-23-2001, 09:58 AM
I didn't say we still used formmail.pl at all, I just meant that was the immediate quick solution.

In fact, we use the C version which only sends to recipients in the same domain. It was only one page that had an old reference in it.

These people do not actually visit the web pages with the forms on, they use search engines to look for the file.
If it's not there, they move on.

Gordon

ADW
06-23-2001, 11:03 AM
Woh!
We had the same problem 2 weeks ago, we were receiving complaints about spamming coming from our webserver and were wondering where in the world did this come from!

Our fix was just to only accept POST requests and refuse GET requests, that stopped them in their tracks because their scripts use the GET requests.

Hope that helps :)

JustinK
06-23-2001, 12:09 PM
I use formmail for a few people when I need to setup where the e-mail goes to, but I specify in the file where the e-mail is going to since I'm paranoid about some spam bot picking the e-mail address up from the page's source.

Tim Greer
06-23-2001, 06:31 PM
Don't use Matt Wright scripts, is a start. They were all coded a long time ago, by Matt while attending school, as he was learning. These (none of them) are any good anyway. Some people think "Well, it works for me, good enough", but they are coded poorly, usually resource hogs and often insecure. Not too long ago, they had the problem (formmail.pl) where it allowed people to specify the sender address in the HTML form (which it still does) as well as the person allegedly filling the form out. People would pass commands like (phonetically, for example) "Send to this address; command here" and they would echo the system's passwd file (or whatever else: any file on the system with read access) and have it sent to their email address.

Using POST, as someone else said, is not a bad idea, but you have the issue where the SPAMMER can simply copy the HTML form page from the site and put it on another site or even their own system and just use it from there. You also can block it by the referrer to say it has to be a POST action and be coming from the domain in question, but it's not at all difficult to have a local (or remote on their server) script to trick the referrer field and post the content to the script on your site. In fact, it would be better for a SPAMMER, because they can just have their local script loop through all the email addresses and continue to send through your server. I'd have assumed they'd be doing that very act anyway, since manually pressing submit or a URL with GET would be time consuming.

I'd suggest using a different mail form script, but that's not the solution per se. Some suggestions I'd say, is to put in a delay of like 1 or 2 seconds. People that use the form won't mind -- how often do they use it, really? Spammers will find it annoying to have to wait. Also, do logging (something more intelligent than the web server logs), have it send the SPAMMER's IP and other information in the email.

Also, use some sort of logging to basically log what IP they are on, and have the script count how many times that IP has submitted a form mail. This would be the best solution, simply have a session file type of deal, where people can only use the form mail once or twice (or whatever is reasonable to you) every 30 minutes. It would be far too much of a hassle to wait 2 seconds for each mail to be sent, only be able to send one or two emails anyway and have to wait another 30 minutes -- or find proxies to run through and have to change the proxy information over and over. That would just be far too much time for any SPAMMER to deal with. No more mass email through the form mail script from there on out.

Also, to prevent simply changing the IP/proxy, you could use cookies in addition. If they don't accept cookies, deny them the use of your form mail; if they do, use the same session type of deal with the cookie as well. I tell you, no SPAMMER would bother with your script ever again. It wouldn't be realistic to bother with. This might sound like a lot to do, but it's not. It's very simple and wouldn't take too long at all. You should always implement some preventative measure like this in any such script that can be abused. This, even though I'd hate the thought, could easily be implemented in even Matt Wright's scripts... Hope that helps you.
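The per-IP limit described in the post above, as an added example written here in Python (not code from the thread or from any formmail script): a small JSON session file records submission times per client address and refuses the third submission within the 30-minute window. The file path and the 203.0.113.5 / 198.51.100.7 addresses are constructed for the demo.

```python
import json
import os
import tempfile

WINDOW_SECONDS = 30 * 60   # the 30-minute window from the post
MAX_PER_WINDOW = 2         # "once or twice" per window

class SubmissionLimiter:
    """Keeps a list of recent submission times per client IP in a JSON file."""

    def __init__(self, path, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.path, self.window, self.limit = path, window, limit

    def _load(self):
        try:
            with open(self.path) as fh:
                return json.load(fh)
        except (OSError, ValueError):   # first run or damaged file: start empty
            return {}

    def _save(self, data):
        # Write to a temp file and rename, so a crash mid-write leaves the old copy.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(data, fh)
        os.replace(tmp, self.path)

    def allow(self, ip, now):
        """Record the hit and return True if ip has not yet used up its window."""
        data = self._load()
        recent = [t for t in data.get(ip, []) if now - t < self.window]
        allowed = len(recent) < self.limit
        if allowed:
            recent.append(now)
        data[ip] = recent                # also drops timestamps that aged out
        self._save(data)
        return allowed

def demo():
    """Constructed run: three quick submissions from one IP, then one later."""
    path = os.path.join(tempfile.mkdtemp(), "formmail-sessions.json")
    lim = SubmissionLimiter(path)
    base = 1_000_000.0                   # arbitrary epoch seconds
    burst = [lim.allow("203.0.113.5", base + i) for i in range(3)]
    other = lim.allow("198.51.100.7", base + 3)
    later = lim.allow("203.0.113.5", base + WINDOW_SECONDS + 1)
    return burst, other, later
```

The reads and writes are not locked, so several CGI processes serving the form at once should wrap allow() in a file lock (fcntl.flock). The limiter only sees the address the web server reports, which is why the post pairs it with the cookie check.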

Tim Greer
06-23-2001, 06:36 PM
Originally posted by JustinK
I use formmail for a few people when I need to setup where the e-mail goes to, but I specify in the file where the e-mail is going to since I'm paranoid about some spam bot picking the e-mail address up from the page's source.

Good suggestion. I do the same thing. I don't allow anyone to see where or what the email address is. Also, for multiple choice of where/who the email will go to, I just put in something on the HTML form with a drop down box or radio selection choice and depending on what department the person selects the email to go to (say, the value 1 is sales, 2 is support, 3 is abuse, etc.), that it'll go to and not be known, especially to SPAM bots -- let alone, to not have the email specified by some remote party. Just create a hash like:

%to = ( 1 => 'someaddress@someplace.com,ccsomeoneelse?',
2 => 'otheraddr', etc. );

Then just use the value to decide what number will email to what address. This also helps to prevent other problems. I'm glad you mentioned that.
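The same idea as the hash above, as an added example in Python rather than Perl (not code from the thread or from any formmail script): the handler maps an opaque department key to a server-side address table, refuses GET as ADW's post suggests, and ignores any client-supplied recipient, which closes the `?recipient=` hole from the first post. The addresses are constructed.

```python
from urllib.parse import parse_qs

# Constructed allow-list; the HTML form only ever exposes the numeric keys.
RECIPIENTS = {
    "1": ["sales@example.com"],
    "2": ["support@example.com", "support-cc@example.com"],
    "3": ["abuse@example.com"],
}

class RecipientError(ValueError):
    """The submitted department value is not a key of RECIPIENTS."""

def resolve_recipients(form):
    """Map the form's 'dept' value to the server-side address list.

    Any 'recipient' field the client sends is ignored on purpose: only the
    opaque key from the drop-down decides who receives the mail.
    """
    dept = form.get("dept", [""])[0].strip()
    if dept not in RECIPIENTS:
        raise RecipientError("unknown department %r" % dept)
    return list(RECIPIENTS[dept])

def handle_submission(method, body):
    """Emulates the CGI entry point: POST only, recipients from the table.

    Returns the HTTP status to send and the resolved addresses, so the
    decision can be checked without sending any mail.
    """
    if method != "POST":             # GET, as the spam scripts used, is refused
        return {"status": 405, "to": []}
    form = parse_qs(body, keep_blank_values=True)
    try:
        to = resolve_recipients(form)
    except RecipientError:
        return {"status": 400, "to": []}
    return {"status": 200, "to": to}
```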

JustinK
06-24-2001, 08:16 PM
Well, one of the customers just had it happen to them. :( So I took a little time and popped a somewhat small fix. If anyone sees any flaws in it let me know. I will be making orbmail in a couple days which will be an official Orb5 formmail type script. Just have to outline it first so I don't get all messed up.

http://www.orb5.com/freecgi/formmail/

If there's an error in it, please let me know. The sendmail location isn't what it originally was either ::changes it to blue::.

Duster
06-25-2001, 12:13 AM
One of mine had it happen the tail end of last week too. When we talked about this a few weeks ago, I replaced most of the formmail.pl scripts with the more secure version. Obviously, I missed at least one. They are all gone now and have been replaced with the patched and renamed version, and there has not been a single returned message since. I will be replacing those with an entirely different script this week.

Tim is right about Matt Wright's scripts. The ones I have seen and used, like wwwboard and formmail, are junk. Even the patched and enhanced (by others) versions still do not compare to a large number of more recent, stable products for people who really know what they are doing when it comes to programming.

I took a look at the number of form processing scripts at HotScripts (http://www.hotscripts.com/Perl/Scripts_and_Programs/Form_Processors/). They have 149. Wow! Does anyone have any recommendations? I'm considering AlphaMail as it seems satisfactory and I didn't go through the entire list (just the first few pages).

JustinK
06-25-2001, 12:20 AM
I just make my own personally. I despise Matt Wright's scripts. All the wrestling sites use edited versions of WWWBoard... I wish they'd make the date bigger on when the stuff was last updated so people would realize how old most of it is. I did learn a little of 'em at first though. I actually managed to redo the wwwboard style at one point... but Vbulletin will have to do for my board system now. :)

::adds more in:: Just a question before I get a little form script made, what features do people like in their form scripts, and what security hazards should I look out for?

Serena
06-26-2001, 10:45 PM
Originally posted by Tim_Greer
Don't use Matt Wright scripts, is a start ... coded poorly, usually resource hogs and often insecure ... I'd suggest using a different mail form script, but that's not the solution per se. Some suggestions I'd say, is to put in a delay of like 1 or 2 seconds. ... Also, use some sort of logging to basically log what IP they are on, and have the script count how many times that IP has submitted a form mail. This would be the best solution, simply have a session file type of deal, where people can only use the form mail once or twice (or whatever is reasonable to you) every 30 minutes. ... Also, to prevent simply changing the IP/proxy, you could use cookies in addition. ... You should always implement some preventative measure like this in any such script that can be abused. This, even though I'd hate the thought, could easily be implemented in even Matt Wright's scripts...

Tim, have you done anything to WZPro's formail.pl - as outlined above? If not, have you discussed these issues with WD?

David@Digisurge
06-26-2001, 11:11 PM
Thank you for this public notice. I was using Matt's Formmail for a lot of forms on my site. I have since switched to a PHP based version.

Serena
06-26-2001, 11:18 PM
Originally posted by David@Digisurge
Thank you for this public notice. I was using Matt's Formmail for a lot of forms on my site. I have since switched to a PHP based version.

Could you tell me where to get the PHP formmail script you are using? I'd love to switch to PHP for that. I've been phasing out cgi/pl scripts on my site, replacing them with PHP.

I ask because you apparently have done this and it is working fine - the best recommendation.

Thanks.

David@Digisurge
06-26-2001, 11:28 PM
Sure, I was going to post it in my original but I couldn't find it. I did some searching so:

http://www.lumbroso.com/scripts/

I am using it on most of my forms at:
http://www.digisurge.com

I have not had any problems with it. I like it better than the cgi/perl based one I used before.

David@Digisurge
06-26-2001, 11:29 PM
PS

I am using version 4.0

Serena
06-26-2001, 11:35 PM
Thanks very much, David. I'm on my way now!

jic
06-27-2001, 12:15 AM
Yeah. Now the hard part will be to stop our customers from using it =X.

Tim Greer
06-27-2001, 03:43 AM
Originally posted by Serena
Tim, have you done anything to WZPro's formail.pl - as outlined above? If not, have you discussed these issues with WD?

Nice to see you here. I believe I mentioned it, yes. However, I haven't been around there for some time. There's a lot of things I find more important and more of a priority, and I wasn't even sure if they were using it anyway. I've been pretty busy and haven't had time to really help out there much for a couple of months, so I should send a hello sometime soon. I talk to Webdude every now and again though. Hope all is well, let me know if you don't find a suitable solution for your needs and I'll help you out. Cheers!

Serena
06-27-2001, 03:55 AM
Thanks, Tim. Good to talk with you.

I followed the lead of David and have switched over to phpformmail - all up and running fine currently.

WZ is using Matt's script - renamed formmail.cgi, so if these posts are correct about the spammers' abilities to utilize that script, it affects the end user, and WZ itself, and probably would be a good move for them to take precautionary measures.

Thanks for the speedy response and offer to help. :)

jonelin
06-27-2001, 04:17 AM
for the college campus website i webmaster i use the bnbform. anyone familiar with this one? i like it because it allows me to use radio boxes or a drop down for people to select where they want their email to go to (a&r, webmaster, financial aid, pr, etc.). and you can specify an autoresponder (a plain txt file) and it keeps a count of how many times the form was used and collects email addresses. :)