For those of you not using cpanel (or even if you are I suppose), just wondering what script you are using for form mailer? Or if you could recommend a secure server-wide script for a Plesk server? Even not server-wide. Still using Matt's or ???

We are using Matt's newest version - and we've added some extra security measures as well. :)

We also routinely check our servers for customer-installed versions of Matt's script - and check them for spamability.

--Tina

Yeah, I was thinking of either Matt's (new, as is), or http://www.phorm.com < any experiences with this one? I just want something that won't leave the server wide open.

No experience with phorm - but really happy with Matt's. Been using it for a long while...we "fixed" it before he did though.

--Tina

We still have matt's latest formmail available to our customers.

We use custom CGI scripts for all of the stuff on our site, though, where settings and stuff are hardcoded.

We don't use plesk anymore, but it worked fine when we did. Sendmail or the wrapper for QMail really likes for a -ffrom@address to be added to the command, though.

open(MAIL,"|$mailprog -t");

to

open(MAIL,"|$mailprog -t -f$Config{'email'}");

Originally posted by Chicken
For those of you not using cpanel (or even if you are I suppose), just wondering what script you are using for form mailer? Or if you could recommend a secure server-wide script for a Plesk server? Even not server-wide. Still using Matt's or ???

I use matt scripts for these reason: it is one of few scripts that is secure (try finding another secure script) and it is very popular, so most users probably know how to use it already.

We did a customization, so we will be able to install it server wide without compromising security.

Another related question: anybody knows a good form mailer that supports PGP/GPG?

Hi!
Modifying formmail is the best option.
Also forpgp you get a script called pgpmail.pl which is a modified formmail.pl again... :)

Have a great day :)

regards
amar

Matt wrights script is not really a script you want to use as-is. We had such a high spam exploit rate that we had to make changes. We wrote a script to seek out Matts scripts and alter them, and I mean a lot of altering. We changed them by adding some security involving posts per hour, ip tracking, users allowed to post, and post methods as well as some other details. Since then we have not had one single spam complaint that was traced to a form mail script on our network and users have not noticed or complained about the implemented changes. Most of them are unaware anything was changed. Spammers dont make things easy with their unethical practices but what else can you do? Just some food for thought for any form mail scripts.

Originally posted by Jag
Matt wrights script is not really a script you want to use as-is. We had such a high spam exploit rate that we had to make changes. We wrote a script to seek out Matts scripts and alter them, and I mean a lot of altering. We changed them by adding some security involving posts per hour, ip tracking, users allowed to post, and post methods as well as some other details.

The latest version of matts FormMail.pl has built in security measures to prevent spam relaying. And it looks like it is a lot simpler than what you did.

Perhaps, but ours was done a while ago and works quite well for us. I will check the newest version and compare it, and this is just and assumption but I would bet ours is still more secure. But if the new one works well for you then great.

Originally posted by bobcares
Hi!
Modifying formmail is the best option.
Also forpgp you get a script called pgpmail.pl which is a modified formmail.pl again... :)


Uh, pgpmail is based on an ancient version of formmail.pl. I don't know if it has some security problem related to the old version of formmail.pl. But, it looks like it needs some heavy lifting to secure.

Hello, when looking for some other form mailers out there, I came across soupermail, http://soupermail.sf.net. Looks like it has tons of features. Anybody has used it yet?

I never used it but it does have some pretty good documentation at least.

Originally posted by Jag
I never used it but it does have some pretty good documentation at least.

On the downside, it is very complicated that might confuse average user :(

It might even add some support burden if I am offering that :(