Web Hosting Talk

Thoughts on FORMMAIL.PL


AH-Tina
03-15-2002, 07:17 AM
We have a global formmail.pl script (copy/paste code) available for all of our users. We also frequently scan our servers for user-installed versions...and check to make sure their copies don't allow spammers to use them. We are constantly finding bad formmail scripts installed...and patching them. We actually had spam sent through 2 accounts on one server day before yesterday...even though we had just scanned that server recently.

I thought that banning user-installed versions of FormMail might be a solution...since we offer it already anyway.

Do any other hosts ban the use of customer installed FormMail??

--Tina

avara
03-15-2002, 07:40 AM
We do not ban it, however we do offer a better CGI to mail script which can be installed via our control panel, instantly. As such, I haven't seen many people try to install FormMail yet.

But banning it wouldn't be a bad idea. Just make sure to list it in your TOS/AUP under "banned scripts" or something, and explain why it is banned.

bitserve
03-15-2002, 01:10 PM
Argh! Formmail! What a nightmare!

We've had numerous problems with customers using old formmail scripts that were then exploited by spammers.

We've continued to just send reminders to all of our users every time one user messes up to once again remind everyone of the problem and that they will be billed for any maintenance resulting from it. We haven't actually billed anyone, but possibly could the next time.

What I've been thinking of doing is just creating a sendmail group, and you have to be in the group to use it. And making them digitally sign an agreement to get put into the group.

But as far as actually restricting users from using scripts that access the sendmail binary/wrapper? And forcing them to use a shared stock formmail script? Seems a little harsh. IMHO. But it is probably a lot easier to just remove all scripts that refer to your sendmail binary instead of making sure that they're secure, which is what I did once. But new scripts are uploaded every day, and like you, I can't spend every day going through other people's scripts.

AH-Tina
03-15-2002, 01:14 PM
I know that other scripts CAN be exploited...but FormMail seems to be the only one we've had problems with. I think by banning user-installed instances of FormMail - we would eliminate almost all of the problems.

We just announced the FormMail ban yesterday. So far, out of 5000 customers, only one is really angry. I did remind him that we offer FormMail globally - and all he has to do is copy and paste one line of code into his form. Hopefully, he'll calm down when he realizes that!

--Tina

Perfecthost
03-15-2002, 03:52 PM
You might want to try making a rule that scripts can not be named "formmail". Many spammers take a "shot in the dark" at scripts called "formmail" because they know it is popular.

-Lamar

JustinK
03-15-2002, 04:21 PM
Ban it! Ban it! Ban it! ::hoping it works similar to saying "Beetlejuice" 3 times::

It's one of the most used and is therefore one of the most exploited scripts. Just logging into some of the chatrooms of the little aol programmers, you find them with their programs made for one purpose, finding formmail and then spamming through it. Heck, many of them even scroll detailed info on how many spammails they've sent out right to the chatroom. And of course we all know what AOL does about this right? For those of you who guessed nothing, you're absolutely correct!

The script is easy to use and even easier to turn against the user. It'd be best to make sure the name formmail didn't appear at all and to ban the use of at least that particular script.

getweb
03-15-2002, 05:04 PM
I'd be interested to know how people locked down the formmail scripts? Referrer checks don't work because the spam programs don't send the header, and the default action is to allow if it's missing. You could change that to only accept forms with a referrer header present, I suppose.

Anyway, what I did was have a central formmail.pl script, and then modified it to check recipients against a database before sending the email. So when my customers set up a form, they go to the control panel and just add their email address(es) to a list. If a form is posted, and the recipient isn't what the customer has specified, it throws a no-spam message and quits.
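The recipient check getweb describes, written out as an added example (this is not getweb's code or the FormMail script itself). It models a central form-to-mail handler that consults a per-customer list of registered recipient addresses before sending; the allow-list store, the customer id and the `recipient` field name are assumptions, and the sample data is constructed.

```python
"""Recipient allow-list check for a shared form-to-mail handler (added example)."""
import re

# Constructed sample: customer id -> addresses that customer registered in the
# control panel. A real deployment would load this from the host's database.
ALLOWED_RECIPIENTS = {
    "example-customer": {"sales@example.com", "support@example.com"},
}

# Exactly one bare address: no commas (multiple recipients), no whitespace,
# no CR/LF (mail-header injection), no angle brackets or display names.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def normalize_recipient(value):
    """Return the lowercased address, or None if the value is not a single clean address."""
    if value is None:
        return None
    value = value.strip()
    if "\r" in value or "\n" in value or "," in value:
        return None
    if not _ADDR_RE.match(value):
        return None
    return value.lower()


def recipient_allowed(customer, recipient, allowlist=ALLOWED_RECIPIENTS):
    """True only if the recipient is one the customer registered (case-insensitive)."""
    addr = normalize_recipient(recipient)
    if addr is None:
        return False
    return addr in {a.lower() for a in allowlist.get(customer, ())}


def handle_form(customer, fields):
    """Decide what the handler does with a submitted form.

    Returns ("send", address) or ("reject", reason). The referer header is
    deliberately not consulted: as the post notes, spam tools simply omit it.
    """
    addr = normalize_recipient(fields.get("recipient"))
    if addr is None:
        return ("reject", "malformed recipient")
    if not recipient_allowed(customer, addr):
        return ("reject", "recipient not registered for this account")
    return ("send", addr)


if __name__ == "__main__":
    # Constructed submissions: one legitimate, one attempting a foreign recipient.
    print(handle_form("example-customer", {"recipient": "support@example.com"}))
    print(handle_form("example-customer", {"recipient": "victim@other.example"}))
```

The decision lives in the handler rather than in the HTML form, so whatever a posted `recipient` field contains, mail only goes to addresses the account owner registered in advance.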

UmBillyCord
03-15-2002, 05:29 PM
We get people who sign up for service, then one week later we get Spam complaints showing an exploited Formmail script from their domain. The customer uploads some bogus web site, then uses FM to send his Spam and then says, "What, maybe someone exploited my script?". Sure, *someone* did - YOU!

Off topic, Tina, did you guys drop Windows hosting and dial up?

AH-Tina
03-15-2002, 05:34 PM
Originally posted by UmBillyCord
Off topic, Tina, did you guys drop Windows hosting and dial up?


Dialups weren't bringing in many new orders at all...not worth it.

Windows hosting...where do I begin? Three months of torturous hell comes to mind. :angry:

Seriously, we had more problems with the one Windows machine we had...than all of our Linux machines put together. No, it wasn't poor network admin - I was actually starting to think it was something we were doing wrong, so I hired 2 consultants and 1 Windows admin. The constant security patches and reboots were, as I found out, par for the course with Windows machines.

Not to mention the amount of tech support (ONE Windows server, mind you!!!!!!!) increased dramatically. I don't know why, but Windows customers seemed to require much more technical support.

After three months...I decided it wasn't getting any better and Windows hosting just wasn't for us.

--Tina

UmBillyCord
03-15-2002, 05:38 PM
Originally posted by AffordableHost



Dialups weren't bringing in many new orders at all...not worth it.

Windows hosting...where do I begin? Three months of torturous hell comes to mind. :angry:

Seriously, we had more problems with the one Windows machine we had...than all of our Linux machines put together. No, it wasn't poor network admin - I was actually starting to think it was something we were doing wrong, so I hired 2 consultants and 1 Windows admin. The constant security patches and reboots were, as I found out, par for the course with Windows machines.

Not to mention the amount of tech support (ONE Windows server, mind you!!!!!!!) increased dramatically. I don't know why, but Windows customers seemed to require much more technical support.

After three months...I decided it wasn't getting any better and Windows hosting just wasn't for us.

--Tina

Now that's funny. Not because of the results, but because we have been debating the Windows world entry for two years now. Then we hear from people like you, and we hold off to avoid the nightmare. Thanks. :)

What CP did you use? Do you think it was CP related or Windows related?

avara
03-15-2002, 05:54 PM
Apart from the customers who need full ASP support with Access databases, I do not believe that we lose many customers because we don't support Windows hosting. *nix is simply a much more stable solution.

By the way, I'm so fed up with the mess they call "Windows", I don't even use it at home on my PC anymore. Unix forever. :)

AlaskanWolf
03-15-2002, 06:39 PM
What is a good way of globally banning old formmails?

priyadi
03-15-2002, 07:52 PM
Originally posted by AlaskanWolf
What is a good way of globally banning old formmails?


# Deny any file whose name contains "formmail" (F-O-R-M-M-A-I-L) in any letter case
<FilesMatch "[Ff][Oo][Rr][Mm][Mm][Aa][Ii][Ll]">
Order deny,allow
Deny from all
</FilesMatch>

AlaskanWolf
03-15-2002, 08:47 PM
thanks!

and i take it i just flop that into my httpd.conf file?

priyadi
03-15-2002, 11:32 PM
Originally posted by AlaskanWolf
thanks!

and i take it i just flop that into my httpd.conf file?

I guess so... I haven't tested it though. And your customers need to know that you are banning formmail, otherwise they will be debugging their formmails like crazy :)

AlaskanWolf
03-16-2002, 01:50 AM
We already notified our customers a while back about using the version of Formmail found in cgi-sys.

Neo3Net
03-16-2002, 06:38 PM
Banning it altogether is not the best idea. Maybe bad older versions only, and periodically check the servers for older versions.

In your TOS put the following :

"We do not allow older versions of formmail.pl. If found, you will receive an email; if it is not responded to within 24 hours, we will delete it."

It shouldn't be that bad; just make sure you give people time to delete.

AH-Tina
03-16-2002, 08:12 PM
Originally posted by Neo3Net
Banning it altogether is not the best idea. Maybe bad older versions only, and periodically check the servers for older versions.

In your TOS put the following :

"We do not allow older versions of formmail.pl. If found, you will receive an email; if it is not responded to within 24 hours, we will delete it."

It shouldn't be that bad; just make sure you give people time to delete.


Yeah, that's exactly why I held off on banning it. I did exactly what you are suggesting for 4 months. Now, last week, we get hit TWICE with someone sending massive amounts of spam through customer-installed versions of formmail. It just isn't worth it.

--Tina

Neo3Net
03-16-2002, 09:17 PM
Ya.....Well I guess you have to be hit to learn a lesson. Anyway I think that FormMail.pl is a stupid and pointless script anyway. So much easier to use a simple php script.....Is there a FormMail.php?

LOL

Anyway seems like for now the only option is to ban it.

bitserve
03-17-2002, 03:36 AM
Originally posted by AffordableHost
...After three months...I decided it wasn't getting any better and Windows hosting just wasn't for us.

Woohoo, tina! Fighting the good fight! I'm on your side.

We have never even considered offering Windows hosting. I personally am more than happy to refer customers to some windows host if they really need it.

Anyway, how about a script that searches through all files in your user's cgi-bin directories ending with .pl and .cgi to see if they contain the string "FormMail", and not the string "1.9"?

We've had the problem where people renamed the script to something like "mail.cgi". The formmail finder scripts that the spammers are running are trying all kinds of names, and some may be smart enough to follow an action string to find it and test it.

AlaskanWolf
03-17-2002, 03:44 AM
Would be great if such a script could be created. I enabled the code on 2 of our servers and it works as expected. A step further would be to just find formmails with 1.x to 1.8, as those are the most insecure versions.

bitserve
03-18-2002, 08:12 AM
This is the best I could come up with. Not sure if the iregexp with find is faster than a -o -iname, but thought it might be.



perl -n0e 'unlink $ARGV if /formmail/i && !/1\.9/' `find /home/*/htdocs/cgi-bin -iregex '.*cgi$\|.*pl$'`



The path to my users' cgi-bin is /home/*/htdocs/cgi-bin, you need to modify the script if yours is different.
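A reporting version of the same scan, as an added example that is not bitserve's one-liner: it lists FormMail copies below a minimum version instead of deleting them, so the host can send the notice first and delete later, and it catches renamed copies such as "mail.cgi" because it looks at file contents rather than names. The `/home/<user>/htdocs/cgi-bin` layout is taken from the post above; the `.pl`/`.cgi` suffixes, the way the version string is recognised (a `Version N.N` line in the file), and the sample tree are assumptions constructed for the example.

```python
"""Report FormMail copies older than a minimum version under customer cgi-bin dirs (added example)."""
import os
import re
import tempfile

SCRIPT_SUFFIXES = (".pl", ".cgi")
MIN_SAFE_VERSION = (1, 9)  # the thread treats 1.9 as the patched release

# Assumed: the script announces itself with a line such as "# FormMail  Version 1.6".
_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)", re.IGNORECASE)


def classify_script(text):
    """None if the text is not a FormMail copy; else (major, minor), or (0, 0) when no version line exists."""
    if "formmail" not in text.lower():
        return None
    m = _VERSION_RE.search(text)
    if not m:
        return (0, 0)  # unknown version: treat as old so a human looks at it
    return (int(m.group(1)), int(m.group(2)))


def scan_cgi_dirs(root):
    """Walk <root>/<user>/htdocs/cgi-bin and return sorted [(relative path, version)] for old copies."""
    flagged = []
    for user in sorted(os.listdir(root)):
        cgi_dir = os.path.join(root, user, "htdocs", "cgi-bin")
        if not os.path.isdir(cgi_dir):
            continue
        for dirpath, _dirs, files in os.walk(cgi_dir):
            for name in sorted(files):
                if not name.lower().endswith(SCRIPT_SUFFIXES):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    version = classify_script(fh.read())
                # Tuple comparison means 1.92 ranks above 1.9, which a "1.9" substring test also
                # accepts, but a "1.10" would not be mistaken for something older than 1.9.
                if version is not None and version < MIN_SAFE_VERSION:
                    flagged.append((os.path.relpath(path, root), version))
    return flagged


def build_sample_tree():
    """Create a constructed /home-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="formmail-scan-")
    samples = {
        "alice/htdocs/cgi-bin/formmail.pl": "#!/usr/bin/perl\n# FormMail  Version 1.6\n",
        "bob/htdocs/cgi-bin/mail.cgi": "#!/usr/bin/perl\n# FormMail Version 1.8 (renamed copy)\n",
        "carol/htdocs/cgi-bin/FormMail.pl": "#!/usr/bin/perl\n# FormMail Version 1.92\n",
        "dave/htdocs/cgi-bin/counter.pl": "#!/usr/bin/perl\nprint \"hits\";\n",
        "erin/htdocs/cgi-bin/notes.txt": "FormMail Version 1.0 mentioned in a text file\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # On a real host you would pass "/home" instead of the constructed tree.
    for rel_path, ver in scan_cgi_dirs(build_sample_tree()):
        print("%s  FormMail %d.%d  (below %d.%d)" % ((rel_path,) + ver + MIN_SAFE_VERSION))
```

Run it from cron against `/home` and mail the list to the abuse desk; the delete step can then be a separate, deliberate action after the notice period rather than part of the scan.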

Mirage-ISP
03-18-2002, 09:33 AM
Originally posted by Neo3Net
So much easier to use a simple php script.....Is there a FormMail.php?



Yes there is
http://www.lumbroso.com/scripts/formmail.php

jucebro
03-18-2002, 02:38 PM
Originally posted by queensoul


Yes there is
http://www.lumbroso.com/scripts/formmail.php

This php formmail still allows you to specify the "recipients" variable in the html form. Wouldn't people be able to use it to spam still?

danushman
03-18-2002, 06:41 PM
As the Site5 support staff will verify, we had some issues on our servers with FormMail and spammer abuse. We patched it and they somehow managed to find other copies on other accounts on our box. I think we have them all now, though.

I say don't ban it -- but definitely require that it is up to date.

AH-Tina
03-18-2002, 06:43 PM
Originally posted by Refsoft
I say don't ban it -- but definitely require that it is up to date.


Been there, done that...didn't work. We've tried to be accommodating on this issue but customers aren't understanding the problem. A complete ban on formmail seems to be the only recourse.

--Tina

danushman
03-18-2002, 06:50 PM
Originally posted by AffordableHost



Been there, done that...didn't work. We've tried to be accommodating on this issue but customers aren't understanding the problem. A complete ban on formmail seems to be the only recourse.

--Tina

Another good call would be to simply run a cron job that scans for formmail.pl and copies over a secure version if an out-of-date one is working.. I don't want to think about the detailed technicalities, though.

Whatever you do, good luck..