Web Hosting Talk







Who bans Formmail.pl?


NexDog
05-07-2002, 09:08 PM
Just wanted some feedback from other hosts on this script. No matter how hard we try and keep our clients informed of the latest updates to this script, we still get v1.6 and 1.9s sneaking onto the servers.

One spam attack on Yahoo almost killed qmail and the queue had to be squashed as Yahoo banned the IP on that server but the mail server still tried to send the spam. This had the effect of closing down the mail server as qmail attempts to process the email 3 times before dumping it.

Luckily Yahoo have since reinstated the IP but spam is still running through one server because of Formmail. Version 1.92 isn't even secure and that's the latest.

Under our advice, many clients have been prudent and renamed the script to hide from those malevolent spiders. But we are thinking of banning this script completely. Has anyone gone down this road and did your clients understand? It's in no-one's interest if all IPs get blacklisted but a lot of people seem to think it's just the host's problem.

coight
05-07-2002, 09:11 PM
We do, anyone that has it we suspend their account. There was a thread about it a couple of days ago on a totally unrelated thread topic.

carolinahosting
05-07-2002, 09:26 PM
I can see where the older version could have some problems. But, the version I am using for my clients is very secure. The script has to have a referral in the script file and on the HTML document. If the two do not match up then the email is not sent. Also, the email can only go to the person designated in the script. It might be a good idea to offer a pre-installed version where you can regulate which version gets installed for security reasons. If your web server user directory is set up similarly for each user I could write you a quick install program...
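
Added example, not part of the thread and not FormMail or NMS code: the checks described in the post above (referer match, recipient fixed on the server) written out in Python, extended with a single-line check on fields that end up in mail headers. The names `RECIPIENTS`, `ALLOWED_REFERER_HOSTS`, `recipient_key` and the example.com addresses are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample configuration (hypothetical names): the form posts a
# short key, and the address it maps to exists only on the server.
RECIPIENTS = {"sales": "sales@example.com", "support": "support@example.com"}
ALLOWED_REFERER_HOSTS = {"example.com", "www.example.com"}
HEADER_BREAK = re.compile(r"[\r\n]")
ADDRESS = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


class Rejected(Exception):
    """Raised with a short reason when a submission must not be mailed."""


def build_message(form, referer):
    """Validate one submission; return (recipient, headers, body)."""
    # 1. Referer must name one of our own hosts. The header is supplied by
    #    the client, so this filters casual misuse only; the recipient
    #    lookup below is the control that prevents relaying.
    try:
        host = (urlsplit(referer or "").hostname or "").lower()
    except ValueError:
        host = ""
    if host not in ALLOWED_REFERER_HOSTS:
        raise Rejected("referer")

    # 2. Recipient is looked up server-side; any address in the form is ignored.
    key = form.get("recipient_key", "")
    if key not in RECIPIENTS:
        raise Rejected("recipient")

    # 3. Values copied into mail headers must be single-line, and the
    #    visitor's address must be exactly one plain address.
    subject = form.get("subject", "")
    reply_to = form.get("email", "")
    if HEADER_BREAK.search(subject) or HEADER_BREAK.search(reply_to):
        raise Rejected("header")
    if not ADDRESS.fullmatch(reply_to):
        raise Rejected("email")

    headers = {"To": RECIPIENTS[key], "Reply-To": reply_to, "Subject": subject[:120]}
    return RECIPIENTS[key], headers, form.get("message", "")
```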

jayglate
05-07-2002, 09:30 PM
Pegasus has located a SECURE version of formmail you can get it from http://nms-cgi.sourceforge.net/ ENJOY!!


<< mod edit : altered the URL to the script directly, rather than the hosts website.. - kunal >>

weeps
05-07-2002, 10:57 PM
I currently have it banned on my servers.
It brings in way too many spammers.

DCSNetwork
05-08-2002, 05:57 AM
jayglate> some excellent info there, thanks for the tip :)

NexDog
05-08-2002, 10:33 AM
Thanks everyone. Time to update the TOS and break the news I guess.......

Everyday
05-08-2002, 11:16 AM
The real question here is what to use in its place?

I'm all for banning it. I just went through hell yesterday with a spam problem, luckily for everyone but the customer they are on a VPS so it didn't affect anyone else. If you ban it you have to find a replacement for it.

alohahosts
05-08-2002, 01:11 PM
We ban it as well. We only allow the secure version of formmail.. and I have the formmail set up so that I am the only one who can change the variables.

Adds a lot of work for me, but lets me rest knowing that a client isn't opening up the script for spammers.

Speakerguy
05-08-2002, 04:27 PM
I have it renamed to x19mail-send9291.jpg.pl and pre-installed for all the people I host.

That seems to keep the bots away =D

I don't host many people though, only 8 to be exact (I'm not a webhost, it's just friends), so I wouldn't know about installing it across multiple accounts, as I manually installed it for them...