Web Hosting Talk
Thread: public formmail


amit290
05-20-2002, 05:29 AM
This is probably not the right forum/board to be asking this but here goes........

I've set up formmail.pl (the popular Matt's FormMail) and it works great. I want to make it available as a script all my web hosting clients can use. I've been able to make a public cgi directory (via ScriptAlias in httpd.conf) but now I've got a small problem getting the script to email anyone on my server.

All my users will access the cgi script via:
http://www.domain.com/cgi-pub/formmail

That's not a problem. The problem is sending the email. Because of the way @recipients works, I can't make it so anyone@domain2.com receives emails...... it says bad recipients.

Has anyone found a way around this?

thx

LinuXpert
05-20-2002, 06:20 AM
You should not use FormMail unless you want to attract spammers.

amit290
05-20-2002, 06:38 AM
:o

What's the alternative...... which can be made public?

LinuXpert
05-20-2002, 09:19 AM
You can use FormMail but you must rewrite it so that only clients with a username and password can use it. But what's the problem with @recipients? I don't use FormMail and I don't recommend you use Matt's FormMail (so ugly). You may find some useful scripts at http://resourceindex.com or http://hotscripts.com.
Good luck.

ellebi
05-20-2002, 01:33 PM
You can check nms Scripts at http://nms-cgi.sourceforge.net/
There are drop-in replacements for Matt's Scripts. It means that most of the time you can override Matt's Scripts with the NMS ones without having to rewrite the forms in your HTML pages, and they provide better security for sure.

Ivan
06-07-2002, 05:44 AM
Originally posted by amit290
This is probably not the right forum/board to be asking this but here goes........

I've set up formmail.pl (the popular Matt's FormMail) and it works great.

I wouldn't use Matt's FormMail if I were you. I was using it, and it has security problems. A couple of weeks ago, some spammer started using mine, and was just sending spam to mostly made-up email addresses, I guess in hopes that a few of them would be valid. Anyway, for all the ones that weren't valid, the bounces came back to me, and I got hundreds per day.
Here is a file with the particulars on Matt's FormMail vulnerabilities:
http://www.monkeys.com/anti-spam/formmail-advisory.pdf

I then installed this one:
http://nms-cgi.sourceforge.net

The weird thing is that even after I replaced Matt's formmail.pl with nms FormMail, the bounces kept coming. I checked my Aris/snort logs, and it said I had another Matt's FormMail attack, so I looked through my sites and I found another copy of the file in a directory that I never even use. I just happened to upload it there a few months ago and forgot about it.
It so happened that this was the one the spammers were using. I have no idea how they found it on my server when I didn't even know it was there. They must have a bot that searches for them.
The a$$holes that were spamming are these guys: http://www.getphentermine.com

Toska
06-08-2002, 05:36 PM
Originally posted by Ivan

The weird thing is that even after I replaced Matt's formmail.pl with nms FormMail, the bounces kept coming. I checked my Aris/snort logs, and it said I had another Matt's FormMail attack, so I looked through my sites and I found another copy of the file in a directory that I never even use.

When I recently browsed my logs I found GET requests to formmail.pl with the proper options to send emails with the site's name to an AOL account.

So there are definitely script-kiddy tools available which will browse the net for sites which run formmail.pl either at http://www.domainname.com/formmail.pl or http://www.domainname.com/cgi-bin/formmail.pl and then email the location back to a third party for later abuse.

formmail.pl (and some drop-in replacements) is not only vulnerable to being fed with crap through POST, but also through GET requests.

I wouldn't recommend a specific script, but by all means I recommend the following additional precautions which such a script should meet:

- The name shouldn't be formmail.pl

- The script should deny all GET requests

- POST requests with an $HTTP_REFERER not matching your domain name should be denied.

- The script should only send emails to a hard-coded recipient email address
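The last three precautions above, written out as a small Perl CGI front end. This is an added example, not code from the thread, from Matt's FormMail or from the nms scripts; the recipient address, the allowed hostnames and the sendmail path are assumptions to be replaced with your own.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI qw(:standard);

# Taint mode requires a clean environment before we pipe to sendmail.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';

# Assumed values: the only address this copy may mail, and the hosts
# whose pages are allowed to submit to it (checked against the Referer).
my $RECIPIENT              = 'webmaster@example.com';
my @ALLOWED_REFERER_HOSTS  = ('www.example.com', 'example.com');
my $SENDMAIL               = '/usr/sbin/sendmail';   # assumed path

# Returns true only if the Referer URL's host is in the allow list.
sub referer_allowed {
    my ($referer) = @_;
    return 0 unless defined $referer;
    my ($host) = $referer =~ m{^https?://([^/:]+)}i or return 0;
    $host = lc $host;
    return scalar grep { $_ eq $host } @ALLOWED_REFERER_HOSTS;
}

# Deny all GET requests: the scanners described in this thread use GET.
if (($ENV{REQUEST_METHOD} || '') ne 'POST') {
    print header(-status => '405 Method Not Allowed'), "POST only\n";
    exit;
}

# Deny POSTs whose Referer is not one of our own pages.
unless (referer_allowed($ENV{HTTP_REFERER})) {
    print header(-status => '403 Forbidden'), "Form must be submitted from this site\n";
    exit;
}

# Any 'recipient' field in the form is ignored; the address is hard coded.
# Strip CR/LF from values that end up in headers so no extra headers can be added.
my $subject = param('subject') || 'Web form submission';
my $from    = param('email')   || 'anonymous@example.com';
s/[\r\n]//g for ($subject, $from);

open(my $mail, '|-', "$SENDMAIL -t -oi") or die "cannot run sendmail: $!";
print $mail "To: $RECIPIENT\nReply-To: $from\nSubject: $subject\n\n";
print $mail "$_: ", (param($_) // ''), "\n" for grep { $_ ne 'recipient' } param();
close $mail;

print header(), "Thank you, your message has been sent.\n";
```

Renaming the script (the first precaution) is done at deploy time; the file name in the form's action attribute is the only thing that has to match.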

Cephren
06-08-2002, 09:06 PM
I would certainly rename FormMail.pl to something else when using it. Spammers search for formmail.pl, formail.pl, FormMail.pl
Formmail.cgi etc on the web to spam off of.

Rename it something very different and it will lower your chances of being spammed off of when you offer it to your clients.