Web Hosting Talk







How to test formmail scripts for open relay?


nudetravel
06-12-2002, 01:05 PM
Does anyone know of a website or piece of software (like the test at www.abuse.net/relay.html ) to test formmail scripts to ensure they are secure?

No, I don't want to spam anyone....I run 3 different scripts on two servers and want to make sure I don't get attacked.

Thxs

bbi-linux
06-12-2002, 01:35 PM
Open your FormMail.pl in Notepad: if it says 1.6 or less, it's an open relay; if it says 1.9, it's OK :)

nudetravel
06-12-2002, 01:41 PM
Thanks bbi - but I am not just using Matt's formmail - I use different formmail scripts for different purposes (some send autoreplies, some talk to majordomo, etc), and I do have the latest versions that check http headers, but I have heard there are some ways around that?

AlaskanWolf
06-12-2002, 04:35 PM
Actually, 1.9 also has serious flaws and holes in it.

skylab
06-12-2002, 05:01 PM
This is an informative page.

http://www.monkeys.com/anti-spam/filtering/formmail.html



SpamPal (cool application so far!) uses this list to filter your mail for spam sent from open formmail relays.

apollo
06-13-2002, 03:00 PM
Write your own using PHP, for example. It's easy and fast (well, maybe not that customizable etc., but if you need it for your own web site - no problem).

mail() for php :) hint hint :)

skylab
06-13-2002, 03:04 PM
http://php.resourceindex.com/Complete_Scripts/Form_Processing/

hostrack
06-14-2002, 09:47 PM
If you have a server and run web hosting on it, and you have several clients that just will not get rid of their FormMail scripts because they are just too lazy to find a different way of handling forms, I have written a script that will chmod those scripts useless every day. Just cut and paste this into your cron.daily folder and chmod it 755.

Now every time this script is run on your server it will change the permissions on all the formmails located in your /home folder.

If your home folder is in a different location then just change the "sed" line to match the folder they are in.

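#!/bin/sh
# Remove the execute bit from every FormMail script under /home.
# Run daily as root from cron.daily.
#
# Each path found is handed to chmod as one quoted argument rather than
# being written into a generated script in /tmp, so a crafted file name
# cannot run commands and no predictable temp file is needed.
# locate -i also matches FormMail.pl; locate only knows about files that
# were present the last time updatedb ran.

{ locate -i formmail.pl ; locate -i formmail.cgi ; } |
sed -n '/^\/home\//p' |
while IFS= read -r script ; do
    # Skip symlinks so chmod is never redirected to another file
    if [ -f "$script" ] && [ ! -L "$script" ] ; then
        chmod 644 -- "$script"
    fi
done

##end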

This should give them a hint that every time they try to upload it and get it working again with an old version or a version that is not set up right, it will render it useless.

Good Luck..

Rochen
06-14-2002, 10:27 PM
We have banned formmail.pl; one site got exposed and 40,000 emails were sent through the system.

We use a custom-made PHP script on our own site. As said above, it is very easy to create :) Just make sure you hard-code the "to" address into the PHP or it can be exploited much more easily.
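
What the advice above to hard-code the "to" address looks like in a PHP handler built on mail(), as an added example that is not from the thread or from any poster's script. The addresses and the form field names (subject, email, message) are assumptions.

```php
<?php
// Added example, not code from the thread. RECIPIENT, SENDER and the
// form field names (subject, email, message) are assumptions.
const RECIPIENT = 'webmaster@example.com'; // fixed: never taken from the request
const SENDER    = 'forms@example.com';     // fixed From address on the site's own domain
// Return the trimmed value, or null if it is empty, too long, or contains a
// line break (which would let the sender append extra mail headers).
function header_safe(string $value, int $max = 200): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $max || preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

// Turn a submitted form into the four arguments for mail(), or null to reject.
function build_message(array $post): ?array
{
    foreach (['subject', 'email', 'message'] as $field) {
        if (!is_string($post[$field] ?? null)) {
            return null;                   // missing field or array-valued input
        }
    }
    $subject = header_safe($post['subject']);
    $email   = header_safe($post['email']);
    $body    = trim($post['message']);
    if ($subject === null || $email === null || $body === ''
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Fields such as "recipient", "to", "cc" or "bcc" in $post are never read.
    $headers = 'From: ' . SENDER . "\r\n" . 'Reply-To: ' . $email;
    return [RECIPIENT, '[web form] ' . $subject, $body, $headers];
}

if (PHP_SAPI === 'cli') {
    // Constructed submissions: the second adds its own recipient and a line break in the subject.
    $ok  = ['subject' => 'Hi', 'email' => 'a@example.org', 'message' => 'Hello'];
    $bad = ['recipient' => 'x@example.net', 'subject' => "Hi\r\nX-Test: 1"] + $ok;
    var_dump(build_message($ok)[0] === RECIPIENT, build_message($bad) === null);
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $msg = build_message($_POST);
    if ($msg === null) {
        http_response_code(400);
        exit('Invalid submission');
    }
    echo mail(...$msg) ? 'Sent' : 'Mail could not be sent';
}
```

Run from the command line, the script only exercises build_message() on the two constructed submissions and sends no mail.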