  1. #1

    Question Insecure FormMail.pl, need a form script

    I'm using Matt Wright's FormMail.pl CGI script, but it is an insecure contact form:

    http://www.monkeys.com/formmailer/about.html

    Both old versions and even the latest version of the FormMail.pl script are a very bad thing to have installed anywhere on any of your web servers.
    I need to switch to a better solution, so I'd appreciate some advice...

  2. #2
    Join Date
    Oct 2002
    Location
    /roof/ledge
    Posts
    28,090
    Here's a nice one: http://www.dagondesign.com/articles/...mailer-script/

    Takes a little playing with to configure, but it's darn good.
    Your one stop shop for decentralization

  3. #3
    Quote: Originally Posted by bear
    Here's a nice one: http://www.dagondesign.com/articles/...mailer-script/

    Takes a little playing with to configure, but it's darn good.
    Thanks, looking into it right now... I notice a lot of features...

  4. #4
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,849
    If you'd prefer a direct replacement for Matt's formmail, the nms version is secure and well-written.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  5. #5
    Join Date
    Jan 2006
    Location
    Athens, Greece
    Posts
    1,481
    I have heard many times about the exploits on this form. Shouldn't that guy call it quits with MailForm? Anyway

  6. #6
    Matt did stop developing these scripts some years back, and now recommends the nms versions. I think the problem is that they were so popular in their day that there are still many old ones floating around...
    Chris

  7. #7
    I'm using NMS FormMail Version 3.11c1 in all my forms....

    Description: someone is sending messages to my cell from an account anabelle@xxxx.com. Please do not send anything to my cell because I'm being charged for those messages.
    I received this notification early today, and I'm trying to figure out what kind of exploit it is.
    I checked the NMS form, which may be the cause. I still do not have a header of a spam email. As a first step, I disabled the forms while gathering clues.

    Advice is always appreciated

  8. #8
    It's impossible to tell if the spam originated from that form script without seeing the headers. More likely someone is faking the origin of the messages instead.

    I'd used the NMS version until fairly recently when a few sites were being spammed mercilessly by someone (or more than one) that had been submitting automatically to it. Sure, it wasn't sending out to anyone but the hard coded recipients....but they were getting harassed daily by it. Switched to PHP, and captcha, no more issue.

  9. #9
    Spammers almost invariably spoof the sender - you need the messages before concluding anything. If they are coming from your formmail program, check the config - it should only send to addresses explicitly allowed there.

    Edit:
    I'd used the NMS version until fairly recently when a few sites were being spammed mercilessly by someone (or more than one) that had been submitting automatically to it. Sure, it wasn't sending out to anyone but the hard coded recipients....but they were getting harassed daily by it.
    Me too, but I added a captcha to nms formmail.
    Chris

  10. #10
    <<why not>> make your own..<<snipped>>
    This is simple: make an HTML form with the GET or POST method, set it to sendmail.php (or whatever you name your PHP file), and then make a PHP page to validate the inputs and send the email, EZ PZ stuff.

    GG
    Last edited by bear; 01-02-2008 at 09:37 PM.
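
Added example, not part of the thread: a minimal sendmail.php of the kind post #10 describes, with the recipient fixed server-side (the hard-coded recipients point from #8 and #9) and line breaks rejected before any submitted value reaches a mail header. The field names and both addresses are assumed placeholders.

```php
<?php
declare(strict_types=1);
// sendmail.php: added example, not code posted in the thread.
// Field names and both addresses are placeholders assumed for this sketch.

const RECIPIENT = 'webmaster@example.com'; // fixed server-side, never read from the form
const FROM_ADDR = 'forms@example.com';     // a mailbox on the site's own domain
const MAX_BODY  = 5000;

/** Returns [errors, clean]; send only when errors is empty. */
function check_submission(array $in): array
{
    $errors = [];
    $clean  = [];
    foreach (['name', 'email', 'message'] as $field) {
        $value = $in[$field] ?? '';
        // name[]=x style parameters arrive as arrays; treat them as missing.
        $clean[$field] = is_string($value) ? trim($value) : '';
    }
    // email goes into the Reply-To header. A CR or LF there would let a
    // submitter append headers such as Bcc:, so reject it outright.
    // name is a single-line field and gets the same check.
    foreach (['name', 'email'] as $field) {
        if (preg_match('/[\r\n]/', $clean[$field])) {
            $errors[] = "$field contains a line break";
        }
    }
    if ($clean['name'] === '' || strlen($clean['name']) > 100) {
        $errors[] = 'name is required (max 100 bytes)';
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($clean['message'] === '' || strlen($clean['message']) > MAX_BODY) {
        $errors[] = 'message is required (max ' . MAX_BODY . ' bytes)';
    }
    return [$errors, $clean];
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$errors, $clean] = check_submission($_POST);
    header('Content-Type: text/plain; charset=utf-8');
    if ($errors) {
        http_response_code(400);
        exit(implode("\n", $errors) . "\n");
    }
    $headers = ['From' => FROM_ADDR, 'Reply-To' => $clean['email']];
    $body = "Name: {$clean['name']}\n\n{$clean['message']}";
    $ok = mail(RECIPIENT, 'Contact form message', $body, $headers);
    http_response_code($ok ? 200 : 500);
    echo $ok ? "Message sent.\n" : "Could not send message.\n";
}
```

As post #8 notes, a fixed recipient does not stop automated submissions to that recipient; that is what the captcha mentioned in #8 and #9 addresses.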
