homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Code, Content, and Presentation / Perl Server Side CGI Scripting
Forum Library, Charter, Moderators: coopster & jatar k & phranque

Perl Server Side CGI Scripting Forum

Possible formmail hijacking
How do I stop it?

 10:45 am on Mar 14, 2006 (gmt 0)


I kept getting junk sent via one of my formmail (widgets.htm) pages. I
assumed it was robots and so rewrote the page as PHP (widgets.php) that
included a captcha check.

I still kept getting the formmail messages from the widgets.htm page.

So I did a 401 redirect from the .htm to the .php

I still kept getting the formmail messages from the widgets.htm page.

I deleted the .htm page and still keep getting them.

Here is the (munged) header from the email
Return-Path: <dhapache@example.com>[i]my host[/i]
X-Original-To: [i]my email address[/i]
Delivered-To: [i]my email mailbox[/i]
Received: from [i]some host[/i] (example.example.com [i]one of my host's
servers[/i][#*$!.#*$!.xxx.xxx][i]my host's ip address[/i])
by mail.example.com (Postfix) with ESMTP id BBA4F11FE72
for <[i]my email address[/i]>; Sun, 12 Mar 2006 01:27:01 -0800 (PST)
Received: by [i]some host[/i] (Postfix, from userid 999)
id A5D329800E; Sun, 12 Mar 2006 01:27:01 -0800 (PST)
Received: from [xxx.xxx.xx.xx] [i]spammers IP[/i]
by formmail.example.com (NMS FormMail 3.14c1)
with HTTP; Sun, 12 Mar 2006 09:27:01 GMT
(script-name /cgi-bin/formmail.cgi)
(http-host formmail.example.com)
(http-referer http://www.example.com/widgets.htm[i]my deleted formmail page[/i])
X-Mailer: NMS FormMail 3.14c1
To: [i]my email address[/i]
From: [i]spammer's supposed email address[/i] (Mike)
Subject: Reciprocal Link
Message-Id: <20060312092701.A5D329800E@peon0034>
Date: Sun, 12 Mar 2006 01:27:01 -0800 (PST)

My host suggests that someone has hijacked my php script, but this was occuring before I brought in the php captcha script.

Can anyone tell me what is happening?




 12:43 pm on Mar 14, 2006 (gmt 0)

This has been reported much in the last couple of weeks. Pretty much an easy way to stop the vast majority is to ensure your form is not processed unless it is submitted through only your site(s).

Probably the most popular email script to handle this is Matt's email script. Search that and by using it you'll find parameters for allowable domians, if it is not from one of these allowable domains, it doesn't run. There are ways around it but it works most of the time.


 2:50 am on Mar 15, 2006 (gmt 0)

Thanks Jon

I had seen some of this stuff but my host uses NMS FormMail 3.14c1 and so I thought this would have been OK.

I don't have my own formmail script.

I'm still at a loss as to what I'm supposed to do.



 4:20 pm on Mar 17, 2006 (gmt 0)

Shot in the dark...

Make sure you have also deleted the NMS formmail.cgi script file from your server. There are references in the EMail header that you posted that refer to the formmail.cgi script, not your PHP script.


 4:46 pm on Mar 17, 2006 (gmt 0)

rainborick is right, make sure that original script is moved or removed. I will also say I played around with escape sequences for form fields and to/from addresses and have not found a single instance where the scrapers parsed it correctly and hence the script wouldn't run. Search 'script encoders', there's plenty of free ones out there. i.e. Encode key parts of the form. I tested several for compatibility between browers and you can sticky me for the one I use if you wish.


 10:18 am on Mar 20, 2006 (gmt 0)

Hi, Thanks.

rainboric, I can't delete the formmail script as it's my host's. I have never installed a formmail script. My host says it's my fault (no support for 3rd party scripts)

I thought that NMS Formmail was secure anyway?

Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / Perl Server Side CGI Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved