Possible formmail hijacking

How do I stop it?

Kenton

10:45 am on Mar 14, 2006 (gmt 0)

10+ Year Member



Hi

I kept getting junk sent via one of my formmail (widgets.htm) pages. I
assumed it was robots and so rewrote the page as PHP (widgets.php) that
included a captcha check.

I still kept getting the formmail messages from the widgets.htm page.

So I did a 401 redirect from the .htm to the .php

I still kept getting the formmail messages from the widgets.htm page.

I deleted the .htm page and still keep getting them.

Here is the (munged) header from the email

Return-Path: <dhapache@example.com>[i]my host[/i]
X-Original-To: [i]my email address[/i]
Delivered-To: [i]my email mailbox[/i]
Received: from [i]some host[/i] (example.example.com [i]one of my host's
servers[/i][#*$!.#*$!.xxx.xxx][i]my host's ip address[/i])
by mail.example.com (Postfix) with ESMTP id BBA4F11FE72
for <[i]my email address[/i]>; Sun, 12 Mar 2006 01:27:01 -0800 (PST)
Received: by [i]some host[/i] (Postfix, from userid 999)
id A5D329800E; Sun, 12 Mar 2006 01:27:01 -0800 (PST)
Received: from [xxx.xxx.xx.xx] [i]spammers IP[/i]
by formmail.example.com (NMS FormMail 3.14c1)
with HTTP; Sun, 12 Mar 2006 09:27:01 GMT
(script-name /cgi-bin/formmail.cgi)
(http-host formmail.example.com)
(http-referer http://www.example.com/widgets.htm[i]my deleted formmail page[/i])
X-Mailer: NMS FormMail 3.14c1
To: [i]my email address[/i]
From: [i]spammer's supposed email address[/i] (Mike)
Subject: Reciprocal Link
Message-Id: <20060312092701.A5D329800E@peon0034>
Date: Sun, 12 Mar 2006 01:27:01 -0800 (PST)

My host suggests that someone has hijacked my PHP script, but this was occurring before I brought in the PHP captcha script.

Can anyone tell me what is happening?

Thanks
Kenton

Jon_King

12:43 pm on Mar 14, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This has been reported much in the last couple of weeks. Pretty much an easy way to stop the vast majority is to ensure your form is not processed unless it is submitted through only your site(s).

Probably the most popular email script to handle this is Matt's email script. Search that and by using it you'll find parameters for allowable domains; if it is not from one of these allowable domains, it doesn't run. There are ways around it but it works most of the time.
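
One way to apply the allowable-domains idea from a defender's side, as an added example (not Matt's script, NMS FormMail's code, or anything posted in this thread): a Python triage that parses the trace fields NMS FormMail writes into its Received: header (script-name, http-host, http-referer, as in the munged header above) and rejects submissions whose referer is off the allowed list or names a form page that no longer exists. The domain list, live-page list and sample header are constructed; note that the referer is supplied by the submitter, which is why this cuts the bulk but not all of it.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: domains whose pages may submit to the form handler.
ALLOWED_DOMAINS = {"www.example.com", "example.com"}
# Constructed list of form pages that actually exist on the site. A referer
# naming a deleted page (widgets.htm in the thread) means the submitter wrote
# the Referer header itself rather than following a real page.
LIVE_FORM_PAGES = {"/widgets.php"}

# Trace fields NMS FormMail appends to its Received: line, e.g. "(http-host x)".
_FIELD_RE = re.compile(r"\((script-name|http-host|http-referer) ([^)]*)\)")
# "Received: from [ip] by host (NMS FormMail ...)" gives the submitting IP.
_SOURCE_RE = re.compile(r"Received: from \[([0-9.]+)\]\s+by \S+ \(NMS FormMail [^)]*\)")

# Constructed sample header modelled on the one posted; 203.0.113.7 is a
# documentation address standing in for the submitter's IP.
SAMPLE_HEADER = """\
Received: from [203.0.113.7]
 by formmail.example.com (NMS FormMail 3.14c1)
 with HTTP; Sun, 12 Mar 2006 09:27:01 GMT
 (script-name /cgi-bin/formmail.cgi)
 (http-host formmail.example.com)
 (http-referer http://www.example.com/widgets.htm)
X-Mailer: NMS FormMail 3.14c1
Subject: Reciprocal Link
"""

def parse_formmail_trace(headers: str) -> dict:
    """Pull the NMS FormMail trace fields and source IP out of a raw header block."""
    info = {m.group(1): m.group(2).strip() for m in _FIELD_RE.finditer(headers)}
    src = _SOURCE_RE.search(headers)
    info["source-ip"] = src.group(1) if src else None
    return info

def classify_submission(headers: str) -> dict:
    """Decide accept/reject for one mail based on where the form claims to come from."""
    info = parse_formmail_trace(headers)
    url = urlparse(info.get("http-referer", ""))
    reasons = []
    if not info.get("http-referer"):
        reasons.append("no referer")
    elif url.hostname not in ALLOWED_DOMAINS:
        reasons.append(f"referer domain {url.hostname!r} not allowed")
    elif url.path not in LIVE_FORM_PAGES:
        reasons.append(f"referer names non-existent page {url.path!r}")
    info["verdict"] = "reject" if reasons else "accept"
    info["reasons"] = reasons
    return info

if __name__ == "__main__":
    print(classify_submission(SAMPLE_HEADER))
```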

Kenton

2:50 am on Mar 15, 2006 (gmt 0)

10+ Year Member



Thanks Jon

I had seen some of this stuff but my host uses NMS FormMail 3.14c1 and so I thought this would have been OK.

I don't have my own formmail script.

I'm still at a loss as to what I'm supposed to do.

Kenton

rainborick

4:20 pm on Mar 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Shot in the dark...

Make sure you have also deleted the NMS formmail.cgi script file from your server. There are references in the EMail header that you posted that refer to the formmail.cgi script, not your PHP script.

Jon_King

4:46 pm on Mar 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



rainborick is right, make sure that original script is moved or removed. I will also say I played around with escape sequences for form fields and to/from addresses and have not found a single instance where the scrapers parsed it correctly and hence the script wouldn't run. Search 'script encoders', there's plenty of free ones out there, i.e. encode key parts of the form. I tested several for compatibility between browsers and you can sticky me for the one I use if you wish.

Kenton

10:18 am on Mar 20, 2006 (gmt 0)

10+ Year Member



Hi, Thanks.

rainborick, I can't delete the formmail script as it's my host's. I have never installed a formmail script. My host says it's my fault (no support for 3rd party scripts).

I thought that NMS Formmail was secure anyway?
