This takes me a bit out of my depth... can anyone offer some experience or knowledge regarding the use of FormMail? It is a pretty popular form handler and I for one would like to know if it (or some versions at least) has some security problems.
-----------------------------------------------------
"Just touching base with you re a problem we had with our email yesterday. To cut a long story short, we were getting inundated with returned emails. After discussing the problem with xxxxxx it turned out we were getting spammed through our website's booking/enquiry form.
We were apparently running an older version of FormMail (1.6) which had a security 'hole' allowing them to use us to spam. xxxxx were great and updated the formmail to version 1.9 and, fingers crossed, it looks like we're fixed."
------------------------------------------------------
You can protect yourself in several ways:
1) rename the formmail.cgi file to something obscure, and be sure to change your code as well.
2) don't use formmail - since you already have server-side processes going on, investigate some type of ASP or PHP mail where your code can't be viewed and hacked.
3) use a later version of FormMail which has security against spammers. You can specify which domains can send mail, and if it's not from yours, it will fail.
Sorry you had the problem!
"it looks like we're fixed"
Some of the fixes, in addition to what txbakers noted, and not necessarily in any order should be:
1. method should be only POST. (this won't stop them, but it stops a bunch of them)
2. change the name of the variables from standards like 'recipient', to something obscure.
3. the only recipient should be yourself, and no multiple email addresses. I've talked about this issue before. I think that the next attack will be against (send this page to a friend) type emails. In this case, the recipient can be anyone, and if the script allows a message, it's just the same problem as formmail.pl.
4. The crackers leave their own email in your logs. Look for recipient=joeblow@yahoo.com in the query string. If the GET to formmail is successful, the message is sent to them and they now know a usable website to spam from. Report anything you see like this to abuse@theirisp.com.
Put your email address hard coded into the script, not as a hidden field in the form.
If people have already used your script for spam, I would also change the code to check the email address is either your own or has not been supplied before sending any mail. Otherwise you'll get 100,000 spam emails to yourself! ;)
(and no-one needs that much viagra, or that many diplomas!)
I beg to differ - putting something that looks like an email address *anywhere* on a webpage pretty much guarantees that when an email-scraper hits that page it will spot the address.
The fact that you haven't said "mailto:" before you use the address will only stop the cheapest and most useless of email scrapers, the rest will just use regular expressions to scan the text of the page - when they spot something which *might* be an email they can grab it and test it later.
Aside from that the advice given seems spot on...
- Tony
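The log check from point 4 above (look for recipient= in the query string) together with the POST-only and locked-recipient advice, turned into a small audit over web server access logs. This is an added example, not code from the thread or from FormMail itself; the log lines are constructed, and the script name, the allowed-domain set and the recipient field name are assumptions that follow the thread's description.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2003:13:55:36 +0000] "GET /cgi-bin/formmail.cgi?recipient=joeblow%40example.net&subject=hi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Oct/2003:14:01:02 +0000] "POST /cgi-bin/formmail.cgi HTTP/1.1" 200 488 "http://www.example.com/contact.html" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2003:14:02:10 +0000] "GET /cgi-bin/formmail.cgi?recipient=sales%40example.com&subject=hi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Oct/2003:14:05:44 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def audit_formmail_log(log_text, allowed_domains, script_names=("formmail.cgi", "formmail.pl")):
    """Return one finding per suspicious request to the mail script (assumed names above).

    A request is flagged when it reaches the script with anything other than POST
    (the thread's advice is POST only), or when a recipient parameter in the query
    string names a domain outside allowed_domains, i.e. someone trying to relay
    mail through the form to an address of their own. The recipient value is what
    you would quote in an abuse report.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path.rsplit("/", 1)[-1] not in script_names:
            continue
        recipients = parse_qs(parts.query).get("recipient", [])  # %40 is decoded to @
        reasons = []
        if m["method"] != "POST":
            reasons.append("non-POST request to mail script")
        for addr in recipients:
            if addr.rpartition("@")[2].lower() not in allowed_domains:
                reasons.append(f"recipient outside allowed domains: {addr}")
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                             "recipients": recipients, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_formmail_log(SAMPLE_LOG, {"example.com"}):
        print(f["ip"], f["time"], f["status"], f["recipients"], "; ".join(f["reasons"]))
```

A status of 200 on a flagged line means the script accepted the request, which is the case the thread warns about; a 4xx there shows the fix is holding.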