Formmail has a long history of abuse by SPAMmers. There are even some realtime-blacklist banning mail-traffic from sites running formmail altogether. Basically, older versions of Formmail made it extremely easy for SPAMmers to use your site to send SPAM to other people, and everyone will think you are the culprit.

Some "script kiddies" and SPAMmers run freely available scanners to bulk-check sites for vulnerable formmail scripts. That's where your hits are coming from...

However, Matt did quite a lot of security improvements over the last two years or so. I guess the recent versions of formmail do a decent job in terms of security. Just make sure you get a recent version - if you are paranoid use the last-but-one, but I guess the last version will do as well. Just keep in mind: formmail is one of the most-used mailscripts, so there's a huge crowd of testers out there.

As for the security reasons: make sure you enter all security information regarding on WHAT site the script is allowed to run (both in canonical as well as in IP address) and on WHO is a valid recipient for these mails. Keep it as restrictive as possible.

When you loead formmail into the editor, you will clearly see where configuration is required, and where not.

Oh, one thing: formmail seems to be picky about the case of your variables. So if e.g. you have a required variable "company", then make sure the fieald AND the entry in the "required" setting have the same name...

The Formmail documentation is spartanic and sometimes a bit fuzzy, but everything you need is in the docs.

But REALLY make sure you have a recent version!

The formmail script has been completely installed and set up by the hosting company, they should have all of this under control, right?

Yeah, hopefully...

The most recent version is 1.92, the minimum version to use should be 1.91. The most common, still installed version is 1.6 and that one is HIGHLY insecure.

Just enter [yourdomain.com...] (or wherever they installed it for you)to see what version is installed.

Do you have a way to look at the actual script? If not, you have to fully trust your ISP in order to set the recipient/sender/domain variables right. And they are the most critical ones...

No I cant inspect the script :(

Looks like I have to let them look after it!

Craig

>>> The formmail script has been completely installed and set up by the hosting company, they should have all of this under control, right?

I would check it, I have had problems with it before.

Its pretty straightforward to set up, it just looks a bit daunting when you first open up in a text editor

Karl :)

Ok I am looking at it in notepad, I see:

$recipient = "default\@mydomain.com"

What am I looking for?

craig:

I personally would not prefer such a solution, but I know that pre-hosted formmails are quite common.

Did you check into the version number?

There's actually only TWO critical variables:

@referers = ('company.com','192.168.1.1');

These are the server(s) the script is allowed to be executed from. List as FEW as possible. Prefer to list only the canonical name. If you only list the IP address, all other virtual servers on that IP can access your script! So if you list the IP be sure what you're doing!

@recipients = &fill_recipients('feedback@company.com', 'company.com');

These are the ONLY valid recipients of your forms. Again, list as few as possible. Only list a whole domain (second part in my example) if there's really a need for it. If you only have 1-3 valid recipeints for your forms, list them with their specific mailadresses. EVERYBODY in the recipient-entry can still be subject to SPAMmers.

$recipient = "default\@mydomain.com"
What am I looking for?

The syntax of this line makes me wonder if the version is recent enough. Check the head of the file, is there something like:

#!/usr/bin/perl
###############################################
# FormMail Version 1.xx

where "xx" is hopefully 1.91 or higher? If not, you should REALLY, REALLY try to get them to update their formmail.

The recipient line means in your quote says, that all form submissions are sent to the user default@mydomain.com. That's quite OK - make sure that user exists though or have it pointed to an existing email address.

However you need that @referers entry as well. If it is not present, the formmail is outdated.

Doesnt give me a version number anywhere on the page.

I put it in Dreamweaver MX, it formats it for me then into readable mess.

I will email the support desk to see what version they are running.

Craig

>> is hopefully 1.91 or higher?

Actually the most recent secure version is 3.09c1. It's the London Perl Mongers version "NMS FormMail" available through Sourceforge.

Download and replacement strongly recommended, link here: [nms-cgi.sourceforge.net...]

It's a "drop-in" replacement for Matt's they say... As it is perl, you still have to modify the script to suit your needs, but it's safer.

That host - these days people get criminal investigations, fines and serve jail-time for less than placing anything on other peoples domains, let alone insecure scripts ... and they're even the host?! Shame on them i say.. pick another if you can and let them run out of business.

/claus

they should have all of this under control, right?

A control panel activated script is done automatically and I have my doubts as to the ability to secure a script in this manner.

I know of a host that had a spam problem because of these control panel scripts, and the owner was so shaken he threatened to take down everybody's access to sendmail.

If the host allows access or creation of your own cgi-bin I would encourage you to deactivate the control panel script and download the perlmongers version, or an alternate version that has more features like bformmail (or the big nose script that lots of folks like) and set it up in there.

If you're worried about spam, I can't see how it can't get any safer than configuring it yourself.