Spam using formmail.pl (Alert!!) - GoFuckYourself.com

sans · 06-24-2001, 11:51 AM

Many of us use formmail.pl in our servers.

Widely used FormMail.pl Web-to-Email CGI Script Allows Unauthorized Users to Send Mail (e.g., spam) Anonymously. - March 16, 2001
For a full description see http://securitytracker.com/alerts/2001/Mar/1001108.html

A patched version of this script with the anti-spam fix is available at http://www.mailvalley.com/formmail/
The modified version of this formmail perl script, allows you to specify a list of recipients in a text file, who are authorized to receive emails. So the script will only send mail to addresses listed in this file thus providing spam protection.

Hope this information will be of use to webmasters and webhosting providers.

If anyone has a different solution to this problem, let me know.

surreal · 06-24-2001, 12:09 PM

Date: Mar 16 2001 05:31 (UTC/GMT)

No offense, but it's pretty damn old and well known, and isn't really a security hole.

------------------
surreal. freetgp.

Susan · 06-24-2001, 12:19 PM

If a script like this does not check HTTP_REFERER (your server address) then don't use it. A simple check like this can stop remote access.
http://www.dtp-aus.com/ has a good secure mailing script with tons of features.

pr0 · 06-24-2001, 12:29 PM

Check this out...most of the programs the spammers use to abuse your formmail use "Recipient" to send the mails. Setting the refer ip security does nothing, since refer information can be faked or non-existent. So as a quick fix...change the script to "Boogy" as opposed to "recipient" then make the changes to your html =)

This wont stop them all, but it'll stop the ones using pre-made spam programs.

------------------

CelebrityDialers.com - 45-cents (webmasters) to 90-cents (resellers)
Sometimes when i'm watching a sunrise..i think damn...That'd be a phat java applet!

pr0 · 06-24-2001, 12:33 PM

Oh yea also, on that security report at http://securitytracker.com/alerts/2001/Mar/1001108.html they say the true ip of the spammer can be found in the server logs, but not the e-mail. Sure if the spammer was stupid enough not to use a simple HTTP open proxy.

Here's a list...lolol

12.23.198.32:8080
12.24.124.3:80
12.24.124.4:80
12.24.149.202:8080
12.24.192.50:8080
12.24.198.14:8080
12.24.248.3:80
12.24.248.13:80
12.24.248.13:8080
12.24.248.14:80
207.1.18.243:8080
207.1.219.222:80
207.2.12.42:80
207.2.12.46:80
207.2.12.58:80
207.2.54.2:80
207.3.16.200:80
207.3.92.252:80

I wonder how long it'd take them to find out that those ip's arent the spammers true ip =)

------------------

CelebrityDialers.com - 45-cents (webmasters) to 90-cents (resellers)
Sometimes when i'm watching a sunrise..i think damn...That'd be a phat java applet!

06-24-2001, 11:51 AM	#1
sans Registered User Join Date: Jun 2001 Posts: 1	Spam using formmail.pl (Alert!!) Many of us use formmail.pl in our servers. Widely used FormMail.pl Web-to-Email CGI Script Allows Unauthorized Users to Send Mail (e.g., spam) Anonymously. - March 16, 2001 For a full description see http://securitytracker.com/alerts/2001/Mar/1001108.html A patched version of this script with the anti-spam fix is available at http://www.mailvalley.com/formmail/ The modified version of this formmail perl script, allows you to specify a list of recipients in a text file, who are authorized to receive emails. So the script will only send mail to addresses listed in this file thus providing spam protection. Hope this information will be of use to webmasters and webhosting providers. If anyone has a different solution to this problem, let me know.

06-24-2001, 12:29 PM	#4
pr0 rockin tha trailerpark Industry Role: Join Date: May 2001 Location: ~Coastal~ Posts: 23,088	Check this out...most of the programs the spammers use to abuse your formmail use "Recipient" to send the mails. Setting the refer ip security does nothing, since refer information can be faked or non-existent. So as a quick fix...change the script to "Boogy" as opposed to "recipient" then make the changes to your html =) This wont stop them all, but it'll stop the ones using pre-made spam programs. ------------------ CelebrityDialers.com - 45-cents (webmasters) to 90-cents (resellers) Sometimes when i'm watching a sunrise..i think damn...That'd be a phat java applet!

06-24-2001, 12:33 PM	#5
pr0 rockin tha trailerpark Industry Role: Join Date: May 2001 Location: ~Coastal~ Posts: 23,088	Oh yea also, on that security report at http://securitytracker.com/alerts/2001/Mar/1001108.html they say the true ip of the spammer can be found in the server logs, but not the e-mail. Sure if the spammer was stupid enough not to use a simple HTTP open proxy. Here's a list...lolol 12.23.198.32:8080 12.24.124.3:80 12.24.124.4:80 12.24.149.202:8080 12.24.192.50:8080 12.24.198.14:8080 12.24.248.3:80 12.24.248.13:80 12.24.248.13:8080 12.24.248.14:80 207.1.18.243:8080 207.1.219.222:80 207.2.12.42:80 207.2.12.46:80 207.2.12.58:80 207.2.54.2:80 207.3.16.200:80 207.3.92.252:80 I wonder how long it'd take them to find out that those ip's arent the spammers true ip =) ------------------ CelebrityDialers.com - 45-cents (webmasters) to 90-cents (resellers) Sometimes when i'm watching a sunrise..i think damn...That'd be a phat java applet!

06-24-2001, 12:09 PM	#2
surreal Registered User Join Date: Jun 2001 Location: Netherlands Posts: 21	Date: Mar 16 2001 05:31 (UTC/GMT) No offense, but it's pretty damn old and well known, and isn't really a security hole. ------------------ surreal. freetgp.

06-24-2001, 12:19 PM	#3
Susan Confirmed User Join Date: Feb 2001 Location: Amost UK central Posts: 772	If a script like this does not check HTTP_REFERER (your server address) then don't use it. A simple check like this can stop remote access. http://www.dtp-aus.com/ has a good secure mailing script with tons of features.