Form Handler SPAM issue....
I am still scratching my head here....maybe someone here has an answer for me.
I have a little server with less than 40 sites on it. In January I got notice that a form handler had been compromised and was being used to spew spam all over the net. The handler was located and promptly deleted. The rest of the server was checked and, of the 3 sites using some sort of form handler, none were an issue and all were presumed to be secure.
Then Saturday I get another notice that spam is being spewed through my server. The form handlers have been tested again and I haven't been able to find the leak.
Now I have heard time and time again that Matt's Script is not secure; however, I have been running the newest version and haven't had a problem with it, and upon testing it, it seems to be functioning as it should (not sending mail to anyone that hasn't been specified in the script itself).
Am I missing something here?
using an unassigned e-mail address
mairving posted this at 22:13 — 18th February 2003.
They have: 2,256 posts
Joined: Feb 2001
It could be someone using your mailserver as a relay. What kind of system is it (2000, 'nix)?
Busy posted this at 22:14 — 18th February 2003.
He has: 6,151 posts
Joined: May 2001
If you're using a script that allows people to see what's happening via the URL you'll always have trouble. Just looking at your source code I can see how easy it would be to spam.
Use a server side script like PHP, ASP etc. that you can validate the contents with (don't use javascript) and even set limits on posting messages, without any of it being seen.
formmail isn't very secure and the older versions get hacked all the time because anyone can go to your server and do a request in the URL and get your details or set stuff. My host has had so many people being attacked via formmail, formmail is no longer allowed, unless it's the latest version with addons.
Things you don't want in your forms are recipient, redirect, required or any other hidden value.
So that's two ways of breaking your code: via a request and via your hidden tags.
Rayna posted this at 22:37 — 18th February 2003.
They have: 115 posts
Joined: Feb 2000
mairving - I am using a linux box with Ensim
Busy - Forgive me this is not my area at all so please be patient. Can you explain to me how seeing what happens via URL makes the script more vulnerable?
I don't allow form handlers on my server either really....there are a few but they are in php and not an issue. This one was MINE that everyone on my server was using. I figured at least I would have control over it if there were issues.
Mark Hensler posted this at 01:57 — 19th February 2003.
He has: 4,048 posts
Joined: Aug 2000
If someone sees, in the HTML source code or in the GET querystring, a 'To' or 'Recipient' email address, they can send fake requests to the server with different headers.
For example, if you have a script (on contactus.html) that has a hidden field called "to_email" and a default value of "[email protected]", your form sends its data via POST to (action) "contactus.php", with additional fields called "from_email", "from_name", "message". Then I could spam your form like so:
First, create some fake HTTP Request headers:
POST /contactus.php HTML/1.1
Connection: Keep-Alive
User-Agent: You've been had.
Accept-Language: en-US
Referrer: http://your.coom/contactus.html
[email protected]&[email protected]&from_name=Sucker&message=This is my spam email. Muhahaha!
Now imagine I dropped this functionality into a program with an email database. I simply loop through thousands of emails, sending off spam email using your complimentary mail services to do my dirty work.
And, the recipients can only trace it back to you. In order to catch me, you have to examine your access_log files (from apache) to get an IP. Then you have to find who owns the IP, and who had the IP at the time of the incident (easy for static IP, harder for dynamic IP).
Mark Hensler
If there is no answer on Google, then there is no question.
Rayna posted this at 04:17 — 19th February 2003.
They have: 115 posts
Joined: Feb 2000
Thank you for the explanation Mark.
So, since the form handler I am currently using will never be secure, can anyone recommend a form handler I can switch to that will not be vulnerable to spam?
Thanks again Mark!!
Mark Hensler posted this at 06:22 — 19th February 2003.
He has: 4,048 posts
Joined: Aug 2000
Simply hard code the recipient email. When your contactus.html form submits to contactus.php, have the "To" email hardcoded in the PHP code, and remove the hidden field from your form.
<?php
// The recipient lives only in server-side code; the form carries no "to" field.
mail("[email protected]", $subject_from_form, $message_from_form, "From: $from_name <$from_email>");
?>
Mark Hensler
If there is no answer on Google, then there is no question.
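A fuller version of the contactus.php handler Mark describes, added here as an example and not the thread's own code: it hard-codes the recipient, rejects any recipient/redirect field arriving in the request (the hidden values Busy warns about), and refuses CR/LF in the fields that end up in mail headers, since a newline in from_email is enough to append extra recipients. The field names (from_email, from_name, subject, message) and the address you@example.com are assumptions.

```php
<?php
// Added example, not the thread's own code: a contactus.php that keeps the
// recipient server-side and refuses header injection. Assumed field names:
// from_email, from_name, subject, message. No to_email hidden field exists.
const RECIPIENT = 'you@example.com'; // hard-coded, never read from the request
// Reject values that could smuggle extra mail headers (CR, LF, NUL) into the
// envelope; that is how a handler gets turned into a relay for someone's spam.
function header_safe(string $value, int $max = 200): bool
{
    return $value !== ''
        && strlen($value) <= $max
        && preg_match('/[\r\n\0]/', $value) === 0;
}
// Returns [$errors, $clean]; $errors is empty when the submission is acceptable.
function validate_submission(array $post): array
{
    $clean = [];
    foreach (['from_email', 'from_name', 'subject', 'message'] as $field) {
        $clean[$field] = trim((string) ($post[$field] ?? ''));
    }
    $errors = [];
    if (filter_var($clean['from_email'], FILTER_VALIDATE_EMAIL) === false
        || !header_safe($clean['from_email'])) {
        $errors[] = 'from_email';
    }
    foreach (['from_name', 'subject'] as $f) {
        if (!header_safe($clean[$f])) { $errors[] = $f; }
    }
    if ($clean['message'] === '' || strlen($clean['message']) > 5000) {
        $errors[] = 'message';
    }
    // Any recipient/redirect field in the request is a probe, not a real visitor.
    foreach (['to_email', 'recipient', 'redirect'] as $f) {
        if (isset($post[$f])) { $errors[] = $f; }
    }
    return [$errors, $clean];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$errors, $clean] = validate_submission($_POST);
    if ($errors !== []) {
        http_response_code(400);
        exit('Rejected fields: ' . htmlspecialchars(implode(', ', $errors)));
    }
    $headers = "From: {$clean['from_name']} <{$clean['from_email']}>";
    mail(RECIPIENT, $clean['subject'], $clean['message'], $headers);
    echo 'Thanks, your message was sent.';
}
```

Rejected submissions are a useful signal on their own: logging the client IP alongside the rejected field names gives you the access_log correlation Mark mentions without waiting for an abuse report.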
Rayna posted this at 06:33 — 19th February 2003.
They have: 115 posts
Joined: Feb 2000
Thanks Mark! I really appreciate all the help!
Wil posted this at 09:50 — 19th February 2003.
They have: 601 posts
Joined: Nov 2001
Rayna,
Matt's Script Archive has been totally secured now and relaunched under a new name. Thanks to the London Perl Mongers group, they've developed totally secure versions of all his scripts that can be "drop-in" replacements. You don't have to edit anything on your site.
Check out:
http://nms-cgi.sourceforge.net/
For more information.
- wil