Re: Formmail and spam attack

by Charles A Upsdell <cupsdell(at)upsdell.com>

 Date:  Tue, 22 Oct 2002 15:54:27 -0400
 To:  hwg-techniques(at)hwg.org
 Cc:  custom <custom(at)desktoppub.com>
 In-Reply-To:  rr

>This weekend I made the unpleasant discovery that a spammer was
>apparently using a formmail script on my client's site to send out porno
>spam. Thousands of messages went out, all with my client's return
>address.
>
>The tech folks at the hosting company said spammers can exploit a
>weakness in formmail to launch their email. They recommended upgrading my
>version (I had 1.9 and I found 1.92 at Matt's Script Archive).
>
>Has this happened to anyone here? Is the recommendation I received
>sufficient or are there other steps I should take?


Yeah, this happened to me.

There are several steps you can go through:

1.  Rename the .pl file:  the spammers are specifically looking for 
formmail.pl.

2.  Install the most recent version of formmail.pl.

3.  Make a simple change that hard-codes the recipient(s) in the .pl file 
itself.  For example, what I did was change the recipient email addresses 
within the form to a code, e.g. '-', 'bn', 'sn' etc., then change the .pl 
file to map the codes into the correct email addresses.  The way I did this 
was:

search formmail.pl for this perl code:

     # The next six lines remove any extra spaces or new lines from the       #
     # configuration variables, which may have been caused if your editor     #
     # wraps lines after a certain length or if you used spaces between field #
     # names or environment variables.                                        #
     $Config{'required'} =~ s/(\s+|\n)?,(\s+|\n)?/,/g;
     $Config{'required'} =~ s/(\s+)?\n+(\s+)?//g;
     $Config{'env_report'} =~ s/(\s+|\n)?,(\s+|\n)?/,/g;
     $Config{'env_report'} =~ s/(\s+)?\n+(\s+)?//g;
     $Config{'print_config'} =~ s/(\s+|\n)?,(\s+|\n)?/,/g;
     $Config{'print_config'} =~ s/(\s+)?\n+(\s+)?//g;

after this, insert:

         # Set recipient per code in original recipient field
         {
             my $temp;
             my %recipients = (
                 '-'  => 'mailbox',          # Customize this
                 'bn' => 'browser-news',     # Customize this
                 'sn' => 'security-news',    # Customize this
                 'wm' => 'webmaster',        # Customize this
             );
             $Config{'recipient'} = ( $temp = $recipients{$Config{'recipient'}} )
                                  ? $temp . '@upsdell.com' : '-';
         }

change the %recipients hash to specify your lists of codes and email 
addresses, and change the domain name in the last line (upsdell.com) to the 
one you need.

replace the email addresses in your HTML with the appropriate codes.

With this change, spammers can't hijack formmail.pl.  If they call 
formmail.pl with a recipient list, formmail.pl will determine that the 
recipient list is not one of the codes, and map the recipient to an invalid 
email address.

The other advantage of this is that email addresses no longer appear in the 
HTML file, so spammers who search HTML files for email addresses will find 
none:  this reduces the amount of spam the recipient(s) will receive.

HTH, Chuck Upsdell
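An added example, not code from Chuck's post or from Matt's Script Archive: the same recipient-code allow-list as a stand-alone Perl script, so the mapping can be exercised against a few constructed form submissions before it is pasted into a renamed formmail.pl. The codes, the domain example.com and the sample submissions are assumptions. It differs from the snippet in the post in one respect: an unknown code is refused outright (no mail is built), rather than mapped to the placeholder address '-'.

```perl
#!/usr/bin/perl
# Added example, not code from formmail.pl or from the original post.
# The codes, the domain and the sample submissions below are made up.
use strict;
use warnings;

# Allow-list: form code => local part.  Nothing outside this table can
# ever become a recipient, whatever the form (or a spammer) submits.
my %recipients = (
    '-'  => 'mailbox',
    'bn' => 'browser-news',
    'sn' => 'security-news',
    'wm' => 'webmaster',
);
my $domain = 'example.com';    # assumed; use your own domain here

# Map the form's recipient code to a real address.  The lookup is an
# exact hash-key match, so a real e-mail address, a comma-separated
# list, or a code with extra characters (e.g. "sn\n") all fail and
# return undef.  Unlike the mapping in the post, an unknown code is
# refused rather than sent on to the placeholder address '-'.
sub resolve_recipient {
    my ($code) = @_;
    return undef if !defined $code || !exists $recipients{$code};
    return "$recipients{$code}\@$domain";
}

# Decide what to do with one submission: returns (address, undef) when
# the form may be mailed, or (undef, reason) when it must be refused.
sub check_submission {
    my ($form) = @_;
    my $to = resolve_recipient($form->{recipient});
    return (undef, 'unknown recipient code') if !defined $to;
    my $msg = $form->{message};
    return (undef, 'empty message') if !defined $msg || !length $msg;
    return ($to, undef);
}

# Constructed form submissions: one legitimate, four of the kind a
# spammer sends at a formmail.pl whose recipient field is free text.
my @submissions = (
    { recipient => 'sn',                        message => 'Hello' },
    { recipient => 'victim@example.org',        message => 'spam'  },
    { recipient => 'sn,victim@example.org',     message => 'spam'  },
    { recipient => "sn\n",                      message => 'spam'  },
    { recipient => 'security-news@example.com', message => 'spam'  },
);

for my $form (@submissions) {
    my ($to, $err) = check_submission($form);
    if (defined $to) {
        print "OK      $form->{recipient} -> $to\n";
    } else {
        my $shown = $form->{recipient};
        $shown =~ s/\n/\\n/g;    # make the embedded newline visible
        print "REJECT  $shown ($err)\n";
    }
}
```

Run it with `perl allowlist.pl`: only the `sn` submission is accepted; the direct address, the comma-separated list, the code with a trailing newline and even the real `security-news@example.com` address are all rejected, because the only thing the script will ever mail to is a value it looked up itself. This covers the recipient field only, which is what the post is about; renaming the script and upgrading to the current formmail.pl still apply.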

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA