
Formmail Security Problem

Datastreet

Guest
I have a few clients on my servers using a Formmail.pl script. They are using the latest version of 1.92. It seems like I am getting a ton of failure notices for nonexistent e-mail addresses at the domains. The Spam messages contain the e-mail address in a feedback form multiple times. I have narrowed down that the e-mail is being sent from a few formmail scripts and possibly a PHP problem on one site.

Has anyone had this kind of experience with FormMail.pl? It looks like people can send mail to any address listed at that domain. I know it won't cause a SPAM problem, but are there any other scripts that work well that don't have this problem?

I have enclosed an example e-mail with the domain name changed to domain.com and domain.net (ISP):

Hi. This is the qmail-send program at domainnet.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[email protected]>:
208.189.49.85 does not like recipient.
Remote host said: 550 5.1.1 <[email protected]> User unknown; rejecting Giving up on 208.179.47.75.

--- Below this line is a copy of the message.

Return-Path: <[email protected]>
Received: (qmail 10098 invoked by uid 10024); 12 Sep 2005 18:03:21 -0700
Date: 12 Sep 2005 18:03:21 -0700
Message-ID: <[email protected]>
To: [email protected]
From: ()
Subject: [email protected]

Below is the result of your feedback form. It was submitted by
() on Monday, September 12, 2005 at 18:03:21
---------------------------------------------------------------------------

textfield: [email protected]

Submit: [email protected]

---------------------------------------------------------------------------
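One way to narrow down which site's script is generating mail like the bounce above, as an added example that is not part of the original post: qmail records the local uid that handed it the message in the `Received: (qmail ... invoked by uid N)` line, so bounces can be tallied per uid when one address fills the Subject and the form fields. The function names, the repeat threshold of 3 and the sample messages are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

MARKER = "--- Below this line is a copy of the message."
UID_RE = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def original_from_bounce(text):
    """Return the copied original message from a qmail bounce (or the text itself)."""
    return text.split(MARKER, 1)[-1].lstrip()

def invoking_uid(msg):
    """Local uid that injected the message, from qmail's Received line, or None."""
    for received in msg.get_all("Received", []):
        m = UID_RE.search(received)
        if m:
            return int(m.group(1))
    return None

def repeated_address(msg, min_repeats=3):
    """Address that appears min_repeats+ times across Subject and form body, or None."""
    body = "" if msg.is_multipart() else msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    top = Counter(a.lower() for a in ADDR_RE.findall(text)).most_common(1)
    return top[0][0] if top and top[0][1] >= min_repeats else None

def tally_by_uid(bounces):
    """Count suspicious form mails per invoking uid."""
    counts = Counter()
    for raw in bounces:
        msg = message_from_string(original_from_bounce(raw))
        uid = invoking_uid(msg)
        if uid is not None and repeated_address(msg):
            counts[uid] += 1
    return counts

# Constructed samples: one bounce shaped like the post's, one ordinary form mail.
SAMPLE_BOUNCE = ("Hi. This is the qmail-send program at mail.example.net.\n\n" + MARKER +
    "\n\nReceived: (qmail 10098 invoked by uid 10024); 12 Sep 2005 18:03:21 -0700\n"
    "To: owner@example.com\nSubject: probe123@example.org\n\n"
    "textfield: probe123@example.org\n\nSubmit: probe123@example.org\n")
SAMPLE_NORMAL = ("Received: (qmail 10140 invoked by uid 10031); 12 Sep 2005 18:10:02 -0700\n"
    "To: owner@example.com\nSubject: Feedback\n\n"
    "name: Pat\nemail: pat@example.org\ncomment: Nice site\n")

if __name__ == "__main__":
    for uid, n in tally_by_uid([SAMPLE_BOUNCE, SAMPLE_NORMAL]).items():
        print(f"uid {uid}: {n} suspicious form mail(s)")
```

The uid can then be matched to a system account (for example with `getent passwd`) to find the hosting account whose script sent the mail.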
 
FormMail is just a bad idea. There are others out there that are much less of a problem, without the security risk.
 
I appreciate your response.

Can you list any other ones you recommend?

I would like to use perl if possible.

Thanks
 
I don't like Perl because it's too resource intensive and too easy to be a problem source.

Check out this one -- http://phpformgen.sourceforge.net. I haven't found it listed in any of the security watchdog sites. The guy who wrote it runs a hosting and programming ISP in Orlando, FL (don't get put off by his name). It generates a new custom php form processing file for each application. My clients really like it.

If I were you I would ban anything formmail.*
 
Thanks for all your help.

I will check that out.

Can you provide me with any security websites that show FormMail as a security problem?

I would like to show the owner of the ISP I work at....
 