
Formmail Security Problem

Discussion in 'Plesk for Linux - 8.x and Older' started by Datastreet, Sep 13, 2005.

  1. Datastreet

    Datastreet Guest

    I have a few clients on my servers using a Formmail.pl script. They are using the latest version of 1.92. It seems like I am getting a ton of failure notices for nonexistent e-mail addresses at the domains. The spam messages contain the e-mail address in a feedback form multiple times. I have narrowed down that the e-mail is being sent from a few formmail scripts and possibly a PHP problem on one site.

    Has anyone had this kind of experience with FormMail.pl? It looks like people can send mail to any address listed at that domain. I know it won't cause a SPAM problem, but are there any other scripts that work well that don't have this problem?

    I have enclosed an example e-mail with the domain name changed to domain.com and domain.net (ISP):

    This is the qmail-send program at domainnet.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <rfribr@domain.com>: does not like recipient.
    Remote host said: 550 5.1.1 <rfribr@domain.com> User unknown; rejecting Giving up on

    --- Below this line is a copy of the message.

    Return-Path: <anonymous@domain.net>
    Received: (qmail 10098 invoked by uid 10024); 12 Sep 2005 18:03:21 -0700
    Date: 12 Sep 2005 18:03:21 -0700
    Message-ID: <20050913010321.10097.qmail@domain.net>
    To: rfribr@domain.com
    From: ()
    Subject: rfribr@domain.com

    Below is the result of your feedback form. It was submitted by
    () on Monday, September 12, 2005 at 18:03:21

    textfield: rfribr@domain.com

    Submit: rfribr@domain.com

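    The behaviour described in this post (any mailbox at the site's domain is an acceptable recipient) is what turns a form-to-mail script into a bounce and spam generator. The following Perl is an added illustration, not FormMail's own code: it contrasts a per-domain wildcard recipient rule with a strict token-to-mailbox map, and adds the line-break check a form handler needs so that submitted fields cannot inject extra mail headers. domain.com is a placeholder, as in the thread.

```perl
#!/usr/bin/perl
# Added illustration, not FormMail's own code. Contrasts the permissive
# "any mailbox at our domain" recipient rule described in the thread with a
# strict token-to-mailbox map, and adds the CR/LF check a form handler needs
# so that submitted fields cannot inject mail headers. domain.com is a placeholder.
use strict;
use warnings;

# Permissive: any local part at domain.com passes, so a bot can push mail
# to guessed or dictionary addresses and the bounces come back to the server.
my @wildcard_ok = ( qr/^[\w\-.]+\@domain\.com$/i );

# Strict: the form submits a short token such as "to=sales"; the mailbox is
# chosen server-side and the browser never names an address.
my %strict_map = (
    sales   => 'sales@domain.com',
    support => 'support@domain.com',
);

sub wildcard_recipient {
    my ($req) = @_;
    return unless defined $req;
    return $req if grep { $req =~ $_ } @wildcard_ok;
    return;                       # not at our domain
}

sub strict_recipient {
    my ($token) = @_;
    return unless defined $token && $token =~ /^\w{1,32}$/;   # token only
    return $strict_map{$token};                               # undef if unknown
}

# Any field that ends up in a mail header must not contain a line break.
sub header_safe {
    my ($v) = @_;
    return defined $v && $v !~ /[\r\n]/;
}

if (!caller) {
    for my $addr ('sales@domain.com', 'rfribr@domain.com') {
        printf "%-18s wildcard rule: %s\n", $addr,
            wildcard_recipient($addr) ? 'accepted' : 'rejected';
    }
    for my $tok ('sales', 'rfribr@domain.com') {
        printf "%-18s strict map:    %s\n", $tok, strict_recipient($tok) // 'rejected';
    }
    printf "subject with CRLF: %s\n",
        header_safe("hello\r\nBcc: victim\@example.net") ? 'safe' : 'rejected';
}
```

    With the wildcard rule the guessed address rfribr@domain.com is accepted and produces exactly the kind of bounce quoted above; with the strict map the same input is rejected because only a known token selects a mailbox.
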
  2. timtrott

    timtrott Guest

    FormMail is just a bad idea. There are others out there that are much less of a problem, without the security risk.
  3. Datastreet

    Datastreet Guest

    I appreciate your response.

    Can you list any other ones you recommend?

    I would like to use perl if possible.

  4. timtrott

    timtrott Guest

    I don't like Perl because it's too resource intensive and too easy to be a problem source.

    Check out this one -- http://phpformgen.sourceforge.net. I haven't found it listed in any of the security watchdog sites. The guy who wrote it runs a hosting and programming ISP in Orlando, FL (don't get put off by his name). It generates a new custom php form processing file for each application. My clients really like it.

    If I were you I would ban anything formmail.*
  5. Datastreet

    Datastreet Guest

    Thanks for all your help.

    I will check that out.

    Can you provide me with any security websites that show FormMail as a security problem?

    I would like to show the owner of the ISP I work at....
  6. timtrott

    timtrott Guest