
Formmail Security Problem

Discussion in 'Plesk for Linux - 8.x and Older' started by Datastreet, Sep 13, 2005.

  1. Datastreet

    Datastreet Guest

    I have a few clients on my servers using a Formmail.pl script. They are using the latest version of 1.92. It seems like I am getting a ton of failure notices for nonexistent e-mail addresses at the domains. The Spam messages contain the e-mail address in a feedback form multiple times. I have narrowed down that the e-mail is being sent from a few formmail scripts and possibly a PHP problem on one site.

    Has anyone had this kind of experience with FormMail.pl? It looks like people can send mail to any address listed at that domain. I know it won't cause a SPAM problem, but are there any other scripts that work well that don't have this problem?

    I have enclosed an example e-mail with the domain name changed to domain.com and domain.net (ISP):

    Hi. This is the qmail-send program at domainnet.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <rfribr@domain.com>: does not like recipient.
    Remote host said: 550 5.1.1 <rfribr@domain.com> User unknown; rejecting Giving up on

    --- Below this line is a copy of the message.

    Return-Path: <anonymous@domain.net>
    Received: (qmail 10098 invoked by uid 10024); 12 Sep 2005 18:03:21 -0700
    Date: 12 Sep 2005 18:03:21 -0700
    Message-ID: <20050913010321.10097.qmail@domain.net>
    To: rfribr@domain.com
    From: ()
    Subject: rfribr@domain.com

    Below is the result of your feedback form. It was submitted by
    () on Monday, September 12, 2005 at 18:03:21

    textfield: rfribr@domain.com

    Submit: rfribr@domain.com
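
One way to triage failure notices like the one in the post above, as an added example that is not part of the original post: it pulls the copied message out of a qmail-send bounce and flags form results where the `To` address is also the `Subject` and the value of every form field. The function names are hypothetical, and the sample is constructed from the anonymised bounce shown above.

```python
import re
from email import message_from_string

MARKER = "--- Below this line is a copy of the message."
FIELD_RE = re.compile(r"^([A-Za-z0-9_\-]+):[ \t]*(.*)$", re.M)
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample, modelled on the bounce quoted in the post (not real data).
SAMPLE = """\
Hi. This is the qmail-send program at domain.net.
<rfribr@domain.com>: does not like recipient.

--- Below this line is a copy of the message.

Return-Path: <anonymous@domain.net>
To: rfribr@domain.com
From: ()
Subject: rfribr@domain.com

Below is the result of your feedback form. It was submitted by
() on Monday, September 12, 2005 at 18:03:21

textfield: rfribr@domain.com

Submit: rfribr@domain.com
"""

def copied_message(bounce):
    """Return the original message quoted in a qmail-send bounce, or None."""
    _, sep, rest = bounce.partition(MARKER)
    return rest.lstrip("\n") if sep else None

def form_fields(body):
    """Return {name: value} for the 'name: value' lines of a form result body."""
    return {k: v.strip() for k, v in FIELD_RE.findall(body)}

def looks_like_probe(raw, min_fields=2):
    """True when the To address is also the Subject and every form field value."""
    msg = message_from_string(raw)
    to = ADDR_RE.findall(msg.get("To", ""))
    fields = form_fields(msg.get_payload())
    if len(to) != 1 or len(fields) < min_fields:
        return False
    rcpt = to[0].lower()
    subject_hit = msg.get("Subject", "").strip().lower() == rcpt
    return subject_hit and all(v.lower() == rcpt for v in fields.values())

if __name__ == "__main__":
    print(looks_like_probe(copied_message(SAMPLE)))
```

Run over a mailbox of bounces, a count of flagged messages per `Return-Path` domain shows which hosted site's form is producing them.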

  2. timtrott

    timtrott Guest

    FormMail is just a bad idea. There are others out there that are much less of a problem, without the security risk.
  3. Datastreet

    Datastreet Guest

    I appreciate your response.

    Can you list any other ones you recommend?

    I would like to use perl if possible.

  4. timtrott

    timtrott Guest

    I don't like Perl because it's too resource intensive and too easy to be a problem source.

    Check out this one -- http://phpformgen.sourceforge.net. I haven't found it listed in any of the security watchdog sites. The guy who wrote it runs a hosting and programming ISP in Orlando, FL (don't get put off by his name). It generates a new custom php form processing file for each application. My clients really like it.

    If I were you I would ban anything formmail.*
  5. Datastreet

    Datastreet Guest

    Thanks for all your help.

    I will check that out.

    Can you provide me with any security websites that show FormMail as a security problem?

    I would like to show the owner of the ISP I work at....
  6. timtrott

    timtrott Guest