On 8/4/01, Len Conrad penned:
>But if not SMTP AUTH, then you can see why you should force all your
>IP's to SMTP AUTH so every mail relay session is traceable.  The "no
>relay" (unless SMTP AUTH'd) is really better than "relay for
>addresses".

Well, I figured it out. There is (was) a HUGE security hole in
FormMail.pl which allows mail to be sent with a blank referer, either
using a POST or a GET. It was fixed a day or 2 ago in version 1.9,
which hadn't yet been ported to NT. I hacked my NT version 1.6 to
include the new security features of 1.9 (UNIX). If anyone is using
FormMail version earlier than 1.9, along with DevMailer, I'll be glad
to send you the version I've got. You can now specify valid domains,
and/or e-mail addresses that mail can be sent to. Any others return
an "empty recipient" error.

If you want to play with it:

http://www.twcreations.com/formmail.html

Enter any e-mail address @twcreations.com, or
[EMAIL PROTECTED] and it should go through. Anything else,
forget it.
--

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
954.721.3452

Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
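
The recipient allow-list described in the message above, sketched in Perl as an added example; it is not Bud Schneehagen's patch or FormMail's own code. The sub name, the variable names and the addresses are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed allow-list configuration (hypothetical names, constructed values).
my @ALLOWED_DOMAINS   = ('example.com');
my @ALLOWED_ADDRESSES = ('partner@example.net');

# Return the recipients that may be mailed. If any single recipient fails,
# return an empty list so the caller reports an "empty recipient" error.
sub filter_recipients {
    my ($raw) = @_;
    return () unless defined $raw && length $raw;

    # CR or LF in the form field would let a caller append mail headers.
    return () if $raw =~ /[\r\n]/;

    my %domain_ok  = map { lc($_) => 1 } @ALLOWED_DOMAINS;
    my %address_ok = map { lc($_) => 1 } @ALLOWED_ADDRESSES;

    my @accepted;
    for my $addr (split /\s*,\s*/, $raw) {
        $addr = lc $addr;
        $addr =~ s/^\s+|\s+$//g;

        # Exactly one "@", no whitespace, non-empty local part and domain.
        return () unless $addr =~ /\A[^\s\@]+\@([^\s\@]+)\z/;
        my $domain = $1;

        # Exact comparison only: a suffix test would accept "evil-example.com".
        return () unless $address_ok{$addr} || $domain_ok{$domain};
        push @accepted, $addr;
    }
    return @accepted;
}

# Constructed form inputs: one allowed, one mixed list, one with an embedded
# newline, one look-alike domain.
for my $to ('sales@example.com',
            'a@example.com, someone@elsewhere.test',
            "a\@example.com\nBcc: someone\@elsewhere.test",
            'x@evil-example.com') {
    my @ok = filter_recipients($to);
    (my $shown = $to) =~ s/\n/\\n/g;
    print "$shown => ", (@ok ? "send to @ok" : 'empty recipient'), "\n";
}
```

The check rejects the whole submission when one recipient in a comma-separated list is outside the allow-list, so an allowed address cannot be used to carry a disallowed one along with it.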
