Secure form mail script?
November 29, 2005 7:50 PM Subscribe
Can anyone recommend a secure form mail script?
The current form mail script I have on one of my sites is being hijacked by spammers. Can anyone recommend a good, free, secure form mail script? (I chose a form instead of an e-mail link for contact on my site to avoid GETTING spam, now it turns out I'm inadvertently SENDING it!)
It should allow me to have custom entry fields, and to set a constant subject heading for the resulting e-mail.
The current form mail script I have on one of my sites is being hijacked by spammers. Can anyone recommend a good, free, secure form mail script? (I chose a form instead of an e-mail link for contact on my site to avoid GETTING spam, now it turns out I'm inadvertently SENDING it!)
It should allow me to have custom entry fields, and to set a constant subject heading for the resulting e-mail.
Please be sure to not use the Formmail.pl script from Matt's Script Archive, it has a long history of exactly your problem.
posted by popechunk at 8:15 PM on November 29, 2005
posted by popechunk at 8:15 PM on November 29, 2005
Write your own.
The biggest problem with using 'cookie cutter' scripts is that they naturally have large installed user base which gives spammer a large 'attack surface'. Knowing that formail.pl from Matts Script Archive for instance is an insecure piece of crap (and yes, it is, I played with it, 4 or 5 years ago probably, and it was crap then) means that some spammer can just Google formmail.pl and find 200,000 'targets'.
Write your own - seriously Perl and PHP are trivially easy at that sort of level, and if you have Linux all you need to do is shell out to the 'sendmail' command and make sure you sanitize the arguments... unless someone specifically wants to abuse your script (in which case you have larger problems!) it will never be an issue...
Probably...
posted by BadSeamus at 9:07 PM on November 29, 2005
The biggest problem with using 'cookie cutter' scripts is that they naturally have large installed user base which gives spammer a large 'attack surface'. Knowing that formail.pl from Matts Script Archive for instance is an insecure piece of crap (and yes, it is, I played with it, 4 or 5 years ago probably, and it was crap then) means that some spammer can just Google formmail.pl and find 200,000 'targets'.
Write your own - seriously Perl and PHP are trivially easy at that sort of level, and if you have Linux all you need to do is shell out to the 'sendmail' command and make sure you sanitize the arguments... unless someone specifically wants to abuse your script (in which case you have larger problems!) it will never be an issue...
Probably...
posted by BadSeamus at 9:07 PM on November 29, 2005
Best answer: Seconding the NMS replacement for formmail.pl. And rename it.
posted by Remy at 9:20 PM on November 29, 2005
posted by Remy at 9:20 PM on November 29, 2005
I think you should /not/ write your own unless you're very familiar with HTTP and your chosen scripting language. The whole reason why these things can be exploited is because otherwise well-meaning people write naive scripts that they don't realize are insecure.
For example, what does your script do if the attacker submits a value in the "subject" field that contains "foobar\r\nFrom: someone@example.net\r\nTo: someone@example.net\r\n\r\nspamspamspam"? (Never mind the fact that you can't enter such a value with a web browser, but you can if you craft the form submission manually.) If you just naively used the value of this field without trying to sanitize or quote it, you can end up letting the spammer control all the headers of your message, and thus send spam through your server.
This is precisely what you are experiencing currently. So the solution isn't to replace an insecure script with another insecure script, even if it's named something different. Trust me, it doesn't matter. The spammers will eventually try it, even if you name it something weird and use custom names for all the fields. Don't rely on obscurity, make the script secure.
posted by Rhomboid at 1:51 AM on November 30, 2005
For example, what does your script do if the attacker submits a value in the "subject" field that contains "foobar\r\nFrom: someone@example.net\r\nTo: someone@example.net\r\n\r\nspamspamspam"? (Never mind the fact that you can't enter such a value with a web browser, but you can if you craft the form submission manually.) If you just naively used the value of this field without trying to sanitize or quote it, you can end up letting the spammer control all the headers of your message, and thus send spam through your server.
This is precisely what you are experiencing currently. So the solution isn't to replace an insecure script with another insecure script, even if it's named something different. Trust me, it doesn't matter. The spammers will eventually try it, even if you name it something weird and use custom names for all the fields. Don't rely on obscurity, make the script secure.
posted by Rhomboid at 1:51 AM on November 30, 2005
Are you getting spam coming out of your robot Johnny site which is running WordPress 1.5? Reason I ask is that my hosts have shut down my mail server, due to millions of spam being sent from it, although my site *only runs WordPress 1.5* so I'm at a complete loss as to where the vulnerability is - or how to patch it.
Sorry I can't help - just looking for vindication that I'm not going mad!
posted by Pericles at 3:41 AM on November 30, 2005
Sorry I can't help - just looking for vindication that I'm not going mad!
posted by Pericles at 3:41 AM on November 30, 2005
Response by poster: Pericles, no the spamming was happening through another site of mine, which although it also uses Wordpress 1.5, also had a form mail script. I know it was the form mail, because I would get return error messages from ISPs with messages attached that had the subject and other variables specific to that form.
Thanks for the help everyone!
posted by Robot Johnny at 7:11 AM on November 30, 2005
Thanks for the help everyone!
posted by Robot Johnny at 7:11 AM on November 30, 2005
This thread is closed to new comments.
posted by thebabelfish at 8:10 PM on November 29, 2005