Form mail script used as open relay

I recently disabled an old form mail script at work, because it was vulnerable to spammer abuse. I would like some advice on patching the script. If there is no fix, can anyone recommend a safe, alternative script I can use?

Not wishing the previously mentioned problem to happen to my personal site (happily hosted by DH), I would like to know if DH’s form mail script is safe from being (mis)used as an open relay.


This is linked to from another discussion here about formmail scripts …
Anonymous Mail Forward Vulnerabilities in FormMail 1.9

The most important part is not to allow someone to submit data to the program that will interfere with the structure of the message you are sending. Even then you have to take into account how mail processing software will interpret the message headers. And make sure your implementation of security measures is not flawed. You may wish to log user-provided data that in whole or in part is used in the messages headers - that way when monitoring the script activity you can see if anyone was actually attempting to abuse the script since web server logs don’t record data submitted in forms.

:cool: Perl / MySQL / HTML+CSS

I recommend the nms-cgi version if you want to setup your own. Don’t forget to completely disable (or remove) any old scripts.

It is a shame my lack of knowledge in this area prevents me from fully understanding Atropos’ advice; nonetheless, I do appreciate his time and help just the same. Thanks, Bob, for confirming DH’s form mail script is safe to use; and also thankyou Will for the script recommendation, which will help me resolve the problem at my workplace.

On the topic of formmail scripts and abusers of them, I just got hit today by a particular ip addy (ahem, searching for any formmail scripts on my site. Using DreamHosts script does make me feel safer about having web forms, even after a thing like this, since I have yet to receive a bounced spam message or e-mail from angry people who’ve been spammed by my address. DH’s script is a true sanity-saver.


I am relieved to hear that, Michelle. :slight_smile:
Do PHP form processors have the same security weakness?

Wow! That is a looong list- yuck! At least now you can block those ip’s. I used to have a php script that did just that, and there are some ways (haven’t tried any) to send them on an endless loop. Problem is the ip list just keeps on growing, and these people will just move on the next domain and the next.

As far as php formmail being vulnerable, yes it is. Someone hijacked my mail script not too long ago. This was a php version modified from MW’s cgi formmail script, and supposedly was very safe to use. It was supposed to block anyone from outside my domain from running it. Yah, right! So it was bye-bye to any mail scripts for a while. External form services are inconvenient, but might be worth looking into for someone that doesn’t have a host-wide script available. And e-mail links still do the job too, just use a javascript to hide these from harvesters.


Slightly off topic, I wrote a PHP form mail type script tutorial, if anyone would like it it can be found here: you can add extra fields to it if you add more form elements and variables etc. If anyone wants to use it and needs help setting up extra fields you can use a form to email me

[quote]I am relieved to hear that, Michelle. :slight_smile:
Do PHP form processors have the same security weakness?


I’m not familiar with specific form processors, but it’s as Bob said: Probably.

This is more of a “coding style” and “lazy programmer” issue than anything language-specific, though in my experience PHP makes it easier to be a lazy programmer and use poor coding style - though that has improved significantly in more recent versions - and yes, I do most of my coding in PHP these days so don’t just assume I’m a crotchety Perl programmer. :>

Part of it also has to do with the unintended audience for these types of scripts: Spammers are wily individuals with few moral compunctions, and if there’s even a minor/obscure hole in a popular script they’ll probably find it eventually.

The moral of the story for programmers is this: Check your input and be very picky as to what you trust! :>

  • Jeff @ DreamHost
  • DH Discussion Forum Admin