formMail spam?


#1

Has anyone had any problems with the DH formMail script allowing spam submissions? Wondering if there’s a security hole in the formMail script - we’re noticing a lot of form submissions that look like spam.


#2

You know what? They are just more spammers that will fill out forms because they know you have the form up for a reason. Heck, there doesn’t have to even be more spammers, just more bots that can find forms or fill out forms automatically. Who needs vulnerability exploits?

:cool: [color=#6600CC]Atropos[/color] | openvein.org


#3

Gosh Atropos7, that’s helpful!

Since the formmail script is set up & maintained by DH (at http://formmail.dreamhost.com/), and they recommend using it, I’d assume that they’d make sure it is as secure as possible. Isn’t that the point of them having one form handler script? Otherwise I’d just use my own.

Has anyone else had spam submission problems with the DH formmail script?


#4

Bronwen,

I’m afraid you may have misunderstood what Atropos7 was trying to say. The main point of his post, as I understand it, is that form security is not the problem - the level of spammish activity is such that even a properly secured script that is not being exploited will still collect spam :frowning: .

Using your own will not solve that problem and, unless you are a very proficient and experienced programmer, you are not likely to produce a script as secure as the one that originated with perlmongers and was modified further by DH (which is the pedigree of the DH formmail.cgi) :wink:

–rlparker


#5

There are a few ways of fixing form spam, none of which are probably available with a standard program. I use three different means of limiting form submissions in my own programming:

  1. There’s usually only one or few local pages that can actually hit a form processing page, so using PHP one can check the $_SERVER['HTTP_REFERER'] when processing to make sure the $_POST variables aren’t coming from a non-local site.
  2. By keeping the local browser capabilities file up-to-date and using the PHP “get_browser();” function, one can identify all sorts of nasty client agents and feed them a special “YOU’RE BANNED!!” page once they’ve been detected.
  3. Using spam blacklists to forbid access, also programmable via PHP, but a bit more involved.

As with anything on the Internet, even the best defenses will occasionally/eventually be breached, but with a few little hacks of my own I can at least make 'em work for it a bit (…and possibly thus make it unworthwhile for 'em).
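An added example, not code from this thread, from netdcon, or from the DH formmail script, showing the three gates described above as a PHP front-end to a form handler. The allowed-page list, the blocklist zone and the fallback user-agent patterns are assumptions for illustration. `get_browser()` only returns data when a `browscap.ini` is configured in `php.ini`, so the agent check falls back to a pattern list when it returns `false`. It goes slightly beyond the post in one respect: the referer is normalised (scheme, host, path) before comparison rather than matched as a raw string.

```php
<?php
// Added example (not the DH formmail script): three gates in front of a form
// handler, modelled on the checks netdcon describes. ALLOWED_REFERERS and
// DNSBL_ZONES are assumptions for this example.

// Our own pages that legitimately post to this handler (constructed sample URLs).
const ALLOWED_REFERERS = [
    'https://www.example.com/contact.html',
    'https://www.example.com/contact.php',
];

// DNS blocklist zones queried for the submitting IP. The reversed-octets-plus-zone
// lookup is the usual DNSBL convention; the zone choice is an assumption.
const DNSBL_ZONES = ['zen.spamhaus.org'];

// 1. Referer check: accept only posts that arrive from one of our own pages.
//    The header is client-supplied, so this raises the cost for lazy bots; it
//    does not prove origin.
function referer_allowed(array $server, array $allowed): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return false;                       // many bots send no Referer at all
    }
    $p = parse_url($server['HTTP_REFERER']);
    if ($p === false || empty($p['host'])) {
        return false;                       // malformed or relative URL
    }
    // Compare scheme + host + path only; ignore query string and fragment.
    $norm = ($p['scheme'] ?? 'http') . '://' . strtolower($p['host']) . ($p['path'] ?? '/');
    return in_array($norm, $allowed, true);
}

// 2. User-agent check via get_browser(); browscap marks known bots with the
//    'crawler' flag. Without browscap.ini the call returns false, so fall back
//    to a short pattern list (assumed sample patterns of scripted clients).
function agent_banned(string $ua): bool
{
    $info = @get_browser($ua, true);
    if (is_array($info) && !empty($info['crawler'])) {
        return true;
    }
    if ($ua === '') {
        return true;                        // real browsers always send one
    }
    return (bool) preg_match('/\b(curl|wget|libwww-perl|python-requests)\b/i', $ua);
}

// 3. DNSBL check: a listed IPv4 address yields an A record for
//    <reversed octets>.<zone>; an NXDOMAIN means "not listed".
function ip_blacklisted(string $ip, array $zones): bool
{
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return false;                       // only IPv4 handled in this example
    }
    $rev = implode('.', array_reverse(explode('.', $ip)));
    foreach ($zones as $zone) {
        if (checkdnsrr("$rev.$zone.", 'A')) {
            return true;
        }
    }
    return false;
}

// Combine the three gates; any failure rejects the submission.
function submission_allowed(array $server): bool
{
    if (!referer_allowed($server, ALLOWED_REFERERS)) {
        return false;
    }
    if (agent_banned($server['HTTP_USER_AGENT'] ?? '')) {
        return false;
    }
    if (ip_blacklisted($server['REMOTE_ADDR'] ?? '', DNSBL_ZONES)) {
        return false;
    }
    return true;
}

// Usage at the top of the form handler, before touching $_POST.
if (!submission_allowed($_SERVER)) {
    http_response_code(403);
    exit('Submission rejected.');
}
// ...validate $_POST and send the mail...
```

Two practical notes: the Referer and User-Agent headers are both set by the client, so these gates filter scripted submissions rather than authenticate them, and some privacy-conscious browsers strip the Referer, so a rejected page should explain why. The DNSBL lookup costs a DNS round trip per submission; cache the verdict per IP for a few minutes on a busy form.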


#6

Good points all, netdcon! Thanks for posting that. :slight_smile:

–rlparker


#7

Thanks netdcon! Very good suggestions.

Usually I use php mailer (http://phpmailer.sourceforge.net/), with a few tweaks, which seems pretty secure.

For sites on DH servers I started using the DH formmail, because I’d assumed it would be more secure.


#8

Your idea of secure is not the same as everyone else’s.

The DH formmail script is secure because it does not have flaws or vulnerabilities in it that allow it to be exploited. And by exploited we mean used in a way it was not designed, such as allowing unauthorized access to a computer system.

The script is designed to allow people to submit data and have it emailed to you. Just because you don’t like the data doesn’t make the script less secure. It just means you have a script that is lacking features you would like.

An analogy is a car thief and the passenger that asks “are we there yet” every minute. You invited the passenger - that is not a breach of security - but if you find him annoying, you need to do something to make him stop!

:cool: [color=#6600CC]Atropos[/color] | openvein.org


#9

That was a reasonable assumption, and to my view it is correct.

To follow up on Atropos7’s response, “security” is a different concept than “features”. A formmail script with many user-friendly “features”, such as some defenses against “spamish” emails being sent through it, can still have security flaws that could allow it to be co-opted or exploited to generate spam.

The DH formmail program is “secure”, but makes only limited attempts to “filter” what a user sends to you.

While a spammer sending mail to you via your form is an aggravation, it is an entirely different matter than having an insecure script exploited and used to send hundreds/thousands of spam emails via your form across the internet. :wink:

–rlparker


#10

I have had the same problem as the original poster for several months, leading to many hundreds of spam e-mails sent to me through my web form (which uses the DH formmail script). It was at the point that I, too, worried about a vulnerability and worried that my site was being used to send out spam, so I contacted DH support and asked them to look into it. They confirmed that the script was not compromised. I think that the initial worry makes sense because it’s hard to imagine why a spammer wants to bombard me with hundreds of repetitive spam e-mails, but I guess that is the case.

Now, however, I received yet another suspicious e-mail through my mail form which seems like someone is at least attempting to hack it. It is as follows (with a redaction of personally identifiable data):

Delivered-To: MYEMAILADDY@gmail.com
Received: by 10.78.131.17 with SMTP id e17cs257269hud;
Thu, 1 Mar 2007 16:38:43 -0800 (PST)
Received: by 10.65.222.11 with SMTP id z11mr4227985qbq.1172795922117;
Thu, 01 Mar 2007 16:38:42 -0800 (PST)
Return-Path: cool_dudette_99@yahoo.com
Received: from randymail-mx1.g.dreamhost.com (sd-green-bigip-83.dreamhost.com [208.97.132.83])
by mx.google.com with ESMTP id 38si11343651nzk.2007.03.01.16.38.41;
Thu, 01 Mar 2007 16:38:42 -0800 (PST)
Received-SPF: neutral (google.com: 208.97.132.83 is neither permitted nor denied by domain of cool_dudette_99@yahoo.com)
Received: from dsl-189-145-51-233.prod-infinitum.com.mx (unknown [189.145.51.233])
by randymail-mx1.g.dreamhost.com (Postfix) with ESMTP id 537C634C7F
for email@MYDHDOMAIN.com; Thu, 1 Mar 2007 16:38:41 -0800 (PST)
Received: from 192.168.0.%RND_DIGIT (203-219-%DIGSTAT2-%STATDIG.%RND_FROM_DOMAIN [203.219.%DIGSTAT2.%STATDIG]) by mail%SINGSTAT.%RND_FROM_DOMAIN (envelope-from %FROM_EMAIL) (8.13.6/8.13.6) with SMTP id %STATWORD for <%TO_EMAIL>; %CURRENT_DATE_TIME
Message-Id: <%RND_DIGIT[10].%STATWORD@mail%SINGSTAT.%RND_FROM_DOMAIN>
From: "%FROM_NAME" %FROM_EMAIL@randymail-mx1.g.dreamhost.com
Date: Thu, 1 Mar 2007 16:38:41 -0800 (PST)
To: undisclosed-recipients:;

%TO_CC_DEFAULT_HANDLER
Subject: %SUBJECT
Sender: "%FROM_NAME" <%FROM_EMAIL>
Mime-Version: 1.0
Content-Type: text/html
Date: %CURRENT_DATE_TIME

%MESSAGE_BODY

Anyone find this to be of major concern, or is it just more of the same?
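The `%FROM_EMAIL`, `%SUBJECT`, `%RND_DIGIT[10]` and similar strings in the quoted message are template variables of a mass-mailing kit that were never substituted, so whatever submitted the form pasted its raw template into the fields. An added example, not code from this thread or from the DH script, showing how a form handler can screen submissions for that pattern before anything reaches a mailer. The field names and the sample submission are constructed for illustration and modelled on the quoted headers; the token names come from the message above. It also applies one general hardening the thread does not spell out: any single-line field that is copied into a mail header is rejected if it contains a line break, because that is how extra headers get smuggled into the outgoing mail.

```php
<?php
// Added example (not from the thread or the DH formmail script): screen posted
// fields before they are handed to the mailer. HEADER_FIELDS is an assumed form
// layout; the sample submission below is constructed from the quoted message.

// Single-line fields that end up in outgoing mail headers.
const HEADER_FIELDS = ['name', 'email', 'subject'];

// Unexpanded template variables of the form %NAME or %NAME[10], e.g.
// %RND_DIGIT, %FROM_EMAIL, %MESSAGE_BODY, %RND_DIGIT[10].
const TEMPLATE_TOKEN = '/%[A-Z][A-Z0-9_]+(?:\[\d+\])?/';

// Matches lines that look like RFC 822 header fields ("Mime-Version: 1.0").
const HEADER_LINE = '/^[A-Za-z-]+:\s/m';

// Returns the list of reasons a submission looks hostile; an empty list passes.
function screen_submission(array $post): array
{
    $reasons = [];
    foreach ($post as $field => $value) {
        if (!is_string($value)) {
            continue;
        }
        // A spam kit's template leaked into a field.
        if (preg_match(TEMPLATE_TOKEN, $value, $m)) {
            $reasons[] = "$field: unexpanded template token {$m[0]}";
        }
        // A header field must be exactly one line; CR or LF would start a new header.
        if (in_array($field, HEADER_FIELDS, true) && preg_match('/[\r\n]/', $value)) {
            $reasons[] = "$field: line break in a header field";
        }
        // A message body made largely of header lines is a pasted template, not a note.
        if ($field === 'message' && preg_match_all(HEADER_LINE, $value) >= 3) {
            $reasons[] = "$field: contains mail header lines";
        }
    }
    return $reasons;
}

// Constructed sample submission modelled on the quoted message.
$sample = [
    'name'    => '%FROM_NAME',
    'email'   => "%FROM_EMAIL\n%TO_CC_DEFAULT_HANDLER",
    'subject' => '%SUBJECT',
    'message' => "Mime-Version: 1.0\nContent-Type: text/html\nDate: %CURRENT_DATE_TIME\n\n%MESSAGE_BODY",
];

$problems = screen_submission($sample);
if ($problems) {
    // Record the reasons and drop the submission; never forward it to the mailer.
    error_log('formmail: rejected submission: ' . implode('; ', $problems));
    http_response_code(400);
    exit('Submission rejected.');
}
// ...otherwise build and send the mail from the screened fields...
```

Run against the sample, `screen_submission()` reports every field: a template token in all four, a line break in `email`, and three header lines in `message`. The token check answers the thread's question for this kind of message: it is template residue from a bot that never expanded its variables, which is noise rather than a working exploit, while the line-break check is the one that matters if a handler ever inserts a field into a header unescaped.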