Heeelp!


#1

Hi all,
I’ve been a DH customer for 6 years now, but never used the forum (duh)… anyway, hello all, and I need your help! I’m getting this message from a form on my clients website:

“Bad Referrer - Access Denied
The form attempting to use this script resides at http://www.aliconferences.com/register.htm, which is not allowed to access this program.
If you are attempting to configure FormMail to run with this form, you need to add the following to @referers, explained in detail in the README file.
Add ‘www.aliconferences.com’ to your @referers array.”

Now, this form has worked and I have not changed anything. How do I fix it and anyone know how this could happen?

Thanks!


#2

FormMail got updated, I hope. FormMail has to be the most abused script on the Internet.

Sounds like now it’s making sure you’re coming from the correct website before submitting the form.

One of the issues with the FormMail script is that it’s being abused (extensively) to send out spam. If you can use another form, please do. If your email isn’t hard coded in the script, please do that asap.

When I see somebody running FormMail, I cringe…I hope you have it properly secured…


yerba# rm -rf /etc
yerba#


#3

[quote]Sounds like now it’s making sure you’re coming from the
correct website before submitting the form.

[/quote]

We actually patched our form-mail implementation years ago for this very reason. As far as I know our script has not been abused/exploited in years.

  • Jeff @ DreamHost
  • DH Discussion Forum Admin

#4

You do know that the HTTP_REFERER is easily changeable, right? It’s not a secure way to stop exploitation. :slight_smile:

The only way to properly secure a form-mail script is to force the “To:” address into the script and remove any and all new lines from fields you do not expect new lines (email address, subject … anything but the main body).


yerba# rm -rf /etc
yerba#


#5

So Jeff, How do I fix this problem? According to the error I get

( If you are attempting to configure FormMail to run with this form, you need to add the following to @referers, explained in detail in the README file.
Add ‘www.aliconferences.com’ to your @referers array. )

where do I find this READ ME file, and where do I add the www.aliconferences.com to the @referrers array?!?

Thanks!


#6

Is the domain in question actually being hosted by Dreamhost? A whois lookup says it’s being hosted by SBC/Ameritech ( http://whois.domaintools.com/aliconferences.com ) I’d imagine this is why you’re getting the error, because the script is doing its job and rejecting requests from domains not hosted by DH.

If the hosting was just transferred to DH, it’s probably not going to work until the nameserver change propagates. If your client was supposed to make that change, you might want to check that they actually did it.


#7

No, its not hosted my dreamhost. It is SBC. I just don’t know why all of a sudden the script isn’t working. I’ve got the form being submitted to an e-mail addy on my website, and it’s forwarded to my clients e-mail Up until yesterday, it was working fine!
I just don’t understand how it all works, and I’m confused!
Thanks for the reply.


#8

It was changed to prevent exactly what you were doing:

[quote]
[/quote]
You see, spammers use FormMail.cgi as vessel for sending spam. See, what they do is create a script, on another site, pointing to “formmail.cgi” and they submit THOUSANDS of requests changing “recipient” for each one.

Tada! Virtually untraceable spam bot!

So, unless you have direct access to formmail.cgi don’t expect it to work. :slight_smile:

How to fix it: edit formmail.cgi, look for the variable @referers, and add your domain into that variable. Should look something like:
@referers = (‘mydomain.com’, ‘anotherdomain.com’);

That’s the only way to fix this … (really … uh huh … hmm,. Jeff, your folks really should put in a fool proof fix. :wink: )


yerba# rm -rf /etc
yerba#


#9

teehee … If your script still accepts the “To:” address within a hidden field, I can assure you, it’s still being exploited. :slight_smile:


yerba# rm -rf /etc
yerba#


#10

I recently added a subdomain (about a day ago) that has a formmail forms on it. Unfortunately, I’m still getting this error when I submit a form from it. Also, submitting forms from sites like Facebook and MySpace used to work using the “” line, but now it doesn’t.

I don’t think us mortal users have access to “formmail.cgi”, so how do we go about fixing this error?


#11

My domains are hosted here… still same error, still not FIX for this?

I’ve submitted a ticket and I’ll post any fix here that works…

Also: any other suggestions on “form mail” would be helpful…

Kinda an important feature of any website don’t ya think?


#12

Use NMS formmail. This is the script the DH formmail is based upopn. It is well tested, reasonably secure, and very configurable.

Just install your own copy and use that. :wink:

–rlparker


#13

Hey Jamman. I have the exact same problem! I had a webmaster come in a couple of years ago and never had a problem until this morning!!

Now I get this message: "… Add ‘www.995cards.com’ to your @referers array. My webmaster is long gone so I’m stuck :frowning:

I’ve been searching all day on the web to find the answer but no luck. I read on here:
How to fix it: edit formmail.cgi, look for the variable @referers, and add your domain into that variable. Should look something like:
@referers = (‘mydomain.com’, ‘anotherdomain.com’);

but when I goto HTML mode in FrontPage, I can’t find any @referers, so how can I add it???

So how do I add it to the array?? Is this something a non-webmaster can do??? If so, where in the HTML page do I type in: @referers = (‘mydomain.com’, ‘anotherdomain.com’)??

Since this is happening, we are not getting any orders through our website. Any advice will be appreciated. Thanks!!


#14

The above posts are from a bit over a year ago, so unless your form hasn’t been working for that long… The problem is most likely related to the fact that there seems to be an issue with the form mail script today. A few other people have posted with similar issues today. Put a ticket into support and they should update you when everything is working again.

–Matttail
art.googlies.net - personal website


#15

Hey matt. It’s been working for the last 2 years and then suddently this morning it gives us that weird message! I’m going to contact support about this. Hopefully it will be fix soon cause our website is our only source of income!! thanks for your reply


#16

I am experiencing the same problem. Very annoying, as it is not indicated as a system wide problem on the Emergency Status page.

Will post to support and see what they say. Was hoping to add and test some new forms today, but I guess that won’t happen.

Seems the whole formmail.dreamhost.com server is non-responsive?!?!


#17

Where do you install NMS formmail on a Dreamhost account?

What would the relevant path be that would be used in the HTML Form when calling the script?

What paths for dreamhost need to be modified IN the script so that the paths to perl are correct when the script is run?

Thanks!


#18

hey Jem
did you add @referers = (‘mydomain.com’, ‘anotherdomain.com’) and then you got the same message i did??
I searched on the internet and everybody is saying to do this but nobody is saying how to do this or where to type it into the html. very fustrating!!!


#19

As DreamHost runs CGI scripts as your user (via suexec) you can place the script in any directory you want - just set it, and the directory it is in, to 755 permissions.

that depends on where you put the script! :wink: .

For example:
if you put the script in home/youruser/youdomainname.tld/scripts then the path to call the script would be :
home/youruser/youdomainname.tld/scripts/nameofscript.pl (or cgi, etc.)

the url of the script is likely to be “http://yourdomainname.tld/scripts/nameofscript.pl

I have not looked at the script in a while, but probably only the shebang line (first line of the script). The path to perl on Dreamhost is:

/usr/bin/perl

–rlparker


#20

Jessica,

I suspect the @referers variable one would need to set is on a script file that neither you nor I have access to.

That variable exists in the NMS formmail solution, too.

It seems to me the whole formmail.dreamhost.com domain is DOWN. Since that domain appears to host the shared formmail script on DH I’m betting that is a big part of the problem.

That domain is in part, or totally FUBAR’ed right now. Not sure if there errors we are getting (when we get them) are part of the problem, or just a symptom of some larger problem at DreamHost.

I’ve put a ticket in with Support, but if this is a problem across the board for almost ALL DH customers I’d think they’d put an announcement on the DreamHost Status page!?!?!

Good luck.