HELP! Bad Referrer - Access Denied

I am a web designer that has been using the dreamhost form-mail [] for years with domains I host with dreamhost and customer hosted domains. As long as the recipient field was an email that was a dreamhost email, it worked fine. That is until yesterday! NOW ALL MY MAIL FORMS DON’T WORK–ARRGH [on customer hosted domains]! Specifically, dreamhost now looks to see if the domain where the form lives is hosted by them. I can’t believe they are doing this to me! Now I have dozens of simple mail forms that don’t work on all different domains [like the one at the bottom of these pages: ]

Any suggestions for simple mail form alternatives out there??

web design and graphic design

Actually, Dreamhost made that change several months ago. I guess that you are just now seeing it. There is a very good (IMHO) alternative at

I have used it (on Dreamhost), it has very good features, appears to be secure, etc. Highly Recommended!


create an email alias to forward to the email the forms are currently set up to forward to. then change the form to send to that alias.

Not allowing off-site forms to submit to formmail scripts is standard practice to prevent abuse. The Dreamhost mail script is provided as a convenience for web sites they host. If you need a form for a site hosted elsewhere, you’ll need to set up your own. The NMS-Formmail script mentioned above is a good bet if you need to use this type of script. Something you can hard-code the recipient address in (as opposed to passing it as a form parameter) is better (I don’t know if you can do this with NMS-Formmail or not).

This, of course, has nothing to do with the e-mail address the form is configured to send to.

If you want useful replies, ask smart questions.

i never said anything about allowing off-site forms to access formail scripts hosted on dreamhost. read my reply again.

all i said was that the person should set up a dreamhost alias for his dreamhost formail. since the dreamhost formail doesn’t forward mail to domains outside of dreamhost then he can have it forward mail to a dreamhost alias which will then forward to a non dreamhost email address

did you even read the original post? this entire thread has to do with the email address the form is configured to.

[quote]create an email alias to forward to the email the forms are currently set up to forward to. then change the form to send to that alias.
Which will, or course, work - it just seems somewhat wasteful of resources when a different script would avoid the need for the whole alias/forward step, and also does not address the original poster’s problem :wink:

While your suggested approach might be the “easiest” for some very inexperienced web builders, who have a different problem, I think the original poster can probably handle the process of installing a new script (especially since the NMS-formail is so easy to work with).


Thanks for all your interest. If I’m understanding your replies, you are focusing on the reciepient field email address. The email address I am using is a dreamhost hosted email. There is no alias nessesary. It is the form itself that is residing on a non-dreamhosted site [client hosted] and that is the change. Before it worked, yesterday it stopped with the following message:Bad Referrer - Access Denied

The form attempting to use this script resides at, which is not allowed to access this program.

If you are attempting to configure FormMail to run with this form, you need to add the following to @referers, explained in detail in the README file.

Add ‘’ to your @referers array.

FormMail © 2001-2003 London Perl Mongers

The page this simple form resides on is here:

Thanks for your help!!!

web design and graphic design

Oh the perils of inadvertantly replying to the wrong post in a thread, eh? :wink:

Actually, the NMS script I mentioned has a pretty cool “alias” feature for masking the recipient(s):

excerpt from readme:

%recipient_alias - A hash for predefining a list of recipients in the
script, and then choosing between them using the
recipient form field, while keeping all the email
addresses out of the HTML so that they don’t get
collected by address harvesters and sent junk email.

For example, suppose you have three forms on your
site, and you want each to submit to a different email
address and you want to keep the addresses hidden.
You might set up %recipient_alias like this:

%recipient_alias = (
‘1’ => ‘one@your.domain’,
‘2’ => ‘two@your.domain’,
‘3’ => ‘three@your.domain’,

In the HTML form that should submit to the recipient
’two@your.domain’, you would then set the recipient

The recipients in %recipient_alias are automatically added
to the allowed recipients list, so there’s no need to list
them all in @allow_mail_to as well.

—end excerpt —
I’ve used that functionality, and it seems to work very well.


[quote]i never said anything about allowing off-site forms to access formail scripts hosted on dreamhost. read my reply again.

did you even read the original post? this entire thread has to do with the email address the form is configured to.[/quote]
I know you didn’t, and that’s why I corrected you. It seems you’re the one who should be reading a little more carefully.

Let’s go over the original post again, shall we?

Here, the original poster says that he is using Dreamhost-hosted recipient addresses. He then goes on to talk about where the form itself appears:

And finally, he gives an example:

It takes all of about ten seconds to see this site is not hosted by Dreamhost:

[code]$ host has address

$ host domain name pointer
[/code]And another five seconds to see that the form is submitting data to the Dreamhost-provided formmail script, with a Dreamhost-hosted recipient address:


$ host has address

$ host domain name pointer
[/code]Hope this helps!

Edit: I see the original poster has now corrected this assumption as well.

If you want useful replies, ask smart questions.


Only one of the replying posters missed your point, and your problem. The script I suggested will allow you to define your referrers, which will fix your problem (the dreamhost version requires that the referrer be a Dreamhosted page - the script I suggested lets you decide!).

This is especially useful, as you can restrict the referrer to match the page the form is on (and, please do that, as opposed opening it wider than need be :wink: ) as well as other predefined referrers.

Sorry for the confusion, but please check out the script I mentioned and read the README - it will do what you need, and I think it will solve your problem (it has worked very well for me in situations similar to yours)

edited to provide additional info:
Actually, the dreamhost formmail.cgi is a “tweaked” (by Dreamhost, for their purposes) version of the script I mentioned (which is written by the same group). The “NMS” version is more powerful, but is similar enough in design and operation to the Dreamhost script that you should find it easy to use.


ok, newbie question: so you are saying I can install the script at on one of my dreamhost hosted domains [say in a directory called cgi-bin], configure it to include my customer’s domains as referrers and then point the on all my forms from non-dreamhost domains to it? Am I getting it?

BTW to kchrist who wrote “the original poster says that he is using Dreamhost-hosted” … the original poster is a she :slight_smile:

web design and graphic design

Well, almost correct! Your “” is not correct, but if you straightened that out to correctly point to the location of your script, you would be “absolutely correct”!

Using the example you provided, you want to point the form to “” (assuming you don’t rename the file). The script you are looking for is the first one on the referenced page - formmail. I most recently, just a few weeks ago, tested the “compat” version; finding it did all I needed I did not try the “modules” version (for me, simpler is often better!). In the script archive you will find an excellent README file with instructions, and an EXAMPLES file with several implementation examples.

By the way, on Dreamhost (since they use suexec) it does not even have to be in a “cgi-bin” directory - it can be anywhere as long as you have it set with “755” permissions.

You could even make a subdomain named, and have the formmail script be the only thing there if you wanted (extra hosted domains don’t cost anything extra at dreamhost!). In that case, you could point the forms to “” - just “point” the “action” to the file. :slight_smile:

Ha! I love how gender manages to creep into even forum discussions! :wink: So, is “miztery” a pseudonym for “Olga”, or an nom de guerre/plume for “Sophie”?


thanks rl! I added and will put the script there. I’ll let you know how all this ends…

…as for me, I’ll remain a miztery.

web design and graphic design

Your welcome, and I think you will like the result :slight_smile: .

BTW, Don’t forget to put a “dummy” index.html (or meta-refresh redirect to your “real” site, or some .htaccess re-write rules,or something) in the root web directory of along with the script so you don’t end up displaying a “raw” directory listing exposing your perl file to the world! Of course, we’d all like to hear how it all works out…

…and it’s cool to remain a miztery! :wink:


so just to get back to you, rl [better late than never?]. It works like a charm–thanks for your help. We set up our own formmail subdomain. I like that spammers can no longer use the page with the webform on it to pull email addresses. Your last tip was helpful, too. Of course it was just “raw”!

One additional thing I discovered on my own if someone has the same problem…if you add the domains to your webpanel as if you are hosting them with dreamhost [even if you are not], their old formmail will work. Not as good as rl’s fix, but way easier [more like a band aid!]

web design and graphic design