Formmail v1.9

**NexDog** · 04-21-2002, 08:58 PM

Well it looks like formmail 1.9 was not good enough after all. Another security upgrade has just been announced and everyone is required to upgrade to 1.92 immediately.

We were contacted by a client that was having his 1.9 used for spam and that alerted us to the issue. Sorry for the inconvienience but this is for everyone's benefit. Please get v1.92 here:

http://www.worldwidemart.com/scripts/formmail.shtml

An explanation on the vulnerabilities can be found here:

http://www.monkeys.com/anti-spam/formmail-advisory.pdf

We'll give you all a few days to complete this request. At the end of the week we'll patrol the server again and remove all 1.9s we find and email the owners. Thanks for your cooperation.

Nelix · 04-21-2002, 09:06 PM

Gee Nexdog u sure are on the ball

thanks for the heads up

pshows · 04-21-2002, 09:30 PM

Is formail.php v1.4b secure?
I got it here
http://lumbroso.com/scripts/formmail_doc.php

If it isnt I can get the new formail.cgi 1.92 and start using it instead.

Regards,
Paul S.

**NexDog** · 04-21-2002, 10:03 PM

Well the fact that it says the "referrers" array is optional is not a good sign. I would have to say Matt's scripts are better because updates are frequent and they have their process nailed down. Someone cracks it, they update it. It's a constant battle........

NWDude · 04-22-2002, 01:27 AM

I was looking at my logs from a customers host and noticed two different spiders crawling through my directories looking for the formmail script specifically by file name.

I was wondering if a simple solution or extra precaution might be to rename the formmail script to something like formsend.cgi?

I don't understand spider logic much, so I wanted some other opinions.

Is this a good idea? Will it work?

**NexDog** · 04-22-2002, 02:39 AM

This is an excellent idea. Don't even have "form" in the file name. It doesn't matter to the script's effectiveness.

This is exactly how they find you. Please post your finding in the Open Discussion forum too.

GreyDog · 04-22-2002, 09:02 PM

May I safely assume that if I havent uploaded any type of formmail, nor use it, then none of this pertains to me?

mobstory · 04-22-2002, 09:38 PM

Greydog-
You need not worry about the scripts, but you may suffer the consequences of others who don't fix it. One of my domains has been used to forge fake email addresses for spam. I found out because they were sending it to aol addresses and I got one in my "catch all" that was "undeliverable". I've had several come back now all from the same domain. I did put one of the buggers out of business *temporarily* who was using kwikmed. He'll lose all accrued commissions and his/her account.

Miracles can happen when you set up a legal@yourdomain.com email addy and cc it when you contact programs on behalf of their spammers!

Nelix · 04-22-2002, 10:47 PM

legal@mydomain.com - shall haveto add that, i can see how this would be more intimidating than admin@mydomain.com

thanks for the tip mobstory

mobstory · 04-22-2002, 11:06 PM

I came up with that when I was being eaten alive with hotlinkers. I even had, at one time, an autoresponder set up to list warnings and address issues in case someone actually sent something to it. It seems most effective if used as a cc rather than an email from it.

Glad to help! I hate spammers and the programs that allow it to continue

Debbie