
Re: [cobalt-users] CGI email



Chris Mason wrote:
> The present version of formmail doesn't provide an open relay. You
> have to specify the hosts you are allowing relay for.

then shimi wrote:
>the bug was that if the referrer parm comes empty (easy thing to do) -
>it'll let the mail go

That's NOT the problem with formmail! True, an empty referrer goes
through but you can solve that by changing the 1 to a 0 on line 65. BUT
that is NOT what makes formmail vulnerable. A spammer using
LWP::UserAgent can send a fake referrer to formmail, including one that
is in the list of approved hosts. That allows the spammer to send his
own list of recipient addresses because his request appears to come from
an approved host.

If I was a professional spammer you know what I would do? I'd create an
emailer script that checks for referrers and claims it is spammer proof
because I've closed that "no referrer" problem you've referred to. 
Those who don't know that THAT is not the problem would be fooled into
installing an easily hacked script for me. Oh yeah, and then I'd be sure
to offer my free script from a domain in a country where I could not be
prosecuted, such as to, ru, tj, or whatever. 

Check any emailer script you're using, if it is checking for
$ENV{'HTTP_REFERER'}, you probably got it from a spammer who's using
your machine. This is not something new, LWP::UserAgent has been around
for years, it's on your machine, it's part of the Perl standard Lib
distribution. 

> so unless you hard-code the *recipient* address IN THE SCRIPT (in the
> version I saw, again!) - the script is indeed open-relay.

Correct. Hard coding the recipients into formmail takes only a few
minutes:

On line 33 of the worldwidemart.com distribution create an array holding
the approved email recipient addresses like so:
@recipients = qw(abc@xxxxxxx xyz@xxxxxxx someone@xxxxxxxxxxxxx);
(note the single spaces separating the addresses)

Then on line 51 add the test:
# Accept only an exact match against the approved list; a regex or
# substring test would also accept partial or wildcard values.
unless (grep { $_ eq $Config{'recipient'} } @recipients) { &error('bad_recipient') }

Then go to line 565 and line 196 and change:
 'no_recipient'
to read
 'bad_recipient'

Then edit the html between lines 571 and 582 to reflect that an
unapproved recipient address was submitted. 

That's it, formmail is spamproof.

keith
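As an added illustration (not code from the original post or from formmail itself) of why the recipient test has to be an exact comparison, the following standalone Perl script runs a few submitted recipient values through two checks: a weak one that interpolates the submitted value as a regex against the joined list, and a strict one that requires the value to equal one list entry. The addresses in @recipients and the test values are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example, not part of the original post or of formmail: compares a
# substring/regex recipient test with an exact allow-list test.
use strict;
use warnings;

# Constructed allow-list; these addresses are placeholders.
my @recipients = qw(abc@example.com xyz@example.com);

# Weak check: the submitted value becomes a regex that only has to match
# somewhere inside the joined list, so partial and wildcard values pass.
sub weak_check {
    my ($wanted) = @_;
    return ("@recipients" =~ /$wanted/) ? 1 : 0;
}

# Strict check: the submitted value must equal one approved entry exactly.
sub strict_check {
    my ($wanted) = @_;
    return (grep { $_ eq $wanted } @recipients) ? 1 : 0;
}

# Constructed inputs: one approved address, one partial address, one regex
# metacharacter, and one address that is not on the list.
my @cases = (
    'abc@example.com',
    'abc',
    '.',
    'evil@example.net',
);

for my $r (@cases) {
    printf "%-18s weak=%d strict=%d\n", $r, weak_check($r), strict_check($r);
}
```

Running it shows the weak check accepting 'abc' and '.' while the strict check accepts only the full approved address; the strict form is the one to use in a mailer script.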