FormMail Can Send Spam, but You Can Prevent That

If you have a Web server, you should secure your FormMail script against spam exploits.

If you have a Web server, chances are you have Matt Wright's FormMail, too. This Perl script sits in the /cgi-bin directory and acts as an email gateway. Usually, FormMail is used together with HTML forms: when a user selects the Submit button of a form, FormMail sends the data from the form to a specified email address. For example, the comment typed into a feedback form is sent to the webmaster's mailbox by FormMail.

FormMail's Security Problems

FormMail is a simple and not very secure script. Since it is used to send mail, it can also be exploited to send spam. A number of such attempts have been made, and they have prompted several attempts to make FormMail more secure. A limited amount of security has been implemented by making FormMail check the HTTP_REFERER field, so that the script accepts requests to send mail only from certain domains that can be specified. This check can be circumvented relatively easily, however, by faking exactly that referrer field, which is supplied by the client. At the core of the problem lies the fact that FormMail takes the email addresses it sends to from an HTTP variable. Spammers can thus easily use FormMail to distribute their messages. They can even do so anonymously, since their IP address will not show up in the email messages. It will, of course, be recorded in the exploited Web server's log, so it is still possible to track down the spammer, but the process becomes more complicated.

Fixing FormMail's Security

If FormMail no longer takes the recipient's address from an HTTP variable, the spamming can be stopped. The best way to make FormMail more secure seems to be to hard-code the recipient's email address in the script (and to use more than one copy of the script if several recipients are needed). Alternatively, FormMail could still take the recipient's address from the HTTP variable, but then check that address against a specified list of allowed recipients.
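The allowlist fix described above, as an added Perl example that is not Matt Wright's FormMail code: the value of the form's recipient field is treated as untrusted input and every address in it must match a fixed list before any mail is sent. The addresses and the function name are assumed for illustration; hard-coding a single recipient is the same check with a one-entry list and the form value ignored.

```perl
#!/usr/bin/perl
# Added example (not FormMail's own code): only deliver to recipients that
# are on a fixed allowlist, regardless of what the HTTP request names.
use strict;
use warnings;

# The complete set of addresses a form on this server may send to.
# Placeholder addresses; replace with the real ones for your site.
my %ALLOWED = map { $_ => 1 } (
    'webmaster@example.com',
    'sales@example.com',
);

# Given the raw 'recipient' form value, return the list of addresses to
# deliver to, or an empty list if the request must be rejected. The value
# may hold several comma-separated addresses with stray whitespace or
# mixed case, so each one is normalised before it is looked up.
sub allowed_recipients {
    my ($form_value) = @_;
    return () unless defined $form_value && length $form_value;

    my @out;
    for my $addr (split /,/, $form_value) {
        $addr =~ s/^\s+|\s+$//g;          # trim surrounding whitespace
        $addr = lc $addr;                  # addresses are compared case-insensitively
        # Reject the whole request on the first unknown address; never
        # silently drop the bad ones and mail the rest.
        return () unless $ALLOWED{$addr};
        push @out, $addr;
    }
    return @out;
}

# Constructed form values, as a legitimate visitor and an abuser might
# submit them in the 'recipient' field.
my @requests = (
    'webmaster@example.com',
    'Webmaster@Example.com , sales@example.com',
    'victim1@example.net,victim2@example.net',   # not on the allowlist
    'sales@example.com,victim@example.net',      # one good, one bad: reject
    '',
);

for my $req (@requests) {
    my @to = allowed_recipients($req);
    printf "%-45s -> %s\n", "'$req'",
        @to ? 'deliver to ' . join(', ', @to) : 'REJECTED, no mail sent';
}
```

Logging the rejected request together with the client's IP address gives you the audit trail the article notes is otherwise only in the Web server's log.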