FormMail Changes
posted March 12, 2001
updated October 8, 2002
Latest News (Oct 8, 2002)
- Spammers are now scanning for formmail scripts which can be used to
relay e-mail, relying on broken mailer systems to accept the e-mail as
local and send it out. If you have a formmail script hosted under
EXAMPLE.COM, you may see e-mails coming to you addressed to
"something%aol.com@EXAMPLE.COM". These are attempts to send
e-mail to "something@aol.com" through your formmail. However,
our mail delivery system simply delivers these through your local domain.
There is nothing to worry about, as long as you have our updated formmail
script.
Latest News (Aug 2, 2001)
- After a recent spate of Spammers exploiting customer installations of
formmail, we swept through customer sites to find vulnerable installations
and update them with our new code. Due to an error on our part, customized
scripts were inadvertently updated (although in every case a copy was saved).
We apologize to customers who experienced disruption of service as a result,
and we have no plans to make any further modifications except in any case
where we find that a customer script is being actively exploited.
We would like to request that any customer using a customized version of
formmail either work from the fixed copy on our systems at
/usr/www/cgi-bin/formmail.pl, or rename the script so that it is not
easily found by automated scanners. In any case where we find a customer
script being actively exploited to send Spam or initiate any other
unauthorized action from our servers, we will disable that script, or
upgrade it if formmail is involved. This is necessary to protect our
service and customers; however, we will no longer do this proactively.
Important Update (March 28, 2001)
- Spammers are now using scanning programs to search Web
sites for the FormMail script. Although our system copy is now protected,
many of our customers have installed the script in their own site, usually
at /cgi-bin/formmail.pl. There are numerous instances in which those scripts
have been abused in the last week. Consequently, we are proactively
examining customer sites for installations of the unprotected script, in
order to notify customers, as well as to update the script in cases where
abuse may already be taking place. We encourage all customers to update
their sites to use our system copy of FormMail, or to convert to a more
secure script such as cgiemail.
Among the System CGI scripts offered by pair Networks is the FormMail script
from Matt's Script Archive. Accessible on every server and Virtual Domain we host, from as
far back as early 1996, this script has in recent weeks become the target
of abuse by Spammers, who can easily use the script to anonymously send
e-mail, incriminating our service as well as our customers. The script
as it exists offers no adequate protection for this; the referrer
information, for example, is simple to forge.
Consequently, as announced on March 12, we have
updated our FormMail script to prevent this type of abuse.
The difference is that the new
script will only accept destination e-mail addresses that are local to
the server on which the script is run (including Virtual Domains hosted
by that server), or addresses listed in an exception
file hosted in each user's account.
There are two methods supported for using FormMail to deliver to an
external address. You may select an unused
address in a Virtual Domain, such as "external@example.com",
and create a forwarding recipe to deliver that e-mail to the desired
external address.
You may also create an exception file in the home directory of your account,
and list the valid external e-mail addresses in that file. Details on the second
method, which requires that you access FormMail through cgi-sys on a
Virtual Domain, are available here.
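The recipient policy described above, modelled in Python as an added example (the page's script is Perl, and this is not pair's code): the set of local domains, the one-address-per-line exception-file format with "#" comments, and the rejection of "%" source-routing local parts are assumptions for illustration, the last going beyond what the page describes.

```python
"""Model of a FormMail recipient policy: deliver only to addresses local to
this server or listed in the account's exception file (added example)."""
import re

# Constructed sample data: domains hosted on this server and the contents
# of the user's exception file (assumed format: one address per line,
# '#' starts a comment).
LOCAL_DOMAINS = {"example.com", "example.org"}
EXCEPTION_FILE = """
# external addresses this account may deliver to
partner@external-example.net
"""

# Permissive local part (so the '%' check below sees it), strict domain part;
# whitespace and commas are excluded to block multi-recipient and header tricks.
_ADDR_RE = re.compile(r"[^@\s,]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def load_exceptions(text):
    """Parse exception-file text into a set of lowercase addresses."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.add(line.lower())
    return out


def recipient_allowed(addr, local_domains, exceptions):
    """True only if addr is a single well-formed address that is either
    local to this server or explicitly listed in the exception file."""
    addr = addr.strip().lower()
    if not _ADDR_RE.fullmatch(addr):
        return False
    local, domain = addr.rsplit("@", 1)
    # Extra hardening (assumption): refuse "user%other.com@local" style
    # source routing, so a relay attempt cannot hide behind a local domain.
    if "%" in local or "!" in local:
        return False
    return domain in local_domains or addr in exceptions


def filter_recipients(field, local_domains, exceptions):
    """Split a comma-separated recipient field and keep only allowed addresses."""
    return [a.strip() for a in field.split(",")
            if recipient_allowed(a, local_domains, exceptions)]
```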
This change took effect on March 19. On one server, enda.pair.com, we were
forced to deploy the new script on March 16, to thwart active spamming
attempts.
We recommend that all customers
examine their sites immediately for use of FormMail, which is referenced
as FormMail.pl or formmail.pl, and either change the e-mail address used,
or switch to a different system such as cgiemail, which does not allow the
browser to supply the destination e-mail address.
Customers who have their own copies of FormMail installed will need to
address this problem as well. It is already apparent that automated scripts
are being used to search for vulnerable copies of FormMail on Web sites.
If you are using a customized version of FormMail, one quick fix is to
force the setting of the destination e-mail address within the script itself.
After the call to "&parse_form" on or near line 44, add
this line of code:
$CONFIG{'recipient'} = "address\@domain.com";
Note that the backslash before the at-sign is required.
Some versions of FormMail may use $Config instead of $CONFIG; check your
copy to see which is used.
This change is vital to ensure that our service and customers are not
victimized by Spammers. We have been planning this change for several weeks,
but have accelerated it as a result of increased public exposure of this
problem recently, as well as an increasing number of incidents.