REQ: Secure form mail that works with ANY domain...

MIDIman (Diamond Member, Jan 14, 2000)
Curious - I'm currently using Matt's FormMail Script for a form that sends out an e-mail to a given recipient with the user's e-mail and name, i.e. the user inputs their name, their e-mail address, and the recipient's e-mail address, and clicks e-mail. The problem however, is that I can't require the domain to be any specific domains, because the recipient needs to be from just about any domain. However, from what I understand, Matt's FormMail is so overly used that in order to keep it secure, you have to limit its recipients to only specific domains.

What would be an alternative to this, but still keeping security? Could I just rename the script and open up the recipients to ANY, or is that still a security risk, with people using this script for spam, mass mailing, etc.?

Mitzi (Diamond Member, Aug 22, 2001)
NMS FormMail is a total rewrite of Matt's script; even Matt himself suggests you use the NMS version as it increases security.

Quoting Matt:

I would highly recommend downloading the nms versions if you wish to learn CGI programming. The code you find at Matt's Script Archive is not representative of how even I would code these days.

As to your question, I would've thought that allowing mail from any domain to any recipient is a disaster waiting to happen.

DaveSimmons (Elite Member, Aug 12, 2001)
> As to your question I would've thought that allowing mail from any domain to any recipient is a disaster waiting to happen.

Exactly, you're just asking for spammers to use your form as an open relay. Once you've been a spammer-by-proxy a time or two, expect your IP to end up on some email blacklists.

MIDIman (Diamond Member, Jan 14, 2000)
Thanks again for the link...BUT

How then do big website companies have send-to scripts? i.e. you'll see sites all the time where you find a webpage and they include a "send this to a friend" link, where you put in the e-mail address of the sender and the e-mail address of the recipient... these scripts HAVE to allow for any domain. How do they do it securely?

The NMS script still requires a list of recipients...I need this script to allow for ANY domain.




DaveSimmons (Elite Member, Aug 12, 2001)
Example link?

Right-click on that page to view source and see if it's just doing a "Mailto:" to trigger the user's own email program to send the message.

If it's using a script / sendmail rather than a mailto: link, the CGI script is either only semi-secure (hackable) or set to only accept the from/to email addresses and generate the email message body through script code, something like:
- look at referer header field, if it's a location on this website then
- generate a message body using the referer header field to build the visit-this-page link

A spammer could hack a script like that but it would be useless to them (except to harm your reputation) since they can only spam people with links to your site.
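One way to implement the constrained "send this page to a friend" handler Dave describes, as an added example in Python that is not code from the thread or from any of the scripts named in it. The script accepts only two addresses and the page to share, builds the whole message from a fixed template, and refuses any page that is not on this site, so a spammer who calls it directly can only send links to your own pages. The check is done on the page URL the client submits rather than on the Referer header (both are client-supplied, so the point is never to trust either as free text). SITE_HOST, the function names and the sample addresses are assumptions.

```python
# Added example, not from the thread: a "send this page to a friend" handler.
# The caller supplies only two addresses and the page to share; the script
# builds the whole message, so a spammer who calls it directly can only send
# links to this site. SITE_HOST and the function names are assumptions.
from email.utils import parseaddr
from urllib.parse import urlparse

SITE_HOST = "www.example.com"   # assumed: the host this form lives on


def valid_address(addr):
    """Coarse syntax check for one bare address with no header-breaking characters.

    This checks shape, not deliverability; its job is to keep anything that is
    not a single addr-spec (display names, lists, CR/LF) out of the headers.
    """
    if not addr or len(addr) > 254 or "\r" in addr or "\n" in addr or " " in addr:
        return False
    name, spec = parseaddr(addr)
    if name or spec != addr:          # display name, angle brackets or a second address
        return False
    local, at, domain = spec.rpartition("@")
    return bool(local) and at == "@" and "." in domain


def page_on_this_site(url):
    """True only if the URL to share really points at SITE_HOST.

    urlparse yields the real host, so "www.example.com.evil.example" and
    "www.example.com@evil.example" both fail; a substring test would pass them.
    """
    if not url or "\r" in url or "\n" in url:
        return False
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.hostname == SITE_HOST


def build_message(sender, recipient, page_url):
    """Return (envelope_from, envelope_to, message_text), or None if the request is refused.

    Nothing the client sent is used as free text: subject and body are a fixed
    template, the envelope sender is the site's own address, and the visitor's
    address only appears in Reply-To.
    """
    if not (valid_address(sender) and valid_address(recipient)
            and page_on_this_site(page_url)):
        return None
    envelope_from = "noreply@" + SITE_HOST
    message = (
        f"From: {envelope_from}\r\n"
        f"Reply-To: {sender}\r\n"
        f"To: {recipient}\r\n"
        f"Subject: {sender} thought you might like a page on {SITE_HOST}\r\n"
        "\r\n"
        f"{sender} asked us to send you this link:\r\n"
        f"{page_url}\r\n"
    )
    return envelope_from, recipient, message


if __name__ == "__main__":
    # Constructed sample requests: one genuine, three as a spammer would send them.
    for args in [
        ("alice@example.org", "bob@example.net", "https://www.example.com/articles/42"),
        ("alice@example.org", "bob@example.net", "http://www.spamisok.example/herbal"),
        ("alice@example.org", "bob@example.net", "https://www.example.com.evil.example/"),
        ("alice@example.org\r\nBcc: victim@example.net", "bob@example.net", "https://www.example.com/"),
    ]:
        print(args[2], "->", "sent" if build_message(*args) else "refused")
```

The returned triple is what you would hand to the local MTA (envelope sender, envelope recipient, message text); the handler never returns a message it did not compose itself.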
 

MIDIman (Diamond Member, Jan 14, 2000)
Looking at a few sites - some appear to use UltimateTAF (tell-a-friend), a PHP script that could be used as a simple e-mailer I suppose. It appears to be PHP with SQL. Anyone have any extra information about it? For example, it's used on ninjai.com.

TAF website

Documentation

...then again, it's $250! I really shouldn't have to spend any money on this...

notfred (Lifer, Feb 12, 2001)
This is really easy:

#!/usr/bin/perl

use strict;
use warnings;
use CGI qw(:standard);
use CGI::Carp qw(fatalsToBrowser);
use Net::SMTP;

print header;

# Every field comes straight from the request.
my $to      = param("to");
my $from    = param("from");
my $subject = param("subject");
my $message = param("message");

if ($to && $from && $subject && $message) {
    send_email($to, $from, $subject, $message);
    print "Thanks, your message has been sent!";
}
else {
    print "You need to fill out the whole form";
}

sub send_email {
    my ($to, $from, $subject, $message) = @_;

    # Header values must not contain line breaks, or a caller could
    # inject extra headers (for example Bcc:) into the message.
    for ($to, $from, $subject) {
        die "line break in header field" if /[\r\n]/;
    }

    # Hand the message to the local MTA over SMTP.
    my $smtp = Net::SMTP->new('localhost')
        or die "cannot connect to the local SMTP server";
    $smtp->mail($from);
    $smtp->to($to);
    $smtp->data();

    $smtp->datasend("To: $to\n");
    $smtp->datasend("From: $from\n");
    $smtp->datasend("Subject: $subject\n");
    $smtp->datasend("\n");

    $smtp->datasend($message);
    $smtp->dataend();
    $smtp->quit;
}


Edit: I guess I should say how to use it:

Create an HTML page with a form on it. That form should have the file containing the above script set as its action. The form should have fields named "to", "from", "subject", and "message".

DaveSimmons (Elite Member, Aug 12, 2001)
^^ the problem with code like this is the script can be called directly from an external spamserver with

my $to = param("to") = some victim
my $from = param("from") = this website
my $subject = param("subject") = "viagra is teh niftyness!"
my $message = param("message") = "Please visit www.SpamIsOK.com for your herbal viagra! or call 1-555-555-SPAM!"

it's easy to figure out the right parameters to have spam relayed just by doing a view source on the HTML page that calls your script. That's the problem with the old FormMail script.

notfred (Lifer, Feb 12, 2001)
Originally posted by: DaveSimmons
^^ the problem with code like this is the script can be called directly from an external spamserver with

my $to = param("to") = some victim
my $from = param("from") = this website
my $subject = param("subject") = "viagra is teh niftyness!"
my $message = param("message") = "Please visit www.SpamIsOK.com for your herbal viagra! or call 1-555-555-SPAM!"

it's easy to figure out the right parameters to have spam relayed just by doing a view source on the HTML page that calls your script. That's the problem with the old FormMail script.

Yes, that's true, which is why MIDIman is having such a hard time finding a script that will do it. There's not really a way to prevent someone from using it like that.

MIDIman (Diamond Member, Jan 14, 2000)
Yes, that's true, which is why MIDIman is having such a hard time finding a script that will do it. There's not really a way to prevent someone from using it like that.

That's what I need to hear - are you saying it's simply not possible?

Mitzi (Diamond Member, Aug 22, 2001)
Originally posted by: MIDIman
Yes, that's true, which is why MIDIman is having such a hard time finding a script that will do it. There's not really a way to prevent someone from using it like that.

That's what I need to hear - are you saying its simply not possible?

I wouldn't say it's not possible. I'd say that without extremely careful consideration and lots of technical expertise you could/would turn your web server into an open relay which, given time, spammers would compromise.
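An added example, not code from the thread, that puts Dave's point (a handler that takes every field from the request accepts a direct POST from a spam server just like a real submission) next to the kind of "careful consideration" Mitzi means. The hardened handler goes beyond what the thread spells out: it only accepts submissions carrying an HMAC-signed, expiring token that was issued when the form page was rendered and is bound to the client address, it refuses line breaks in header fields, and it rate-limits each client address. The key, limits, function names and sample requests are assumptions. None of this makes an open-to-any-domain form abuse-proof; a spammer can still fetch the form first and submit within the limits, which is why the rate limit and the token's expiry are the parts that matter.

```python
# Added example, not from the thread: the direct-call problem and a handler
# that raises the cost of abuse. Names, limits and sample requests are assumed.
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

SECRET = secrets.token_bytes(32)   # assumed: per-server key, never sent to the browser
TOKEN_TTL = 600                    # seconds a rendered form stays submittable
MAX_PER_HOUR = 5                   # messages one client address may send per hour
_recent = defaultdict(list)        # client_ip -> send timestamps (in-memory for the example)


def naive_handle(params):
    """The pattern from the thread: every field comes from the request and goes into the mail.

    Anyone who has seen the form's field names can POST these directly; the
    script cannot tell that request from a real submission.
    """
    if not all(params.get(k) for k in ("to", "from", "subject", "message")):
        return None
    return {"envelope_to": params["to"], "from": params["from"],
            "subject": params["subject"], "body": params["message"]}


def issue_token(client_ip, now):
    """Token to embed in the form when it is rendered: HMAC over (client, time)."""
    ts = int(now)
    sig = hmac.new(SECRET, f"{client_ip}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def token_ok(token, client_ip, now):
    """Valid only for the client it was issued to and only within TOKEN_TTL."""
    try:
        ts_text, sig = token.split(".", 1)
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return False
    if not 0 <= now - ts <= TOKEN_TTL:
        return False
    expected = hmac.new(SECRET, f"{client_ip}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def header_clean(value, limit=200):
    """A header value may not be empty, over-long, or carry a line break (header injection)."""
    return bool(value) and len(value) <= limit and "\r" not in value and "\n" not in value


def over_limit(client_ip, now):
    """Sliding one-hour window per client; records the send only if it is allowed."""
    window = [t for t in _recent[client_ip] if now - t < 3600]
    if len(window) < MAX_PER_HOUR:
        window.append(now)
    _recent[client_ip] = window
    return len(window) >= MAX_PER_HOUR and window[-1] != now


def hardened_handle(params, client_ip, now):
    """Return (accepted, detail): detail is the mail dict or the reason for refusal."""
    if not token_ok(params.get("token", ""), client_ip, now):
        return False, "no valid form token: the form was not loaded by this client recently"
    if not all(header_clean(params.get(k, "")) for k in ("to", "from", "subject")):
        return False, "header field missing, too long, or contains a line break"
    if not params.get("message"):
        return False, "empty message"
    if over_limit(client_ip, now):
        return False, "rate limit reached for this client"
    return True, {"envelope_to": params["to"], "from": params["from"],
                  "subject": params["subject"], "body": params["message"]}


if __name__ == "__main__":
    # Constructed sample traffic: a visitor who loaded the form, then a spammer posting directly.
    t0 = int(time.time())
    visitor, spammer = "203.0.113.7", "198.51.100.9"
    form = {"to": "bob@example.net", "from": "alice@example.org",
            "subject": "look at this", "message": "thought of you"}
    print(hardened_handle({**form, "token": issue_token(visitor, t0)}, visitor, t0 + 5))
    spam = {"to": "victim@example.net", "from": "www.example.com",
            "subject": "viagra is teh niftyness!", "message": "visit www.SpamIsOK.com"}
    print(naive_handle(spam))                   # accepted without question
    print(hardened_handle(spam, spammer, t0))   # refused: no token
```

The token costs the spammer one extra request per message (fetch the form, then submit), which on its own is not much; its value is that it forces every submission through a client address you can then rate-limit, and it stops a captured token from being reused from another host or after it expires.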