From: Derrick 'dman' Hudson (dmandman13.dyndns.org)
Date: Sat Jun 28 2003 - 09:36:59 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Jun 28, 2003 at 03:01:41PM +0200, Joris Benschop wrote:
| Hi List
|
| Can anyone point me to some help about how to tweak the infamous formmail
| script so that I don't become an open relay?

I don't know of any such tweaks being effective, apart from a complete
redesign. The security holes stem from a serious design flaw --
trusting data from the client. The script's design trusts the HTTP
client to provide correct data regarding what to send to who. Some
spammers discovered that, and so they decided to specify the recipient
as they desired, not as the web developer who deployed the script
desired. The only solution is to not accept that data from the HTTP
client. I am not currently aware of any such modifications to the
formmail.pl script. I have, however, heard of 'cgiemail' which
doesn't trust the client for data that shouldn't be coming from the
client.

HTH,
-D

--
I can do all things through Christ who strengthens me.
        Philippians 4:13
 
http://dman13.dyndns.org/~dman/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj79qAsACgkQiB6vp1xAVUAS/wCfbMG8t1u4YUdkT4krFUa6QR3F
Zc0An1wSA1IqxFX7yFBuQTrGlQt33fgW
=YZZI
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]