Re: [Exim] Arrgh! Spammers

Author: Dave C.
Date:  
To: Stephen Woodbridge
CC: exim list
Subject: Re: [Exim] Arrgh! Spammers
Actually, this isn't/wasn't a bug. I believe it was written that way (some
time ago) to allow for older clients which didn't support the Referrer
concept (e.g., Netscape 1.x, old versions of Mosaic). These are all
ancient now, so adjusting formmail to reject the absence of a referrer
is just fine.

However, referrer is something which you trust the client to specify
correctly. It would be a trivial thing for an ill-intentioned client
(e.g., a spammer) to supply/forge a valid referrer, for instance, your
site's primary web site address. It just so happens that the current
'spam tool' out there does not do so. Once enough formmail sites close
that off, they (the spam tool authors) will presumably write a new one
that supplies a referrer.

The only _right_ way to do security on anything that sends email from a
web HTTP form POSTing is to severely limit what addresses it can mail
*TO*, for instance, by making and maintaining a list of authorized
recipients. When a customer wants to add a form to their site, they have
to have the desired recipient address added to your list.
On Tue, 1 Jan 2002, Stephen Woodbridge wrote:

> Sorry this is a little off subject, but you're the most likely group to
> care.
>
> I have been careful to set up Exim so I'm not an open relay, actually
> Exim made that very easy thanks!
>
> But tonight I was checking my httpd server logs and noticed that some
> agents have been hitting /cgi-bin/formmail.pl and running spam through
> my system. I had set up formmail to only allow specified referrers to be
> able to send mail, but a bug in formmail will allow anyone WITHOUT a
> referrer to send mail!!!!
>
> It is fixed now, but if you have formmail running on your httpd you
> better close this hole!
>
> Mortified,
> -Steve
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
>
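The recipient allowlist Dave recommends above, placed next to the referrer check it replaces as the primary control, as an added Python example (constructed here, not formmail.pl or any code from the thread; the host name, the addresses and the three sample requests are assumed values):

```python
"""Form-to-mail gate: client-supplied referrer vs. server-side recipient list.

Constructed illustration, not formmail.pl. Header keys are lowercased.
"""
from urllib.parse import parse_qs, urlparse

# Assumed site and the per-customer recipient list the reply describes.
SITE_HOST = "www.example.com"
AUTHORIZED_RECIPIENTS = {"sales@example.com", "support@example.com"}


def referrer_ok(headers):
    """The check formmail relied on. The header is whatever the client sends,
    so a forged value passes exactly like a genuine one. A missing header is
    rejected here, closing the gap Steve describes."""
    referer = headers.get("referer")
    if not referer:
        return False
    return urlparse(referer).hostname == SITE_HOST


def recipient_ok(recipient):
    """Policy that depends on nothing the client says about itself:
    mail goes only to addresses the site owner registered."""
    return recipient.strip().lower() in AUTHORIZED_RECIPIENTS


def decide(headers, body):
    """Return (accepted, reason) for one POST to the form handler."""
    form = parse_qs(body)
    recipient = form.get("recipient", [""])[0]
    if not referrer_ok(headers):
        return False, "missing or foreign referrer"
    if not recipient_ok(recipient):
        return False, "recipient not on authorized list"
    return True, "ok"


# Constructed requests: a genuine form post, one with no referrer (the hole
# Steve found), and one with a correct-looking referrer but an outside recipient.
LEGIT = ({"referer": "http://www.example.com/contact.html"},
         "recipient=sales%40example.com&subject=Quote")
NO_REFERRER = ({}, "recipient=sales%40example.com&subject=Quote")
OFFSITE_RECIPIENT = ({"referer": "http://www.example.com/contact.html"},
                     "recipient=someone%40example.net&subject=Offer")

if __name__ == "__main__":
    for name, (h, b) in [("legit", LEGIT), ("no referrer", NO_REFERRER),
                         ("offsite recipient", OFFSITE_RECIPIENT)]:
        print(name, decide(h, b))
```

The third request shows the point of the reply: the referrer check alone accepts it, and only the recipient list stops the mail from leaving.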