TUCoPS :: Web :: Apps :: fmail2.htm can be used by spammers to send fakemail
    Michael Rawls found the following. He did a little playing with after a run-in with a spammer abusing our webserver.
    Apparently ALL cgi-bin scripts can be used to spam anonymously. He found another server with and tried
    the same exploit to send myself an email, and it worked.

    The email will not show the spammer's real IP; only the web server's IP will show.
    The web server logs will, however, show the true IP address of the spammer.

    Actual example of email sent:

        Return-Path: <>
        Received: from ( [])
	        by (8.9.3/8.9.3) with ESMTP id RAA14431
	        for <>; Sat, 10 Mar 2001 17:19:34 -0700
        Received: from apache by with local (Exim 3.02 #8)
	        id 14bta3-0004tP-00
	        for; Sun, 11 Mar 2001 01:19:27 +0100
        From: ()
        Subject: WWW Form Submission
        Message-Id: <>
        Date: Sun, 11 Mar 2001 01:19:27 +0100
        X-UIDL: TPj"!bg3"!i:T!!=FU"!

        Below is the result of your feedback form.  It was submitted by
        () on Sunday, March 11, 2001 at 01:19:27

        message: Proof that can be used to send anonymous spam.


    Paste the line below into your web browser's URL box as one long single line, insert your email
    address in place of "", and press enter. Now go check your

    The address "" can be replaced with the address of ANY webserver set up to use


    There are a few ways to get around this. Firewall the IP address of the spammer. The best(?) way
    is (if/where possible) to hard-code the recipient address into the installation.

    Patching FormMail to check the referrer is NOT ample security. It takes about 30 seconds to write
    a Perl script to POST to with a faked HTTP_REFERER field. Probably the only useful solution is to
    hack the script to use an array of valid email addresses to send to, rather than an array of valid
    domains to send from.
