
TUCoPS :: Web :: Apps :: fmail2~1.htm - spam anonymously




    Michael Rawls found the following.  He did a little playing with after
    a run-in with a spammer abusing our webserver.  Apparently ALL cgi-bin
    scripts can be used to spam anonymously.  He found another server with
    and tried the same exploit to send himself an email and it worked.

    The email will not show the spammer's real IP.  Only the web
    server's IP will show.  The web server logs will, however, show the
    true IP address of the spammer.

    Actual example of email sent:

        Return-Path: <>
        Received: from ( [])
	        by (8.9.3/8.9.3) with ESMTP id RAA14431
	        for <>; Sat, 10 Mar 2001 17:19:34 -0700
        Received: from apache by with local (Exim 3.02 #8)
	        id 14bta3-0004tP-00
	        for; Sun, 11 Mar 2001 01:19:27 +0100
        From: ()
        Subject: WWW Form Submission
        Message-Id: <>
        Date: Sun, 11 Mar 2001 01:19:27 +0100
        X-UIDL: TPj"!bg3"!i:T!!=FU"!

        Below is the result of your feedback form.  It was submitted by
        () on Sunday, March 11, 2001 at 01:19:27

        message: Proof that can be used to send anonymous spam.


    Paste the line below into your web browser URL box as one long
    single line, insert your email address in place of
    "", and press enter.   Now go check  your

    The address "" can  be replaced with the  address of
    ANY webserver set up to use


    Patched version of the Matt Wright's is now available.
    Parameshwar Babu has released a patched version of the formmail
    script that contains a fix for this security hole in the script.
    The modified script allows you to specify the list of recipient
    email addresses in a text file.  Thus the script can be used to
    restrict emails so that they are sent only to authorized
    addresses.  A patched version of the script can be downloaded from
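
    The recipient restriction described above, sketched as an added example
    (not Parameshwar Babu's patch and not code from the original script).
    The file layout, the function names and the example.org addresses are
    assumptions made for illustration.

```python
import re

# Constructed sample of the allowlist text file: one address per line,
# '#' starts a comment. All addresses are placeholders.
SAMPLE_ALLOWLIST = """\
# authorized recipients
webmaster@example.org
Sales@Example.org
"""

# Conservative shape for a single address: no whitespace, commas or brackets.
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def load_allowlist(text):
    """Parse the allowlist file body into a set of lower-cased addresses."""
    allowed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            allowed.add(line.lower())
    return allowed


def authorized_recipients(requested, allowed):
    """Return the recipients to mail, or None to reject the whole submission.

    `requested` is the raw, already URL-decoded value supplied by the form.
    The submission is refused if any address is malformed or not on the
    allowlist, so an authorized address cannot carry extra ones along.
    """
    # CR, LF or NUL in a header value would let extra headers be injected.
    if not requested or re.search(r"[\r\n\0]", requested):
        return None
    result = []
    for part in requested.split(","):
        addr = part.strip().lower()
        if not _ADDR.fullmatch(addr) or addr not in allowed:
            return None
        if addr not in result:
            result.append(addr)
    return result
```

    Rejected submissions are worth logging together with the client IP,
    since the web server log is where the true source address appears.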
