-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 10 Dec 2001, http-equiv@excite.com wrote:

> Forget about open relays. There is an extremely simple mailto form
> application called mailto.exe available on the internet. Simply create
> your html form, upload the mailto.exe into your cgi bin and fire away.

This is really just a somewhat new face on an old problem. A similar
search for formmail.[pl|cgi] and similar web->mail gateway scripts will
yield equal -- if not greater -- spam injection vectors. There's loads of
those beasties out there, and they can be trivially tricked into serving
as a spam-spewing machine, usually with no equivalent of the common
X-Originating-IP header included.

Bottom line: just because your server doesn't support the likes of
mailto.exe on it doesn't mean your boxen aren't vulnerable to this sort
of net.abuse. If one's httpd.conf has "AddHandler cgi-script" enabled,
and allows ExecCGI on personal directories, one's web site can be
readily exploited for such purposes. Heck, even the absence of the
sendmail binary doesn't qualify as a stumbling block since PERL's
Net::SMTP can be used in its place.

All told, if one is going to run a web->mail gateway, it's a good idea
to have pre-defined destination addresses defined within the CGI and
well outside the HTML form. Relying on "hidden" fields and an
expectation that everyone will play nice in the sandbox is just a recipe
for spammer mischief these days.

- -Jay

  (    (                                                          _______
  ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@treachery.net -----<) |    =  |-'
  `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPBWBDrlDRyqRQ2a9AQH31QQAgjb2KKKT2XZ85i5Sgg9W4dbna0TKZG9V
kqrXzYfg8me8aV6tx9sUq2s0nKUD94+uuDO/vOuwnMUpl5ggiTKc76AF63waCXmf
OTf8HXzAKTJUfGln5RjcxdkFKjo57Bpgz3RRWdKVAbOTphAV8VaydqIrtRWgdyz6
DfRM0Wslv2I=
=Rn6S
-----END PGP SIGNATURE-----
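The two handlers below illustrate the point of the message above: a
web->mail gateway that takes its destination from a "hidden" form field
beside one that keeps the destination table inside the script and records
the submitter's address the way X-Originating-IP would. This is an added
example in Python, not code from the post, from formmail.pl, or from
mailto.exe (the originals are Perl/CGI and a Windows binary). Everything in
it is assumed for illustration: the FORM_DESTINATIONS table, the
example.invalid addresses, the constructed POST bodies, and the refusal of
line breaks in header-bound fields, which goes one step beyond what the
post says but is a check any practitioner would want on such a gateway.
The message is built but never sent.

```python
import re
from email.message import EmailMessage
from urllib.parse import parse_qs

# Hypothetical server-side table (an assumption of this example): the only
# addresses this gateway may ever mail. It lives in the script, never in the HTML.
FORM_DESTINATIONS = {
    "contact": "webmaster@example.invalid",
    "sales": "sales@example.invalid",
}

_ADDR_RE = re.compile(r"^[^\s@]+@[^\s@]+$")


class GatewayError(ValueError):
    """A submission the gateway refuses to turn into mail."""


def parse_form(body):
    """Decode an application/x-www-form-urlencoded POST body; first value wins."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_gateway(body):
    """formmail.pl-style handler: the destination is a 'hidden' form field.

    Whoever can POST to the script chooses 'recipient', so the script is an
    open mail injector for anyone who reads the HTML or skips it entirely.
    """
    f = parse_form(body)
    msg = EmailMessage()
    msg["To"] = f.get("recipient", "")                  # attacker-controlled
    msg["From"] = f.get("email", "nobody@example.invalid")
    msg["Subject"] = f.get("subject", "(no subject)")
    msg.set_content(f.get("message", ""))
    return msg


def _one_line(value, field):
    """Header-bound fields must be a single line; anything else is refused."""
    if "\r" in value or "\n" in value:
        raise GatewayError("line break in %s field" % field)
    return value


def hardened_gateway(body, remote_addr):
    """Destination fixed in the script; the form only names which one."""
    f = parse_form(body)
    form_id = f.get("form", "")
    if form_id not in FORM_DESTINATIONS:
        raise GatewayError("unknown form id %r" % form_id)
    # Client-supplied addressing fields are refused rather than silently
    # ignored, so abuse attempts show up in the error log.
    for field in ("recipient", "to", "cc", "bcc"):
        if field in f:
            raise GatewayError("client-supplied %s field refused" % field)
    msg = EmailMessage()
    msg["To"] = FORM_DESTINATIONS[form_id]
    msg["From"] = "form-gateway@example.invalid"        # fixed sender identity
    reply_to = _one_line(f.get("email", ""), "email")
    if reply_to:
        if not _ADDR_RE.match(reply_to):
            raise GatewayError("malformed email field")
        msg["Reply-To"] = reply_to
    subject = _one_line(f.get("subject", "(no subject)"), "subject")
    msg["Subject"] = "[web form: %s] %s" % (form_id, subject)
    # Record where the submission came from so abuse is traceable, the way a
    # mail client's X-Originating-IP header would.
    msg["X-Originating-IP"] = remote_addr
    msg.set_content(f.get("message", ""))
    return msg


def refused(body, remote_addr="203.0.113.5"):
    """True if the hardened handler rejects the submission."""
    try:
        hardened_gateway(body, remote_addr)
    except GatewayError:
        return True
    return False


# Constructed sample submissions (not real traffic).
SPAM_POST = ("recipient=victim%40example.net&email=spammer%40example.org"
             "&subject=Buy+now&message=Cheap+stuff")
GOOD_POST = ("form=contact&email=alice%40example.org"
             "&subject=Hello&message=Site+feedback")

if __name__ == "__main__":
    print("vulnerable handler mails:", vulnerable_gateway(SPAM_POST)["To"])
    print("hardened handler refuses spam post:", refused(SPAM_POST))
    print("hardened handler mails:",
          hardened_gateway(GOOD_POST, "203.0.113.5")["To"])
```

Run stand-alone, the script shows the vulnerable handler happily addressing
mail to whatever the spammer put in the recipient field, and the hardened
handler refusing that same POST while mailing the legitimate one only to
the address the script itself chose. The delivery step (sendmail or, as the
post notes, Net::SMTP) is deliberately left out; the addressing decision is
the part that matters here.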