E-Mail Problems - MAIL_MESSAGE
on 30.03.2006 00:16:33 by Jamie Allison
Hi All,
I have the below script hosted on a website which I run. The problem is
that someone seems to be using it to send SPAM out via the HTML form I use
for people to input their details. I have hardcoded the recipient into the
CGI script so does anyone know how they can manage to use this script to
send out mail as SPAM and what I should change to stop it? It is causing us
real problems. I have removed the script until we can find a fix as we
are receiving hundreds of delivery failures to random addresses a day.
Any help at all would be appreciated.
Regards
Jamie
----------------------Code -------------------------------------------------------
#use lib "/home/username/local/lib/site_perl/5.6.0/i686-linux/";
#use lib "/home/username/local/lib/site_perl/5.6.0/";
use CGI -debug;
use CGI::Carp fatalsToBrowser;
$rgt = new CGI;
$recipient = "jamie\@jamieallison.co.uk";
$subject = $rgt->param("subject");
$redirect = $rgt->param("redirect");
$senderName = $rgt->param("senderName");
$sender = $rgt->param("sender");
$body = $rgt->param("body");
$sendmail = '/usr/lib/sendmail';
email($subject,$recipient,$sender ,$sender ,$body, $senderName);
print "Status: 302 Moved\nLocation: $redirect\n\n";
sub email ($$$$$$)
{
my ($subject, $to, $from, $etitle, $body, $senderName) = @_;
open (MAIL, "| $sendmail -i -t" );
print MAIL <<MAIL_MESSAGE;
Subject:$subject
To:$to
Reply-to:$from
From:$etitle
$senderName sent the below message:-
$body
MAIL_MESSAGE
close MAIL;
}
return 1;
--------------------------------end code----------------------------------------
Re: E-Mail Problems - MAIL_MESSAGE
on 30.03.2006 01:04:44 by 1usa
"Jamie Allison" wrote in
news:5HDWf.46012$zr.12810@newsfe7-gui.ntli.net:
> I have the below script hosted on a website which I run. The problem
> is that someone seems to be using it to send SPAM out via the HTML
> form I use for people to input their details. I have hardcoded the
> recipient into the CGI script so does anyone know how they can manage
> to use this script to send out mail as SPAM
Quite trivially, by embedding Cc: or Bcc: header in the sender CGI
parameter. And, no, they don't have to use the online form to submit to
your CGI script.
> and what I should change to stop it?
You have no checks on the input provided. Make sure that the sender
field contains only a single email address and nothing else.
> #use lib "/home/username/local/lib/site_perl/5.6.0/i686-linux/";
> #use lib "/home/username/local/lib/site_perl/5.6.0/";
>
> use CGI -debug;
> use CGI::Carp fatalsToBrowser;
use strict;
use warnings;
missing.
> $rgt = new CGI;
You probably want:
$CGI::POST_MAX = 16384;
$CGI::DISABLE_UPLOADS = 1;
as well.
> $recipient = "jamie\@jamieallison.co.uk";
my $recipient = 'jamie@jamieallison.co.uk';
> $subject = $rgt->param("subject");
> $redirect = $rgt->param("redirect");
> $senderName = $rgt->param("senderName");
> $sender = $rgt->param("sender");
> $body = $rgt->param("body");
> $sendmail = '/usr/lib/sendmail';
>
> email($subject,$recipient,$sender ,$sender ,$body, $senderName);
>
> print "Status: 302 Moved\nLocation: $redirect\n\n";
>
> sub email ($$$$$$)
Why the prototype?
> {
> my ($subject, $to, $from, $etitle, $body, $senderName) = @_;
>
> open (MAIL, "| $sendmail -i -t" );
> print MAIL <<MAIL_MESSAGE;
> Subject:$subject
> To:$to
$to is undefined
> Reply-to:$from
> From:$etitle
$etitle is undefined
Sinan
--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(remove .invalid and reverse each component for email address)
comp.lang.perl.misc guidelines on the WWW:
http://augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html
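An added example, not part of the original thread or any poster's code: one way to apply the check suggested above, so that every value placed in a mail header is a single line and the sender is exactly one address. The names clean_header, clean_address and build_message, the 200-character limit, the address pattern and the sample submissions are assumptions made for illustration.

```perl
use strict;
use warnings;

# A header value must be a single line: CR, LF or any other control character
# is what lets a submitted field start a header (Cc:, Bcc:) of its own.
sub clean_header {
    my ($value) = @_;
    return unless defined $value && length $value && length $value <= 200;
    return if $value =~ /[\x00-\x1f\x7f]/;
    return $value;
}

# Exactly one address and nothing else. Deliberately narrower than RFC 5322:
# no spaces, commas, quotes or angle brackets, so no address list fits.
sub clean_address {
    my ($value) = @_;
    $value = clean_header($value);
    return unless defined $value;
    return unless $value =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/;
    return $value;
}

# Returns the full message text, or undef if any header field is rejected.
sub build_message {
    my ($to, %field) = @_;
    my $sender  = clean_address($field{sender});
    my $subject = clean_header($field{subject});
    my $name    = clean_header($field{senderName});
    return unless defined $sender && defined $subject && defined $name;
    my $body = defined $field{body} ? $field{body} : '';
    # The blank line ends the headers; only the body may span several lines.
    return "To: $to\nFrom: $sender\nReply-To: $sender\nSubject: $subject\n\n"
         . "$name sent the below message:\n$body\n";
}

# Constructed submissions: one ordinary, one with a header line inside "sender".
my @samples = (
    { sender => 'visitor@example.com', subject => 'Hello',
      senderName => 'A Visitor', body => "Line 1\nLine 2" },
    { sender => "visitor\@example.com\nBcc: list\@example.net", subject => 'Hello',
      senderName => 'A Visitor', body => 'x' },
);
for my $s (@samples) {
    my $msg = build_message('owner@example.org', %$s);
    print defined $msg ? "ACCEPTED:\n$msg\n" : "REJECTED: header field failed validation\n";
}
```

In the CGI script, only a message returned by build_message would be written to the sendmail pipe; a rejected submission is dropped before the pipe is opened.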
Re: E-Mail Problems - MAIL_MESSAGE
on 30.03.2006 01:09:14 by Gunnar Hjalmarsson
Jamie Allison wrote:
> I have the below script hosted on a website which I run. The problem is
> that someone seems to be using it to send SPAM out via the HTML form I use
> for people to input their details. I have hardcoded the recipient into the
> CGI script so does anyone know how they can manage to use this script to
> send out mail as SPAM
Consider, for instance, what happens if somebody submits from a form
that includes:
> and what I should change to stop it?
Don't use the script. It's crap.
You may want to consider the CPAN module CGI::ContactForm instead:
http://www.gunnar.cc/contactform/readme.html
> It is causing us real problems. I have removed the script until we can find a fix as we
> are receiving hundreds of delivery failures to random addresses a day.
Unfortunately this might have caused your mail server to be blacklisted...
--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl