[Nms-cgi-devel] Suggested FormMail spam fix (Was: Checking for Open Proxies?)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi, I just want to share a fix I made to the original Matt-made FormMail
after a spam attack.

I recoded the script to contain a list of aliases and real addresses I
allow sending to:

%nickname = (
           'JoanM'=>'Joa...@do...' ,
           'purchasing'=>'Ja...@do...'
                     ) ;

And added some code to convert aliases back when a form is submitted:

	## nickname security fix - AP
	my @to_split = split(/:/,$Config{'recipient'}) ;
	foreach (@to_split) {
		## collect addresses by nickname
		push (@to_collected,$nickname{$_}) if ($nickname{$_}) ;
	}

	$Config{'recipient'} =  join(',',@to_collected) ;

I used colon as the separator, but comma would also work. The secutiry
comes from the fact that no spammer submitted address will ever match
an alias. I aslo ended up renaming FormMail to NickMail as spammers
look for that in the HTML on sites to try and find vulnerable servers.

What also helpsis that when you run a site where five forms point at
'purchasing' and a new staffer takes over you just edit one alias
definition.

I run a one purpose web server, but it would be possible to extend this
to use an alias list in a user's home directory for ISPs providing
hosting and a standard collection of scripts.

I can't speak to a similar fix for the web board.

Hope that's helpful to someone,
Alex

Jonathan Stowe <jn...@ge...> wrote: 
> 
> We've been seeing quite a number of reports on the support list of
> people seeing high volumes of attempted spam exploits against FormMail
> recently and from some of the reports it appears that the spammers may
> be using open proxies.  Now it occurs to me that it would be relatively
> simple to implement a check on the http client via one of the DNSBLs
> that list open proxies such as xml.spamhaus.org
> (http://www.spamhaus.org/xbl/index.lasso) an example of Perl code that
> does this kind of check can be seen at:
> 
>    http://www.unicom.com/sw/blq/
> 
> as you can see all of this can be achieved using core modules.
> 
> We could add this as an optional safeguard to all of the programs that
> are prone to being targetted by spammers and the like, I would see it as
> probably refusing to accept the request without giving a reason (or
> would it be better to pretend to accept the request and just take no
> further action?)
> 
> Anyway does anyone have any feelings about this? Are there any drawbacks
> to implementing a check like this?
> 
> /J\
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Nms-cgi-devel mailing list
> Nms...@li...
> https://lists.sourceforge.net/lists/listinfo/nms-cgi-devel
> 