Bugtraq: Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email

[Steve Reid <sreid () SEA-TO-SKY NET>]

On Sat, Mar 10, 2001 at 05:43:43PM +0000, Michael Rawls wrote:
>    I did a little playing with FormMail.pl after a run in with a spammer
> abusing our webserver. Apparently ALL FormMail.pl cgi-bin scripts can be
> used to spam anonymously.  I found another server with FormMail.pl and
> tried the same exploit to send myself an email and it worked.
There are several different versions of formmail.pl floating around.
I've seen one that did absolutely no checking at all, and one that
would not send mail to any host not listed in /etc/hosts, and a couple
of others with peculiarities I can't recall.

Formmail.pl is a very short and simple script, which makes it easy to
understand and therefor easy to modify. I wouldn't guess at how many
variants are out there.

Given the existence of these variants, I believe the perils of
formmail.pl have been known about for a long time. The original
probably had no spam protection at all, and everyone who discovered
that fact created their own variant. A bugtraq database search brings
up several hits going back as far as 1995, although none of them appear
to be of the type you have reported.