Security Advisory: Formmail CGI Advisory
Sent: 2002/10/29
Audience:
Unix hosting customers
In recent months it has come to our attention that many of our UNIX customers are using, or have in their directory structure, the file formmail.cgi, formmail.pl, formmail, etc. (In this article these will be referred to simply as 'formmail', and they are not to be confused with 'mailform', a script that we offer via the netConsole and which is explained a little later.) This script's intended function is to give webmasters the ability to generate e-mail messages from form input on their webpages. While this functionality is very useful on a website, the formmail script has a very particular security hazard that clients should be made aware of.
If formmail is present in your webshare or cgi-bin directory, it can be called via HTTP (either by a web browser or via telnet to port 80) by any user out on the Internet. One can pass certain parameters to the script during this request, and can easily turn the script into a conduit for sending out spam mail in large bulk simply by specifying any recipient address of their choosing from within the request. While sending out one message per request would be a tedious task by hand, it appears that people have devised scripts to automate it. These scripts scan IP blocks looking for sites that have one of the variations of formmail, and once a copy of formmail is located, they send out messages in massive bulk to unsuspecting recipients, and can do so virtually undetected since the requests are made as anonymous HTTP requests.
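The request pattern described above leaves a trace in the web server's access log. The following is an added example (not part of the original advisory) that counts requests to formmail variants per source address over a few constructed Apache combined-format log lines and flags sources that hit the script repeatedly; the sample addresses and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format); not from the advisory.
# 203.0.113.7 behaves like a relay script: repeated POSTs to formmail variants in one second.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2002:10:01:02 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "-"
203.0.113.7 - - [29/Oct/2002:10:01:03 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "-"
203.0.113.7 - - [29/Oct/2002:10:01:03 -0500] "POST /cgi-bin/FormMail.cgi HTTP/1.0" 200 512 "-" "-"
198.51.100.4 - - [29/Oct/2002:10:05:44 -0500] "GET /contact.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.4 - - [29/Oct/2002:10:06:01 -0500] "POST /cgi-bin/formmail HTTP/1.1" 200 512 "http://www.example.com/contact.html" "Mozilla/4.0"
"""

# Apache combined format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Any path whose last component is formmail, formmail.pl or formmail.cgi (case-insensitive)
FORMMAIL_RE = re.compile(r'/formmail(\.pl|\.cgi)?(\?|$)', re.IGNORECASE)

def formmail_hits(log_text):
    """Return {ip: count} of requests to a formmail variant, regardless of status."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and FORMMAIL_RE.search(m.group("path")):
            hits[m.group("ip")] += 1
    return hits

def suspicious_sources(log_text, threshold=3):
    """IPs that hit formmail at least `threshold` times: a visitor submits a
    contact form once, a bulk-mailing script submits it over and over."""
    return sorted(ip for ip, n in formmail_hits(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(formmail_hits(SAMPLE_LOG))
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```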
How does this affect you as a client? There are several effects:
- Many clients have reported receiving bouncebacks flooding their mail boxes on our servers--bouncebacks for messages which they did not originally send, and are obviously spam mail. This makes downloading mail slow and cumbersome for the client who has to sift through the unnecessary bouncebacks in order to find their legitimate messages.
- When the formmail script is being exploited via a remote script, the web server is pounded by requests causing the server to slow down, decreasing the overall performance of clients' websites and e-mail.
- When the formmail script is being exploited via a remote script, a large bulk of messages is injected into the e-mail server queue all at one time, causing message delivery for incoming and outgoing mail to slow down in general, affecting you and all other clients who are hosted off the same server. This situation is further complicated when messages sent out from the formmail script bounce back, in effect doubling the number of messages handled by the queue. This, again, puts additional load on the server, slowing all delivery on the mail server.
- Many networks subscribe to e-mail black-listing services such as MAPS, ORBS, and Spam-Cop. Because the messages sent out from the formmail script appear as if they are coming from the client's domain name (which could easily be yours if you have the formmail script anywhere on your website), the client's domain name may be submitted to such a black-listing service. Networks that subscribe to these black lists will not accept e-mail from domains in those black lists. These black lists can also be extended to block entire IP blocks. This means e-mail, even legitimate messages, sent from black-listed domains or networks will be blocked. We recently ran into this situation with AOL where part of our network was being blocked from sending mail to AOL addresses because of a flood of messages originating from a formmail script residing on one of our clients' websites. The issue was quickly resolved and our network was removed from the black list. However, while it was in effect, many of our clients could not send messages to AOL addresses--even legitimate messages.
What can clients do to prevent these ill effects? This can be done in two steps:
- Be sure that you do not have formmail.cgi, formmail.pl, formmail, or any other variation on formmail present in your directory structure, especially in your cgi-bin. Even if you do not use the script in any of your website's pages, its mere presence leaves it open to use and exploitation.
- If you require the functionality that formmail offers, that is, you have forms on your website from which you would like to send e-mail, you can achieve the same functions by using the mailform script that is available for install via the netConsole. Once you have installed the mailform script from the netConsole, you will need to update the HTML code of your forms to use mailform instead of formmail. The documentation for our mailform script is located in the Support area of our website:
http://support.internetconnection.net/TECHNICAL_REFERENCE/NETCONSOLE/
- Our mailform script is a secure script that will only send messages to an address @ your domain name. If you do require the recipient address to be an address outside of your domain name, simply create an e-mail alias in your netConsole where the mailform messages can be sent, and set the destination address of the e-mail alias to be the address where you wish to eventually receive the mailform messages.
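The two steps above, as an added example that is not the netConsole mailform script itself: an audit function that lists every formmail variant under a webshare or cgi-bin tree, and a form handler that, like mailform, refuses any recipient that is not a single address @ the site's own domain. The site domain example.com and the form field name "recipient" are assumptions.

```python
import os
import re

# Assumptions (not from the advisory): the site's domain is example.com and the
# form field that names the destination address is called "recipient".
SITE_DOMAIN = "example.com"
FORMMAIL_NAMES = re.compile(r"^formmail", re.IGNORECASE)      # formmail, formmail.pl, FormMail.cgi, ...
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)$")  # exactly one address, no list

def formmail_paths(paths):
    """Step 1: pick out every formmail variant from an iterable of file paths."""
    return sorted(p for p in paths if FORMMAIL_NAMES.match(os.path.basename(p)))

def scan_tree(root):
    """Walk a webshare/cgi-bin tree and return the formmail copies that must be removed."""
    return formmail_paths(os.path.join(d, f) for d, _subdirs, files in os.walk(root) for f in files)

def allowed_recipient(addr, site_domain=SITE_DOMAIN):
    """Step 2, the mailform rule: accept only a single address @ the site's own domain.
    Mail for an outside address is routed through an alias in that domain instead."""
    m = ADDR_RE.match(addr.strip())
    return bool(m) and m.group(1).lower() == site_domain.lower()

def build_message(form, site_domain=SITE_DOMAIN):
    """Return (ok, text). Refuse to build a message when the recipient fails the domain
    check, so an anonymous request cannot turn the handler into a relay to arbitrary addresses."""
    recipient = form.get("recipient", "")
    if not allowed_recipient(recipient, site_domain):
        return False, "recipient must be an address @" + site_domain
    body = "\n".join(f"{k}: {v}" for k, v in form.items() if k != "recipient")
    return True, f"To: {recipient.strip()}\nSubject: Web form submission\n\n{body}"

if __name__ == "__main__":
    print("formmail copies:", scan_tree("."))
    print(build_message({"recipient": "sales@example.com", "name": "A. Visitor"}))
```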
With your assistance in removing the presence of formmail from your sites, we can prevent many of the problems associated with spam on our network.
If you have any questions about this issue please feel free to contact the Internet Connection Support Desk:
Phone: 410-820-5678
Email: support@internetconnection.net