Unix Security: The FormMail Hack
by Glenn Graham - inTEXT Communications - Monday, 9 June 2003.
Once your host has "scanned positive", you are then added to a database for later reference. In most cases the Spam process [itself] runs in stealth mode, this is to say two databases are used simultaneously and in random order: First the database containing the hostnames is processed at random, along with the addresses in the email database. This helps spread traffic over thousands of hosts at a time while ignoring a small percentage that may block the spam.

My First Ideas for a Temporary Fix

During the attack, our server was handling approx 2000 Spam-Mail per minute; time was of the essence in stopping the attack.

1: After determining the primary source(s), I dropped the IP blocks using the route command. Next I was faced with the problem of determining how my users would access their Web forms while keeping the spammers away. With little time to spare, I immediately loaded another web server that listened on another port rather than 80. I then changed each users form to match the temporary server and port number. This quickly segregated the web server from relaying. In addition I renamed FormMail.pl just to confuse any automated scanners.

See the code here.

2: After reading the security groups and consulting with other admins, one bright fellow came up with a simple fix that altered the check_referrer integer, preventing long line input. Although brilliant, not an end all solution.

See the code here.

Updates and New Releases

Since news of the FormMail hack, Matt has published several new releases. According to recent information published on his site, FormMail.pl has undergone yet another upgrade that fixes several more holes. It is my opinion that FormMail.pl has a way to go before being considered secure.

An excellent alternative to Matt's script is a rewrite in PHP. Now available at Jacks Scripts, the improved FormMail.php is robust, secure, easy to install and runs under PHP. Configuration is similar to FormMail.pl.

Heads Up!

Knowing this hack exists, it's time to upgrade now.

About the author

Glenn Graham has been working with telecommunications since 1977. In 1994 he established inTEXT Communications, a Unix consulting company specializing in system administration, security, and network architecture. Home away from home is deep in the confines of his underground vault where he keeps a careful watch on an array of routers, switches and other strange peripherals. His deep glowing tan can be attributed to monitor radiation, not sunlight. You can usually find him wide-awake at networkinformation.com.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th