Quoth Kevin Martin
>Quoth John.Brooking
>> I just received an email sent from my contact form at  which consisted of
>> the following:
>>
>> >From: blasterattacko at aol.comTo:blasterattacko"@aol.com,
>> > "From:blasterattacko"@aol.com
>> >etc.
>>
>> [...] Not that I'm too worried about this specific
>> attack, but I'm just wondering if it's an indication of some kind of
>> security hole in my contact form script. Or, more optimistically, an
>> indication that there was some attack which didn't work?
>
>The latter, most likely. The guy is looking for a cgiemail binary
>specifically (or possibly a formmail.cgi) that doesn't completely
>strip ALL header fields. This was published as a vulnerability of
>cgiemail, but when cgiemail is configured right the exploit fails.
>
>Details at http://handsonhowto.com/cgi103.html

Thanks for that URL, Kevin! I read it and realized that my script also passed along unfiltered header fields, as I had not heard of that particular exploit. Although it looks like this attempt didn't work (and I have not seen any more attempts), I have still gone back and modified my script to filter those fields, allowing only alphanumerics, a space, and most but not all punctuation. Notably, no CR/LFs or other control characters, no pipes, and no redirections (< and >).

Just to confirm: it doesn't matter what characters are in the *body*? (I send the message as MIME type "text/plain"; I realize HTML would introduce more potential problems.) Also, I'm using the Perl module MIME::Lite to send the mail, rather than just calling sendmail directly, but I'm assuming the same caveats still apply.

If you're wondering why I don't just use cgiemail, my script has additional functionality that I like. It is specifically written as a mailto: tag replacement.
It accepts a "to" field which is not an email address, but actually a key to an address book on the server (defined either in-line or in an external text file), so the target email addresses never appear on the client. You can set up your form to allow users to choose from a group of people to send the message to, without revealing their addresses. It can also function like formmail or cgiemail, passing along the values of any other form fields it finds (in the message body).

If anyone is using my script, which I first posted earlier this month, please download and install the new version immediately! (The recommended method for this is to make a copy of your "customization" section, then overwrite the complete script and paste your customization section back into the new version.)

Thanks again, Kevin!

- John

MIME::Lite Perl module: http://www.zeegee.com/code/perl/MIME-Lite/
My script: http://www.pobox.com/~JohnBrook/codelib/
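The following is an added example, not John's script and not part of the original message, showing the kind of header-field whitelist he describes and the header-injection pattern it stops. It is standalone Perl and does not need MIME::Lite; the function names, the exact set of punctuation allowed, and the hostile form submission are all assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example: a whitelist filter for form fields that end up in mail
# headers, with a constructed hostile submission to show what it stops.
# This is not John's script; names and the sample inputs are assumptions.
use strict;
use warnings;

# Keep letters, digits, space and most punctuation; delete everything else.
# Deliberately excluded: CR, LF and all other control characters (a CR or LF
# would start a new header line), the pipe, the < and > redirections and
# backslash.  Deleting rather than escaping keeps the value on one line.
sub clean_header_value {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ s/[^A-Za-z0-9 !"#\$%&'()*+,.\/:;=?\@\[\]^_`{}~-]//g;
    return $value;
}

# Assemble a header block the way a naive form mailer does: each field is
# pasted straight into its header line.  With MIME::Lite the same values
# would be handed to MIME::Lite->new(From => ..., To => ..., Subject => ...).
sub build_headers {
    my (%field) = @_;
    return join "\n",
        "From: $field{from}",
        "To: $field{to}",
        "Subject: $field{subject}",
        '';
}

# Count lines that look like header fields.  A filter is doing its job when
# the hostile submission produces exactly as many as a clean one would.
sub count_header_lines {
    my ($headers) = @_;
    my @lines = split /\r?\n/, $headers;
    return scalar grep { /^[A-Za-z-]+:/ } @lines;
}

# Constructed hostile submission: the "from" field carries a CR/LF followed
# by an extra Bcc: header, the pattern behind the relaying attempts
# discussed above.  The subject carries the shell characters the filter drops.
my %form = (
    from    => "attacker\@example.com\r\nBcc: victim1\@example.com, victim2\@example.com",
    to      => 'webmaster@example.com',
    subject => 'Hello <b>there</b> | cat /etc/passwd',
);

my %clean;
$clean{$_} = clean_header_value($form{$_}) for keys %form;

my $raw      = build_headers(%form);
my $filtered = build_headers(%clean);

print "Unfiltered (", count_header_lines($raw), " header lines):\n$raw\n";
print "Filtered (", count_header_lines($filtered), " header lines):\n$filtered\n";
```

Run it with perl: the unfiltered block contains four header lines, the filtered one three, because the Bcc: line the attacker supplied has been folded back into the From: value where it is harmless. The filter belongs on every value that reaches a header line (From:, Subject:, Reply-To: and the address-book key alike), not only on fields the form labels as addresses. sendmail -t, which MIME::Lite's default send method uses, takes its recipients from the headers, so an injected To:, Cc: or Bcc: line turns the form into an open relay. The body is a separate concern: once the blank line that ends the headers has been written, body text cannot add header fields, so this filter is not needed there.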