[thelist] Re: [thelinst] Formail exploits...

John C Bullas jcbullas at nildram.co.uk
Tue Feb 3 15:00:07 CST 2004

At 20:44 03/02/2004, you wrote
> > Colleagues
> >
> > As neither a user of cgi-bins (I rename them) nor formmail (I use 
> BFormMail)
> > these don't worry me.. should they if I had got formmail in a cgi-bin?
> >
> > what could this (virus driven?) exploit do?
>More likely a spammer wannabe scanning for formmail or cgiemail,
>which he would then use to send himself mail; if that was delivered
>he would open the spam floodgates. I let one through once and the
>little b-gger kept hammering me for three weeks, even though I never
>let another bit of his stuff through.
>They're also crafty as all get out, so even if BFormMail has a
>good track record, be careful that it does not trust ANY user
>input in ANY mail header.

Bformmail is reasonably secure AFAIK as you specify the IP that can call 
the script and explicity
define the destination email addresses (the old formail address spoofing 
flaw was removed)


not totally hack proof but pretty good?


More information about the thelist mailing list