in reply to CGI Honeypot?

Using the formmail processor for Matt's Script Archive after having been warned about it being a spam-spewing nightmare is irresponsible. It's damn near sociopathic behavior.

The nms versions are basically drop-in replacements. If you are willing to change the logic (like your honeypot idea), drop in a replacement for the broken parts from the start.

Re^2: CGI Honeypot?
by Anonymous Monk on Jul 19, 2014 at 16:48 UTC

    I *knew* I shouldn't check this on my day off, but I couldn't resist. My understanding of the danger of formmail.pl was that it posed an increased risk of spam to the people who used it--in other words, *we* might be more vulnerable to spam. And since we don't get all that much to begin with, I figured it was OK to let it hang for a while until I had time to change over.

    You know, I'm a freaking English major who is trying to figure this stuff out, and I hesitate with every ounce in me to ask questions because it effing hurts. You know? To be called a sociopath. Christ.

    What is it with these forums? Why do people have to treat you like you're either trying to get them to give you the world, or you should understand already what you are trying to figure out?

    I apologize for being ignorant, but that's just what I am. And no, I do not have all day every day to learn and think about Perl. I do my best. I'll try the "drop-in" replacement, but honestly, that doesn't seem to be the way this stuff works.

    Maybe I'm wasting my time with Perl. Seems like the whole thing could be accomplished with php.

      The danger is a bit different. It's not about spam being directed at you, but rather spam originating from your machines. The script could be used by a spammer to instruct your mail server to send spam. You might not care so much about the processor time of your servers or the network usage, but you might easily find yourself unable to send email, because your server would get blocked as a source of spam. You might find your whole network blocked, though I believe your internet provider would contact you beforehand.

      Your post seems to be a textbook example of the XY Problem. Instead of telling us what the problem is and getting easy-to-follow advice you've spent hours (I assume) trying to implement a non-solution. You are making things harder for yourself.

      Jenda
      Enoch was right!
      Enjoy the last years of Rome.

        Merci, Jenda, for this explanation. Looks like I definitely need to create new forms, either with a different version of formmail or with php.

        My problem is this: I need a way to prevent spam submissions of our forms that are processed by cgi scripts. We have other forms that are all in php, and those I have protected with honeypots (and yes, so far that is working).

        It is my understanding (from my supervisor) that the forms using cgi are complex and therefore need the cgi--can't be done with php? I don't know. All I know is, I've been trying to implement a similar honeypot with cgi and I can't figure out how to do it. And yes, I've spent more than hours on this problem. And no, I'm not a troll.

        I guess one thing I don't understand is why a complex form can't be processed with php. In particular, the cgi assigns an email address according to what value is chosen from a drop-down menu on the form.

        Thanks again. Sorry I got a bit heated Saturday.
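        The two things described in this post, a honeypot field and a recipient chosen by a drop-down value, can be done in a CGI script without ever letting the form name a mailbox. The following is an added illustration, not code from this thread or from nms; the field names, the department keys, the example.com addresses and the sendmail path are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Recipients are selected by key; the form never supplies an address.
# (Constructed example addresses.)
my %RECIPIENTS = (
    sales   => 'sales@example.com',
    support => 'support@example.com',
);

# Hypothetical honeypot field: hidden via CSS, so a human leaves it empty
# and a bot that fills in every field gives itself away.
my $HONEYPOT_FIELD = 'website_url';

my $q = CGI->new;

# Honeypot check: answer with a bland page but send nothing.
if ( length( $q->param($HONEYPOT_FIELD) // '' ) ) {
    print $q->header(-status => '200 OK'), "Thanks.\n";
    exit 0;
}

# The drop-down value is only ever a key into the allowlist above.
my $dept = $q->param('department') // '';
my $to   = $RECIPIENTS{$dept};
unless ( defined $to ) {
    print $q->header(-status => '400 Bad Request'), "Unknown department.\n";
    exit 0;
}

# Header values must be single-line so no extra headers can be smuggled in.
my $subject = $q->param('subject') // 'Web form';
$subject =~ s/[\r\n]+/ /g;
my $body = $q->param('message') // '';

# List-form open (no shell) and the recipient passed as an argument,
# so nothing in the message text can add recipients.
open( my $mail, '|-', '/usr/sbin/sendmail', '-oi', '--', $to )
    or die "cannot run sendmail: $!";
print $mail "To: $to\nSubject: $subject\n\n$body\n";
close $mail or die "sendmail failed: $!";

print $q->header, "Thanks, your message was sent.\n";
```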

      For perspective. Imagine someone walking into a gun club with a loaded homemade gun, finger on the trigger, pointing here and there asking about how to shoot better. FormMail.pl is an infamous zipgun and one of the main pillars upon which Perl-FUD was erected. It inspires nearly rabid responses. There’s no way you could know that. Hacker culture is grating and without caveats you’ll be treated as a hacker. Most of us earned our chops through thousands of hours of the pain you’ve just enjoyed. When someone asks us to donate that pain, sometimes it’s taken as an affront. :P Nobody wanted to be rude in fact though. Not you, not monks. Don’t take it personally.

      Maybe I'm wasting my time with Perl. Seems like the whole thing could be accomplished with php.

      It sure could. Or C or Java or Ruby or Python or JavaScript or Scala or… Jenda is right I think. We definitely will help you but maybe you should back-up to your original intent and describe what you’re trying to do.

      Signed,
      An English Major that got tired of being poor and unemployed :P

        lol Your_Mother! Yes, I get that--tired of being, well, underemployed and poor if not unemployed and poor. :-)

        I have tried to describe my problem in my response to Jenda. And thank you. I do try not to take it personally, but some days are better than others....

      You have been told at least twice now where to get a drop-in replacement for the horrible, buggy, insecure, widely abused, irresponsibly built code you are using. You have been told a number of times that the code is in fact horrible, buggy, insecure, widely abused, and irresponsibly built.

      Now, if a piece of horrible, buggy, insecure, widely abused, irresponsibly built code is deployed purposefully by someone who knows of a safer alternative which takes almost no work to deploy, what would you call that?

      Are you on General Motors' side that it was okay to keep selling cars with buggy, dangerous ignition switches? Of course not. Are you okay with the infant toys that made it to market covered in lead paint? Of course not. When things are dangerously unfit for purpose, you're on the same page as any other reasonable person, I'm sure.

      I never called you a sociopath. I said that to keep deploying Matt Wright's FormMail knowing what you now know would be irresponsible and bordering on sociopathic behavior. The difference between a sociopath and someone who isn't is that the sociopath willingly engages in sociopathic behavior on a regular basis. Far different from calling you someone who does, I'm hoping you don't. I'm hoping you won't put this piece of crud on servers, waiting for it to spam anyone and everyone.

      If you want to see what Matt Wright says about Matt's Script Archive vs. the NMS project, take a look at his own page about it. Note where he says:

      I would highly recommend downloading the nms versions if you wish to learn CGI programming. The code you find at Matt's Script Archive is not representative of how even I would code these days. My interests and activities have moved on, however, and I just have not found the time to update all of my scripts. One of the major reasons for this is that they work for many people. For this reason, I will continue to provide them to the public, but am also pleased to make you aware of well-coded alternatives.

      The author of the code you're using suggests something else as better designed, better implemented, and better maintained. We linked to nms and suggested nms formmail a number of times now. Stop being defensive and start defending other people using the Internet. The nms team very likely has fixed more classes of exploit by starting from scratch than you'll ever be able to work into the MSA version.

        Just wanted to let you know I'm working on it. I'm not reading your post, though. Not helpful

        Also not trying to spark more confrontation...I just don't need the sensations I'm getting from reading your words right now. I know you mean well.

      What is it with these forums?

      The problem is that your post looks like a troll. Seriously, formmail.pl in 2014? I remember trying to get people to break that habit back in the 90's. Oh, and yeah, you want to fix it with one of those fake bot trap "honeypots" from the 90's too. I feel sorry for you if you're for real but this quacks like a troll.

        And the version of formmail is dated 1997. Believe it. I'm not a troll. Please don't feel sorry for me - I do that enough for myself. (Joke.)