in reply to form+subscription+Perl+sendmail = TROLL

Hi, you appear to be using cgi-lib.pl to parse your input, which is outdated; you will find CGI more reliable. Anyway, a stepwise approach is in order to debug.

1) Check your sendmail routine works:

    # send a fixed test message to yourself; err_trap is your own error handler
    my $to      = 'me@my_email.com';
    my $from    = 'nobody@nowhere.com';
    my $subject = 'test message';
    my $body    = 'message body';
    sendmail($to, $from, $subject, $body) or err_trap("Sendmail Choked");

Having proven that your sendmail routine works check to see that your script is getting the input you expect, Data::Dumper is a handy way to output the entire %in hash:

    use Data::Dumper;
    $email = $in{'EMAIL'};
    $mserv = $in{'ELIST'};
    # dump the whole %in hash back to the browser so you can see exactly what the form sent
    print "Content-type: text/html\n\n<pre>\n";
    print Dumper \%in;
    print '</pre>';
    exit;

If that does not reveal the problem then it may be that your ISP's domain (sendmail is using this in the headers) is on your target mail recipient's spam haven list and has been banned.....

One reason that domains get banned is because people (like you) write insecure scripts (like yours). The 'hidden' field for the to address lets me use your CGI to send mail to anyone@anywhere.com with a from address of spammer@someones.open.gateway.com

As it happens I know your sendmail routine works because I spammed myself with a test message simply by typing this into my browser address bar (of course I could have used LWP and sent 1,000,000 messages killing your mail server and flooding my enemies)

http://www.afoto.com/cgi-bin/boo/amail.cgi?ELIST=jfreeman@tassie.net.au&EMAIL=nobody@nowhere.com

You must 'hard code' the to address in your script. If you want to deliver to lots of addresses you should store them in a data structure and use 'ELIST' to select the desired address, that way the only available target addresses are yours....

Update

Your mail server is using anonymous as its return path which may well be the problem. Here are the headers from my test spam via your script:

    Return-Path: <anonymous@hercules.dns-solutions.net>
    Received: from hercules.dns-solutions.net (hercules.dns-solutions.net [209.66.124.56])
        by perseus.tassie.net.au (8.12.6/8.12.6/RG2.3) with SMTP id gA60uxp7000438
        for <jfreeman@tassie.net.au>; Wed, 6 Nov 2002 11:57:00 +1100 (EST)
    Received: (qmail 3141 invoked by uid 441); 6 Nov 2002 00:56:59 -0000
    Date: 6 Nov 2002 00:56:59 -0000
    Message-ID: <20021106005659.3140.qmail@hercules.dns-solutions.net>
    To: jfreeman@tassie.net.au
    From: nobody@nowhere.com
    Subject: subscribe
    X-UIDL: Moa!!,#]!!9dU"!0[G!!

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
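The fix tachyon describes (the list key selects one of your own addresses, nothing from the request becomes a recipient directly), written out as an added example rather than code from the thread. It assumes the CGI module, a sendmail binary at /usr/sbin/sendmail, placeholder list addresses at example.com, and a qmail host where, as the later posts found, the Return-Path header sets the envelope sender that ezmlm subscribes.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed allowlist: the form's ELIST value is only ever a key into this
# hash, so the set of reachable recipients is fixed by you, not by the caller.
my %LISTS = (
    news    => 'news-subscribe@example.com',     # placeholder addresses
    members => 'members-subscribe@example.com',
);

my $q     = CGI->new;
my $key   = $q->param('ELIST') // '';
my $email = $q->param('EMAIL') // '';

# Refuse anything that is not a known list key.
my $to = $LISTS{$key};
unless (defined $to) {
    print $q->header(-status => '400 Bad Request'), "Unknown list\n";
    exit;
}

# Conservative shape check on the subscriber address: one local part, one
# domain, no whitespace.  Rejecting newlines matters because the value is
# printed straight into mail headers below.
unless ($email =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/) {
    print $q->header(-status => '400 Bad Request'), "Bad address\n";
    exit;
}

# Hand the message to the local sendmail binary; -t takes the recipient from
# the To: header, -i stops a lone "." line from ending the message early.
# On qmail the Return-Path header becomes the envelope sender (assumption
# from the thread), which is the address ezmlm subscribes and sends its
# confirmation to; bounces will therefore go to the subscriber, not to you.
open my $mail, '|-', '/usr/sbin/sendmail', '-t', '-i'
    or die "cannot run sendmail: $!";
print {$mail} "Return-Path: $email\n",
              "From: $email\n",
              "To: $to\n",
              "Subject: subscribe\n\n",
              "subscribe\n";
close $mail or die "sendmail exited with status $?";

print $q->header(-type => 'text/plain'),
      "Subscription request sent for $email\n";
```

On a classic sendmail MTA the Return-Path header is discarded rather than used as the envelope sender, so the same script would need a different mechanism there.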

Re: Re: form+subscription+Perl+sendmail = TROLL
by vnomad (Novice) on Nov 06, 2002 at 01:57 UTC
    Aj, aj, aj- I am blushing!
    But really appreciate the lesson, still.
    I put access to the $to variable in the form in order to find out if it would mail to myself, testing the sendmail mechanism.
    But, in my testing frenzy the potential abuse did not occur to me. As soon as an upload finishes I'll take it out, and change the variable name. Will that be a bit safer then?
    I'll try the header hypothesis, and check the parsing. I am using a modified version of the old "readparse." (Brenner's?)
    Again, thanks. I feel some hope now (mixed with shame, fear, and trembling)

    Dagfinn

    Volda, Norway, where trolls dance on the telephone wires
Re: Re: form+subscription+Perl+sendmail = TROLL
by vnomad (Novice) on Nov 06, 2002 at 04:29 UTC
    Dear tachyon,
    I was wondering why this <anonymous@hercules.dns-solutions.net> kept getting subscribed ...
    So the mailing list program grabs the Return-Path:, not the From:, in making subscribers?

    It's early morning in northwestern Norway, after a long night of trying to eff the ineffable. Maybe a workaround will come to me in tortured dreams, or maybe someone here will have pity and suggest something . . .
    Or maybe it can't be done with a button on a form if the server's mailheader is that way?
    ps. I have removed the offending <INPUT...>
    -Dagfinn-

    Volda, Norway, where trolls dance on the telephone wires
      The mailing list program ezmlm does use the Return-Path from the mail as the address to subscribe and the one it sends the confirmation mail to. The Return-Path is the SMTP envelope sender set with the MAIL FROM command. You usually can't forge this on Unix machines when going through the sendmail process. You can set this when talking directly to the SMTP server, but many SMTP servers have limitations on what address they accept. If you are talking to your own mail server, you can configure it to accept these messages, but make sure you don't allow your mail server to become a spam relay.

      I would argue that ezmlm's behavior is wrong. It should use the From: header to determine the address to subscribe. Its behavior inhibits what you are trying to do of generating a subscription message on behalf of someone else. By forging the Return-Path all bounce messages will go to the user. They really should go to an address that you look at. It doesn't provide any extra security from forgery or spam because the Return-Path is as easy to forge as the From: header.

      You probably don't have any choice in which mailing list program you are using. If you have control of the mailing list, you might want to check if there is some way you can change this behavior. Or if there is some way to access the subscription process.

        Greetings, and good news.
        But first, thanks for all the generous help I am receiving!
        I also assumed that it might not be possible to `forge' the Return-Path header, but decided I would try anyhow, and added the line
        print MAIL "Return-Path: $from\n";

        to my soup. To my surprise it worked, and the subscription button works fine now. That header was disturbingly easy to change . . .

        Now I need to take a closer look at security. But it sure is nice to have overcome this particular troll.
        Since I am hosted by `Prohosting.com' I took what they have given, and that is ezmlm for a mailing list.

        Thanks again to all that had mercy on my little silly predicament!
        Dagfinn

        Volda, Norway, where trolls dance on the telephone wires