I run a small mailing list for a few friends. A few months ago we encountered a problem whereby one of the recipients' companies introduced a mail filter which searches mail for certain words. If it finds those words, it quarantines the message and the staff member gets into some trouble. In order to prevent words like that from slipping through, I wrote the following Perl script to manage the list and filter the words that the filter seems to catch. I would like to apologise to anyone who may be offended by some of the contents of this code.

The addresses have been taken out and replaced with fictional ones:

#!/usr/bin/perl
#
# Written by: Marc Silver <marcs@draenor.org>
#
# $Id: filter-mail-authenticate.pl,v 1.25 2001/08/08 08:58:24 marcs Exp $;
#
#

use strict;
use warnings;

my( $sendmail )       = "/usr/sbin/sendmail";   # location of sendmail
my( $logfile )        = "/tmp/filter.log";      # location of logfile
my( $myaddress )      = "list\@draenor.org";    # list address
my( $listadmin )      = "marcs\@draenor.org";   # admin address
my( $modify_subject ) = 0;                      # modify the subject?
my( $approved )       = 0;                      # this must be 0
my( $log )            = 1;                      # set to 1 to log

umask 0133;

my @real_recipients = ( "user\@draenor.org", "erp\@iafrica.com", "user\@iafrica.com" );
my $message          = "";
my $sender           = "";
my $original_subject = "";

open( LOG, ">> $logfile" ) or die "Cannot open $logfile: $!" if( $log );

while( <> ) {
    # the mbox "From " line carries the envelope sender; the character
    # class is what keeps $sender free of shell metacharacters below
    if( /^From ([-a-zA-Z0-9_.@]+) .+$/ && ! $sender ) {
        $sender = $1;
        print LOG "Sender found: $sender\n" if( $log );
        next;
    }
    if( /^Subject: (.+)$/ ) {
        $original_subject = $1;
        if( $modify_subject ) {
            print LOG "Subject modified\n" if( $log );
            # \Q...\E quotes the subject so regex metacharacters in it
            # cannot break the substitution
            s/\Q$original_subject\E/[friends]: $original_subject/;
        }
    }
    # words the recipient's mail filter is known to catch
    s/fuck/f***/ig;
    s/shit/s***/ig;
    s/shat/s***/ig;
    s/cock/c***/ig;
    s/cunt/c***/ig;
    s/pussy/p****/ig;
    s/whore/wh***/ig;
    s/bitch/b****/ig;
    s/asshole/a**hole/ig;
    s/bastard/b*st*rd/ig;
    s/crap/cr*p/ig;
    # a line holding only "." would end the message for sendmail
    s/^\.$/. /;
    $message .= $_;
}

if( $sender ) {
    foreach my $recipient( @real_recipients ) {
        if( $recipient eq $sender ) {
            $approved++;
            print LOG "Sender matched: $recipient\n" if( $log );
        }
    }
} else {
    print LOG "ERROR: No sender found\n" if( $log );
    open( MAIL, "|$sendmail $listadmin" ) or die "Cannot run $sendmail: $!";
    print MAIL "No sender found.\n\n";
    print MAIL $message;
    close( MAIL );
    exit 0;
}

if( $approved ) {
    open( MAIL, "|$sendmail @real_recipients" ) or die "Cannot run $sendmail: $!";
    print MAIL $message;
    close( MAIL );
    print LOG "Message [$original_subject] sent\n" if( $log );
} else {
    print LOG "Sender not matched\n" if( $log );
    open( MAILADMIN, "|$sendmail -f $myaddress $listadmin" ) or die "Cannot run $sendmail: $!";
    print MAILADMIN "$sender was rejected sending to the friends list.\n\n";
    print MAILADMIN "Message contents:\n\n $message\n";
    close( MAILADMIN );
    open( MAIL, "|$sendmail -f $myaddress $sender" ) or die "Cannot run $sendmail: $!";
    print MAIL "You are not subscribed to this list and may not post to it.\n";
    close( MAIL );
    print LOG "ERROR: Message denied. Admin / Sender notified\n" if( $log );
}

close( LOG ) if( $log );
My question is this: is this script secure? Is there a better way to do this while still validating the addresses? Security is my main concern here, so I wanted to run this past those with more knowledge than me. :)

Thanks,
Marc

Edit: chipmunk 2001-08-12
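One way to do the address check and the sendmail handoff without going through a shell, added here as an example; it is not from Marc's post. The sendmail path is the one the script uses, -f and -i are real sendmail options (-i is not used in the script), and the sub names and demo strings are mine.

```perl
use strict;
use warnings;

my $SENDMAIL = "/usr/sbin/sendmail";   # same path as in the script

# Accept only the address shape the script's own "From " regex allows,
# anchored at both ends, and refuse a leading "-" so the address can
# never be read as an option by sendmail. Returns the address or undef.
sub validate_address {
    my ($addr) = @_;
    return undef unless defined $addr;
    return undef if $addr =~ /^-/;
    return $addr =~ /^([-a-zA-Z0-9_.]+\@[-a-zA-Z0-9_.]+)$/ ? $1 : undef;
}

# Hand a message to sendmail without a shell: the list form of open()
# passes each argument directly, so nothing in an address is parsed as
# shell syntax. -i makes sendmail ignore a lone "." line, so the
# s/^\.$/. / rewrite in the script is not needed.
sub send_message {
    my ($from, $message, @recipients) = @_;
    my $envelope = validate_address($from);
    die "bad envelope sender\n" unless defined $envelope;
    my @to;
    for my $r (@recipients) {
        my $ok = validate_address($r);
        die "bad recipient: $r\n" unless defined $ok;
        push @to, $ok;
    }
    open( my $mail, '|-', $SENDMAIL, '-i', '-f', $envelope, @to )
        or die "cannot run $SENDMAIL: $!";
    print $mail $message;
    close( $mail ) or die "sendmail exited with status " . ($? >> 8) . "\n";
    return scalar @to;
}

# Constructed strings, checked only when this file is run directly;
# nothing is actually mailed.
unless ( caller ) {
    for my $s ( "user\@draenor.org", "user\@draenor.org; id", "-x\@draenor.org" ) {
        printf "%-25s %s\n", $s,
            defined validate_address($s) ? "accepted" : "rejected";
    }
}
```

The envelope "From " line the script reads is whatever the delivering MTA wrote, so matching it against the subscriber list proves only that the claimed sender is on the list, not that the message came from them.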