Thanks for your response.
I don't understand why the -T switch might be dangerous either. The ISP says
"It has come to our attention that one of the scripts on your site is spamming AOL users:

/secure/s/a/n/santastefano.com/cgibin/demo.pl

This is causing AOL to block legitimate emails originating from our servers. We strongly recommend that you update your script to prevent this. The script has been disabled until it is updated. Some guidelines for updating this can be found below:

For Perl/CGI users:

Although it is very handy to be able to use the "-t" switch with sendmail, these days it is opening yourself up to potential (and often very real) problems.

Putting the "-t" switch onto the sendmail command line causes sendmail to read through the mail headers in order to determine the recipients. Usually, form variables are used to construct part of the headers, eg subject text, sender email address etc (ie these are printed into the email as part of the headers). Unless you are very careful, spammers can inject additional headers by putting newline characters into these form variables. This opens your script up to abuse.

The answer is to not use the "-t" switch with sendmail. Instead, you need to supply the recipient email addresses on the sendmail command line.

eg. Instead of doing this:

<code>
# THIS IS BAD
$recip = 'fred@fred.com';
$subject = $formvars{'subject'};
open (MAIL, "| /usr/sbin/sendmail -t");
print MAIL "To: $recip\r\n";
print MAIL "From: Website Enquiry <>\r\n";
print MAIL "Subject: $subject\r\n\r\n";
print MAIL $message;
close (MAIL);
</code>

do this instead (the only difference is on the "open" line)

<code>
# THIS IS GOOD
$recip = 'fred@fred.com';
$subject = $formvars{'subject'};
open (MAIL, "| /usr/sbin/sendmail $recip");
print MAIL "To: $recip\r\n";
print MAIL "From: Website Enquiry <>\r\n";
print MAIL "Subject: $subject\r\n\r\n";
print MAIL $message;
close (MAIL);
</code>

Additionally, do not allow $recip to be set from a form variable else a spammer will still be able to abuse it. Always hard code the recipient address into the script or in a configuration file."

The error message I receive is "Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, root@cougar.dnsmaster.net and inform them of the time the error occurred, and anything you might have done that may have caused the error." I do not have access to the logs and have not received a response so far.
More information about this error may be available in the server error log.

In reply to Re^2: E-Mail responder by good2cu
in thread E-Mail responder by good2cu
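
The header-injection problem described in the quoted ISP notice, as an added example that is not part of the original post or the ISP's text: it rejects form values containing CR or LF before they reach a header, and pipes to sendmail without "-t" and without a shell. The names clean_header, build_headers and send_mail, the example.com address, the 200-character limit and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hard-coded recipient, as the notice recommends (constructed address).
my $RECIP = 'fred@example.com';

# Reject any value containing CR or LF: those characters are what let a
# form field end the "Subject:" line and start a header line of its own.
sub clean_header {
    my ($value) = @_;
    return unless defined $value;
    return if $value =~ /[\r\n]/;
    return if length($value) > 200;    # arbitrary sanity limit (assumption)
    return $value;
}

# Build the header block the way the scripts in the notice do.
sub build_headers {
    my ($subject) = @_;
    return "To: $RECIP\r\n" . "Subject: $subject\r\n\r\n";
}

# List-form pipe open: no shell parses the command line, there is no "-t",
# and "--" ends option parsing so the recipient is never read as a switch.
# Defined for reference only; nothing below calls it, so this runs offline.
sub send_mail {
    my ($subject, $body) = @_;
    open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', '--', $RECIP)
        or die "cannot run sendmail: $!";
    print {$mail} build_headers($subject), $body;
    close($mail) or die "sendmail failed: $? $!";
}

# Constructed form inputs: one ordinary, one carrying an extra header line.
my @samples = ("Question about pricing", "Hello\r\nX-Injected: yes");

for my $raw (@samples) {
    (my $shown = $raw) =~ s/\r\n/\\r\\n/g;    # printable copy for output
    if (defined(my $ok = clean_header($raw))) {
        print "accepted: $shown\n";
    }
    else {
        # Count the header lines the unchecked value would have produced.
        my @hdrs = grep { /^[\w-]+:/ } split /\r?\n/, build_headers($raw);
        printf "rejected: %s (would have produced %d header lines)\n",
            $shown, scalar @hdrs;
    }
}
```

The second sample is rejected because, unchecked, it would have produced three header lines (To, Subject and the extra one) instead of two.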
