in reply to Re: E-Mail responder
in thread E-Mail responder

Thanks for your response.
I don't understand why the -T switch might be dangerous either. The ISP says:

"It has come to our attention that one of the scripts on your site is spamming AOL users: /secure/s/a/n/santastefano.com/cgibin/demo.pl This is causing AOL to block legitimate emails originating from our servers. We strongly recommend that you update your script to prevent this. The script has been disabled until it is updated. Some guidelines for updating this can be found below:

For Perl/CGI users: Although it is very handy to be able to use the "-t" switch with sendmail, these days it is opening yourself up to potential (and often very real) problems. Putting the "-t" switch onto the sendmail command line causes sendmail to read through the mail headers in order to determine the recipients. Usually, form variables are used to construct part of the headers, eg subject text, sender email address etc (ie these are printed into the email as part of the headers). Unless you are very careful, spammers can inject additional headers by putting newline characters into these form variables. This opens your script up to abuse. The answer is to not use the "-t" switch with sendmail. Instead, you need to supply the recipient email addresses on the sendmail command line. eg. Instead of doing this:

    # THIS IS BAD
    $recip = 'fred@fred.com';
    $subject = $formvars{'subject'};
    open (MAIL, "| /usr/sbin/sendmail -t");
    print MAIL "To: $recip\r\n";
    print MAIL "From: Website Enquiry <>\r\n";
    print MAIL "Subject: $subject\r\n\r\n";
    print MAIL $message;
    close (MAIL);

do this instead (the only difference is on the "open" line):

    # THIS IS GOOD
    $recip = 'fred@fred.com';
    $subject = $formvars{'subject'};
    open (MAIL, "| /usr/sbin/sendmail $recip");
    print MAIL "To: $recip\r\n";
    print MAIL "From: Website Enquiry <>\r\n";
    print MAIL "Subject: $subject\r\n\r\n";
    print MAIL $message;
    close (MAIL);
Additionally, do not allow $recip to be set from a form variable else a spammer will still be able to abuse it. Always hard code the recipient address into the script or in a configuration file."

The error message I receive is "Internal Server Error. The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, root@cougar.dnsmaster.net and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log." I do not have access to the logs and have not received a response so far.

Re^3: E-Mail responder
by merlyn (Sage) on Nov 28, 2005 at 12:54 UTC
    Since you get $subject from the form, a spammer can put a \n in the subject, and create an additional "to:" line. This is the source of the spam.

    Never take unchecked input and insert it into any part of a mail header.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

      Thanks.
      I am not very experienced in Perl. I understand (I think) what you have said, but can you give me a clue - pointer - as to how to check the input and avoid the problem? Best regards

        Hi good2cu,

        Take a look at Ovid's CGI Course. Pay special attention to the parts that explain using Taint mode and untainting data. Furthermore, searching Perlmonks for "Taint" produces a number of good links, as shown here.

        HTH,

        Larry
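As an added example (not code from this thread, the ISP's guidelines, or the linked CGI course), here is how the advice above fits together in one Perl script: the recipient is hard-coded, sendmail is called with the recipient on its command line rather than -t, the pipe is opened in list form so no shell parses the arguments, and every form value bound for a header is untainted by a check that rejects CR, LF and other control characters, which is what merlyn's and Larry's replies point at. The address, sendmail path, and subroutine names are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint mode refuses to start a subprocess while the environment is
# untrusted, so pin PATH and drop the variables a shell might honour.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed configuration (hypothetical values, not from the thread):
# the recipient lives here, never in a form field.
my $RECIPIENT = 'enquiries@example.com';
my $FROM      = 'noreply@example.com';
my $SENDMAIL  = '/usr/sbin/sendmail';

# A header value is acceptable only if it holds no CR, LF or other control
# character and is of sane length. The captured group is what makes the
# result untainted under -T; \z (not $) keeps a trailing newline from
# slipping through. Returns undef when the value must be rejected.
sub untaint_header_value {
    my ($value, $max_len) = @_;
    $max_len ||= 200;
    return undef if !defined $value || length($value) > $max_len;
    return $value =~ /\A([^[:cntrl:]]*)\z/ ? $1 : undef;
}

# The body is not a header, so newlines are allowed there; just normalise
# line endings and cap the size. Returns undef if missing or too large.
sub clean_body {
    my ($body, $max_len) = @_;
    $max_len ||= 10_000;
    return undef if !defined $body || length($body) > $max_len;
    (my $clean = $body) =~ s/\r\n?/\n/g;
    return $clean;
}

# Assemble the message; $subject must already have passed untaint_header_value.
sub build_message {
    my ($to, $from, $subject, $body) = @_;
    return "To: $to\n"
         . "From: Website Enquiry <$from>\n"
         . "Subject: $subject\n"
         . "\n"
         . $body;
}

# Deliver via sendmail: recipient on the command line instead of -t, list
# form of open() so the arguments never pass through a shell, and -oi so a
# lone "." in the body cannot end the message early.
sub send_enquiry {
    my ($subject, $body) = @_;
    my $safe_subject = untaint_header_value($subject);
    return (0, 'subject rejected: newline or control character present')
        unless defined $safe_subject;
    my $safe_body = clean_body($body);
    return (0, 'body rejected: missing or too large') unless defined $safe_body;

    my $message = build_message($RECIPIENT, $FROM, $safe_subject, $safe_body);
    open my $mail, '|-', $SENDMAIL, '-oi', $RECIPIENT
        or return (0, "cannot run $SENDMAIL: $!");
    print {$mail} $message;
    close $mail or return (0, 'sendmail exited with status ' . ($? >> 8));
    return (1, 'sent');
}

# Demonstration on constructed form input when run as a script; only the
# header check is exercised here and nothing is sent.
unless (caller) {
    my %form = (
        clean    => 'Question about opening hours',
        injected => "Hello\nTo: someone\@example.net",  # constructed: newline then a second To: header
    );
    for my $name (sort keys %form) {
        my $value = untaint_header_value($form{$name});
        printf "%-8s %s\n", $name, defined $value ? "accepted: $value" : 'rejected';
    }
}
```

Run it as `perl -T example.pl` so the command-line switch matches the shebang (perl otherwise stops with "Too late for -T"). The demo prints one accepted and one rejected subject; wiring the script into a real form means calling send_enquiry with the subject and body from the CGI parameters and leaving $RECIPIENT untouched by anything the browser sends.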