FutureQuest, Inc.
Knowledgebase: CGI/Perl
Why doesn't my formmail script work?
Posted on 30 December 2003 06:51 PM
Due to recent, and increasing, exploits of formmail, FutureQuest has found it necessary to block any access to the following scripts:
/cgi-bin/formmail (any file extension)
/www/formmail (any file extension)
/cgi-ssl/formmail (any file extension)
And all CaSe Variations of the above, such as /cgi-bin/FormMail.pl

To prevent this widely used spamming technique, FutureQuest now requires that everyone take one of the following steps:

1. If using a locally installed instance of formmail, you must upgrade to version 1.92, which can be obtained at:
http://www.worldwidemart.com/scripts/formmail.shtml

Important Note: Access to the script is denied if the script is named "formmail" and resides directly within the /cgi-bin/, /cgi-ssl/ or /www/ directory. You can install it in a subdirectory, such as /cgi-bin/forms/; however, it cannot be in the root of any of the directories listed above. (CaSe does not matter: any variation of the word formmail, such as FormMail.cgi or FORMMAIL.pl, still will not work.) When installing in a subdirectory, it is recommended that the subdirectory not be named "formmail" and that you rename the script to something other than "formmail".

Further information regarding installing and modifying mail forms can be found here:
How do I set up a web based email form?

2. Remove any local installations of formmail and use the pre-installed formmail script located in the server-wide cgi-sys bin. Information about this may be found at this location:
Instant Mail Form Generator

3. Highly Recommended Solution: Replace the use of Matt Wright's formmail script with NMS formmail. "NMS formmail is a drop-in replacement for Matt Wright's FormMail script. It converts an HTML form submission to an email message."
http://nms-cgi.sourceforge.net/scripts.shtml
See Important Note above.

***Note***: It is possible that, even after upgrading to formmail version 1.92 and taking the above steps, someone may find a new exploit for this or any other script. In any instance where FutureQuest determines that your domain is being exploited to send spam via a mail script, we reserve the right to immediately disable access to your cgi-bin until you can be contacted and a solution is found.
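
The naming rule from the Important Note above, modelled as a path check you can run over a list of script locations before installing. This is an added example, not FutureQuest's server configuration or part of either formmail package; the function names, the "discouraged" category, the sample paths, and the choice to treat everything after the first dot as the extension are assumptions made for illustration.

```python
# Added example: models the naming rule as this article words it.
# It is not FutureQuest's actual server configuration.
import posixpath

# Directories the article lists; a script named "formmail" directly inside is denied.
BLOCKED_ROOTS = ("/cgi-bin", "/www", "/cgi-ssl")
BLOCKED_NAME = "formmail"


def stem(filename):
    """Lower-cased name without extension: 'FormMail.pl' -> 'formmail'.
    Assumption: everything after the first dot is the extension."""
    return filename.split(".", 1)[0].lower()


def classify(path):
    """Return 'blocked', 'discouraged' or 'ok' for a script location."""
    # Collapse './', '../' and duplicate slashes so the check sees the real location.
    norm = posixpath.normpath("/" + path.lstrip("/"))
    parent, filename = posixpath.split(norm)
    named_formmail = stem(filename) == BLOCKED_NAME
    if named_formmail and parent in BLOCKED_ROOTS:
        return "blocked"
    # Allowed, but the article recommends against "formmail" as the script
    # name or as the name of the subdirectory that holds it.
    dir_named_formmail = any(d.lower() == BLOCKED_NAME for d in parent.split("/"))
    if named_formmail or dir_named_formmail:
        return "discouraged"
    return "ok"


def audit(paths):
    """Map each path that needs attention to its classification."""
    results = {p: classify(p) for p in paths}
    return {p: c for p, c in results.items() if c != "ok"}


# Constructed sample paths, relative to the account's web space.
SAMPLE_PATHS = [
    "/cgi-bin/FormMail.pl",
    "/cgi-ssl/FORMMAIL.cgi",
    "/www/formmail",
    "/cgi-bin/forms/formmail.pl",
    "/cgi-bin/formmail/contact.pl",
    "/cgi-bin/forms/contact.pl",
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_PATHS).items():
        print(f"{verdict:12} {path}")
```

A "discouraged" result means the location is reachable under the rule as written but still uses the name the article recommends changing.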