Web Application Spam Relays

Formmail is a common web-hosted script that can be used to accept email via a webpage form, and several makes of formmail script can be abused to send spam to any recipient. Other CGI scripts and web applications can also be abused to relay spam.

Web Application Spam Relay Security Alerts
Formmail Anti-Spam Honeypots
Alternative Formmail Scripts
Protect PHP
Web Application Vulnerability Scanning

Web Application Spam Relay Security Alerts

Most of these vulnerabilities use email header injection (CRLF injection), which uses carriage return and newline characters in submitted form fields to inject new header lines that are under the spammer's control.

Web Application	Security Advisories	Vulnerability Reference
Generic	Form Post Hijacking Email Injection Spam relay via web forms Spammercheck Fight-spam CRLF Injection	CWE-93
Alexandria-Devel	Alexandria-Devel could allow an attacker to bypass sendmessage.php filter	XFDB-11863
BizMailForm	BizMailForm security update	CAN-2005-0493 BID-12620 XFDB-19435
csMailto	CGIScript.net csMailto script could be used for mail relaying	CAN-2002-0751 BID-4579 XFDB-9805
Dotdeb PHP	Dotdeb PHP Email Header Injection Vulnerability	BID-21075
Free Customized Feedback Form	Prior to 10/05/2005 lacked variable sanitization, and as such allowed for CRLF injection	-
Form2Email	Some spam criminals found a way to circumvent security in earlier versions	-
FormMail	FormMail.pl Allows Unauthorized Users to Send Spam Formmail Anonymous Mailer Setting Up the FormMail Script	CVE-1999-0173 CAN-2001-0357 BID-2080 XFDB-6242
Forms To Go	My Forms To Go script is used to spam	-
Guidescope	Guidescope could allow an attacker to relay spam	XFDB-12732
Hypermail CGI Mail	Hypermail CGI Mail Open Relay Vulnerability	BID-6973 XFDB-11449
Mambo Site Server	Mambo Site Server contact.php script allows email to be sent anonymously	BID-8647 XFDB-13240
MIT Cgiemail	Cgiemail Web Mail System May Let Remote Users Relay Mail Via the System	CAN-2002-1575 BID-5013 XFDB-9361
Movable Type mt-send-entry.cgi	Moveable Type Spam Vulnerabilities	-
osCommerce	Contact form issue/textarea bug	-
PHP	CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL	CVE-2007-1900 BID-23359 XFDB-33510 SA-24824
PHP-Nuke	PHP-Nuke mail CRLF injection	SA-7776
PHPFormMail	Form field allows you to specify to whom you wish for your form results to be mailed	BID-4704 XFDB-9097
PieterPost	PieterPost Anonymous Email Sending Vulnerability	SA-10321
WorldClient CGI	Alt-N WorldClient CGI Lets Remote Users Send Forged Mail	BID-6816 XFDB-11335 SA-8021
vbPortal	vbPortal Anonymous Email Sending Vulnerability	SA-10279

Formmail Anti-Spam Honeypots

Alternative Formmail Scripts

The most popular Formmail script has several security flaws. These alternative scripts may not have the same flaws.

NMS FormMail - nms-cgi.sourceforge.net/
dr. Jørgen Mash's FormMail.pl - moensted.dk/formmail/
Contact Form - ostermiller.org/contactform/
MailWebForm - freshmeat.net/projects/mailwebform/
SCForm - jimsun.linxnet.com/SCForm.html
Soupermail - soupermail.sourceforge.net/
Jack's FormMail.php - www.dtheatre.com/scripts/formmail.php
Tectite FormMail PHP - www.tectite.com/formmailpage.php
WebPro - www.geocel.com/webpro/

Protect PHP

Protect mail() from new line injection attacks with these hardening solutions for PHP.

Suhoshin PHP protection system - www.hardened-php.net/suhosin/
PHP Hardening-Patch - www.hardened-php.net/hphp/
Server peace: Individual security measures for PHP applications - www.heise-online.co.uk/security/Basic-security-for-PHP-software--/features/97299

Web Application Vulnerability Scanning

GamaScan - www.gamasec.com/ - free, online
Top 10 Web Vulnerability Scanners - sectools.org/web-scanners.html
Web Application Vulnerability Scanners - samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners
Web Applications Scanners - www.networkcomputing.com/rollingreviews/Web-Applications-Scanners/

everything you didn't want to have to know about spam

Hosted by spam.abuse.net, with help from Neil Schwartzman. Domain registration by Gregg DesElms. Logo by Art101.

This work is licensed under a Creative Commons License. SPAM is a trademark of Hormel Foods.

Page last updated: 26-Mar-2008