
cpanel formmail being exploited

Discussion in 'E-mail Discussions' started by forlinuxsupport, May 7, 2008.

  1. forlinuxsupport

    forlinuxsupport Well-Known Member
    Hey


    I have the cpanel formmail clone turned on the server (Tweak settings)

    Some sites however don't use / need it.

    I have found a spammer who is posting to the formmail and sending spam to the
    domain even though that domain doesn't use it.

    Here is the apache access log entry.
    194.8.75.204 - - [22/Apr/2008:07:18:09 +0100] "POST /cgi-sys/formmail.cgi HTTP/1.1" 302 280 "http://www.mysite.co.uk/contactus" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

    The site that is getting hit DOESN'T need the cPanel formmail enabled.

    So how can I disable it for certain sites ?

    Would a redirect work ?
    E.g. RewriteRule ^cgi-sys/(.*)$ http://www.mysite.co.uk/ [L]

    So if they try to access the formmail - just redirect them to the main index file.

    Can I turn it OFF for certain sites? Is there a config file for this?

    Cheers
    Andy
     
  2. forlinuxsupport

    forlinuxsupport Well-Known Member
    Will the redirect stop it?
     
  3. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    I've encountered this issue myself beginning about a year ago. Unfortunately, there is no way to easily disable this on a per-site basis (Feature Manager only hides the icons).

    There's a feature request in the system to add a captcha capability to the FormMail clone to curb such spam: http://bugzilla.cpanel.net/show_bug.cgi?id=6530
     
  4. brianoz

    brianoz Well-Known Member

    There's a simpler fix. Check for \n and fields like bcc in the submitted fields and you'll stop your spammer dead in his tracks.

    Adding a captcha form may also be nice, but it's a lot more work.

    cPanel should really fix this quickly; it's not good to be distributing software that allows spammers to operate open relays by default.

    Of course, the other method for stopping this without waiting for a cPanel update is a few well-placed mod_security patterns! Like:

    Code:
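       # Subject: in the POST body plus a Bcc argument containing an address
       SecFilterSelective POST_PAYLOAD "Subject\:" chain
       SecFilterSelective ARG_Bcc ".*\@"
       # Subject: in the POST body plus a bcc: header anywhere in the body
       SecFilterSelective POST_PAYLOAD "Subject\:" chain
       SecFilterSelective POST_PAYLOAD "\s*bcc\:"
       # Any argument value with a line break followed by bcc: and an address
       SecFilterSelective ARGS_VALUES "\n\s*bcc\:.*\@"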
     
    #4 brianoz, May 14, 2008
    Last edited: May 14, 2008
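
The field check described in post #4 (reject line breaks and bcc-style fields in submitted values), sketched as an added example that is not part of the thread or of cPanel's code. The field names recipient, subject, email and realname are assumed FormMail-style names, and the sample request bodies are constructed.

```python
import re
from urllib.parse import parse_qsl

# Assumed field names (FormMail-style); adjust to the form actually deployed.
HEADER_FIELDS = {"recipient", "subject", "email", "realname"}
EXTRA_RECIPIENT_FIELDS = {"cc", "bcc"}
# A line break followed by something that looks like a mail header.
INJECTED_HEADER = re.compile(r"[\r\n]\s*(to|cc|bcc|subject|content-type)\s*:", re.I)


def check_submission(body: str) -> list[str]:
    """Return the reasons a urlencoded form body should be rejected."""
    reasons = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        key = name.strip().lower()
        # The form itself tries to add recipients (cf. the ARG_Bcc rule).
        if key in EXTRA_RECIPIENT_FIELDS and "@" in value:
            reasons.append(f"{name}: form supplies its own {key} recipient")
        # Values copied into mail headers must be a single line.
        if key in HEADER_FIELDS and re.search(r"[\r\n]", value):
            reasons.append(f"{name}: line break in a header-bound field")
        # Any value carrying a new header line (cf. the ARGS_VALUES rule).
        match = INJECTED_HEADER.search(value)
        if match:
            reasons.append(f"{name}: embedded '{match.group(1).lower()}:' header")
    return reasons


# Constructed sample bodies (not taken from the thread's logs).
CLEAN = ("recipient=info%40example.test&subject=Quote+request"
         "&email=a%40example.test&message=Hello%0Athere")
INJECTED = ("recipient=info%40example.test&subject=Hi%0ABcc%3A+x%40example.test"
            "&email=a%40example.test&message=Hello")
BCC_FIELD = "recipient=info%40example.test&subject=Hi&Bcc=x%40example.test&message=Hello"

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("injected", INJECTED), ("bcc field", BCC_FIELD)):
        print(label, "->", check_submission(body) or "accepted")
```

The last check runs over every field, as the final mod_security pattern in the post does, so a message body containing a line that starts with "cc:" or "to:" is rejected as well.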