Formmail Hijacked
What better way to celebrate the holidays than with email spam!
Yes, despite a few precautions I had already put in place, some kind soul still managed to hack my formmail.cgi script to send myself and who knows who else a ton of spam emails. It seems to have just happened yesterday, so I luckily caught it and fixed the problem pretty quickly. I’m not sure if it’s even possible for spam emails to be forwarded to others with the script settings I have at Acne-Vitamins, but this is actually what many hackers do when they exploit formmail — use it to spam a ton of other people and make it look like the site that is hosting the script is to blame, when actually the webmaster of the site may not even know that they’ve been hacked. It’s a nifty little trick that is nearly impossible to trace unless you have IP trackers set up ahead of time.
Forms are a great way to make customer contact both user-friendly and secure, so here’s the big secret of how to avoid/stop these attacks if you’re hosting a site that uses formmail: Just rename the file!
I had already renamed my formmail script at Acne Vitamins to something else, but I still had the word “mail” included in the file name. Automated hacking programs are getting smarter, so I would avoid using words like “form” or “mail” altogether when setting up your file. As soon as I changed the name, the spam came to a complete stop.
Of course, if someone really wants to hack your mailing script, they are going to find a way to identify and exploit your files. In this case, make sure to set up some tracking software, consider changing your file directories and properties, and if it comes down to it, there are also sites which will host formmail services for you on their own secure servers and integrate these forms right into your page.
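Renaming hides the script from automated scanners; the relay abuse described above also depends on the script accepting whatever recipient the submitter supplies. The following Python handler is an added example, not the formmail.cgi Perl script or anything from the site described here: it only ever delivers to a fixed allow-list of mailboxes, refuses line breaks in any field that becomes a mail header, and uses a fixed From: address so the server cannot be made to send mail as an arbitrary stranger. The addresses, the referer page and the sample submissions are all constructed placeholders.

```python
import re
from email.message import EmailMessage

# Constructed allow-list of the only mailboxes this handler may deliver to.
# Relay abuse works by handing the script an arbitrary "recipient" field;
# refusing anything outside this set removes that possibility entirely.
ALLOWED_RECIPIENTS = {"contact@example.com", "sales@example.com"}

# Constructed allow-list of pages permitted to submit the form. The Referer
# header is caller-supplied, so this is only a cheap first filter, never the
# sole control.
ALLOWED_REFERERS = {"https://www.example.com/contact.html"}

# Form fields that end up in mail headers. A CR or LF in any of them would let
# a submitter append extra headers of their own choosing.
HEADER_FIELDS = ("email", "realname", "subject")

_CRLF = re.compile(r"[\r\n]")
_ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def reject_reason(fields, referer):
    """Return None if the submission is acceptable, else a short reason string."""
    if referer not in ALLOWED_REFERERS:
        return "referer not allowed"
    if fields.get("recipient") not in ALLOWED_RECIPIENTS:
        return "recipient not on allow-list"
    for name in HEADER_FIELDS:
        if _CRLF.search(fields.get(name, "")):
            return f"line break in header field {name!r}"
    if not _ADDRESS.match(fields.get("email", "")):
        return "malformed sender address"
    return None


def build_message(fields, referer):
    """Validate the submission and return the EmailMessage to hand to the local MTA."""
    reason = reject_reason(fields, referer)
    if reason is not None:
        raise ValueError(reason)
    msg = EmailMessage()
    msg["To"] = fields["recipient"]
    # Fixed From: so the server never sends mail as the submitter; the
    # submitter's address goes in Reply-To, which is where a reply needs it.
    msg["From"] = "webform@example.com"
    msg["Reply-To"] = fields["email"]
    msg["Subject"] = fields.get("subject", "Web form submission")[:200]
    body = "\n".join(
        f"{name}: {value}"
        for name, value in sorted(fields.items())
        if name != "recipient"
    )
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample submissions: one legitimate, one pointing at an
    # outside mailbox, one carrying a line break in a header field.
    page = "https://www.example.com/contact.html"
    good = {"recipient": "contact@example.com", "email": "alice@example.org",
            "realname": "Alice", "subject": "Question",
            "message": "Do you ship abroad?"}
    print(build_message(good, page)["To"])
    print(reject_reason(dict(good, recipient="someone@elsewhere.example"), page))
    print(reject_reason(dict(good, subject="Hi\r\nX-Extra: header"), page))
```

Every rejection returns a reason string, so the calling CGI wrapper can log it with the client address; that log is the "tracking" the post mentions, and it shows relay attempts the moment they start rather than after a mailbox fills up.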