WARNING! WARNING! WARNING! If you use this service to send e-mail, your own IP address will be logged, both in the web server logs of the site(s) that you select to forward your message(s), and also in our own web server logs here. YOU HAVE BEEN WARNED! This web site and this service are for educational purposes only and may not be used for any form of commercial activity, nor for any form of harassment or other illegal activity. All such activities are expressly prohibited, and the owner of this web site and this web server takes no responsibility for any possible misuse of this web site or of the programs or data contained or provided herein.
The Formmail Anonymous Mailer allows users to compose arbitrary e-mail messages carrying arbitrary user-selected sender addresses, and to have those messages forwarded to arbitrary destination addresses via one or more FormMail.pl CGI scripts installed in various locations around the Internet. The submission of the messages to these FormMail.pl scripts is fully automated and takes place entirely from, and entirely within, the client browser. Neither the web server nor the mail server at our location participates in any of these transactions; the only parties to each transaction are the user's browser and the remote web server hosting the FormMail.pl script.
As noted above, any user of the Formmail Anonymous Mailer will typically have their IP address logged (in the web server logs) at each remote site that the user elects to send a copy of his or her e-mail message through. It should be noted, however, that many sites turn over (overwrite) their old logs on a very frequent basis, in some cases as often as once a day. Anyone who feels damaged by having received an e-mail message via one of these unsecured FormMail.pl scripts (and who thus wants to trace back to the true originating IP address in order to find the real perpetrator of the message) may therefore be entirely thwarted unless they are able to contact an administrator at the relevant (FormMail.pl hosting) site in a very timely fashion. Even when this is done, many other factors may conspire to prevent completion of the trace: language barriers, lack of experience on the part of the FormMail.pl host administrator (e.g. not knowing how to extract the relevant records from the local web server log files), or even site policies that prevent any server logs from being created or kept at all. Of course, all of this assumes that it is even possible for the message recipient to locate a current, valid, and working e-mail address for some caring and suitably empowered administrator at the FormMail.pl hosting site. That alone may often be problematic for a variety of reasons.
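The trace described above comes down to one concrete task for the hosting site's administrator: pull every request to the FormMail.pl script out of the web server log for the window just before the abusive message was received, and see which client addresses made them. The following is an added example of that extraction, not code from this page or from FormMail.pl. It assumes NCSA "combined" log lines, a script name of FormMail.pl (matched case-insensitively, since the page's own examples show both spellings), and a message arrival time taken from the abusive message's Date: header; the log lines, IP addresses and hostnames are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of NCSA "combined" format log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2002:14:03:11 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 1045 "http://anon.example/mailer.html" "Mozilla/4.0"
198.51.100.9 - - [12/Mar/2002:14:03:40 +0000] "GET /index.html HTTP/1.0" 200 2310 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2002:14:04:02 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 1045 "http://anon.example/mailer.html" "Mozilla/4.0"
192.0.2.55 - - [12/Mar/2002:15:10:59 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 1045 "-" "Mozilla/4.0"
192.0.2.55 - - [13/Mar/2002:09:00:00 +0000] "GET /cgi-bin/FormMail.pl?recipient=someone%40example.org HTTP/1.0" 200 1045 "-" "curl/7.9"
"""

# One combined-format line: client IP, ident, user, [timestamp], "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # the timestamp format used inside the [...]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def formmail_hits(log_text, received_at, window_hours=1, script_name="formmail.pl"):
    """Return the log records for requests to the form-mail script whose timestamp
    lies within `window_hours` before `received_at`.

    `received_at` is given in the log's own timestamp format (e.g. taken from the
    abusive message's Date: header and converted), so no extra parsing is needed."""
    hi = datetime.strptime(received_at, TS_FORMAT)
    lo = hi - timedelta(hours=window_hours)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Drop any query string and compare case-insensitively (FormMail.pl / formmail.pl).
        path = rec["path"].split("?", 1)[0].lower()
        if path.endswith(script_name) and lo <= rec["time"] <= hi:
            hits.append(rec)
    return hits


def suspect_clients(hits):
    """Client IPs that hit the script in the window, most active first: [(ip, count), ...]."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    hits = formmail_hits(SAMPLE_LOG, "12/Mar/2002:14:30:00 +0000")
    for h in hits:
        print(h["ts"], h["ip"], h["method"], h["path"], "referer:", h["referer"])
    print("suspects:", suspect_clients(hits))
```

The Referer field is worth keeping in the output: a request to a form-mail script whose referer is some third-party page (here the constructed anon.example) is exactly the browser-side relaying the page describes, since a legitimate submission would come from a form on the hosting site itself.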
In summary, both old versions and even the latest version of the FormMail.pl script are a very bad thing to have installed anywhere on any of your web servers. There are many known flaws in the pre-1.9 versions of this script, including the exploit that allows unauthorized forwarding of e-mail, the exploit that allows remote command execution, and the exploit that allows information leakage of local environment variables. On top of all this, further investigation (by the developer of this web site) of potential unauthorized e-mail forwarding exploits within the 1.9 version of FormMail.pl has made it evident that there remain numerous methods to trick version 1.9 into forwarding arbitrary, anonymized e-mail messages to any desired destination address or set of destination addresses. Thus, if you have any version of the FormMail.pl script installed on any of your web servers, you are advised to remove it immediately. Also, please do not be lulled into a false sense of security just because you are using a "security patched" version of the FormMail.pl script. The "security patched" versions that are publicly available have also been shown to suffer from multiple easily exploitable flaws.
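The root design problem the page is warning about is that the form itself carries the destination address, and the script then tries to decide after the fact whether that address is acceptable. The following is an added example, not FormMail.pl's code and not a description of any specific bypass of it: it shows a generic domain-suffix check of the kind that such scripts rely on, why a recipient string built as an address list slips through it, and the hardened alternative, in which the form carries only an opaque key that the server maps to a fixed address and no user-supplied text is ever placed in a header unchecked. The allowed domain, the recipient table and the sender host are assumed values constructed for the example.

```python
import re
from email.message import EmailMessage

# --- Illustrative weak check (constructed; NOT FormMail.pl's own logic) -----------
# Accept the user-supplied recipient if it ends in our domain.
ALLOWED_DOMAIN = "example.org"


def weak_recipient_ok(recipient):
    """A suffix regex on the raw recipient field, as an illustration of the weak approach."""
    return re.search(r"@" + re.escape(ALLOWED_DOMAIN) + r"$", recipient) is not None


# --- Hardened handler ---------------------------------------------------------------
# The form field "to" carries a key, never an address. Assumed table for this example.
RECIPIENTS = {
    "sales": "sales@example.org",
    "support": "support@example.org",
}
# Fields whose value is placed in a mail header and must therefore be single-line.
_HEADER_FIELDS = ("subject", "realname", "email")
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class RejectedSubmission(ValueError):
    """Raised for any submission the handler refuses to turn into a message."""


def build_message(form, sender_host="forms.example.org"):
    """Turn a form submission (dict of field name -> str) into an EmailMessage.

    Rejects unknown recipient keys, CR/LF in any header-bound field (header
    injection), and a malformed reply address. The From: header is always our
    own fixed address; the user's address goes only into Reply-To, so the
    script cannot be used to forge a sender."""
    key = form.get("to", "")
    if key not in RECIPIENTS:
        raise RejectedSubmission("unknown recipient key %r" % key)
    for field in _HEADER_FIELDS:
        value = form.get(field, "")
        if "\r" in value or "\n" in value:
            raise RejectedSubmission("CR/LF in header field %r" % field)
    reply_to = form.get("email", "")
    if reply_to and not _EMAIL_RE.match(reply_to):
        raise RejectedSubmission("malformed reply address %r" % reply_to)

    msg = EmailMessage()
    msg["From"] = "webform@" + sender_host
    msg["To"] = RECIPIENTS[key]              # server-side value, never the form's
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["Subject"] = form.get("subject", "Web form submission")[:200]
    msg.set_content(form.get("body", ""))    # body is free text, not a header
    return msg


def accepts(form):
    """True if build_message would accept the submission, False if it rejects it."""
    try:
        build_message(form)
        return True
    except RejectedSubmission:
        return False


if __name__ == "__main__":
    # An address *list* whose last element is in our domain passes the suffix check;
    # handed to a mailer as the recipient string, it is delivered to every address in it.
    crafted = "anyone@attacker.example, victim@example.org"
    print("weak check accepts crafted recipient:", weak_recipient_ok(crafted))
    print("hardened handler accepts it as a key:", accepts({"to": crafted, "body": "x"}))
    print(build_message({"to": "sales", "email": "alice@example.com",
                         "subject": "Question", "body": "Hello"}).as_string())
```

Note what the hardened version does not do: it never tries to validate or clean up an address the user typed as a destination. There is no safe way to accept an arbitrary recipient from a form, which is the same conclusion the page reaches about FormMail.pl; the only robust fix is to take the decision away from the client entirely.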
More generally, we advise webmasters everywhere to stop and reconsider the security aspects and implications of any and all CGI scripts (and all other active components) installed on their respective web sites. As time progresses, standard services such as SMTP, FTP, POP3, IMAP, and NNTP, and the server software that implements them, are, we hope, becoming more and more "shaken out", and thus more and more free of remotely exploitable security problems. HTTP services, however, can be and are being extended in new and novel ways every day through the addition of new, and sometimes untested, server-side active components, which makes the HTTP service, its associated port, and HTTP transactions generally an ever more likely source of new security problems.
Those interested in performing CGI security audits of their web sites and servers are encouraged to investigate whisker, a very sophisticated free CGI security auditing tool that scans a specified web site for a large number of known, common CGI security vulnerabilities.