Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

davorg (18)

Yahoo! ID: daveorguk (Add User, Send Message)

Hacker, author, trainer

Technorati Profile []

Journal of davorg (18)

Thursday October 03, 2002
09:07 AM

When Drop-In Replacements Aren't

[ #8155 ]

The nms scripts are advertised as being "drop-in replacements" for Matt's scripts. This is largely true, but there are a couple of caveats.

  1. They are drop-in replacements for Matt's version 1.9. Anything earlier than that is just beyond help.
  2. We have an $emulate_matts_code flag. If it's unset then the scripts more secure, but the the "drop-in replacability" drops.

It's the first of these that is causing us some problems recently. The nms project seems to be becomimg pretty well-known around the web. A lot of ISPs have seen Matt's formmail being used as a spam relay and have changed to our version.

But in many cases the version of Matt's script that they were using was 1.6. This version is infamous for having absolutely no protection against being used as a spam relay. You just set the script up on your server and anyone could use it. So that's what a lot of ISPs seem to have done. They've set up the script on one central server and tell all of their clients to configure their HTML form to use that script.

Now they've installed the nms version of formmail. They haven't read much of the documentation (because, hey, it's a drop-in replacement!) so they don't know that you now have to give it a list of domains that are allowed to use the script. This means that none of their clients' domains are permitted to access the script and anyone who tries to use a form on a client's site gets an error message. And the default error message has a link to nms in it - so the client's client thinks it's all our fault so we get another email to the support mailing list.

There should be some sort of intelligence test for running an ISP.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.