Actually, if you use telnet you can write your own headers and say 
you've been refered by whoever you want to say you were refered by and 
then use the script anyway, because you'll just say you came from 
someplace where they have a form. This script is very bad. I submitted 
an update to the archive which adds an additional constraint to it by 
allowing users to only send to certain domains or only certain 
addresses, but I never received word back so I had assumed that the site 
was not very actively maintained.

Any script you write that allows a user to sendmail should ALWAYS CHECK 
THE RECIPIENT to make sure it's not just anyone. I've quit using that 
script in favor of my PHP script that just translates keys given in the 
form into real addresses so that the formmail doesn't even really get 
the ability to send to just anyone.


PS - If you or anyone else is interested in the script, I can send it to 
them. (If I get a lot of requests I just post it on my web site since 
Matt's Script Archive never posted my update.)

Thomas Deliduka wrote:

> This is a classic case of someone not having from Matt's Script
> archive locked down.
> I found it very interesting that while Matt's Script Archive is setup to
> block you from using someone else's form as a referer to yours to prevent
> the use of your script from another server, he simply allows you through if
> you have no referer at all. And that's how someone used our server several
> times about 6 months ago. If you format a perfect querystring and simply hit
> enter on the browser, you can successfully send many people e-mail through
> if it's not modified to block 'no referer' references.
> On 7/26/2001 8:29 PM this was written:
>>Below is the result of your feedback form.  It was submitted by
>>([EMAIL PROTECTED]) on Thursday, July 26, 2001 at 20:29:47
>>: Join for free Today.
>>Free Memberships. No Credit Cards Needed.
>>HUGE Celebrity selection from Jennifer Lopez to Britney Spears.
>>Also Specializing Streaming Video, Live sex shows for every desire!
>>This isn't one of those crummy scams where you have touse a credit card!
>>Take a look and you'll see.
>><a href="aol://2000:";>Enter Here</a>
>>You recived this email because you subscribed to a mailing list. If you would
>>like to be removed from this mailing list please <a
>>href="mailto:[EMAIL PROTECTED]";>Click Here!</a><BR><BR><BR><BR><BR><BR><BR>
>>PHP General Mailing List (
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]
>>To contact the list administrators, e-mail: [EMAIL PROTECTED]

PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to