On Tue, Feb 05, 2002 at 08:39:26AM -0800, Professional Software Engineering wrote:
> If you must use it, ensure that you're using a version which permits you to
> restrict the posting based on the referrer (which rather ironically, is
> something the scriptkiddie could just set to be equal to the host that
> they're requesting the script from, so even that's not really _secure_ -
> just less wide open than the config the script kiddies are presently
> searching for).

A good way to lock down a script like this is to restrict the recipient
email address with an ACL. The ACL could be maintained by hand, or via
a simple email authorization scheme. There's (obviously) been a lot of
discussion on this on the spam-l list, and a rewrite of the script with
a recipient-based ACL and all of the known holes plugged can be found at
ftp://ftp.monkeys.com/pub/formmail/1.9s/.
--
Paul Chvostek
<paul(_at_)it(_dot_)ca>
Operations / Development / Abuse / Whatever vox: +1 416 598-0000
it.canada http://www.it.ca/
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
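
The recipient-based ACL suggested in the message above, sketched in Python as an added example; it is not the rewritten script at the FTP link and not code from either poster. The function name, allow-list entries and recipient limit are assumptions made for illustration.

```python
import re

# Constructed allow-list; in practice maintained by hand or filled in by an
# email confirmation step, as the message suggests.
ALLOWED_ADDRESSES = {"webmaster@example.org", "sales@example.org"}
ALLOWED_DOMAINS = {"staff.example.org"}   # any mailbox at these exact domains
MAX_RECIPIENTS = 3                        # assumed cap on addresses per submission

# Deliberately narrow address syntax: no quoting, no '%', '!' or second '@',
# so a wildcard domain entry cannot be used to smuggle in a routed address.
_ADDR = re.compile(r"[a-z0-9._+-]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def check_recipients(field):
    """Return the normalized recipient list, or raise ValueError.

    `field` is the raw recipient value submitted with the form. Every
    address must pass the ACL; one bad entry rejects the whole request.
    """
    # CR, LF or NUL in the value could add headers to the outgoing message.
    if any(ch in field for ch in "\r\n\0"):
        raise ValueError("control character in recipient field")

    parts = [p.strip().lower() for p in field.split(",")]
    if len(parts) > MAX_RECIPIENTS:
        raise ValueError("too many recipients")

    for addr in parts:
        m = _ADDR.fullmatch(addr)
        if m is None:
            raise ValueError(f"malformed address: {addr!r}")
        # Exact match on the address, or exact match on the domain.
        if addr not in ALLOWED_ADDRESSES and m.group(1) not in ALLOWED_DOMAINS:
            raise ValueError(f"recipient not authorized: {addr!r}")
    return parts
```

Unlike the referrer check discussed in the quoted text, this decision does not depend on a request header the client can set to any value: a submission is mailed only if every destination is on the list.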