View Full Version : E-mail from abuse (spam mail)


quick5pnt0
8-30-05, 05:20 PM
I'm not sure what is going on. I just got an e-mail from abuse stating that I needed to clean up my email list because people have complained about it being spam. The problem is that I don't run an e-mail list!

At first I thought it was the script I was using on my contact page so people could just fill out the form. So I got rid of that script and went on a search for the one PowWeb supplies. Turns out it WAS the one PowWeb supplies (saveform.pl). So now I'm not sure what is going on, as I don't run any other mail scripts on my site.

Is it possible that PowWeb's saveform.pl script is screwed up, letting somebody use it for spamming?
In all reality I don't care if I can't use that script, but I need to know that it's not something else going on.
Thanks
Mike

stevel
8-30-05, 05:48 PM
The script PowWeb supplies is insecure and nobody should be using it. Its only saving grace is that the filename provided is not one that spammers typically look for, but otherwise it is the long-discredited "Matt's Form Mail". It would not astonish me that spammers have figured out the new name and started pinging for it.

The simple thing you can do is to edit the script so that it has a fixed "to" address (assuming that you're using it as a 'Contact Us' form) and change its name to something unusual. You can then remove your address from the form parameters passed in. A form that sends to only selected users is useless to a spammer.

If you want something more general purpose, there are some alternatives. Some require more effort than others to set up. There's one called Alienform. http://www.spamcop.net/fom-serve/cache/270.html describes others.

quick5pnt0
8-30-05, 05:59 PM
Steve
Thanks for the reply. That makes me feel much better. I'm going to look into doing exactly what you said.

BTW, can you tell me whether I'd be better off just making a sendmail-style script with PHP, or would that be just as insecure as the Perl one?

Thanks again
Mike

stevel
8-30-05, 08:13 PM
Whether it's in PHP or Perl doesn't matter. What does matter is whether or not the script can be subverted. If a script sends only to a restricted set of addressees, then it should be fine. The version I use just specifies addressee numbers in the form, which are converted to the appropriate address in the script. Checks on referrer domain are easily bypassed.

For forums that allow users to send mail to other users, it should allow only registered users to send, should allow only registered users as addressees, and ideally should have some sort of "are you a human?" test on the form or registration.
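The restricted-addressee design Steve describes in his two replies (a fixed recipient table on the server, with the form passing only a number and never an address) as an added PHP example; this is not PowWeb's saveform.pl or any code from this thread, and the recipient addresses, form field names and the webform@example.com sender are constructed placeholders. It also strips line breaks from header fields, which is the other way form-mail scripts get subverted (injecting extra Bcc: headers).

```php
<?php
// Added example, not PowWeb's saveform.pl: a contact-form handler that only
// ever sends to a fixed, server-side list of recipients. The form submits a
// recipient *number*, never an address, so someone who finds the script
// cannot relay mail to addresses of their choosing.

// Constructed recipient table; replace with your own addresses.
const RECIPIENTS = [
    1 => 'sales@example.com',    // "Sales" option in the form's <select>
    2 => 'support@example.com',  // "Support" option
];

// Remove CR, LF and NUL so a form value cannot inject additional mail
// headers (for example a Bcc: line) when it is placed in the header block.
function clean_header(string $value, int $max = 200): string {
    $value = str_replace(["\r", "\n", "\0"], '', $value);
    return substr(trim($value), 0, $max);
}

// Returns null on success, or an error string when the request is refused.
function handle_contact(array $post): ?string {
    $to = RECIPIENTS[(int)($post['to'] ?? 0)] ?? null;
    if ($to === null) {
        return 'Unknown recipient';  // not in the table: never send
    }
    $from = clean_header($post['email'] ?? '');
    if (!filter_var($from, FILTER_VALIDATE_EMAIL)) {
        return 'Invalid sender address';
    }
    $subject = clean_header($post['subject'] ?? 'Contact form');
    $body    = substr((string)($post['message'] ?? ''), 0, 5000);

    // Use our own address as From and put the visitor in Reply-To, so the
    // message is not refused by SPF/DMARC checks on the visitor's domain.
    $headers = "From: webform@example.com\r\nReply-To: $from\r\n";
    if (!mail($to, $subject, $body, $headers)) {
        return 'Mail could not be sent';
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $err = handle_contact($_POST);
    echo $err === null ? 'Thanks, your message was sent.' : htmlspecialchars($err);
}
```

Because the only addresses reachable are the two in RECIPIENTS, a spammer gains nothing from finding the script, which is the point Steve makes; renaming the file is then a convenience, not the protection.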