Site down


nettime
7-11-02, 10:57 AM
It's 8:49 am CDT and my website is down.

I haven't seen any scheduled maintenance on the Powweb Forum on the neptune server which is the one that my website is on...

Any specific reason why my website is down? Anyone else on magnatar experiencing the same problem?

Any news on this?

nettime
7-11-02, 10:58 AM
I'm on the magnatar server....

John_paaw.com
7-12-02, 12:03 AM
Oh, I don't know.

Metro
7-12-02, 12:18 AM
John, I can't see your site, but I'm on terra & mine is working (for how long, I don't know). Just FYI.

rancher
7-12-02, 12:18 AM
and it is working fine....it's now 8:20 pm Pacific time.

Rancher

RadioRob
7-12-02, 12:20 AM
Everything looks great for me. No problems whatsoever. :)

John_paaw.com
7-12-02, 12:26 AM
And taking snapshots of the terra.powweb.com and keeping track of the time it is down per advisement.

:-)

Starr
7-12-02, 12:38 AM
paaw.com was disabled by admin for failing to comply w/ an admin request (2x) and disable an open form mailer w/in their cgi-bin.

Make sure to read your package history area and the "README" file left in your home directory (2x).

ps: fire your "advisor" they are not helping. ;)

John_paaw.com
7-12-02, 12:42 AM
Well?

John_paaw.com
7-12-02, 12:51 AM
Why did I not get one sent to my e-mail address? What's wrong with that formail script anyway?

RadioRob
7-12-02, 12:55 AM
John...

I'm not an admin, and I don't speak for them in any way... but from what I gathered from Starr's post...

Your form mailer is set where people can use it to e-mail ANYONE. This makes it really easy for spammers to use your mailer to send spam to a whole bunch of people. You need to set it to send the e-mail only to you, or restrict it somehow so it can't be abused.

Starr can give ya the details and explain it... but that's just MY interpretation of it. Hope that helps!

John_paaw.com
7-12-02, 01:00 AM
You're right, I only want "Me" using it and I only have it there to receive email from the site itself. I certainly don't use it to send as I have all my mail done through everyone.net as far as answering replies.

As soon as I can get in there, I'll fix it wherever the fix is supposta be.

RadioRob
7-12-02, 01:03 AM
Cool! :)

I think that will make the Admins happy. Just to expedite getting access back to your site, you might want to either Private Message Starr or e-mail admin@powweb.com and let him know of your intent to fix the script and ask he give you access to FTP and such.

Once everything is taken care of, I'm betting they'd be happy to take care of everything for ya!

Good luck!!

RadioRob
7-12-02, 01:08 AM
Oh.... by the way... PowWeb offers a free mail script to allow your visitors to submit info via a form and have it e-mailed to you. Read more about it:

http://powweb.com/support/formmail.html

It might be better to use that than to completely try and configure a script on your own if ya are not completely sure of what to do.

It may be of use to ya, it may not. But it's there just in case.

John_paaw.com
7-12-02, 01:15 AM
I actually use the one from Matt Wright himself. Perhaps they want me using theirs instead.

RadioRob
7-12-02, 01:22 AM
Or it could be something was just not set correctly that left a vulnerability open in your mailer that could be used to let spammers send spam from your form.

Just a thought. (cause ya know it's easy for those little things to slip by at times! ya catch it later after ya realize it works and ya can quit pulling ya hair out!)

John_paaw.com
7-12-02, 01:34 AM
But just shutting my site down and only sending me a message through ops, as Starr stated, is customer friendly?


I admit they need to control this, and I certainly don't want my site being used for spam, but just so you'll all know, he shut down my site without ever sending any e-mail of any kind to my e-mail address that's listed in Ops for that domain.


Period.

John_paaw.com
7-12-02, 02:25 AM
> Make sure to read your package history area and the "README" file left in your home directory (2x).

Actually all that was there outside was something called dead-letter, no README file. Just want to get it fixed.

KenCarlson
7-12-02, 10:07 AM
I'm just curious...

Is it really PowWeb policy when they shut someone down to only post info in the package history and not send email or make a phone call?

Everything in my "Package History" file is nothing but a copy of what was emailed to me, so I'm inclined to believe that perhaps John either missed the email or it got lost in transit.

Either way, I'd like to be sure... I certainly do not routinely browse my Package History records, and it's not the first place I go when encountering problems with my site. Maybe it should be something I browse every once in a while?

Ken

John_paaw.com
7-12-02, 10:30 AM
They should have contacted me directly via e-mail or phone to inform me, as they do have that information.

However, if the script can be accessed by others on the net from my cgi-bin (scary) to use from my domain to send spam mail, I am certainly glad I found out now because I certainly do not want that. I'd rather the site be down till it can be resolved.

I looked at the script on my computer and this is what it states and what I believe the problem is.

------------------
$mailprog = '/usr/sbin/sendmail';

# @referers allows forms to be located only on servers which are defined #
# in this field. This security fix from the last version which allowed #
# anyone on any server to use your FormMail script on their web site. #

@referers = ('mail.paaw.com','paaw.com', 'www.scotishplay.com');

----------------------

My guess is it should state paaw.com alone?

"mail.paaw.com",

was the URL my visitors could access the sign up with everyone.net free e-mail address and I included it in there from a prior web host because I wasn't getting mail to my e-mail accounts that were from everyone.net. Actually it should not be there anyway, I just forgot about it, as I no longer use that URL address but paaw.mail.everyone.net, where it's a pain if you change web hosts to keep asking them to set it back to mail.paaw.com. Paaw.com only had 2 web hosts since its existence in 98 so I hardly find my domain or myself a problem child.

scottishplay.com, is another domain hosted by powweb and rather than set up another formail.pl in its directory, I just included it on the Paaw.com domain.

That's what I've done, that's all I know.

KenCarlson
7-12-02, 10:46 AM
John:

I'd recommend that you just go download and deploy the latest version of Matt's FormMail script. That way, the PowWeb people don't have to search the whole script to see that you've manually closed the security holes in older versions... They can just look at the version number and be somewhat confident that your script is secure.

In my opinion, that's the easiest solution.

One other suggestion that I've read here in the forums that I happen to agree with is to hard code the recipient. That way, regardless of the referrer, the script can't be exploited. Sure, it's less flexible, but it's not all that hard to deploy multiple versions of the same script, each with different hard-coded recipients.

Ken

John_paaw.com
7-12-02, 11:17 AM
I also read what's on Matt's web site, which I have not been to in a long time. Scary!

Thanks Ken.

rancher
7-12-02, 01:44 PM
Forgive my ignorance, but could you elaborate in simple terms what you mean?

> One other suggestion that I've read here in the forums that I happen to agree with is to hard code the recipient. That way, regardless of the referrer, the script can't be exploited. Sure, it's less flexible, but it's not all that hard to deploy multiple versions of the same script, each with different hard-coded recipients

Thanks!
Rancher

MannInc
7-12-02, 02:38 PM
Actually, NMS FormMail is better:

http://nms-cgi.sourceforge.net/

KenCarlson
7-12-02, 06:38 PM
Sure, Rancher... Explanation follows:

The FormMail script from Matt's Script Archive is configured to accept, via web form submission, a variable called "recipient". The script, in essence, takes the contents of a web form and packages it up into an email message that gets sent to the email address that is defined by the "recipient" variable.

Now, what the spammers do (to mask their activity) is set up their own script that iterates through huge lists of email addresses. Their script calls the unprotected FormMail script passing the body of THEIR intended message, and setting the "recipient" variable with each iteration to each address on their huge list. When the spam email is received, the true identity of the spammer is masked by the fact that it is the unprotected FormMail script (and the sendmail function of the server that hosts it) that is the originator of the message.

What can be done as a foolproof protection against this, however, is to modify the FormMail script so that it no longer takes or pays attention to the recipient variable as an input argument. Instead, you simply hard code the email address that you want your script to use as the recipient. It does a spammer no good to try to exploit that script, because there is no way for him to vary the recipient.

Hope this helps... I'd write more, but I gotta go.

Ken
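
Ken's hard-coded-recipient fix, sketched in Perl beside the open behaviour he describes. This is an added example, not part of the original posts and not FormMail's own code; the function names, `$RECIPIENT`, the single-entry `@referers` list and the sample submission are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical fixed mailbox; replace with the site owner's own address.
my $RECIPIENT = 'webmaster@example.com';

# Hosts allowed to carry the form, in the style of the @referers setting above.
my @referers = ('paaw.com');

# Referer check. The Referer header is supplied by the client, so this only
# stops other sites from embedding the form; it does not authenticate anyone.
sub referer_ok {
    my ($referer) = @_;
    return 0 unless defined $referer;
    my ($host) = $referer =~ m{^https?://([^/:]+)}i or return 0;
    return (grep { lc($host) eq $_ } @referers) ? 1 : 0;
}

# Open behaviour described in the thread: To: is whatever the form submitted.
sub build_message_open {
    my ($form) = @_;
    return "To: $form->{recipient}\nSubject: $form->{subject}\n\n$form->{body}\n";
}

# Hardened behaviour: the "recipient" field is never read.
sub build_message_fixed {
    my ($form) = @_;
    my $subject = defined $form->{subject} ? $form->{subject} : 'Web form';
    $subject =~ s/[\r\n]+/ /g;    # keep submitted text on one header line
    my $body = defined $form->{body} ? $form->{body} : '';
    return "To: $RECIPIENT\nSubject: $subject\n\n$body\n";
}

# Constructed submission: recipient names a third party, Referer claims paaw.com.
my %submission = (
    recipient => 'third-party@example.net',
    subject   => 'hello',
    body      => 'message text',
);
my $claimed_referer = 'http://paaw.com/contact.html';

print "referer accepted: ", referer_ok($claimed_referer), "\n";
print "--- open ---\n",  build_message_open(\%submission);
print "--- fixed ---\n", build_message_fixed(\%submission);
```

The referer check passes in both cases; only the fixed builder keeps the message addressed to the site owner.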

John_paaw.com
7-12-02, 08:11 PM
> I'm just curious...
>
> Is it really PowWeb policy when they shut someone down to only post info in the package history and not send email or make a phone call?


Well Ken, I don't know when you'll get your answer, but thanks for your input.

Starr
7-12-02, 09:00 PM
We treat each case individually. In this case, we disabled the FormMail.pl in the user's cgi-bin and left a README in their home directory w/ a statement of what happened and why (2 times). In both cases, the user (or someone working for the user) logged in and, ignoring the README, re-enabled the FormMail.pl script.

So, in regards to this user, yes, we disabled their web site for ignoring 2 requests by admins to fix their FormMail.pl script.

John_paaw.com
7-12-02, 11:55 PM
I am the only one with the keys to the car as far as FTP, and the only thing I saw was a dead-letter, which also comes with the suggest site script within the paaw.com directory, which now I will be removing as it really serves no purpose to me.

When I saw the dead-letter with "NO" README file, I thought I accidentally ftp'd it over to the server as we all know, we sometimes ftp the incorrect page ...etc.

I don't know Starr, but the other host I had always e-mailed us when something was New, when something changed. You got to remember that a lot of scripts come with the README file and that people can make a mistake where they actually ftp the README file onto the server, I have actually done it before along with incorrect.html files.

But, I think the way Powweb approaches the "Individual cases" should be looked at as how you conduct them. I think the site owners would all agree that they should be notified via e-mail or by phone as to the potential problem.

Actually, Powweb saved me from a potential hazard that I was unaware of not visiting Matt's site on a regular basis. The README file is now in there without the dead-letter as I deleted the dead-letter because I thought I accidentally ftp'd it there. So no, I didn't read the dead-letter, which was the only text file that was present.

I hope this has given you an idea of what happened in terms of paying attention to your requests as I thought it was an ftp send to the server of my own doing.

So I hope in the future they'll contact me via email or by phone.