
Security Hacking Stories

Refusing to acknowledge the security audit does not make you secure.

Problems with FormMail - Don't worry I know what I'm doing!

  • In this story a webmaster refuses to acknowledge the security issues on his website. After all, he's been working for 20 years!

Last Updated 1 Week(s) ago

By Albert Whale


Most of the time I am called into environments only after an attacker has breached them. Being able to be proactive with a facility is a luxury, especially when the owner is not security savvy. In this case, the site in question was using the FormMail tool (which most ISPs have banned because of the security issues this tool imposes).

The webmaster's question concerned the number of emails the tool was sending (there was no Turing test or CAPTCHA in use). Since FormMail does not validate whether a request comes from an automated process or a human being, it is easy to get it to send a thousand or more messages, either to the administrator or to any other email address (i.e. it can be used as a spam bot).
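The checks described above as missing (a human test, a bound on volume, and a recipient the submitter cannot choose) are what a form-to-mail handler needs before it hands anything to a mail server. The following is an added example written for this page, not FormMail's own code: a hypothetical `FormMailGuard` that applies a server-side recipient allow-list, a honeypot field standing in for a CAPTCHA, and a per-client sliding-window rate limit. The field names (`recipient`, `website`), addresses and IPs are constructed.

```python
import time
from collections import defaultdict, deque

# Constructed allow-list: the only addresses the handler will ever mail to.
# The submitter's "recipient" field is checked against it, never trusted directly.
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}


class FormMailGuard:
    """Hypothetical pre-send checks for a form-to-mail CGI (added example)."""

    def __init__(self, allowed_recipients, limit=5, window=60.0, clock=time.monotonic):
        self.allowed = set(allowed_recipients)
        self.limit = limit            # max accepted submissions per client ...
        self.window = window          # ... within this many seconds
        self._clock = clock
        self._hits = defaultdict(deque)   # client_ip -> timestamps of accepted posts

    def check(self, form, client_ip, now=None):
        """Return (accepted, reason) for one POSTed form (a dict of fields)."""
        now = self._clock() if now is None else now

        # 1. Recipient must be on the server-side allow-list. This is what stops
        #    the handler from relaying to arbitrary third-party addresses.
        if form.get("recipient", "") not in self.allowed:
            return False, "recipient not allowed"

        # 2. Honeypot: a hidden field that real browsers leave empty. A filled
        #    value indicates an automated submission (cheap stand-in for a CAPTCHA).
        if form.get("website", ""):
            return False, "honeypot filled"

        # 3. Sliding-window rate limit per client address, so one source cannot
        #    push a thousand messages through in a burst.
        hits = self._hits[client_ip]
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False, "rate limit exceeded"
        hits.append(now)
        return True, "ok"


def demo():
    """Run a constructed batch of submissions through the guard and return the verdicts."""
    guard = FormMailGuard(ALLOWED_RECIPIENTS, limit=2, window=60.0)
    batch = [
        ({"recipient": "webmaster@example.com", "message": "hello"}, "203.0.113.5", 0.0),
        ({"recipient": "victim@example.net", "message": "buy now"}, "203.0.113.5", 1.0),
        ({"recipient": "sales@example.com", "website": "http://spam.example"}, "203.0.113.5", 2.0),
        ({"recipient": "webmaster@example.com", "message": "second"}, "203.0.113.5", 3.0),
        ({"recipient": "webmaster@example.com", "message": "third"}, "203.0.113.5", 4.0),
        ({"recipient": "webmaster@example.com", "message": "later"}, "203.0.113.5", 90.0),
    ]
    return [guard.check(form, ip, now=t) for form, ip, t in batch]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Only submissions that pass all three checks should reach the mail-sending step; the rejections are also the events worth logging, since a run of "recipient not allowed" or "rate limit exceeded" verdicts from one address is exactly the abuse pattern the story describes.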

We cannot make people understand the security problems of their systems, and trying to stop them from shooting themselves in the foot is seemingly not what they want to hear.
