You’ve Got Mail…

Stephen Yagielowicz

No, this isn’t a sappy story about finding love in CyberSpace, nor does it have anything to do with AOL and their now-famous announcement to newbies the world over that another useless bit of electronic flotsam has settled into their ‘inbox’ – it is a tale of treachery, deceit, and vulnerability that we all can benefit from…

I’ve written before about the evils of SPAM – no, not the Hormel® processed pork product which I dearly love – but the Unsolicited Commercial Email (UCE) that floods my inbox on a daily basis. Today, however, I wish to begin a new rant, chastising the miscreants who impersonate me in an attempt to wreak havoc on others, and lay the blame at my feet. I have posted about this subject on the Cosmic Village Message Board, but with a noticeable increase as of late, I felt that it was time to revisit the subject – and since others of you may be vulnerable to these heathens as well, I am going to share some advice...

Noticing the Symptoms
Because I am constantly preoccupied with both the major issues – as well as the trivial minutiae – of operating an e-commerce business, seemingly random and totally inexplicable occurrences tend to go unnoticed until they demand my attention. An increasing number of returned (bounced) e-mails, marked ‘undeliverable’ or some such, have been making their way into my inbox. Given the huge volume of mail I receive, and the filtering mechanisms I employ, anomalous mail sometimes stands out, and the e-letters in question became noticeable due to their similar traits:

A) They were all marked “undeliverable” and “returned” to

B) They usually contained subject lines or body text that were obviously not written by people who speak English as their primary language.

C) They were all addressed to people I do not know, and worse yet, to seemingly random e-mail addresses like – which (thankfully) bounced, hence being undeliverable.

D) They all contained viruses as attachments.

The upshot of all this is the realization that some ass-monkey is sending viruses hither and fro, and spoofing me as the sender! I scan all incoming and outgoing mail for viruses, and the addresses that are returned are not in my address book – leading me to believe that my machine is not possessed of some insidious virus that is emailing garbage to all of my friends and associates. Instead, I am one of the victims in an ongoing and confusing campaign which amounts to digital vandalism at best, and a premeditated criminal conspiracy at worst. While I hate to point fingers without having all of the facts, one URL that weaves its way through many of these bounced e-mails is – along with several variants thereof.

Since I am being spoofed, I hesitate to refer this e-mail address to younger and less scrupulous, yet far more technically advanced associates of mine, who (so legend says) have the ability to smoke this jamoch’s server, lest he be an innocent bystander as well. So what’s a boy to do? Tighten security as much as possible…

Holding Down the Home Front
While all of these attacks have been exclusively associated with my XBiz e-mail account, I maintain and use dozens of other e-mail addresses – one of the major ‘benefits’ of infinite mail-mapping across all of my own domains. While I have no administrative control over the servers and other technical assets that power XBiz and its sister products, I do have a level of control over my own properties, and have begun to tighten things up as much as possible. One area that I have looked into of late is my use of so-called ‘mail form’ scripts – server scripts which process form input and send the results via e-mail – and which can be ‘hijacked’ to send SPAM (and viruses), often without the knowledge of the site’s owner.

Like many Webmasters, I have long used the MailForm script (also known as formmail.cgi, FormMail.cgi,,, or mailform.cgi in its various incarnations), the original of which is typically obtained from Matt's Script Archive. The SPAM vulnerability comes from not limiting access to the script to the domain that it is hosted on. If you have one of these scripts that you have done any significant customization to, or have set up to send e-mail to a domain external to your website (a common practice), then an inherent vulnerability allows others to exploit the script to send SPAM. Minor changes that will deny outside abusers access, and prevent them from sending e-mails inappropriately through this software, can easily be accomplished. Simply ensure that the Web page you use to submit user input to your mailform contains the e-mail address where you are receiving mail from that form. For example, be sure to include <INPUT type=hidden name="recipient" value="">. The e-mail address that you use must be within your domain – it cannot be, etc.
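The "recipient must be within your domain" rule above, sketched as a server-side check; a hidden form field arrives from the client, so the rule only holds if the script that sends the mail enforces it. This is an added example, not code from FormMail or from the original article, and the domain `example.com`, the function names and the sample submissions are all assumptions made for illustration.

```python
import re

# Assumption: the only domains this site will deliver form mail to.
ALLOWED_DOMAINS = {"example.com"}

# One mailbox only: a local part, a single "@", and a dotted domain.
_ADDRESS = re.compile(r"[A-Za-z0-9._+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def recipient_allowed(recipient, allowed_domains=ALLOWED_DOMAINS):
    """Return True only for exactly one address whose domain is allowed."""
    if not isinstance(recipient, str):
        return False
    # fullmatch() must consume the whole value, so commas, spaces,
    # line breaks and a second "@" all fail here.
    match = _ADDRESS.fullmatch(recipient)
    if match is None:
        return False
    # Exact comparison: "example.com.elsewhere.example" is not "example.com".
    return match.group(1).lower() in allowed_domains


def handle_submission(fields, allowed_domains=ALLOWED_DOMAINS):
    """Decide on one form post; returns (status, recipient or None)."""
    recipient = fields.get("recipient", "")
    if not recipient_allowed(recipient, allowed_domains):
        return ("rejected", None)
    return ("accepted", recipient)


if __name__ == "__main__":
    # Constructed sample submissions, not taken from any real log.
    samples = [
        {"recipient": "webmaster@example.com"},
        {"recipient": "someone@elsewhere.example"},
        {"recipient": "a@example.com,b@elsewhere.example"},
        {"recipient": "a@example.com.elsewhere.example"},
        {},
    ]
    for fields in samples:
        print(handle_submission(fields), fields)
```
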

If you would like to have mail delivered to such an address using this form, and not upgrade to a non-exploitable script, simply rename the script to something other than the names on the list above, being careful to change the name of the script in your mail forms to the name of your newly renamed script. While your mailform script may still be vulnerable, at least the spammers are not searching for it by your custom name and thus will probably not find it.

There may be no fool-proof way to totally eliminate unauthorized mailings, but every operation can and should conduct periodic internal reviews to uncover, and mitigate, the weaknesses and vulnerabilities that are present in even the best systems. Good luck, and if you happen to receive any unexpected emails from that have attachments with them, please be sure not to open them! ~ Stephen