Chances are your reading this because you just got an email (or a few) about insecure scripts from hostmaster@lunarpages.com or you got an email stating that your script has been renamed.

Due to some recent exploits on some of the formmail installations lunarpages is actively disabling exploited/able scripts following the emails being sent out.

You are highly recommended to switch any formmailing scripts over to the nms-cgi script which can be found at:

http://nms-cgi.sourceforge.net/tfmail.zip

When you configure it there are a few things to consider:
1) Upload the file in ASCII format - this is a primary cause of 500 server errors
2) CHmod it to 755 (unless directions specify otherwise
3) The path to sendmail on the system can be found in the main CPanel screen (usually located in the left bar near the bottom.
4) Same with the path to perl on your server.
5) do not name it with a name that contains "mail" or "formmail". This is not a security issue as much as the fact that there are spammer robots that crawl the web looking for files with names that contain "mail" and are a script - which they then bomb with exploit techniques, hoping to get through. This puts an unneccessary load on the server, so choosing a different name is wise.


At this time, there have been no listing of php based scripts with exploits. I will update this if I hear of any such announcements.

The current list of banned form mailing scripts are as follows:
Matt Wright?s FormMail
EZ Formmail
Jack?s FormMail
Big Nose Bird
Twebman?s Mail script (The perl version)

If you are wondering how the exploits work on some fo these scripts, search the forums and you will see several examples of possible exploitable lines of code.

Please refrain from posting in this thread unless it is to update this list etc. If you need help installing a script, please start a new thread, or join in a current one.

Hope this helps!

- Ed (Kata)
Security/C++ Perl Moderator

I don't use form mail, but I received 3 emails from LP. I was spammed... lol

http://www.lunarforums.com/forum/viewtopic.php?t=12593

Is a wonderful tutorial written up by a lunarforums member to help everyone out! Take a look at it if you need step by step instructions.

Hello, I tried setting up TFMail (followed the instructions at http://www.lunarforums.com/lunarpages_how_tos/setting_up_the_tfmail_script-t12593.0.html) - I've tried setting it up 3 times now, and each time the email address I enter on the form I've created gets the copy of the information but the email address I setup to receive the information doesn't get a copy.... Any suggestions or tips? Is there another script other than TFMail that would work or am I the only one having the problem? Thanks for your help, this is driving me nuts!

I uploaded twice the recommended script in my cgi directory, and still it does not work. When I call to technical support they tell me that this is a webpage development issue and that they cannot help me. I am reading some articles advising to use php instead of perl (public_html instead of cgi directory) because there are a lot of problems with perl to upload it. I am a little bit confuse. I am getting help from other colleague in this forum, but still if Lunarpages encourages the use of perl...
Anyway, I hope anyone can help me. I uploaded the script correctly, but the webpage is badly created. I would need some support. Thanks

I checked all these points
1) Uploading in ASCII format
2) CHmod it to 755
3) Path to sendmail and to perl on the system
5) name other than "mail" or "formmail"

Note to anyone who uses the TFMAIL script. 

If you use a 3rd party for your email services (such as google or other 3rd party email providers), you need to contact support, have your MX records setup on the server, and your domain removed from "local domains".

Failure to do this will result in emails not being delivered from the form to your domain.