Posted by wayne on 11/16/06 03:36

Jonathan N. Little wrote:
> address in a hidden file!!! An absolute spam relay form! The send to
> address should either be hard-coded in the server-side script or pulled
> for a configuration file not accessible to the public. To OP *do not*
> use such a script.
>
>

If you noticed, the email has characters that are replaced on the
server. In addition, the allowed addresses are hardcoded in the
formmail script, server side. You cannot change the address in the form
and have it go any where else except those addresses or domains (if you
have many addresses at one domain) selected by you. Any one attempting
this will generate a message to the administrator, complete with IP
address of offending client. Too many attempts allows you to block the
domain.

There is also an option to place all of the addresses in a configuration
file so none are in any way visible. I just took the easy way out.

You could download the file and examine the code yourself (heavily
commented so you know exactly what is going on).

Regards,

--
Wayne
http://www.glenmeadows.us
With or without religion, you would have good people doing good things
and evil people doing evil things. But for good people to do evil
things, that takes religion.
—Steven Weinberg

[Back to original message]