How to secure Perl scripts from spammers?

[rbaker3]

Recently I've had some spammers take advantage of some scripts on my
web server that use sendmail. I'm not sure which script or scripts
they are using, but my ISP has received complaints and has shut down
Sendmail until I secure things. What can I do? Some guy tells me he
can add some code to some scripts to secure them for a charge of
$65/hr. I don't really want to have to pay him if I don't have to and
I don't know how long it will take him and if he will actually secure
them. He mentioned something about using securemail.pl(whatever that
is) and untainting. My ISP says if I do some basic things to secure
my scripts, he will turn sendmail back on. I really don't want to
have to rename scripts and move them to different dirs, because I
would have to change the HTML code on a "lot" of pages referencing the
scripts. Some scripts I have installed are Subscribe Me Pro,
ImageFolio, CopThis, Ultimate Bulletin Board, VBulletin.

thanks....

 

[Greg Schmidt]

Recently I've had some spammers take advantage of some scripts on my
web server that use sendmail. I'm not sure which script or scripts
they are using, but my ISP has received complaints and has shut down
Sendmail until I secure things. What can I do? Some guy tells me he
can add some code to some scripts to secure them for a charge of
$65/hr.

My understanding is that most such problems arise when you have a script
that accepts an email address as a form parameter (usually hidden, but
it's there anyway). I say "most" because it's quite possible there are
other problems.

If you only have one address that you're sending mail to, it may be easy
to fix: just hardcode the address into the script instead of reading it
from the form. In the case of multiple addresses on the same domain,
you could get the username from the form (but carefully checked for
typical hacker tricks) and then append the domain name.

More general solutions include things like defining (in the script) a
list of valid email addresses to send to and rejecting anything not in
that list. These more general solutions are of course more
time-consuming and technically challenging, and I'm sure there are lots
of people here who would charge in the neighbourhood of $65/hr to do it.

Before you get too far into things, I'd do some web searches for the
various scripts you are using plus the word "security" and see what
turns up. It may well be that the scripts have well-documented problems
(which might come with either solutions, or recommendations to change to
a better alternate). Chances are very good you're not the only one to
run into this.

I don't really want to have to pay him if I don't have to and
I don't know how long it will take him and if he will actually secure
them.

All valid concerns. Please don't be expecting people here to do the
same work for free, though. Advice is free, work costs!

He mentioned something about using securemail.pl(whatever that
is) and untainting.

I'm not familiar with securemail.pl but untainting is definitely
something you want to do with all data submitted to your scripts.

I really don't want to
have to rename scripts and move them to different dirs, because I
would have to change the HTML code on a "lot" of pages referencing the
scripts.

Renaming or moving your scripts might be a very temporary measure. If
you are being specifically targetted (rather than just being caught by
people looking for well-known script holes on random servers) (and I
have no reason in this case to believe one or the other is more likely),
then they will just look at your modified pages and find the new place
to attack.