Limiting script to specific IP

Status
Not open for further replies.

diabolka (Programmer; joined Oct 9, 2006; 2 messages; location: US)
I inherited several scripts that are being used, one of which is a mail script that is generic enough to allow any form at a given site to use a single copy of it. Basically, using hidden fields on the HTML page, you can call the script and it will email the necessary information.

The problem is that anyone can put it on their website and then it will work. So my first week on the new job, I'm told that our mail servers have been blacklisted due to spamming, which makes sense based on the script. I was wondering if anyone can help me and let me know if there is an easy way to limit which IP the script allows itself to be called from? Everything is on one server with a specific IP, so anyone using the script from a different HTML page on a different server would be blocked?

Please advise. Thanks in advance for your help!!!

------
Script
------

#!/usr/bin/perl
use strict;
use warnings;

# We use the CGI module.

use CGI;

# We want fatal errors to appear in the browser.

use CGI::Carp qw(fatalsToBrowser set_message);

# Site configuration. Neither value was included in the posted script;
# the placeholders below must be replaced with the real ones.
our ($webmaster, $owner_domain);
BEGIN {
    $webmaster    = 'webmaster@example.com';   # placeholder
    $owner_domain = 'example.com';             # placeholder, appended to owner_email

    sub handle_errors {
        my $msg = shift;
        print "<h1>Form Response Error</h1>\n";
        print "<p>The following error occurred while processing your form response:</p>\n";
        print "<pre>$msg</pre>\n";
        print "If you cannot resolve the error, please contact <a href=\"mailto:$webmaster\">the Webmaster</a>, giving this error message.";
    }
    set_message(\&handle_errors);
}

# Try to avoid a DoS attack

$CGI::POST_MAX        = 32768;   # max 32K POSTs
$CGI::DISABLE_UPLOADS = 1;       # no file uploads

# Get the CGI query from the POST and GET variables.

my $q = CGI->new;

# Extract the fields with special meaning to this script.

my @names = $q->param;

# The '@' is escaped so the domain is appended literally; an unescaped
# "@$owner_domain" would be interpolated as an array and yield an empty string.
my $owner_email = ($q->param('owner_email') || '') . "\@$owner_domain";
die "Owner_email is required." unless $owner_email =~ /[^@]+@[^@]+/;

my $owner_name = $q->param('owner_name');
die "Owner_name is required." unless $owner_name;

my $owner_addr = "$owner_name <$owner_email>";

my $email = $q->param('email') || '';
die "Your email address is required." unless $email =~ /[^@]+@[^@]+/;

my $name = $q->param('name');
my $addr;
if (!defined $name || $name eq '') {
    $name = 'Unspecified';
    $addr = $email;
} else {
    $addr = "$name <$email>";
}

my $back_url  = $q->param('back_url');
my $back_name = $q->param('back_name');

my %style;
$style{'src'}  = $q->param('style_src')  if $q->param('style_src');
$style{'code'} = $q->param('style_code') if $q->param('style_code');

# Format the contents, excluding the special fields, but including the
# responder's name and email.

my $contents = '';

foreach my $x (@names) {
    my $val = $q->param($x);
    $contents .= "$x: $val\n" unless
        $x eq 'owner_email' or $x eq 'owner_name' or
        $x eq 'back_url'    or $x eq 'back_name'  or
        $x eq 'style_src'   or $x eq 'style_code';
}

# Send the mail to the owner

use Mail::Sendmail;

my %owner_mail = ( smtp    => 'xxx.xxxx.xxx',
                   To      => $owner_addr,
                   From    => $addr,
                   Subject => "$name has responded to your Form Return:",
                   Message => $contents );

sendmail(%owner_mail) or die "Error sending mail to form owner: $Mail::Sendmail::error";

# Send a confirmation mail

#my %conf_mail = ( smtp    => 'xxx.xxxx.xxx',
#                  To      => $addr,
#                  From    => $owner_addr,
#                  Subject => 'Form Response Confirmation',
#                  Message => "Thank you for filling in the following information:\n" . $contents );
#
#sendmail(%conf_mail) or die "Error sending confirmation mail: $Mail::Sendmail::error";

# Create the results page

$contents =~ s/&/&amp;/g;
$contents =~ s/</&lt;/g;

print
    $q->header,
    $q->start_html(-title => 'Thank You',
                   -style => \%style),
    $q->h1('Thank You for Filling In the Requested Information'),
    $q->p("Thank you for filling in the following information:"),
    $q->pre($contents),
    $q->p("Please contact us with any questions.");

if ($back_url and $back_name) {
    print $q->p("<a href=\"$back_url\">Back to $back_name</a>");
}

print $q->end_html;
 
Google for nms-formmail; the one above looks like Matt Wright's code, and has a history of being used regularly by spammers.

nms, which I think means "not Matt's Script", is a more secure rewrite of all of Matt's scripts, as he himself doesn't have the time available to update them.

HTH

Paul
------------------------------------
Spend an hour a week on CPAN, helps cure all known programming ailments ;-)
 
yes, nms-FormMail or even better TFMail by the same group:


that's definitely not Matt Wright's formmail script; even Matt's is probably better than that one.

- Kevin, perl coder unexceptional!
 
I realize that I need to change the scripts but in the meantime, I need an interim solution in place using this script.

After my $q = new CGI;, if I use something like this:
die unless ($q->remote_host() eq "my.host.name" || $q->remote_host() eq 'aaa.bbb.ccc.ddd');

isn't going to work as I want it because I need folks to access the script from outside my.host.name ... how can I define it so that the script makes sure that the form is on and not on someone else's server like


Also, I was thinking of locking it down to the owner_name since each form (this site has over 15 forms that use this script) has hidden fields that define the owner_name which the output is sent to...so why doesn't this work? This would be listed under the other similar ones after $q = new CGI; :

# Note: the script above reads the hidden fields 'owner_name' and 'owner_email',
# not 'owner'. The '@' must be escaped inside m//, or Perl interpolates it as an
# array and the pattern silently changes; the dots are escaped so they match literally.
my $owner = $q->param('owner');
die "You are not allowed to use this form." unless ($owner =~ m/^(blah\@blah\.com|blah2\@blah\.com)$/);

Please advise a walking pneumonia'ing frustrated me! Thanks!
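The two checks asked about above, worked through as an added example; this is not code from the thread or from the script's author. It assumes CGI.pm and the same owner_email hidden field the script reads, and every hostname, domain and address in it is a placeholder. `remote_host` identifies the browser making the request, not the page that carried the form, so it cannot tell your own forms from a copy on another site; the Referer header is the only request data that names the page, and because the browser supplies it, it can be left out or forged. The referrer check therefore only blocks casual re-use, while the allow-list of owner addresses is what actually stops the script relaying mail to arbitrary recipients:

```perl
#!/usr/bin/perl
# Added example for this thread, not code from the original script or its author.
# Assumes CGI.pm and the owner_email hidden field used by the script above;
# every hostname, domain and address below is a placeholder.
use strict;
use warnings;
use CGI;

# Pages allowed to submit to this handler: only hosts you control (placeholders).
my @allowed_hosts = qw(www.example.com example.com);

# Recipients the hidden fields may name (placeholders, lower-case). Anything
# else is refused, so the handler can no longer relay to arbitrary addresses.
my %allowed_owners = map { $_ => 1 } qw(
    webmaster@example.com
    sales@example.com
);

# 1 if $referer is an http(s) URL whose host is one of @hosts, else 0.
# The Referer header comes from the browser, so this stops other sites
# casually pointing their forms at the script but is not a hard guarantee.
sub referer_allowed {
    my ($referer, @hosts) = @_;
    return 0 unless defined $referer && length $referer;
    my ($host) = $referer =~ m{^https?://([^/:?#]+)}i;
    return 0 unless defined $host;
    $host = lc $host;
    return (grep { $host eq lc $_ } @hosts) ? 1 : 0;
}

# 1 if $email is on the allow-list and contains no line breaks (a CR or LF
# in an address would otherwise end up inside the generated mail headers).
sub owner_allowed {
    my ($email, $allowed) = @_;
    return 0 unless defined $email && length $email;
    return 0 if $email =~ /[\r\n]/;
    return $allowed->{ lc $email } ? 1 : 0;
}

# Emits a 403 page with the given message and stops the script.
sub refuse {
    my ($q, $why) = @_;
    print $q->header( -status => '403 Forbidden' ),
          $q->start_html( -title => 'Forbidden' ),
          $q->p( $q->escapeHTML($why) ),
          $q->end_html;
    exit;
}

my $q = CGI->new;

# Refuse the request before any mail is assembled.
refuse( $q, 'This form handler only accepts submissions from our own pages.' )
    unless referer_allowed( $q->referer, @allowed_hosts );

# Same field the script reads; '@' is escaped so Perl does not treat it as an array.
my $owner_email = ( $q->param('owner_email') || '' ) . "\@example.com";   # placeholder domain
refuse( $q, 'You are not allowed to use this form.' )
    unless owner_allowed( $owner_email, \%allowed_owners );

# Both checks passed; the rest of the mail script would continue from here.
print $q->header,
      $q->start_html( -title => 'OK' ),
      $q->p( 'Checks passed; mail would go to ' . $q->escapeHTML($owner_email) ),
      $q->end_html;
```

Both checks run before `Mail::Sendmail` is touched, so a refused request costs nothing on the mail server. Keep the allow-list of owner addresses in the script rather than in a hidden field, since anything in the form is under the sender's control.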
 
if you want folks to be able to use the form from outside your domain, why do you want to see if the referring page is on your website?

- Kevin, perl coder unexceptional!
 