A security flaw has been exploited on butternut that allows a web user to send high volumes (between 500,000 and a million per day) of 'spam' via a web form. We started receiving complaints from all over the Internet late last week about spam from butternut. Earlier this week we attempted to filter the spammer(s) with some success, but in so doing we were also filtering some legitimate mail as well. The exploit uses the PERL script 'formmail.pl', which is a very popular and widespread form-to-mail script. We have attempted to filter based on two inherent 'signatures' of the spam: a "Return-Path: " header and a "From: (anything)@aol.com" (or yahoo.com, or hotmail.com) address.
The filter was very successful, in that our outgoing spam dropped to zero, but this obviously caught several legitimate emails for our clients too. Not wanting to be an unwitting relay for spammers, but also not wanting to break any of our clients' website functionality, has left me in an awkward position: I violate a policy whichever way I go. My goal is to restrict the use of formmail.pl-driven emails solely to the legitimate use of our clients, within the limits of our stated anti-spam and privacy policies.
As of now (Fri, Apr 5, 2002 3:48 PM) we have dropped the filter on the 'nobody@butternut.forest.net' header, but have kept the filters on the common 'spam return' ISPs of Hotmail, Yahoo, & AOL. This should trap the vast majority of the 'bad' mails, while allowing the majority of 'good' mails to go through. On Monday we will try to come up with a better spamtrap.
Until then you may want to edit the HTML of your pages to reflect the above changes and notify users of your forms not to use an address from one of these ISPs.
Best of all, you can edit the PERL script to specifically set a return or reply-to address from your domain that is valid, so that the script does not default these values to 'nobody@butternut.forest.net'.
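As an added illustration of that edit (this is example code written for this notice, not the original formmail.pl and not a script from the hosting provider), the handler below hard-codes the sender and Reply-To to a valid address in the client's own domain, so nothing defaults to 'nobody@butternut.forest.net', and only delivers to a fixed list of the client's own mailboxes, so a web user cannot aim the form at arbitrary addresses. The domain, addresses, and sendmail path are assumed placeholders; the form submissions at the bottom are constructed samples.

```perl
#!/usr/bin/perl
# Added example, not the original formmail.pl: a form-to-mail handler whose
# sender and recipients are fixed by the site owner, not by the web user.
use strict;
use warnings;

# Assumed placeholders: a real, deliverable address in the client's domain
# (replaces the nobody@butternut.forest.net default) and the only mailboxes
# the form is ever allowed to deliver to.
my $FIXED_FROM = 'webform@example-client.com';
my %ALLOWED_TO = map { $_ => 1 }
    ('sales@example-client.com', 'info@example-client.com');
my $SENDMAIL   = '/usr/sbin/sendmail';

# Decode an application/x-www-form-urlencoded body into a hash of fields.
sub parse_form {
    my ($body) = @_;
    my %fields;
    for my $pair (split /&/, $body) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/eg;
        }
        $fields{$k} = $v;
    }
    return \%fields;
}

# Build the outgoing message, or return a string starting with "rejected:".
# The recipient must be on the allow-list, and the visitor's address is only
# quoted in the body: it never becomes From, Reply-To, or the envelope sender,
# so the mail cannot be made to look as if it came from an aol/yahoo/hotmail
# user and cannot be relayed to an address the site owner did not choose.
sub build_message {
    my ($f) = @_;
    my $to = defined $f->{recipient} ? $f->{recipient} : '';
    return "rejected: recipient '$to' not on allow-list" unless $ALLOWED_TO{$to};

    # Nothing user-supplied reaches a header line with CR/LF intact.
    (my $subject = defined $f->{subject} ? $f->{subject} : 'Web form submission')
        =~ s/[\r\n]+/ /g;
    (my $visitor = defined $f->{email} ? $f->{email} : '') =~ s/[\r\n]+//g;
    my $text = defined $f->{message} ? $f->{message} : '';

    return join("\n",
        "From: $FIXED_FROM",
        "Reply-To: $FIXED_FROM",
        "To: $to",
        "Subject: $subject",
        "",
        "Visitor address (as typed on the form, not used for delivery): $visitor",
        "",
        $text,
    ) . "\n";
}

# Hand the message to the local MTA.  -f sets the envelope sender to the same
# fixed address, so the Return-Path the receiving side sees is valid too.
sub deliver {
    my ($msg) = @_;
    open(my $mta, '|-', $SENDMAIL, '-oi', '-f', $FIXED_FROM, '-t')
        or die "cannot run $SENDMAIL: $!";
    print $mta $msg;
    close($mta) or warn "sendmail exited with status $?";
}

# Constructed sample submissions (not captured traffic): one legitimate form
# post to the client's sales box, one attempt to relay to an outside address.
my @samples = (
    'recipient=sales%40example-client.com&email=visitor%40aol.com'
        . '&subject=Quote+request&message=Please+send+pricing.',
    'recipient=someone%40example.net&email=x%40hotmail.com'
        . '&subject=Buy+now&message=unsolicited',
);

for my $body (@samples) {
    my $out = build_message(parse_form($body));
    # In production: deliver($out) unless $out =~ /^rejected:/;
    print "$out\n---\n";
}
```

Running the script prints the first message with the fixed From/Reply-To headers and prints "rejected: recipient 'someone@example.net' not on allow-list" for the second, so the free-mail filter described above is no longer needed for forms that use this handler.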
Thanks for your patience.
posted by at 04:31 PM on Friday, April 5, 2002
Categories: Hosting Servers,
butternut.forest.net