If the recipient's e-mail address is in a hidden field, doesn't this essentially open up a way for spammers to send e-mail through your server? What's stopping them from setting up a bot to hit the "submit" button and sending out hundreds and thousands of e-mails through your server?

Comments

moshe weitzman

Title: Major security hole? » possibility of spam
Category: support » feature

There are some advanced techniques for hiding email addresses. The most common by far is not to use any. Changing to feature request.

broersma

How about bots filling in the edit[to] field themselves? I believe that's what Steve meant.

Of course this is only a problem for form_mail setups that allow specifying the To: address as a hidden field in the form. But still, why give people the possibility to make their server into an open mail proxy?

gjost

Title: possibility of spam » when will this be addressed?
Version: 4.5.x-1.x-dev » 4.6.x-1.x-dev

One of my Drupal sites was pumping out spam until I killed this module. "Allow custom recipient" was unchecked, so theoretically they should not have been able to set the email recipient, but somehow they did.

Unfortunately I need the basic functions of this module, so I've modified the code so that the email recipient can only be set to variable_get("form_mail_email", "").

We'll see if this works...
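The two recipient-resolution patterns discussed in this thread, as an added illustration (not the form_mail module's own code): the vulnerable variant reads the destination from the submitted `edit[to]` field, the hardened variant only ever returns a server-side configured address, following the `variable_get("form_mail_email", "")` approach above. `form_mail_allowed_recipients` is a hypothetical allow-list variable, and the `variable_get` stand-in exists only so the snippet runs outside Drupal.

```php
<?php
// Added example, not code from the form_mail module.

if (!function_exists('variable_get')) {
  // Stand-in for Drupal's variable_get() with constructed sample settings,
  // so the example runs without a Drupal bootstrap.
  function variable_get($name, $default) {
    static $vars = array(
      'form_mail_email'              => 'webmaster@example.com',
      'form_mail_allowed_recipients' => 'sales@example.com, support@example.com', // hypothetical setting
    );
    return isset($vars[$name]) ? $vars[$name] : $default;
  }
}

// VULNERABLE: the destination is whatever the client posted in edit[to].
// A hidden field is still client-controlled, so any bot can pick the recipient.
function form_mail_recipient_vulnerable(array $edit) {
  return $edit['to'];
}

// HARDENED: the destination is decided on the server.
// $allow_custom mirrors the module's "Allow custom recipient" setting.
function form_mail_recipient_hardened(array $edit, $allow_custom) {
  $default = variable_get('form_mail_email', '');
  if (!$allow_custom || empty($edit['to'])) {
    return $default;
  }
  // Even when a choice is permitted, the submitted value is only used to
  // select one of the configured addresses; the input itself is never sent to.
  $allowed   = array_map('trim', explode(',', variable_get('form_mail_allowed_recipients', '')));
  $candidate = trim($edit['to']);
  foreach ($allowed as $address) {
    if ($address !== '' && strcasecmp($address, $candidate) === 0) {
      return $address;  // the configured string, not the raw input
    }
  }
  return $default;  // unknown recipient: fall back, do not relay
}

// Constructed forged submission, as a spam bot would post it.
$forged = array('to' => 'victim@example.net', 'body' => 'spam');
echo form_mail_recipient_vulnerable($forged), "\n";      // victim@example.net
echo form_mail_recipient_hardened($forged, FALSE), "\n"; // webmaster@example.com
echo form_mail_recipient_hardened($forged, TRUE), "\n";  // webmaster@example.com
```

A site that logs the resolved recipient next to the submitted one gets a cheap detection signal: any mismatch is an attempt to use the form as a relay.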

codepoet

We were just hit by the same spammer. This module is broken and turns any site into an open relay.

moshe weitzman

I'd be pleased to hand over maintainership of this module to someone. I'm no longer interested in it.

dan_aka_jack

Hi there,

I've had a shot at re-writing the module for Drupal 4.7:

http://drupal.org/node/53543