• Getting Started with FormMail
• Optional FormMail Fields
• FormMail Abuse

1. Download a copy of our modified version of FormMail. Our version resolves security holes in the script in order to prevent abuse. Although the FormMail site has a new version now too, please install our version.
   
   Click here to download.
   
   
2. Unzip FormMail. You will see a single file called formmail.pl

1. Open formmail.pl with a text editor.
   
   Note:
   Windows users, do not use Word or WordPad. We recommend Notepad.
   
   
2. Locate the following line in the formmail.pl file: @recipient_addresses = ();
3. Enter the email address(es) that you want the script to send the form results to. Your forms can only be configured to email the results to addresses that you have listed here. If you have more than one form that uses the same formmail.pl script, enter the recipient email addresses of all of the forms.
   
   Example:
   @recipient_addresses = ('feedback@yourdomain.com','info@yourdomain.com');
   

1. Upload formmail.pl to your cgi-bin.
2. Change the permissions on the file to chmod 755. Your FTP or SSH client will have instructions describing how to change the permissions of a file.

1. Create a form with any web page creation software.
   
   Example:
   <form name="myform" method="POST" action="cgi-bin/formmail.pl">
   <input type="text" name="email">
   <input type="submit" name="Submit" value="Submit">
   </form>
   
   
2. For the form action, enter the path to the formmail script. (cgi-bin/formmail.pl)
3. Within the form tags add the following hidden field.
   
   <input type=hidden name="recipient" value="email_address">
   
   email_address - Enter the email address where you want the results of the form to be sent. This email address must be listed in your "@recipient_addresses" line in the actual formmail.pl script.
   
   
4. Review the list of optional form fields to enhance your form.
   
   Note:
   For further assistance using FormMail, click here
   

The subject field will allow you to specify the subject that you wish to appear in the email that is sent to you after the form has been filled out. If you do not have this option turned on, the script will automatically enter "WWW Form Submission" as the subject.

Code:
If you wish to choose what the subject is:
<input type=hidden name="subject" value="email_subject">

To allow the user to choose a subject:
<input type=text name="subject">

Field: email

This form field will allow the user to specify their return email address. This will be put into the "From:" field of the email.

Code:
<Input type=text name="email">

The realname form field will allow the user to input their real name. This field is useful for identification purposes and will also be put into the "From:" line of the email.

Code:
<Input type=text name="realname">

This field allows you to choose the order in which you wish your variables to appear in the email. You can choose to have the field sorted alphabetically or specify a set order.

By leaving this field out, the order will simply default to the order in which the browser sends the information to the script (which isn't always the exact same order they appeared in the form).

When sorting by a set order of fields, you should include the phrase "order:" as the first part of your value for the sort field, and then follow that with the field names you want to be listed in the email message, separated by commas.

Code:
To sort alphabetically:
<input type=hidden name="sort" value="alphabetic">

To sort by a set field order:
<input type=hidden name="sort" value="order:field1,field2,etc...">

If you wish to redirect the user to a different URL, you can use this hidden variable to send them to an existing HTML page.

Code:
To choose the URL where the user will end up:
input type=hidden name="redirect" value="redirect_url">

To allow the user to specify the URL where he wishes to travel:
<input type=text name="redirect">

You can now require that certain fields in the form are filled in before the user can successfully submit the form. If the required fields are not filled in, the user will be notified of what they need to fill in, and they will be provided with a link back to the form.

Code:
<input type=hidden name="required" value="required_field1,required_field2">

This field allows you to have Environment variables included in the email. This is useful if you wish to know what browser they were using, what domain they were coming from, or any other attribute which is associated with environment variables. The following is a short list of valid environment variables that might be useful:

REMOTE_HOST - Provides the name of the remote host making a request.
REMOTE_ADDR - Provides the IP address of the remote host making the request.
HTTP_USER_AGENT - Provides the browser the client is using to send the request. General format: software/version library/version.

Code:
<input type=hidden name="env_report" value="environment_variable1,environment_variable2">

This form field allows you to specify the title and header that will appear on the confirmation page if you do not specify a redirect URL.

Code:
<input type=hidden name="title" value="title">

This is the title of the link on the confirmation page that will take the user to the page you specify with the field "return_link_url". Will not work with the "redirect" field.

Code:
<input type=hidden name="return_link_title" value="link_title">

This is the URL of the link on the confirmation page whose title you specified with the "return_link_title" field. Will not work with the "redirect" field.

Code:
<Input type=hidden name="return_link_url" value="page_url">

This form field allows you to specify a background image for the confirmation page. Will not work with the "redirect" field.

Code:
<Input type=hidden name="background" value="http://yourdomain.com/image.gif">

This form field allows you to specify a background color for the confirmation page. This field will not work with the "redirect" or "background" field.

Code:
<input type=hidden name="bgcolor" value="hexidecimal_color">

hexidecimal_color - For a list of hexidecimal colors, click here.

This field will specify the color of the text on the confirmation page. Will not work with the "redirect" field.

Code:
<input type=hidden name="text_color" value="hexidecimal_color">

hexidecimal_color - For a list of hexidecimal colors, click here.

This field will specify the color of the links on the confirmation page. Will not work with the "redirect" field.

Code:
<input type=hidden name="link_color" value="hexidecimal_color">

hexidecimal_color - For a list of hexidecimal colors, click here.

This field will specify the color of the visited links on the confirmation page. Will not work with the "redirect" field.

Code:
<input type=hidden name="vlink_color" value="hexidecimal_color">

hexidecimal_color - For a list of hexidecimal colors, click here.

This field will specify the color of the active links on the confirmation page. Will not work with the "redirect" field.

Code:
<input type=hidden name="alink_color" value="hexidecimal_color">

hexidecimal_color - For a list of hexidecimal colors, click here

If someone attempts to send spam through FormMail, you may receive a notification email either directly or as an attachment. The FormMail abuse email looks like this:

Subject:
Possible FormMail Script Abuse Detected

Message:
A possible case of attempted FormMail script abuse has been detected. The attempt originated from [XXX.XX.XX.XX]. Additional details follow...

URL: http://www.yourdomain.com:80/cgi-bin/formmail.pl
Recipient Parameter: badspammer@spammer_domain.com

If you receive a variation on this email, you can report the spammer to their ISP.

If you receive an email saying that there was a possible attempt at FormMail abuse, you can report the incident to the sender's ISP.

Finding the Sender's ISP

1. Open the email or attachment with the subject "Possible FormMail Script Abuse Detected".
2. Locate the IP address of the individual who attempted to use your FormMail. You can find this information in the following sentence:
   The attempt originated from [XXX.XX.XX.XX]
   You will see numbers instead of X's. This is the IP address.
3. Go to the ARIN website.
4. Cut and paste the IP address into the "Search For:" text box and click "Search". The information displayed is the ISP that owns the IP address of the sender.

Many ISP's allow you to report abuse by sending an email to abuse@theirdomain.com. You may want to visit the ISP's website for alternative methods. Once you have learned how the ISP wants spam to be reported, send an email which basically says the following:

------

I was told to contact you regarding one of your customers who attempted to exploit my FormMail script to send spam through my server. My web host has a script which automatically sends an email if someone other than myself tries to send email through the FormMail script. I have attached a copy of this email.

Please look into this further. If you find that they are sending spam, remove them from your servers or take other appropriate action. Thank you for your consideration.

------

Attach a copy of the FormMail abuse email. The ISP will handle it from there. If the offender is one of our customers, you can send the email to abuse@datanerve.com.