PDA

View Full Version : Encrypting Form mail with Fishform.pl



JDE
09-07-2003, 02:02 PM
I have been doing some research on encrypting form data from the time it is entered on the form through the completed recieving process using outlook or Eudora. I am coming to the conclusion it can not be done with formmail. while doing the research I ran across another script being used by some hosts out there called Fishform.pl. Reading the data on these hosts it arppears that Fishform.pl is a (I have not found another) solution that will work. I found some instructions at:
http://www.ezpublishing.com/docs/index.php/article/articleview/38/1/17/
and
http://www.nicgrabhosting.net/Part3/FishForm.htm

The only thing I have not been to locate is the script itself.

Does anyone know where this script can be found?

Johnie

ccwebb
09-07-2003, 05:29 PM
Johnie:

After reading your post I spent some time searching for fishform.pl.

Like you I found little - this tells me that either it is brand new or it did not work.

Charlie

JDE
09-08-2003, 03:53 PM
Charlie,
Itís fascinating! All that searching and it dawned on me that I had an account with
Onlineinstitution.com., they kept coming up in the search. Sure enough there it was in the CGI-BIN. I had a chance to fool around with it and believe it or not it does work! At first I thought it was a bust then I read the instructions, creating a key with the control panel was a must. It does not work without the key.

I used their simple form with no problem other than Outlook receiving a large block of random digits; it went much smoother for some reason with Eudora. I donít know much about fiddling with the keys in outlook, more reading I guess. This evening I produced a more complex form with FrontPage 2002, I just followed the instructions on using cgi scripts with a FrontPage form Iíll be ready to shoot it out sometime this week (More reading). I noticed the save results file on the server was also encrypted I could only de-crypt it by logging in as the administrator and following the instructions in the control panel (more reading).

What I donít understand is why something that works was so hard to findÖ.Oh well I have it now. I'll download it and put it somewhere accessible for anyone that is interested in testing (playing) it.

Johnie

ccwebb
09-08-2003, 04:07 PM
Johnie:

Glad you found it - I would love to be able to experiment with the program.

I just found it strange that after I searched with three of the most popular search engines that I could only find a few references to it - usually with ISPs (like where you are at) - and no references on how to get it.

Charlie

JDE
09-18-2003, 09:37 AM
Charles,
I could not get at fishform so I called the TECH support. They told me it was a modified version of Pgpmail which was a modified version of formail and told me what I needed to create the file on my own.

1. A PERL Editor (which I just happen to have) Strange since I know nothing about PERL.

2. The latest version of FormMail Version 1.92 or the nms-formail with a link on the same page
http://www.scriptarchive.com/ (fixed some major security issues)

3. The latest Version of PGPmail Version 1.31 from
http://www.venturablvd.com/pgpmail/index.html

4. The PGPmail Patch that fixes major security holes in PGPmail found at
http://www.securiteam.com/unixfocus/6D00C0U3FE.html

5. A windows RSA key generator. Free at http://web.mit.edu/network/pgp-form.html.

I called them back when I got all this and asked what the hell was I supposed to do with it. They (onlineinstute.com) told me use the formail 1.92 or nms-formail as the base document incorporate the changes that created pgpmail then apply the PGPmail security patch. Or they would do it for me for $59 an hour! They also recommended I use the latest version of Sendmail (8.12.10) http://www.sendmail.org/ which addressed a number of security holes in previous versions. This really puzzeled me because they were not running the latest version and I had no way of installing sendmail on their server. This all reminds me why why I moved to Westhost.

Well I got all this crap might just as well whip up the perl editor and see what I can do with it, I guess learning PERL should be added to number 1 on the list. Fortunatly I do know how the key generator works.

Johnie

ccwebb
09-18-2003, 12:43 PM
Johnie:

Thanks for all of the info. Whew!!

I'll take a look at what you have listed in the post. It does look daunting.

What do you use for a perl editor? Whenever I modify a perl program I just use edit pad lite. (I'm a perl copier not a perl programmer)

Thanks again...

Charlie

JDE
09-19-2003, 03:57 PM
Charlie,

Isabelle knocked the power out for about 18 hours here, not to mention stripped the leaves off most the trees in the back yard. I used to live in Carolina Beach N.C so I ought to be used to hurricanes, seems I'm not.

The editor is DZsoft Perl editor 5.4, I never use it, just keep updating it. In fact it's not loaded on my PC. If you want to give it a shot you can find it in the 411directory of sirus9.com, the registration key and other pgp stuff is also there minus the windows GPG software that has to be downloaded from MIT.

FTP to sirus9.com, user ID 441@sirus9.com, password 441

well...back to yard cleanup.
Johnie

ccwebb
09-19-2003, 08:36 PM
Johnie:

Glad you survived the hurricane with minimal damage.

Thanks for the info on the perl editor.

I downloaded formmail and pgpmail but the whole thing looked like too much for me. It would be real nice to get a copy of the program after someone did the merge/update.

But I suppose if I had that I would have fishform! And we know those are hard to come by.

Charlie

JDE
09-20-2003, 11:36 AM
Charlie,
apparently there is some intrest in this There were 31 FTP's into the 441 folder in the last 24 hours. It was not my intention to subvert DZsofts license. I had to change the password to the folder. It's odd that so many business out there that use these forms don't seem to care that the scripts are riddled with security holes. I don't think they would be in business long if the customer knew that their "secure" forms were really worthless.
I guess the lack of security on these scripts keeps the ACH services in business. Which cranks up the price of paying by check for the customer,and who is to say they are really secure.

The price came down on installing Fishform to $19 an hour with a money back gaurentee. They will do it free if I upgrade the account with SSL for an extra $6 a year. Their estimate was for 4 hours, I did not have to do the math, I added the SSL this morning. I pretty sure that all the sites that had the script (all 3 of them) are subaccounts of EZ Publishing. They all have the same horrible control panel and it takes days for them to answer a help ticket or install anything. The Tech Support told me that once I had an SSL folder I could FTP into their secure server and move the script. Sounds shakey but it only cost $6.
I'll let you know how it goes.

Johnie

ccwebb
09-27-2003, 12:36 PM
Johnie:

As per your instructions I am posting to here.

Got your info on dynamic drive - sounds like they are bad news

Hope you get your power related problems straightened out.......

Charlie