RE: Help with hijacked sendmail

From: Moeller, Arno (
Date: 09/25/01

Message-ID: <>
From: "Moeller, Arno" <>
To: "''" <>
Subject: RE: Help with hijacked sendmail
Date: Tue, 25 Sep 2001 10:09:03 +0200


> I noticed some odd behavior going on in my maillog file. I've
> checked my
> sendmail configuration and have no idea how to get this
> behavior to stop. I
> don't see anything out of the ordinary in any other log. For
> now, sendmail
> is stopped. I don't even know what to try or where to examine
> next. Any
> suggestions are appreciated. This is what I see in the log
> and there are a
> lot of them. (Email addresses have been altered to protect
> the innocent)

I've seen this before... My guess is that this machine is also
running a web-server, since the mails are sent by the user
nobody@localhost, and this webserver is also hosting the If someone knows the exact location of the
formmail-script, any mail can be sent do anyone by using a well-
crafted URL. I'm not sure wether to go into more detail here,
since there maybe some spammers who do not know how to accomplish

If I'm right, my advise is to go though your webserver-logs and
look for the corresponding formmail-entries. If you find them,
not your sendmail has been "hijacked", but your formmail-scripts.

I've patched formmail in the following way to prevent this from
happening and to log the spamming attempts:

    # Determine the form's REQUEST_METHOD (GET or POST) and split the form
    # fields up into their name-value pairs. If the REQUEST_METHOD was
    # not GET or POST, send an error.
    if ($ENV{'REQUEST_METHOD'} eq 'GET') {
        # Split the name-value pairs
        open (FILE,">>/tmp/spamlog");
        print FILE "Date: ".`date`;
        print FILE "At Server: ".$ENV{'SERVER_NAME'}."\n";
        print FILE "From IP: ".$ENV{'REMOTE_ADDR'}."\n";
        print FILE "QUERY-STRING: ".$ENV{'QUERY_STRING'}."\n\n";
        print "Content-type: text/html\n\n";
        print "<html>\n <head>\n";
        print "</head><body>";
        print "Method GET is not allowed! <br>";
        print "Your IP is logged due to possible SPAM! <br>";
        print "</body></html>";

Please note that after patching formmail this way any webset using
formmail with the GET-Method will not work anymore.

Best regards,

Arno Moeller