RE: Matt Wright FormMail Attacks

From: Christopher X. Candreva (chris@westnet.com)
Date: 01/14/02

• Previous message: Keith T. Morgan: "RE: New DNS connection with SYN ACK"
• In reply to: Turner, Keith: "RE: Matt Wright FormMail Attacks"
• Next in thread: Jose Nazario: "RE: Matt Wright FormMail Attacks"
• Next in thread: Mike Lewinski: "Re: Matt Wright FormMail Attacks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Mon, 14 Jan 2002 13:20:07 -0500 (EST)
From: "Christopher X. Candreva" <chris@westnet.com>
To: "Turner, Keith" <TurnerL@tea-emh1.army.mil>

On Mon, 14 Jan 2002, Turner, Keith wrote:

> My guess is one of the following: 1) Someone looking to send spam through
> someone else's webserver. (Seems like that would be very inefficient). 2)

Efficient or not, it is being done, and quite widespread. My filters pick
up a few hundred spams a day from buggy formmail.pl scripts.

By loading up the To: field, they can send maybe 20-30 messages per connect,
not a bad return. The source IP address isn't in the e-mail, so unless the
owner of the site checks his logs, there is no trace. On the other hand, the
server logs WILL have a good trail of where it came from.

This procmail recipie does a good job of filtering out messages from abused
formmail.pl scripts. It looks for multiple names in the To: field, and the
usual first-line of the script body output:

:0 HB
* <100000
* ^To: [^,]+,[^,]+,[^,]+,
* ^Below is the result of your feedback form.
/your/spam/trap

==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: Keith T. Morgan: "RE: New DNS connection with SYN ACK"
• In reply to: Turner, Keith: "RE: Matt Wright FormMail Attacks"
• Next in thread: Jose Nazario: "RE: Matt Wright FormMail Attacks"
• Next in thread: Mike Lewinski: "Re: Matt Wright FormMail Attacks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: another POST from perl question ... *both* a query string appended to the URL, ... or two specific pieces of information appear in their server logs, ... > support doesn't support scripts, ... You should also ask tech support if they don't *support* scripts, ... (comp.lang.perl.misc) Re: another POST from perl question ... *both* a query string appended to the URL, ... or two specific pieces of information appear in their server logs, ... > support doesn't support scripts, ... You should also ask tech support if they don't *support* scripts, ... (perl.beginners) Re: How to determine if STDIN has piped data? ... You're looking to put together scripts that act like typical ... >> for filters. ... This makes it very simple to use the command in a pipeline ... > By the way, what's a socket? ... (perl.beginners) Re: Replication causes odd corruption. ... Make the scripts read only. ... Don Wilwol ... > But at random times, and to random individuals, a problem occurs where a ... > checking server logs, and can find not 1 thing that links those affected. ... (microsoft.public.windows.server.dns) RE: Anti-Spam scripts ... Looks like you can use the same filters that you would use on a ... I'm getting the results for SCL values 0-9 but I'm also ... filter unable to process message. ... scripts on a 2007 transport server? ... (microsoft.public.exchange.admin)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2002-01