RE: Matt Wright FormMail Attacks

From: Christopher X. Candreva (chris@westnet.com)
Date: 01/14/02


Date: Mon, 14 Jan 2002 13:20:07 -0500 (EST)
From: "Christopher X. Candreva" <chris@westnet.com>
To: "Turner, Keith" <TurnerL@tea-emh1.army.mil>

On Mon, 14 Jan 2002, Turner, Keith wrote:

> My guess is one of the following: 1) Someone looking to send spam through
> someone else's webserver. (Seems like that would be very inefficient). 2)

Efficient or not, it is being done, and quite widespread. My filters pick
up a few hundred spams a day from buggy formmail.pl scripts.

By loading up the To: field, they can send maybe 20-30 messages per connect,
not a bad return. The source IP address isn't in the e-mail, so unless the
owner of the site checks his logs, there is no trace. On the other hand, the
server logs WILL have a good trail of where it came from.

This procmail recipe does a good job of filtering out messages from abused
formmail.pl scripts. It looks for multiple names in the To: field, and the
usual first line of the script body output:

:0 HB
* <100000
* ^To: [^,]+,[^,]+,[^,]+,
* ^Below is the result of your feedback form.
/your/spam/trap

==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
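The procmail recipe above expressed as a standalone Python checker, added here as an illustration and not part of Candreva's message: it applies the same three tests (size under 100000 bytes, a To: header carrying at least four comma-separated recipients, and the FormMail banner line in the body) to raw messages, which makes it easy to run the rule over a mailbox or a log sample before deploying the procmail version. The sample messages, addresses and hostnames are constructed for the example; the banner string is the one quoted in the recipe.

```python
"""Flag mail relayed through an abused FormMail script.

Mirrors the procmail recipe from the post:
  * <100000                       -> message smaller than 100000 bytes
  * ^To: [^,]+,[^,]+,[^,]+,       -> at least three commas in To: (4+ recipients)
  * ^Below is the result of your feedback form.
"""
from email import message_from_string
from email.utils import getaddresses

FORMMAIL_BANNER = "Below is the result of your feedback form."
MAX_SIZE = 100000      # same size cap as the procmail recipe
MIN_RECIPIENTS = 4     # the recipe's regex requires three commas in To:


def recipient_count(msg):
    """Count addresses across all To: headers, honouring RFC 822 quoting."""
    return len([addr for _, addr in getaddresses(msg.get_all("To", [])) if addr])


def body_text(msg):
    """Return the text/plain body as a string (joins parts of a multipart)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts if p)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def is_abused_formmail(raw):
    """True when a raw RFC 822 message matches all three conditions."""
    if len(raw.encode("utf-8")) >= MAX_SIZE:
        return False
    msg = message_from_string(raw)
    if recipient_count(msg) < MIN_RECIPIENTS:
        return False
    return any(line.startswith(FORMMAIL_BANNER)
               for line in body_text(msg).splitlines())


def classify(messages):
    """Map each message label to the detector's verdict."""
    return {label: is_abused_formmail(raw) for label, raw in messages.items()}


# Constructed samples (hostnames and addresses are placeholders).
ABUSED = """\
From: nobody@www.example.net
To: a@example.org, b@example.org, c@example.org, d@example.org
Subject: WWW Form Submission

Below is the result of your feedback form.  It was submitted by
someone (nobody@www.example.net) on Mon Jan 14 2002

realname: unsolicited advertisement
"""

LEGIT_FORM = """\
From: nobody@www.example.net
To: webmaster@example.net
Subject: WWW Form Submission

Below is the result of your feedback form.  It was submitted by
a visitor on Mon Jan 14 2002

comments: Nice site.
"""

LEGIT_MULTI = """\
From: alice@example.net
To: b@example.net, c@example.net, d@example.net, e@example.net
Subject: lunch

Anyone free at noon?
"""

SAMPLES = {"abused": ABUSED, "legit_form": LEGIT_FORM, "legit_multi": LEGIT_MULTI}

if __name__ == "__main__":
    for label, verdict in classify(SAMPLES).items():
        print(f"{label}: {'SPAM TRAP' if verdict else 'deliver'}")
```

Because the checker parses the To: header with `email.utils.getaddresses`, a quoted display name such as `"Smith, Jane"` counts as one recipient, whereas the procmail regex counts every comma; that is the main place the two can disagree.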

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com