RE: Matt Wright FormMail Attacks

From: Christopher X. Candreva (chris@westnet.com)
Date: 01/14/02


Date: Mon, 14 Jan 2002 13:20:07 -0500 (EST)
From: "Christopher X. Candreva" <chris@westnet.com>
To: "Turner, Keith" <TurnerL@tea-emh1.army.mil>

On Mon, 14 Jan 2002, Turner, Keith wrote:

> My guess is one of the following: 1) Someone looking to send spam through
> someone else's webserver. (Seems like that would be very inefficient). 2)

Efficient or not, it is being done, and quite widespread. My filters pick
up a few hundred spams a day from buggy formmail.pl scripts.

By loading up the To: field, they can send maybe 20-30 messages per connect,
not a bad return. The source IP address isn't in the e-mail, so unless the
owner of the site checks his logs, there is no trace. On the other hand, the
server logs WILL have a good trail of where it came from.

This procmail recipe does a good job of filtering out messages from abused
formmail.pl scripts. It looks for multiple names in the To: field, and the
usual first-line of the script body output:

# H = match headers, B = match body; first condition skips anything over
# 100000 bytes, second needs at least three commas in To:, third matches
# the opening line formmail.pl writes into every message it sends.
:0 HB
* <100000
* ^To: [^,]+,[^,]+,[^,]+,
* ^Below is the result of your feedback form.
/your/spam/trap

==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
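The same three tests as the procmail recipe above, plus a pass over web-server access logs for the source-IP trail the post mentions, as an added example that is not from the original mail; the messages, log lines and the Apache common-log layout are constructed here for illustration.

```python
import re

# Thresholds mirror the procmail recipe in the post: a size guard, "at least
# three commas in To:", and the first line formmail.pl prints in every mail.
MAX_SIZE = 100_000
TO_RE = re.compile(r"^To: [^,]+,[^,]+,[^,]+,", re.I)
BODY_RE = re.compile(r"^Below is the result of your feedback form\.", re.M)
# Assumed Apache common-log layout; only the client IP is kept.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "POST \S*formmail\.pl\S* HTTP/[\d.]+" \d{3}')

def split_message(raw):
    """Return (headers, body) with folded header lines joined back together."""
    head, _, body = raw.partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)
    return head, body

def is_abused_formmail(raw):
    """True when a message satisfies every condition of the procmail recipe."""
    if len(raw.encode("utf-8")) >= MAX_SIZE:
        return False
    head, body = split_message(raw)
    many_recipients = any(TO_RE.match(line) for line in head.splitlines())
    return bool(many_recipients and BODY_RE.search(body))

def formmail_sources(log_lines):
    """Count POSTs to formmail.pl per client IP from access-log lines."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

# Constructed samples: a relay abuse with a folded multi-recipient To: header,
# and a normal single-recipient submission of the same form.
SPAM = ("From: nobody@example.org\n"
        "To: a@example.net, b@example.net, c@example.net,\n"
        "\td@example.net\n"
        "Subject: WWW Form Submission\n\n"
        "Below is the result of your feedback form.  It was submitted by\n"
        "(x@example.org) on Monday, January 14, 2002 at 13:20:07\n")
LEGIT = ("From: nobody@example.org\nTo: webmaster@example.net\n"
         "Subject: WWW Form Submission\n\n"
         "Below is the result of your feedback form.  It was submitted by\n"
         "(visitor@example.com) on Monday, January 14, 2002 at 13:25:00\n")
# Constructed access-log lines using RFC 5737 documentation addresses.
LOG_LINES = [
    '192.0.2.10 - - [14/Jan/2002:13:20:07 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512',
    '192.0.2.10 - - [14/Jan/2002:13:20:09 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512',
    '198.51.100.7 - - [14/Jan/2002:13:21:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print(is_abused_formmail(SPAM), is_abused_formmail(LEGIT), formmail_sources(LOG_LINES))
```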

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
