RE: Matt Wright FormMail Attacks

From: Christopher X. Candreva
Date: 01/14/02

Date: Mon, 14 Jan 2002 13:20:07 -0500 (EST)
From: "Christopher X. Candreva"
To: "Turner, Keith"

On Mon, 14 Jan 2002, Turner, Keith wrote:

> My guess is one of the following: 1) Someone looking to send spam through
> someone else's webserver. (Seems like that would be very inefficient). 2)

Efficient or not, it is being done, and quite widespread. My filters pick
up a few hundred spams a day from buggy scripts.

By loading up the To: field, they can send maybe 20-30 messages per connect,
not a bad return. The source IP address isn't in the e-mail, so unless the
owner of the site checks his logs, there is no trace. On the other hand, the
server logs WILL have a good trail of where it came from.

This procmail recipe does a good job of filtering out messages from abused scripts. It looks for multiple names in the To: field, and the
usual first line of the script body output:

:0 HB
* <100000
* ^To: [^,]+,[^,]+,[^,]+,
* ^Below is the result of your feedback form.
# H and B: test the conditions against header and body; <100000: only messages
# under 100000 bytes; the To: pattern needs at least three commas (four or more
# recipients); the last line is FormMail's standard opening sentence.
# Action line, not in the original post: file matches for review.
formmail-abuse

Chris Candreva -- -- (914) 967-7816
WestNet Internet Services of Westchester
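Added example, not from the original post: the same heuristic as the procmail recipe, re-implemented in Python so it can be run over raw messages when triaging a mailbox. It assumes FormMail output is plain text and counts commas in the raw To: header exactly as the recipe's regex does; the sample messages are constructed.

```python
from email import message_from_bytes

MAX_SIZE = 100000                      # recipe condition: * <100000
BANNER = "Below is the result of your feedback form."


def to_header_comma_count(msg) -> int:
    """Commas in the raw To: header; the recipe's regex needs at least three."""
    return msg.get("To", "").count(",")


def body_text(msg) -> str:
    """First text/plain body, decoded; empty string if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "ascii", "replace")
    return ""


def looks_like_formmail_abuse(raw: bytes) -> bool:
    """True when all three conditions of the procmail recipe hold."""
    if len(raw) >= MAX_SIZE:           # recipe only looks at small messages
        return False
    msg = message_from_bytes(raw)
    if to_header_comma_count(msg) < 3:  # fewer than four recipients: not bulk
        return False
    # B flag: the banner must appear at the start of some body line.
    return any(line.startswith(BANNER) for line in body_text(msg).splitlines())


# Constructed sample messages (not real traffic).
ABUSE = (b"From: nobody@example.invalid\r\n"
         b"To: a@example.invalid, b@example.invalid, c@example.invalid, d@example.invalid\r\n"
         b"Subject: Hot offer\r\n\r\n"
         b"Below is the result of your feedback form.  It was submitted by\r\n"
         b"spammer (nobody@example.invalid) on Monday, January 14, 2002\r\n")
LEGIT = (b"From: www@example.invalid\r\nTo: owner@example.invalid\r\n"
         b"Subject: Feedback\r\n\r\n"
         b"Below is the result of your feedback form.\r\n")
BULK = (b"From: hr@example.invalid\r\n"
        b"To: a@example.invalid, b@example.invalid, c@example.invalid, d@example.invalid\r\n"
        b"Subject: Meeting\r\n\r\nSee you at 10.\r\n")
```

Only the first sample matches: a single-recipient form result and a legitimate multi-recipient mail without the banner both pass through.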

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: