SPAMMERS DELIGHT: as feeble as feeble can be

From: http-equivat_private
Date: Mon Dec 10 2001 - 15:40:25 PST

    Monday, December 10, 2001
    
    Forget about open relays. There is an extremely simple mailto form
    application called mailto.exe available on the internet. Simply create your
    html form, upload the mailto.exe into your cgi bin and fire away.
    
    The problem is that, as a courtesy, many ISPs, hosting companies or providers
    of other web site 'things' give their clients, in painful detail,
    instructions on how to install and use this mailto.exe application.
    
    The BIG problem is that these instructions include the provider's settings,
    including their smtp server name and the full path name to their directory
    containing mailto.exe, and it actually works!
    
    For example:
    
    <FORM ACTION="http://WWW.MALWARE.COM/CGI-BIN/MAILTO.EXE" METHOD="POST"> 
    <INPUT TYPE="hidden" NAME="sendto" VALUE=billgat_private> 
    <INPUT TYPE="hidden" NAME="email" VALUE="hotsuezzzat_private"> 
    <INPUT TYPE="hidden" NAME="server" VALUE="smtp.malware.com"> 
    <INPUT TYPE="hidden" NAME="subject" VALUE="SPAM MONGER"> 
    <INPUT TYPE="hidden" NAME="resulturl" VALUE=http://ww.malware.com> 
    
    Name: <INPUT NAME="uname" SIZE=30> 
    Position: <INPUT NAME="title" SIZE=30> 
    Company: <INPUT NAME="company" SIZE=30> 
    E-Mail: <INPUT NAME="email" SIZE=30> 
    Comments:<TEXTAREA name="comments" ROWS=10 COLS=50 SIZE="10"></TEXTAREA>
    
    Press <INPUT TYPE="submit" VALUE="Submit">
    Idiot <INPUT TYPE="HALT !" VALUE="The Above Is A Example Only - The Data Is
    Fake">
    
    This can be inputted from any desktop html editor / viewer and emails can be
    fired away. Because it is located on the provider's site (within their
    domain), the smtp servers work and all IP addresses are theirs. In other
    words, unlike a relay which can reveal the originating IP address, this
    provides for none of that.
    
    Trivial searching with our favorite engine reveals 2 immediate, fully
    functional providers' instructions, including all their details, which work
    exactly as described. No doubt deep searching will yield many, many more.
    
    Notes: there does not seem to be a single solution, other than to release
    this and urge any and all providers, hosting services and others to be aware
    and remove or certainly not give your working server details.
    
    
    ---
    http://www.malware.com
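The form in the post works for anyone because the recipient and SMTP server arrive as hidden form fields. The following is an added example, not part of the original post and not mailto.exe's own code: a form handler that keeps all routing on the server and refuses requests that try to supply it. The addresses, limits and the `build_message` name are assumptions made for illustration.

```python
# Added example: a form-mail handler that takes no mail routing from the browser.
from email.message import EmailMessage

# Server-side settings (constructed placeholder values); never read from the form.
RECIPIENT = "webmaster@example.com"
SENDER = "webform@example.com"
SUBJECT = "Web form submission"

# Hidden inputs in the form on this page; a client can set them to anything.
ROUTING_FIELDS = {"sendto", "server", "subject", "resulturl"}
TEXT_FIELDS = ("uname", "title", "company", "comments")
MAX_FIELD_LEN = 2000  # assumed limit per text field


def build_message(form):
    """Return an EmailMessage for a posted form dict, or raise ValueError."""
    supplied = ROUTING_FIELDS.intersection(form)
    if supplied:
        # Reject instead of silently ignoring, so the attempt can be logged.
        raise ValueError("client-supplied routing fields: %s" % sorted(supplied))

    visitor = form.get("email", "").strip()
    # CR/LF in a header value would let the sender add headers of their own;
    # separators would turn one address into several.
    if any(c in visitor for c in "\r\n,;<> ") or visitor.count("@") != 1:
        raise ValueError("invalid visitor address")

    lines = []
    for name in TEXT_FIELDS:
        value = form.get(name, "")
        if len(value) > MAX_FIELD_LEN:
            raise ValueError("field too long: %s" % name)
        lines.append("%s: %s" % (name, value))

    msg = EmailMessage()
    msg["From"] = SENDER          # fixed, from server configuration
    msg["To"] = RECIPIENT         # fixed, from server configuration
    msg["Reply-To"] = visitor     # the visitor's address is only a reply hint
    msg["Subject"] = SUBJECT
    msg.set_content("\n".join(lines))
    return msg
```

The returned message would be handed to the site's own mail submission path; the SMTP host is likewise a server-side setting and never a form value.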
    



    This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 14:38:20 PST