Re: Http scanning for cgi based mail-relays.

From: David Luyer (david_luyerat_private)
Date: Wed Jul 18 2001 - 22:09:09 PDT


    On 18 Jul 2001 14:02:21 -0700, Chip McClure wrote:
    > I got it too, more than likely from the same individual. The sources came
    > from Road Runner in NYC. The exploit was the same, using the formmail.pl
    > script on a client's web site.
    
    We've had spammers exploiting formmail.pl on clients' web sites for
    almost 6 months now, and been gradually one by one making the
    formmail.pl's much more stringent.  It's a real pain, though, when a
    formmail.pl was installed as a central copy for users of an ISP to then
    go and define the criteria which make it useless for spamming and yet
    still able to do everything required by legitimate users...
    
    Usually @home, RR, uunet, etc users seem to do this directly.  I haven't
    seen it done from IPs outside the US yet, which means the spammers
    aren't doing it via open proxies/wingates/etc yet.
    --
    David Luyer                                     Phone:   +61 3 9674 7525
    Engineering Projects Manager   P A C I F I C    Fax:     +61 3 9699 8693
    Pacific Internet (Australia)  I N T E R N E T   Mobile:  +61 4 1111 2983
    http://www.pacific.net.au/                      NASDAQ:  PCNTF