RE: Matt Wright FormMail Attacks

From: Christopher X. Candreva (chrisat_private)
Date: Mon Jan 14 2002 - 10:20:07 PST


    On Mon, 14 Jan 2002, Turner, Keith wrote:
    
    >  My guess is one of the following: 1) Someone looking to send spam through
    > someone else's webserver. (Seems like that would be very inefficient).  2)
    
    Efficient or not, it is being done, and quite widespread.  My filters pick
    up a few hundred spams a day from buggy formmail.pl scripts.
    
    By loading up the To: field, they can send maybe 20-30 messages per connect,
    not a bad return.  The source IP address isn't in the e-mail, so unless the
    owner of the site checks his logs, there is no trace. On the other hand, the
    server logs WILL have a good trail of where it came from.
    
    
    This procmail recipe does a good job of filtering out messages from abused
    formmail.pl scripts. It looks for multiple names in the To: field, and the
    usual first line of the script body output:
    
    :0 HB
    * <100000
    * ^To: [^,]+,[^,]+,[^,]+,
    * ^Below is the result of your feedback form.
    /your/spam/trap
    
    
    ==========================================================
    Chris Candreva  -- chrisat_private -- (914) 967-7816
    WestNet Internet Services of Westchester
    http://www.westnet.com/
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
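The same two signals as the procmail recipe in the post (a stuffed To: header plus the formmail.pl body preamble), written out in Python as an added example that is not from the message or from formmail.pl itself; the sample messages, the MAX_SIZE/MIN_RECIPIENTS constants and the function names are constructed here, and "three commas" is read as "at least four addresses".

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Thresholds are my reading of the recipe's conditions, not values from the post.
MAX_SIZE = 100_000          # "* <100000": the recipe ignores messages of 100 kB or more
MIN_RECIPIENTS = 4          # three commas on the To: line means at least four addresses
BODY_MARKER = re.compile(r"^Below is the result of your feedback form\.", re.M)

def _text_body(msg):
    """Return the text/plain content of a parsed message as one string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return msg.get_payload()

def looks_like_formmail_abuse(raw):
    """True when a raw message has a stuffed To: header and the formmail.pl preamble."""
    if len(raw.encode("utf-8", "replace")) >= MAX_SIZE:
        return False                                   # recipe skips large messages
    msg = message_from_string(raw)
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", [])) if addr]
    if len(recipients) < MIN_RECIPIENTS:
        return False                                   # looks like a normal submission
    return BODY_MARKER.search(_text_body(msg)) is not None

# Constructed sample messages (not real traffic): one abused relay, one legitimate
# form submission, and one ordinary multi-recipient mail without the preamble.
ABUSE_SAMPLE = """From: nobody@example.org
To: a@example.net, b@example.net, c@example.net, d@example.net
Subject: WWW Form Submission

Below is the result of your feedback form.  It was submitted by
a@example.net on Monday.
"""
LEGIT_SAMPLE = """From: nobody@example.org
To: webmaster@example.org
Subject: WWW Form Submission

Below is the result of your feedback form.  It was submitted by
visitor@example.com on Monday.
"""
MULTI_SAMPLE = """From: alice@example.org
To: a@example.net, b@example.net, c@example.net, d@example.net
Subject: meeting

Agenda attached; see you at noon.
"""
```

As the post notes, the sending IP is not in the relayed mail, so a hit from this check is a prompt to look at the web server's access log, not proof on its own.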
    This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 11:34:40 PST