On Mon, 14 Jan 2002, Turner, Keith wrote:

> My guess is one of the following: 1) Someone looking to send spam through
> someone else's webserver. (Seems like that would be very inefficient). 2)

Efficient or not, it is being done, and quite widespread. My filters pick up a few hundred spams a day from buggy formmail.pl scripts. By loading up the To: field, they can send maybe 20-30 messages per connect, not a bad return. The source IP address isn't in the e-mail, so unless the owner of the site checks his logs, there is no trace. On the other hand, the server logs WILL have a good trail of where it came from.

This procmail recipe does a good job of filtering out messages from abused formmail.pl scripts. It looks for multiple names in the To: field, and the usual first-line of the script body output:

:0 HB
* <100000
* ^To: [^,]+,[^,]+,[^,]+,
* ^Below is the result of your feedback form.
/your/spam/trap

==========================================================
Chris Candreva -- chrisat_private -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 11:34:40 PST
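
The message above points out that the web server's own logs hold the trail back to whoever drove the script. As an added example (not part of the original post), this Python code groups requests to formmail.pl by source IP; the Common Log Format layout, the threshold of 3, and the sample log lines are assumptions made for illustration.

```python
import re

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Only the script named in the post; matches with or without a query string.
SCRIPT_RE = re.compile(r'/formmail\.pl(\?|$)', re.IGNORECASE)

def formmail_hits(lines):
    """Map source IP -> {'count', 'first', 'last'} for requests to formmail.pl."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not SCRIPT_RE.search(m.group("path")):
            continue
        entry = hits.setdefault(m.group("ip"), {"count": 0, "first": m.group("time")})
        entry["count"] += 1
        entry["last"] = m.group("time")  # log lines are written in time order
    return hits

def suspects(lines, threshold=3):
    """IPs with at least `threshold` (assumed value) requests, busiest first."""
    ranked = sorted(formmail_hits(lines).items(),
                    key=lambda kv: kv[1]["count"], reverse=True)
    return [(ip, h["count"], h["first"], h["last"])
            for ip, h in ranked if h["count"] >= threshold]

# Constructed sample log using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jan/2002:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 1043
203.0.113.7 - - [14/Jan/2002:10:02:11 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
203.0.113.7 - - [14/Jan/2002:10:02:12 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
203.0.113.7 - - [14/Jan/2002:10:02:14 -0500] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 512
198.51.100.4 - - [14/Jan/2002:10:05:40 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 498
192.0.2.10 - - [14/Jan/2002:10:06:00 -0500] "GET /formmail.pl.txt HTTP/1.0" 404 209
""".splitlines()

if __name__ == "__main__":
    for ip, count, first, last in suspects(SAMPLE_LOG):
        print(f"{ip}  {count} requests  {first} .. {last}")
```

The first and last timestamps per address give the window to compare against the delivery times of the trapped messages.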