Re: Matt Wright FormMail Attacks

From: Brannon (brannonat_private)
Date: Mon Jan 14 2002 - 12:35:45 PST

  • Next message: Patrick Benson: "Re: New DNS connection with SYN ACK"

    formmail.pl is used for most CGI spammers the kids are using on AOL. Ive
    come across varous
    programs that use formmail.pl and formmail.cgi. And they also come with a
    formmail scanner. The people who
    usally code these spammers do it for there own benefit after finding one in
    aol private room mikey you will see thats the spammers haven. And what most
    these kids dont know is that for 1 out of every 3 emails they send it spams
    the coders site aswell.  AOL was notified of the activites of the spammers
    months ago and has yet to shit them down. Lemme give you a little excerpt.
    
    OnlineHost:  *** You are in "mikey". ***
    RbbnWilliams:  a ass³·¹ by mikeyT . spammer: [n/a].
    RbbnWilliams:  a rooms: [605141] . ims: [14609488] . avg: [111].
    NiGhTmOnKeY420:  a ass³·¹ by mikeyT . spammer: [NiGhTmOnKeY420].
    NiGhTmOnKeY420:  a rooms: [1140] . ims: [26648] . avg: [23].
    SexyCDCt:  * rooms: [2822]; sent: [60818]; avg: [0].
    Sleepaway:  * cgi spammer v2.3 by mikey; spammer: [Krazie].
    Sleepaway:  * rooms: [44209]; sent: [1092981]; avg: [156].
    MIHAMILLER:  * cgi spammer v2.3 by mikey; spammer: [Krazie2].
    MIHAMILLER:  * rooms: [91566]; sent: [1817940]; avg: [59].
    RbbnWilliams:  a ass³·¹ by mikeyT . spammer: [n/a].
    RbbnWilliams:  a rooms: [605151] . ims: [14609703] . avg:
    SexyCDCt:  * rooms: [2822]; sent: [60818]; avg: [0].
    RbbnWilliams:  a ass³·¹ by mikey . reconnecting . proxies: [1].
    MIHAMILLER:  * cgi spammer v2.3 by mikey; spammer:
    
    
    Should see a huge increase in formmail scanning and proxy scanning in the
    future.
    After all some of these kids are making 5000.00 a week ...
    
    My rant.
    
    
    ----- Original Message -----
    From: "Pence, Derek A." <Derek.Penceat_private>
    To: <incidentsat_private>
    Sent: Monday, January 14, 2002 12:14 PM
    Subject: RE: Matt Wright FormMail Attacks
    
    
    > I've seen it be very successful. Without going into detail, there's a
    script out there that spammers seem to be passing
    > around that automatically formats and submits data to formmail.pl on
    remote boxes.  Sure enough... it works like a
    > charm.  If you are curious about the script they are using, just attach a
    sniffer to your inbound wire and enjoy.
    >
    > Derek
    >
    > -----Original Message-----
    > From: Turner, Keith [mailto:TurnerL@tea-emh1.army.mil]
    > Sent: Monday, January 14, 2002 10:41 AM
    > To: 'Dmitri Smirnov'; 'incidentsat_private'
    > Subject: RE: Matt Wright FormMail Attacks
    >
    >
    >
    > I tried finding some information on these incidents this morning, after
    > noticing them in my logfiles.  Very little info is out there (at least,
    > reachable by search engines).  I found two messages, one in the
    > incidents.org archive and one in the securityfocus archive.  They didn't
    > provide much information though.
    >  My guess is one of the following: 1) Someone looking to send spam through
    > someone else's webserver. (Seems like that would be very inefficient).  2)
    > Someone looking for a new exploit, maybe testing the waters for a new
    worm.
    > 3) Someone looking for a way to "forge" emails.  make it look like it came
    > from an email address of the affected domain.  The email header would go
    > right back to an address in the "forged" domain.
    >
    > Any thoughts?  Maybe someone with the formmail.pl file can tell us what
    > happens if this incident is successful.
    >
    > Keith
    >
    >
    >
    > -----Original Message-----
    > From: Dmitri Smirnov [mailto:Dmitri.Smirnovat_private]
    > Sent: Sunday, January 13, 2002 12:57 PM
    > To: 'incidentsat_private'
    > Subject: Matt Wright FormMail Attacks
    >
    >
    >
    > Morning,
    >
    > just found "Matt Wright FormMail Attacks" as number 5 in 'Top Five' on
    > aris.securityfocus.com.
    > I've sent dozens of alerts to ISPs about formmail.pl incidents but still
    > having the probes from the same subnets (addresses) for few months
    already.
    > Looks like people are not serious about this probe. Is anybody know why
    > number of formmail.pl attacks is growing? May be it is a part of SPAM
    > toolkit or some very popular tool?
    >
    > Dmitri Smirnov, SSCP
    >
    > --------------------------------------------------------------------------
    --
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    > --------------------------------------------------------------------------
    --
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    > --------------------------------------------------------------------------
    --
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 16:05:49 PST