Security Incidents mailing list archives

RE: Matt Wright FormMail Attacks


From: "Christopher X. Candreva" <chris () westnet com>
Date: Mon, 14 Jan 2002 13:20:07 -0500 (EST)

On Mon, 14 Jan 2002, Turner, Keith wrote:

> My guess is one of the following: 1) Someone looking to send spam through
> someone else's webserver. (Seems like that would be very inefficient).  2)

Efficient or not, it is being done, and quite widespread.  My filters pick
up a few hundred spams a day from buggy formmail.pl scripts.

By loading up the To: field, they can send maybe 20-30 messages per connect,
not a bad return.  The source IP address isn't in the e-mail, so unless the
owner of the site checks his logs, there is no trace. On the other hand, the
server logs WILL have a good trail of where it came from.


This procmail recipe does a good job of filtering out messages from abused
formmail.pl scripts. It looks for multiple names in the To: field, and the
usual first line of the script body output:

:0 HB
* <100000
* ^To: [^,]+,[^,]+,[^,]+,
* ^Below is the result of your feedback form.
/your/spam/trap
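The same three conditions as the procmail recipe above (total size under 100000 bytes, a To: header with at least three commas, and the FormMail banner at the start of a body line), written as a small Python filter so the logic can be tried against sample messages. This is an added example, not the poster's recipe or any FormMail code; the three messages it checks are constructed for illustration, and the header/body handling follows procmail's case-insensitive, line-anchored matching only as far as this check needs.

```python
import email
from email import policy

# Constants mirroring the recipe: "* <100000" and the FormMail banner line.
MAX_SIZE = 100000
FORMMAIL_BANNER = "Below is the result of your feedback form."


def _body_text(msg) -> str:
    """Return the text/plain body of a parsed message ("" if none)."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def looks_like_formmail_abuse(raw: bytes) -> bool:
    """Python equivalent of the procmail recipe:
       :0 HB
       * <100000
       * ^To: [^,]+,[^,]+,[^,]+,
       * ^Below is the result of your feedback form.
    Returns True when the message should go to the spam trap."""
    # "* <100000": the whole message must be under 100000 bytes.
    if len(raw) >= MAX_SIZE:
        return False
    msg = email.message_from_bytes(raw, policy=policy.default)
    # "^To: [^,]+,[^,]+,[^,]+,": at least three commas in the To: header,
    # i.e. four or more recipients loaded into the form's To: field.
    # Header-name lookup is case-insensitive, like procmail's default match.
    to_header = str(msg.get("To", ""))
    if to_header.count(",") < 3:
        return False
    # "^Below is the result ...": procmail's ^ anchors at the start of any
    # line in the searched region, so test each body line's start.
    return any(line.startswith(FORMMAIL_BANNER)
               for line in _body_text(msg).splitlines())


def sort_messages(messages):
    """Route a batch of raw messages: returns (trapped, delivered) lists."""
    trapped = [m for m in messages if looks_like_formmail_abuse(m)]
    delivered = [m for m in messages if not looks_like_formmail_abuse(m)]
    return trapped, delivered


# Constructed sample: output of an abused FormMail script with a stuffed To:.
SAMPLE_ABUSE = b"""From: www@example.net
To: a@example.com, b@example.com, c@example.com, d@example.com
Subject: WWW Form Submission
Content-Type: text/plain

Below is the result of your feedback form.  It was submitted by
(someone@example.org) on Monday, January 14, 2002 at 13:00:00
---------------------------------------------------------------------------

message: advertising text here
"""

# Constructed sample: ordinary single-recipient mail, must not be trapped.
SAMPLE_LEGIT = b"""From: friend@example.org
To: me@example.com
Subject: lunch
Content-Type: text/plain

Below is the menu for Friday.
"""

# Constructed sample: many recipients but no FormMail banner, must pass.
SAMPLE_GROUP = b"""From: coordinator@example.org
To: a@example.com, b@example.com, c@example.com, d@example.com
Subject: meeting
Content-Type: text/plain

Reminder: the meeting is at 10am.
"""

if __name__ == "__main__":
    trapped, delivered = sort_messages([SAMPLE_ABUSE, SAMPLE_LEGIT, SAMPLE_GROUP])
    print(f"trapped={len(trapped)} delivered={len(delivered)}")
```

Like the recipe, this keys on the script's fixed banner line rather than on the sender, so it keeps working whichever abused site the mail is relayed through; the recipient-count condition is what keeps genuine single-recipient form submissions out of the trap.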


==========================================================
Chris Candreva  -- chris () westnet com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

