Re: [cobalt-users] Formmail.pl Program
- Subject: Re: [cobalt-users] Formmail.pl Program
- From: "Derrick Hall" <admin@xxxxxxxxxxxxxxxxxxx>
- Date: Fri Mar 16 03:28:19 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
For those who are interested in getting a premade script that does this, go
to http://www.webhostingtalk.com/showthread.php?threadid=6976
>>There is a script going around that uses Matt Wright's formmail.pl
>>program to send SPAM. The script forges the valid referer variable and
>>then sends several SPAM emails per second. I just got hit by thousands
>>of bounced messages. :(
>>
>>An easy fix is to hard code the recipient variable at the beginning of
>>the program. Then change one or two subroutines to process your new
>>variable instead of the info contained in the HTML form. Email me if
>>you have any questions.
>
>
> More information:
>
> the script appears as a User-Agent of 'Microsoft URL Control' - which
> I'm ASSUMING is some kind of Active-X thing - I'm not up on anything
> MicroShaft.
>
> I don't think you're right in the forging of the referer - it uses a
> call to formmail.pl which has an ENV_REPORT call in it - and this seems
> to totally IGNORE the entries in @referers.
>
> ROUGH Details of the exploit can be found at:
>
>
> http://www.securiteam.com/exploits/FormMail_discloses_environment_variables_information.html
>
> The people using it have altered the exploit to send a complete email,
> with a subject and contents all nicely packaged, coming from your raq
> server.
>
> We got hit by this sending email spam advertising a homosexual porn
> site.
>
> We traced the IPs to UUNet and PSI.NET and reported them to their abuse
> teams over the weekend, but it seems that apart from the
> auto-responder, we've got nothing back - if anyone has a phone number
> of someone of any importance in psi.net, I'd like it please!
>
> You should look in the access file (/home/log/httpd/access) for calls
> to formmail.pl, split out the IP and sort them, then uniq -c them to a
> file - save the access file now for possible claims against the
> originating network and contact their abuse team immediately.
>
> hth
>
> Greg
>
>
>>-Mike
>>
>>
>>
>>_______________________________________________
>>cobalt-users mailing list
>>cobalt-users@xxxxxxxxxxxxxxx
>>To Subscribe or Unsubscribe, please go to:
>>http://list.cobalt.com/mailman/listinfo/cobalt-users
>
> --
> http://www.webyourbusiness.com/
> Providers of E-Commerce Software &
> Web Design Consultancy and Services.
> PH: (970)266-0195 FAX: (970)266-0158
>
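The log check Greg describes in the quoted message (pull the formmail.pl requests out of the access log, count them per IP, and look for the 'Microsoft URL Control' User-Agent), as an added example that is not part of the original thread. It assumes the access log is in Apache combined log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise formmail.pl requests in an Apache access log.
# Assumption: combined log format, so splitting a line on double quotes gives
#   $1 = 'IP - - [date] ', $2 = request line, $6 = User-Agent.

# formmail_hits_by_ip [LOGFILE...]  -> "COUNT IP" lines, busiest client first.
# Reads stdin when no file is given.
formmail_hits_by_ip() {
    awk -F'"' 'tolower($2) ~ /formmail\.pl/ { split($1, a, " "); print a[1] }' "$@" |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'      # normalise the padding uniq -c adds
}

# formmail_hits_with_agent AGENT [LOGFILE...]
#   -> number of formmail.pl requests whose User-Agent contains AGENT.
formmail_hits_with_agent() {
    ua=$1
    shift
    awk -F'"' -v ua="$ua" '
        tolower($2) ~ /formmail\.pl/ && index($6, ua) { n++ }
        END { print n + 0 }' "$@"
}

# Constructed sample log (documentation-range addresses), not data from the thread.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [10/Mar/2001:04:12:01 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Microsoft URL Control"
198.51.100.7 - - [10/Mar/2001:04:12:01 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Microsoft URL Control"
192.0.2.5 - - [10/Mar/2001:04:12:02 -0700] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2001:04:12:02 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Microsoft URL Control"
203.0.113.20 - - [10/Mar/2001:09:30:44 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 498 "http://www.example.com/contact.html" "Mozilla/4.0"
EOF
}

# Demo on the sample; on a real server pass the log path instead, e.g.
#   formmail_hits_by_ip /home/log/httpd/access > formmail-ips.txt
sample_log | formmail_hits_by_ip
echo "Requests with the reported User-Agent: $(sample_log | formmail_hits_with_agent 'Microsoft URL Control')"
```

Copy the access log aside before running this, as the message advises, so the evidence survives log rotation.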