Re: [cobalt-users] Formmail spamming??

[David Lucas <david@xxxxxxxxxxxxxxxx>]

At 12:58 PM 5/30/2002, you wrote:
> Hi All,
>
> I have a client who has the latest version of formmail running (1.9)
>
> Recently my logs filled up with stuff like this:
>
> May 30 08:53:51 admin sendmail[1253]: g4UCrhd01251: 
> to=<alf428@xxxxxxxxxxx>www.pica.ws, ctladdr=jfalk (450/100), 
> delay=00:00:08, xdelay=00:00:04, mailer=esmtp, pri=871938, 
> relay=mailin-02.mx.aol.com. [64.12.137.89], dsn=5.1.1, stat=User unknown
> May 30 08:53:51 admin sendmail[1253]: g4UCrhd01251: 
> to=<alf429@xxxxxxxxxxx>www.pica.ws, ctladdr=jfalk (450/100), 
> delay=00:00:08, xdelay=00:00:04, mailer=esmtp, pri=871938, 
> relay=mailin-02.mx.aol.com. [64.12.137.89], dsn=5.1.1, stat=User unknown
> May 30 08:53:51 admin sendmail[1253]: g4UCrhd01251: 
> to=<alf42@xxxxxxxxxxx>www.pica.ws, ctladdr=jfalk (450/100), 
> delay=00:00:08, xdelay=00:00:04, mailer=esmtp, pri=871938, 
> relay=mailin-02.mx.aol.com. [64.12.137.89], dsn=5.1.1, stat=User unknown
> May 30 08:53:54 admin sendmail[1253]: g4UCrhd01251: 
> to=<formmailtesting@xxxxxxxx> www.pica.ws, ctladdr=jfalk (450/100), 
> delay=00:00:11, xdelay=00:00:03, mailer=esmtp, pri=871938, 
> relay=tom.inbox.lv. [193.108.185.19], dsn=5.2.1, stat=User unknown
>
> This appears to me to be someone using formmail to send spam (especially 
> that last message to formmailtesting@xxxxxxxx -- looks like the spammer 
> verifying that the formmail script works).
> Yes/No?
> How are they getting away with this?  I've got the @referers set to 
> include only the client's domain and @recipients = @referers.
>
> Needless to say I've rm'd the script until further notice.


Is it still happening with the script removed?
If it is, then make sure you have pop before smtp relaying checked for email.
It could be someone infected with Klez.