Relay attempts via Form Mail
sheila
08-21-2001, 12:58 AM
Watch out for relay attempts on your account via formmail.pl.
I just happened upon the following entry in my server log a few minutes ago:
63.199.200.129 - - [21/Aug/2001:00:07:23 -0400]
"GET/cgi-bin/formmail.pl?email=thinkspot@thinkspot.com
&recipient=lilkiddoe69@aol.com
&subject=www.thinkspot.net/cgi-bin/formmail.pl
&=www.thinkspot.net/cgi-bin/formmail.pl HTTP/1.0"
404 1938 "-" "SSM Agent 1.0"
(I've folded the single line over several lines, since it is so long.)
I've already reported this miscreant to abuse@pacbell.net and abuse@aol.com for abuse on my server.
I don't use formmail.pl on my site anyhow, so they couldn't get any joy from me. I use my own script (http://www.thinkspot.net/sheila/computers/software/gypsymail.html).
Anyhow, watch out for this type of stuff!
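An added example, not part of the original post: one way to scan an Apache combined-format access log for the kind of request shown above, flagging any hit on a form-mail script whose `recipient=` address is outside your own domains. The sample lines are constructed with documentation addresses, and `OWN_DOMAINS`, `SAMPLE` and `relay_probes` are names invented for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format; the request is 'METHOD target PROTOCOL'.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
OWN_DOMAINS = {"example.com"}  # assumption: the only domains your forms mail to

# Constructed sample lines (documentation addresses), shaped like the entry above.
SAMPLE = [
    '192.0.2.10 - - [21/Aug/2001:00:07:23 -0400] "GET /cgi-bin/formmail.pl'
    '?email=a@example.net&recipient=someone@example.org'
    '&subject=www.example.com/cgi-bin/formmail.pl HTTP/1.0" 404 1938 "-" "SSM Agent 1.0"',
    '198.51.100.7 - - [21/Aug/2001:09:15:02 -0400] "GET /cgi-bin/formmail.pl'
    '?recipient=webmaster@example.com&subject=hello HTTP/1.0" 200 512 '
    '"http://www.example.com/contact.html" "Mozilla/4.0"',
    '198.51.100.7 - - [21/Aug/2001:09:15:40 -0400] "GET /index.html HTTP/1.0" '
    '200 4096 "-" "Mozilla/4.0"',
]

def relay_probes(lines, own_domains=OWN_DOMAINS, script="formmail"):
    """Return requests to a form-mail script whose recipient= is off-site."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if script not in url.path.lower():
            continue
        # Several recipients may be passed comma-separated in one parameter.
        addrs = [a.strip() for value in parse_qs(url.query).get("recipient", [])
                 for a in value.split(",") if a.strip()]
        foreign = [a for a in addrs
                   if a.rpartition("@")[2].lower() not in own_domains]
        if foreign:
            # 404 = script not present (probe failed); 200 needs a mail-log check.
            hits.append({"host": m["host"], "time": m["time"],
                         "status": int(m["status"]), "agent": m["agent"],
                         "foreign": foreign})
    return hits

if __name__ == "__main__":
    for hit in relay_probes(SAMPLE):
        print(hit)
```

Only GET query strings appear in the access log, so submissions sent by POST are invisible to this check and have to be traced through the mail log instead.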
Please View:
http://www.aota.net/forums/showthread.php?s=&postid=51141#post51141
And to all who are using formmail...you really should..
a) move it to a directory within your cgi-bin e.g. cgi-bin/formmail.pl is easy to find but cgi-bin/hidden/someplace/else/formmail.pl makes it not as much of a target....
b) FutureQuest may be banning the "unfixed" script from the servers so you really should upgrade and move the formmail.pl anyway to avoid the hassle later.
Deb
- Always Something...
electro-nik
08-21-2001, 01:13 AM
Hmm. Relaying is the topic of the quarter-hour.
http://www.aota.net/forums/showthread.php?s=&threadid=9006
Terra
08-21-2001, 04:06 AM
electro-nik:
If you reference that post, I will add one tidbit...
The protection measures will be useless against locally generated mail... To add local controls would only cause frustration and confusion for many site owners not knowing they need to reprogram their scripts to jump through flaming hoops...
If we make it too difficult, they'll leave us for someone not as restrictive...
Our focus is relayed mail, however you need to ensure that the scripts you use cannot be exploited and turned into a Spam engine... The hardest part is tracking down the script in realtime as it's being exploited... Very soon, I will be cracking down hard on exploited scripts and deactivate them on sight...
As mentioned in my other post, that is all I can say at this time...
--
Terra
--It's all a delicate balance of flexibility versus restrictions--
FutureQuest
I will be cracking down hard on exploited scripts and deactivate them on sight...
If I could make a courtesy request, would it be possible to either make a list of such script deactivations as you go or, even better, list them in advance (pre-deactivation) as you determine which ones are risks? It could be a read-only forum thread to keep site owners informed. I just updated my FormMail scripts because of this thread(s), but it wouldn't have occurred to me to check for an update to a ~5 year old script otherwise...
If it turned out I was running an exploitable script (I'm not aware of any), then I would certainly do something about it right away, saving you the time and trouble and saving me from having a broken script on the site.
Dan
sheila
08-21-2001, 11:23 AM
Originally posted by Terra:
The hardest part is tracking down the script in realtime as it's being exploited... Very soon, I will be cracking down hard on exploited scripts and deactivate them on sight...
Has this been much of a problem? Or is it just starting to become one? Or is it relatively rare?
Monty
08-21-2001, 12:06 PM
The latest copy of formmail has some variables to restrict its usage to the domain it resides on. I set up a copy last week and found it very simple to put into play. I am sure the creative dark side could find a way around these measures, but like a good lock, it keeps most folks honest.
Mont
move it to a directory within your cgi-bin e.g. cgi-bin/formmail.pl is easy to find but cgi-bin/hidden/someplace/else/formmail.pl makes it not as much of a target....
And also it doesn't really have to be called formmail.pl. You can call it anything as long as it gets the job done, right?!
It could be bob.pl and still work. . . :)
David
Hey!
Why's it always got to be Bob why not Maurice .pl or something? :stardanc:
Have a Good One,
Bob
- Couldn't resist, I just couldn't. The Devil made me do it :P -
sheila
08-21-2001, 12:40 PM
Originally posted by Bob:
Hey!
Why's it always got to be Bob why not Maurice .pl or something? :stardanc:
I often use bob@mydomain.com as a testing e-mail address. It's just such a nice, three-letter name! ;)
Originally posted by sheila:
I often use bob@mydomain.com as a testing e-mail address. It's just such a nice, three-letter name! ;)
That's just the problem Sheila.
My email addresses are all Bob@ so I have to use the old, tried and tested, "Test@" address :p
Enjoy the day folks,
Bob
- You all know that Bob is just one "o" away from being a Bo_b! Don't you? :P -
Tibbits
08-21-2001, 02:07 PM
Ever seen Titan AE Bob?
Originally posted by Tibbits:
Ever seen Titan AE Bob?
Uhhh, Nope, never even heard of it :(
-Bob
-Don't get Deb started on my Movie Viewing habits now (rather the lack of them) :P -
:P Erk sorry...BOB!!!! I just couldn't resist on that one either. %)
Yea Titan AE. Saw it recently. They got a Bob thing going on there. :) And don't forget about the Church of Bob.
http://www.subgenius.com/ or something. . .
David
8}
Tibbits
08-22-2001, 08:19 AM
Not to forget Almighty Bob from Douglas Adams' Mostly Harmless
Monty
08-22-2001, 11:13 PM
Just to follow up:
On the new version of formmail, the error it generated for me today, when I tried to "spam" it, was the one that said 'email recipent field incorrect'. The only things I have changed in Matt's script are the usual variables, and so far, it catches me every time I try to test it.
Mont
...insanity, doing the same things over and over and expecting different outcomes...
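An added example of the kind of recipient restriction discussed in this thread, written in Python; it is not FormMail's own code (FormMail is Perl) and not from any poster here. `ALLOWED_DOMAINS`, `RecipientError`, `validate_recipients` and `is_accepted` are names invented for the example, and the domain allowlist is an assumption about the site.

```python
import re

ALLOWED_DOMAINS = frozenset({"example.com"})  # assumption: the site's own mail domain
# Conservative local part: no %, !, parentheses, quotes or whitespace.
LOCAL_PART = re.compile(r"[A-Za-z0-9._+-]{1,64}")

class RecipientError(ValueError):
    """Raised when a submitted recipient field must be refused."""

def validate_recipients(raw, allowed=ALLOWED_DOMAINS):
    """Return normalised recipients, or raise if any single one is not allowed."""
    # CR/LF in the field would let a submitter append extra mail headers.
    if any(c in raw for c in "\r\n\0"):
        raise RecipientError("control character in recipient field")
    accepted = []
    for addr in raw.split(","):
        addr = addr.strip()
        # Split on the LAST '@' so the domain is what a mail server would use.
        local, at, domain = addr.rpartition("@")
        if not at or not LOCAL_PART.fullmatch(local):
            raise RecipientError(f"malformed address: {addr!r}")
        # Exact match, not a suffix or substring test: 'example.com.evil.test'
        # and 'notexample.com' must both fail.
        if domain.lower() not in allowed:
            raise RecipientError(f"recipient domain not allowed: {domain!r}")
        accepted.append(f"{local}@{domain.lower()}")
    return accepted

def is_accepted(raw, allowed=ALLOWED_DOMAINS):
    """Boolean wrapper for callers that only need yes/no."""
    try:
        validate_recipients(raw, allowed)
        return True
    except RecipientError:
        return False

if __name__ == "__main__":
    for field in ("bob@example.com", "someone@example.org",
                  "bob@example.com,someone@example.org"):
        print(f"{field!r}: {'ok' if is_accepted(field) else 'refused'}")
```

The whole field is refused if any one address fails, so a valid on-site address cannot be used to carry an off-site one along with it.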