FutureQuest, Inc.

Old 08-21-2001, 12:58 AM   Postid: 51948
sheila
Site Owner
 
 
Join Date: Aug 1999
Location: Metro Los Angeles Area
Posts: 7,398
Relay attempts via Form Mail

Watch out for relay attempts on your account via formmail.pl.

I just happened upon the following entry in my server log a few minutes ago:

63.199.200.129 - - [21/Aug/2001:00:07:23 -0400]
"GET /cgi-bin/formmail.pl?email=thinkspot@thinkspot.com
&recipient=lilkiddoe69@aol.com
&subject=www.thinkspot.net/cgi-bin/formmail.pl
&=www.thinkspot.net/cgi-bin/formmail.pl HTTP/1.0"
404 1938 "-" "SSM Agent 1.0"

(I've folded the single line over several lines, since it is so long.)

I've already reported this miscreant to abuse@pacbell.net and abuse@aol.com for abuse on my server.

I don't use formmail.pl on my site anyhow, so they couldn't get any joy from me. I use my own script.

Anyhow, watch out for this type of stuff!
__________________
sheila
http://www.thinkspot.net/sheilaruns/
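
Added example, not part of the original post: a Python scan of Apache combined-format access logs for requests like the one above, where a `recipient=` parameter names an off-site address. `LOCAL_DOMAINS` and the second and third sample lines are assumptions constructed for illustration; only GET query strings are visible in the log, so POSTed submissions are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: domains this site legitimately mails form results to.
LOCAL_DOMAINS = {"thinkspot.net", "thinkspot.com"}

# Apache combined log format; referer and user agent are optional.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?'
)

# First line: the entry from the post, unfolded. The other two are constructed.
SAMPLE_LOG = [
    '63.199.200.129 - - [21/Aug/2001:00:07:23 -0400] "GET /cgi-bin/formmail.pl'
    '?email=thinkspot@thinkspot.com&recipient=lilkiddoe69@aol.com'
    '&subject=www.thinkspot.net/cgi-bin/formmail.pl'
    '&=www.thinkspot.net/cgi-bin/formmail.pl HTTP/1.0" 404 1938 "-" "SSM Agent 1.0"',
    '192.0.2.10 - - [21/Aug/2001:09:15:02 -0400] "GET /cgi-bin/contact.pl'
    '?recipient=webmaster@thinkspot.net&subject=hello HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.77 - - [21/Aug/2001:09:20:41 -0400] "GET /cgi-bin/hidden/bob.pl'
    '?recipient=a@example.org,b@example.org&subject=test HTTP/1.0" 200 840 "-" "-"',
]

def relay_probes(lines, local_domains=LOCAL_DOMAINS):
    """Return requests whose recipient= parameter names an off-site address."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        # Match on the parameter, not the script name, so renamed or moved
        # copies of the script are covered too.
        values = parse_qs(url.query).get("recipient", [])
        rcpts = [a.strip().lower() for v in values for a in v.split(",") if a.strip()]
        foreign = [a for a in rcpts if a.rpartition("@")[2] not in local_domains]
        if foreign:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "script": url.path,
                "recipients": foreign, "agent": m["agent"],
                # 2xx means a script answered and mail may have gone out.
                "script_ran": m["status"].startswith("2"),
            })
    return findings

if __name__ == "__main__":
    for f in relay_probes(SAMPLE_LOG):
        print(f)
```

A finding with `script_ran` false, like the 404 in the post, is a probe that found nothing; one with `script_ran` true is the case to chase first.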
Old 08-21-2001, 01:06 AM   Postid: 51949
 Deb
FutureQuest, Inc.
 
 
Join Date: Jun 1998
Location: Franktown Colorado
Posts: 6,781
Please View:
http://www.aota.net/forums/showthrea...1141#post51141

And to all who are using formmail...you really should..

a) move it to a directory within your cgi-bin e.g. cgi-bin/formmail.pl is easy to find but cgi-bin/hidden/someplace/else/formmail.pl makes it not as much of a target....

b) FutureQuest may be banning the "unfixed" script from the servers so you really should upgrade and move the formmail.pl anyway to avoid the hassle later.

Deb
- Always Something...
Old 08-21-2001, 01:13 AM   Postid: 51953
electro-nik
Visitor
 
 
Join Date: Aug 2001
Location: Guam
Posts: 42
Hmm. Relaying is the topic of the quarter-hour.

http://www.aota.net/forums/showthrea...&threadid=9006
Old 08-21-2001, 04:06 AM   Postid: 51956
 Terra
CTO FutureQuest, Inc.
 
 
Join Date: Jun 1998
Location: Z'ha'dum
Posts: 7,678
electro-nik:

If you reference that post, I will add one tidbit...

The protection measures will be useless against locally generated mail... To add local controls would only cause frustration and confusion for many site owners not knowing they need to reprogram their scripts to jump through flaming hoops...

If we make it too difficult, they'll leave us for someone not as restrictive...

Our focus is relayed mail, however you need to ensure that the scripts you use cannot be exploited and turned into a Spam engine... The hardest part is tracking down the script in realtime as it's being exploited... Very soon, I will be cracking down hard on exploited scripts and deactivate them on sight...

As mentioned in my other post, that is all I can say at this time...

--
Terra
--It's all a delicate balance of flexibility versus restrictions--
FutureQuest
Old 08-21-2001, 11:06 AM   Postid: 51959
dank
Registered User

 
Join Date: Mar 2000
Location: MWV
Posts: 3,986
Quote:
I will be cracking down hard on exploited scripts and deactivate them on sight...
If I could make a courtesy request, would it be possible to either make a list of such script deactivations as you go or, even better, list them in advance (pre-deactivation) as you determine which ones are risks? It could be a read-only forum thread to keep site owners informed. I just updated my FormMail scripts because of this thread(s), but it wouldn't have occurred to me to check for an update to a ~5 year old script otherwise...

If it turned out I was running an exploitable script (I'm not aware of any), then I would certainly do something about it right away, saving you the time and trouble and saving me from having a broken script on the site.

Dan
Old 08-21-2001, 11:23 AM   Postid: 51961
sheila
Site Owner
 
 
Join Date: Aug 1999
Location: Metro Los Angeles Area
Posts: 7,398
Quote:
Originally posted by Terra:

The hardest part is tracking down the script in realtime as it's being exploited... Very soon, I will be cracking down hard on exploited scripts and deactivate them on sight...
Has this been much of a problem? Or is it just starting to become one? Or is it relatively rare?
__________________
sheila
http://www.thinkspot.net/sheilaruns/
Old 08-21-2001, 12:06 PM   Postid: 51965
Monty
Site Owner
 
 
Join Date: Nov 1999
Location: League City, Texas
Posts: 1,464
The latest copy of formmail has some variables to restrict its usage to the domain it resides on. I set up a copy last week and found it very simple to put into play. I am sure the creative dark side could find a way around these measures, but like a good lock, it keeps most folks honest.

Mont
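
Added example, not part of the original post and not FormMail's own code: a Python sketch of the kind of restriction described above, checking the Referer host and the recipient domain against allow-lists before a form handler sends mail. The allow-list values, the `check_submission` name and the sample addresses in the comments are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions: the site's own host names and the only domain forms may mail to.
ALLOWED_REFERER_HOSTS = {"thinkspot.net", "www.thinkspot.net"}
ALLOWED_RCPT_DOMAINS = {"thinkspot.net"}

# Deliberately strict address shape: local part, one "@", domain.
ADDR_RE = re.compile(r"[A-Za-z0-9._+-]+@([A-Za-z0-9.-]+)")

def check_submission(referer, recipient, subject=""):
    """Return (ok, reason) for one form submission."""
    # A CR or LF inside a header field lets the client append its own
    # headers (extra recipients), so reject it before anything else.
    if any(c in recipient + subject for c in "\r\n"):
        return False, "line break in header field"

    # Compare the parsed host exactly. A substring test would accept
    # http://thinkspot.net.example.org/ as if it were this site.
    try:
        host = (urlsplit(referer).hostname or "").lower()
    except ValueError:
        host = ""
    if host not in ALLOWED_REFERER_HOSTS:
        return False, "referer not on this site"

    # The field may carry several comma-separated addresses; every one
    # of them has to be on the allow-list, not just the first.
    for addr in recipient.split(","):
        m = ADDR_RE.fullmatch(addr.strip())
        if not m:
            return False, "malformed recipient"
        if m.group(1).lower() not in ALLOWED_RCPT_DOMAINS:
            return False, "recipient domain not allowed"
    return True, "ok"

if __name__ == "__main__":
    # Constructed inputs: a normal submission, then the probe from the log.
    print(check_submission("http://www.thinkspot.net/contact.html",
                           "sheila@thinkspot.net", "hello"))
    print(check_submission("-", "lilkiddoe69@aol.com"))
```

The Referer header is supplied by the client, so the recipient allow-list is the check that still holds when a request is scripted rather than sent from a browser.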
Old 08-21-2001, 12:30 PM   Postid: 51966
zmax
Registered User

 
Join Date: Nov 1999
Location: Salt Lake City, UT USA
Posts: 404
Quote:
move it to a directory within your cgi-bin e.g. cgi-bin/formmail.pl is easy to find but cgi-bin/hidden/someplace/else/formmail.pl makes it not as much of a target....
And also it doesn't really have to be called formmail.pl. You can call it anything as long as it gets the job done, right?!

It could be bob.pl and still work. . .

David
Old 08-21-2001, 12:37 PM   Postid: 51967
 Bob
Service Rep
 
 
Join Date: Dec 1999
Location: Jacksonville, Fl
Posts: 4,885
Hey!

Why's it always got to be Bob why not Maurice .pl or something?

Have a Good One,
Bob

- Couldn't resist, I just couldn't. The Devil made me do it -
Old 08-21-2001, 12:40 PM   Postid: 51968
sheila
Site Owner
 
 
Join Date: Aug 1999
Location: Metro Los Angeles Area
Posts: 7,398
Quote:
Originally posted by Bob:
Hey!

Why's it always got to be Bob why not Maurice .pl or something?
I often use bob@mydomain.com as a testing e-mail address. It's just such a nice, three-letter name!
__________________
sheila
http://www.thinkspot.net/sheilaruns/

All times are GMT -4.