>We've had someone spamming / attacking our network last night / today.
>We finally tracked it down. They were "relaying" off of a formmail script
>on a website.
>Found about 120 instances of BLAT.exe running.
>
>Killed the site. Brought it back up. Started again.
>
>I've since blocked the IP addresses being used and so far, so good.
>
>Anyone see this kind of abuse / attack / "relay" before?

Yes, this is a well-known vulnerability. There is even a database somewhere of formmail servers.

>Any good way to block the abuse of someone's formmail or other script?

Use imgate and RBL checks to stop this and other stuff before it gets to your mailbox server, not after.

>Also, I've tracked this down to a provider in Virginia. Don't they have
>some tough
>laws down there? Anyone familiar with it and what can realistically be
>done there?

Best is to punish the provider by reporting his IP block to many RBL databases.

Reduce your pain by increasing his pain.

Len

www.menandmice.com/DNS-training : DNS Training
BIND8NT.MEIway.com : ISC BIND for NT4 & W2K
IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways
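
An added example, not part of the original message and not IMGate's own code: the RBL (DNSBL) check the reply recommends, as a gateway would run it against the connecting IP before accepting mail. The zone `dnsbl.example`, the fake resolver, the sample addresses and the SMTP reply text are constructed so that it runs offline.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def system_resolver(name):
    """Resolve an A record; return None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip, zone, resolve=system_resolver):
    """True only when the list answers with an address in 127.0.0.0/8.

    Checking the range (not just "got an answer") avoids false positives
    from resolvers that rewrite NXDOMAIN into a search-page address.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def gateway_decision(client_ip, zones, resolve=system_resolver):
    """Return the SMTP reply a gateway would give before accepting mail."""
    for zone in zones:
        if is_listed(client_ip, zone, resolve):
            return "554 5.7.1 %s listed in %s" % (client_ip, zone)
    return "250 OK"

# Constructed data: a hypothetical list zone and its records.
FAKE_ZONE = "dnsbl.example"
FAKE_RECORDS = {"10.2.0.192.dnsbl.example": "127.0.0.4"}

def fake_resolver(name):
    """Stand-in for DNS so the example needs no network."""
    return FAKE_RECORDS.get(name)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "->", gateway_decision(ip, [FAKE_ZONE], fake_resolver))
```
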
