[OT] RE: formmail spammers
Last week there was a post to bugtraq about ways to exploit badly written scripts using cdonts.newmail, that exploited the fact that there was an SMTP conversation going on behind the scenes. This type of exploit can probably be used on a ton of other form mail type things, that use SMTP in the back end.

http://www.nextgenss.com/papers/aspmail.pdf

the quick summary is make sure you strip out \r's and \n's from fields that can't or shouldn't have them. The example uses a to address like this

http://www.company.com/newsletter.asp?[EMAIL PROTECTED]%0D%0Adata%0D%0ASubject:%20Spoofed!%0D%0A%0D%0AHi,%0D%0AThis%20is%20a%20spoofed%20email%0D%0A.%0D%0Aquit%0D%0A

and just blindly set the to field in newmail.

adam

> -Original Message-
> From: A.T.Z. [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 14, 2002 9:22 AM
> To: [EMAIL PROTECTED]
> Subject: Re: formmail spammers
>
> >so, we've been having a spam problem lately due to formmail.pl. this
> >thread prompted me to scan all our user directories and note people
> >who had formmail.pl sitting around.
>
> We hardcoded the TO address in FormMail.pl and tell all our customers to do
> the same.
>
> Spammers trying to use the script will fail. Only the address in the TO
> field gets one messages..
>
> Perhaps not the best solution around, but it will do until we fix something
> else. They don't get their spam out to the world. And we send their ISP a
> nice notification about what that user was trying to do. Complete with
> logfiles..
>
> Once you're a known target they will come back..
>
> Bye,
>
> B.
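The two mitigations mentioned in this message (no \r or \n in fields that end up in mail headers, and a recipient fixed on the server side), sketched as an added example that is not code from FormMail.pl, NMS or the cited paper. The names `%ALLOWED_RCPT`, `check_header_field` and `resolve_recipient`, the 200-character limit and the example.com/example.net addresses are assumptions made for illustration; the sketch rejects a bad value outright instead of stripping it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical server-side recipient table: the form submits a key,
# never an address, so the To: address is fixed by the site owner.
my %ALLOWED_RCPT = (
    sales   => 'sales@example.com',
    support => 'support@example.com',
);

# Reject (rather than silently strip) any value destined for a mail header
# or SMTP command that contains CR, LF or another control byte.
# Returns the value on success, undef on rejection.
sub check_header_field {
    my ($value) = @_;
    return undef unless defined $value && length $value;
    return undef if $value =~ /[\x00-\x1f\x7f]/;   # includes \r and \n
    return undef if length($value) > 200;          # constructed limit
    return $value;
}

# Map the submitted key to a fixed address; unknown keys yield undef.
sub resolve_recipient {
    my ($key) = @_;
    return undef unless defined $key;
    return $ALLOWED_RCPT{$key};
}

# Constructed sample inputs, already URL-decoded as a CGI library would
# deliver them. The second has the shape of the request quoted above.
my @samples = (
    [ 'support', 'Question about my order' ],
    [ "someone\@example.net\r\ndata\r\nSubject: Spoofed!", 'hello' ],
    [ 'sales', "Hi\r\nBcc: list\@example.net" ],
);

for my $s (@samples) {
    my ($rcpt_key, $subject) = @$s;
    my $to   = resolve_recipient($rcpt_key);
    my $subj = check_header_field($subject);
    if (defined $to && defined $subj) {
        print "ACCEPT to=$to subject=$subj\n";
    } else {
        # Make control bytes visible so the log line is usable in an abuse report.
        (my $shown = "$rcpt_key | $subject") =~ s/([\x00-\x1f\x7f])/sprintf('\\x%02x', ord $1)/ge;
        print "REJECT $shown\n";
    }
}
```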
Re: formmail spammers
The latest FormMail.pl has been fixed. They can go to Matt's Archive and get the latest copy.

Geoffrey Young writes:
>
>> Right, and point them to NMS for a replacement too.
>
> so, we've been having a spam problem lately due to formmail.pl. this
> thread prompted me to scan all our user directories and note people
> who had formmail.pl sitting around.
>
> I would have liked a link to send them to for the NMS replacement, but
> I saw two problems:
>
> 1. http://nms-cgi.sourceforge.net/ has only tarballs
> 2. the name of the script has a different capitalization in the
>    tarball
>
> now, for us, this is a no-brainer. trying to get non-technical people
> (which the vast majority of our hosting customers are) to make the
> switch, though, will result in lots of headaches and support calls
> (which are expensive)...
>
> is anyone here involved in this project? what we really need is to be
> able to say:
>
> "hey, just plop this file http://nms-cgi.sourceforge.net/formmail.pl
> in place of your old formmail.pl"
>
> --Geoff
Re: formmail spammers
>so, we've been having a spam problem lately due to formmail.pl. this
>thread prompted me to scan all our user directories and note people
>who had formmail.pl sitting around.

We hardcoded the TO address in FormMail.pl and tell all our customers to do the same.

Spammers trying to use the script will fail. Only the address in the TO field gets one messages..

Perhaps not the best solution around, but it will do until we fix something else. They don't get their spam out to the world. And we send their ISP a nice notification about what that user was trying to do. Complete with logfiles..

Once you're a known target they will come back..

Bye,

B.
Re: formmail spammers
> Right, and point them to NMS for a replacement too.

so, we've been having a spam problem lately due to formmail.pl. this thread prompted me to scan all our user directories and note people who had formmail.pl sitting around.

I would have liked a link to send them to for the NMS replacement, but I saw two problems:

1. http://nms-cgi.sourceforge.net/ has only tarballs
2. the name of the script has a different capitalization in the tarball

now, for us, this is a no-brainer. trying to get non-technical people (which the vast majority of our hosting customers are) to make the switch, though, will result in lots of headaches and support calls (which are expensive)...

is anyone here involved in this project? what we really need is to be able to say:

"hey, just plop this file http://nms-cgi.sourceforge.net/formmail.pl in place of your old formmail.pl"

--Geoff
Re: formmail spammers
On Sat, 12 Jan 2002, Perrin Harkins wrote:

> > http://www.spamassassin.org/
> >
> > Without a doubt, the best anti-spam solution around.
>
> That looks great for solving the problem on my own account,

Well it might look great, but the only result I've had from it so far is MORE SPAM!

Mail::SpamAssassin's "make test" failed for me (apparently similar problems have been seen and should have been fixed but aren't), no response from the mailing list (admittedly after only 24 hours:) to a question - but loads of spam through their list server!

73,
Ged.
Re: formmail spammers
On Sat, 12 Jan 2002, Perrin Harkins wrote:

> > http://www.spamassassin.org/
> >
> > Without a doubt, the best anti-spam solution around.
>
> That looks great for solving the problem on my own account, but the
> larger problem is that there are all of these insecure installations of
> formmail.pl out there that spammers are using to send tons of mail.
> It's like having an open relay.
>
> A program to check for these on Google and then alert the webmaster at
> each offending site could be a really good thing.

Right, and point them to NMS for a replacement too.

--
<:->Get a smart net
Re: formmail spammers
> http://www.spamassassin.org/
>
> Without a doubt, the best anti-spam solution around.

That looks great for solving the problem on my own account, but the larger problem is that there are all of these insecure installations of formmail.pl out there that spammers are using to send tons of mail. It's like having an open relay.

A program to check for these on Google and then alert the webmaster at each offending site could be a really good thing.

- Perrin
Re: formmail spammers
On Fri, 11 Jan 2002, Perrin Harkins wrote:

> > I assume I'm not the only one seeing a rash of formmail spam lately.
>
> Is THAT what it is? I have a Yahoo mail account which someone has been
> sending literally thousands of messages per day to, CC'ing lots of
> people on every one, and they all appear to be from some kind of
> compromised form mailer script. I'm open to any suggestions.

http://www.spamassassin.org/

Without a doubt, the best anti-spam solution around.

--
<:->Get a smart net
Re: formmail spammers
> I assume I'm not the only one seeing a rash of formmail spam lately.

Is THAT what it is? I have a Yahoo mail account which someone has been sending literally thousands of messages per day to, CC'ing lots of people on every one, and they all appear to be from some kind of compromised form mailer script. I'm open to any suggestions.

- Perrin