Posted to modperl@perl.apache.org by Adam Prime <ap...@brunico.com> on 2002/01/14 22:50:25 UTC
[OT] RE: formmail spammers
Last week there was a post to bugtraq about ways to exploit badly written
scripts using cdonts.newmail, which exploited the fact that there was an SMTP
conversation going on behind the scenes. This type of exploit can probably
be used on a ton of other form-mail type things that use SMTP in the back
end.
http://www.nextgenss.com/papers/aspmail.pdf
The quick summary is: make sure you strip out \r's and \n's from fields that
can't or shouldn't have them. The example uses a To address like this:
http://www.company.com/newsletter.asp?email=victim@spoofed.com%0D%0Adata%0D%0ASubject:%20Spoofed!%0D%0A%0D%0AHi,%0D%0AThis%20is%20a%20spoofed%20email%0D%0A.%0D%0Aquit%0D%0A
and just blindly sets the To field in newmail.
adam
> -----Original Message-----
> From: A.T.Z. [mailto:verkoop@atz.nl]
> Sent: Monday, January 14, 2002 9:22 AM
> To: modperl@apache.org
> Subject: Re: formmail spammers
>
>
>
> >so, we've been having a spam problem lately due to formmail.pl. this
> >thread prompted me to scan all our user directories and note people
> >who had formmail.pl sitting around.
>
> We hardcoded the TO address in FormMail.pl and tell all our customers to do
> the same.
>
> Spammers trying to use the script will fail. Only the address in the TO
> field gets one message..
>
> Perhaps not the best solution around, but it will do until we fix something
> else. They don't get their spam out to the world. And we send their ISP a
> nice notification about what that user was trying to do. Complete with
> logfiles..
>
> Once you're a known target they will come back..
>
> Bye,
>
> B.
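A defender-side check for the CR/LF problem discussed in this thread, written in Python as an added example (it is not code from the post, from the NGSSoftware paper or from FormMail.pl). It decodes a query string of the kind quoted above, refuses any address field that contains a carriage return or line feed instead of passing it to the mailer, hard-codes the recipient as the quoted reply recommends, and returns the smuggled lines so they can go into the log that the reply says gets sent to the user's ISP. The URLs, the recipient address and all function names are constructed for this example.

```python
"""Added example: rejecting CR/LF injection in form-mail header fields.

Not code from the post, from the NGSSoftware paper or from FormMail.pl.
The URLs, the recipient address and every function name here are
constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request modelled on the query string quoted in the post: the
# `email` parameter carries encoded CR/LF pairs followed by extra SMTP lines.
INJECTED_URL = (
    "http://www.company.com/newsletter.asp?email=victim@spoofed.com"
    "%0D%0Adata%0D%0ASubject:%20Spoofed!%0D%0A%0D%0AHi,%0D%0A"
    "This%20is%20a%20spoofed%20email%0D%0A.%0D%0Aquit%0D%0A"
)
# A benign submission for comparison (constructed).
CLEAN_URL = "http://www.company.com/newsletter.asp?email=reader@example.com"

# Recipient fixed in the script, as the quoted reply recommends, so the form
# cannot be redirected to an arbitrary address (placeholder value).
FIXED_RECIPIENT = "webmaster@example.com"

# One bare mailbox, nothing else: no display names, no comments, no whitespace.
ADDR_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)


class HeaderInjection(ValueError):
    """Raised when a field destined for a mail header carries CR or LF."""


def form_field(url: str, name: str) -> str:
    """Return the first value of query parameter `name`, percent-decoded."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [])
    return values[0] if values else ""


def has_crlf(value: str) -> bool:
    """True if the value would end the current SMTP line or header."""
    return "\r" in value or "\n" in value


def strip_crlf(value: str) -> str:
    """Remove CR and LF: adequate for free-text headers such as Subject."""
    return value.replace("\r", "").replace("\n", "")


def smuggled_lines(value: str) -> list:
    """Everything after the first line, i.e. what an injected field would have
    handed to the SMTP conversation; this is what belongs in the abuse report
    the reply mentions sending to the sender's ISP."""
    return value.splitlines()[1:]


def validate_address(value: str) -> str:
    """Reject, rather than silently repair, an address field with CR/LF in it."""
    if has_crlf(value):
        raise HeaderInjection("CR/LF in address field: %r" % smuggled_lines(value))
    if not ADDR_RE.match(value):
        raise HeaderInjection("not a single bare address: %r" % value)
    return value


def build_headers(url: str) -> dict:
    """Headers the script would hand to its mailer for a submission at `url`."""
    sender = validate_address(form_field(url, "email"))
    subject = strip_crlf(form_field(url, "subject")) or "Newsletter signup"
    return {"To": FIXED_RECIPIENT, "From": sender, "Subject": subject}


def accept(url: str) -> bool:
    """Convenience wrapper: True when the submission passes the checks."""
    try:
        build_headers(url)
    except HeaderInjection:
        return False
    return True


if __name__ == "__main__":
    for url in (CLEAN_URL, INJECTED_URL):
        print(url[:60], "->", "accepted" if accept(url) else "rejected")
```

The address field is rejected outright rather than stripped, because a recipient or sender that needed a line break in it was never legitimate and the rejection is worth logging; free-text fields such as Subject are only stripped, since a stray newline there is as likely to be a paste error as an attack.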