[OT] RE: formmail spammers

[Adam Prime <ap...@brunico.com>]

Last week there was a post to bugtraq about ways to exploit badly written
scripts using cdonts.newmail, that exploited the fact that there was a SMTP
conversation going on behind the scenes.  This type of exploit can probably
be used on a ton of other form mail type things, that use SMTP in the back
end.

http://www.nextgenss.com/papers/aspmail.pdf


the quick summary is make sure you strip out \r's and \n's from fields that
can't or shouldn't have them.  The example uses a to address like this

http://www.company.com/newsletter.asp?email=victim@spoofed.com%0D%0Adata%0D%
0ASubject:%20Spoofed!%0D%0A%0D%0AHi,%0D%0AThis%20is%20a%20spoofed%20email%0D
%0A.%0D%0Aquit%0D%0A

and just blindly set the to field in newmail.

adam


> -----Original Message-----
> From: A.T.Z. [mailto:verkoop@atz.nl]
> Sent: Monday, January 14, 2002 9:22 AM
> To: modperl@apache.org
> Subject: Re: formmail spammers
> 
> 
> 
> >so, we've been having a spam problem lately due to formmail.pl.  this
> >thread prompted me to scan all our user directories and note people
> >who had formmail.pl sitting around.
> 
> We hardcoded the TO address in FormMail.pl and tell all our 
> customers to do 
> the same.
> 
> Spammers trying to use the script will fail. Only the address 
> in the TO 
> field gets one messages..
> 
> Perhaps not the best solution around, but it will do until we 
> fix something 
> else. They don't get their spam out to the world. And we send 
> their ISP a 
> nice notification about what that user was trying to do. 
> Complete with 
> logfiles..
> 
> Once you're a know target they will come back..
> 
> Bye,
> 
> 
> 
> B.
>