Posted to modperl@perl.apache.org by Mike Schienle <mg...@ivsoftware.com> on 2002/01/12 01:20:31 UTC

formmail spammers

Hi all -

I assume I'm not the only one seeing a rash of formmail spam lately. 
I don't have it on my system, but I get a handful of attempts at 
using it every day. This is the kind of thing I'm talking about:

/cgi-bin/formmail.pl?recipient=cexrf03@aol.com,&subject=Your%20site%20is%20great!&email=letmeout005@yahoo.com&=http://ivsoftware.com/cgi-bin/formmail.pl

Is there anything out there along the lines of the 
anti-MSIISProbes/NIMDA/CodeRed modules that will stop this and report it 
up the chain?
-- 

Mike Schienle
Interactive Visuals, Inc.
http://www.ivsoftware.com/

Re: formmail spammers

Posted by Ged Haywood <ge...@www2.jubileegroup.co.uk>.
On Sat, 12 Jan 2002, Perrin Harkins wrote:

> > http://www.spamassassin.org/
> >
> > Without a doubt, the best anti-spam solution around.
> 
> That looks great for solving the problem on my own account,

Well it might look great, but the only result I've had from it so far
is MORE SPAM!  Mail::SpamAssassin's "make test" failed for me
(apparently similar problems have been seen and should have been fixed
but aren't), no response from the mailing list (admittedly after only
24 hours:) to a question - but loads of spam through their list server!

73,
Ged.


Re: formmail spammers

Posted by "A.T.Z." <ve...@atz.nl>.
>so, we've been having a spam problem lately due to formmail.pl.  this
>thread prompted me to scan all our user directories and note people
>who had formmail.pl sitting around.

We hardcoded the TO address in FormMail.pl and tell all our customers to do 
the same.

Spammers trying to use the script will fail. Only the address in the TO 
field gets one message..

Perhaps not the best solution around, but it will do until we fix something 
else. They don't get their spam out to the world. And we send their ISP a 
nice notification about what that user was trying to do. Complete with 
logfiles..

Once you're a known target they will come back..

Bye,



B.
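
The "report it" question in the first post and the log-backed notification described in the reply above, as an added example that is not part of the thread: a Perl script that scans access-log lines for formmail requests whose recipient lies outside the site's own domain and groups the offending lines by client address. The local domain (example.org), the client addresses and the log lines are constructed; only the second request is the one quoted in the first post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the only domain this site's forms legitimately mail to.
my %LOCAL = map { $_ => 1 } qw(example.org);

# Decode '+' and %XX escapes in one query-string component.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Recipients of a formmail request that fall outside %LOCAL
# (empty list for any other request).
sub foreign_recipients {
    my ($request) = @_;
    my ($path, $query) = $request =~ m{^\S+\s+([^?\s]*)\??(\S*)} or return;
    return unless $path =~ m{/formmail\.(?:pl|cgi)$}i;
    my @bad;
    for my $pair (split /[&;]/, $query) {
        my ($k, $v) = map { url_decode($_) } split /=/, $pair, 2;
        next unless defined $v && lc($k) eq 'recipient';
        for my $addr (grep { length } split /\s*,\s*/, $v) {
            my ($domain) = $addr =~ /\@([^\@\s]+)$/;
            push @bad, $addr unless defined $domain && $LOCAL{lc $domain};
        }
    }
    return @bad;
}

# Constructed log lines; the second request is the one quoted in the thread.
my @log = (
    '192.0.2.7 - - [12/Jan/2002:01:02:03 +0000] "POST /cgi-bin/FormMail.pl?recipient=sales%40example.org HTTP/1.0" 200 512',
    '192.0.2.44 - - [12/Jan/2002:01:05:10 +0000] "GET /cgi-bin/formmail.pl?recipient=cexrf03@aol.com,&subject=Your%20site%20is%20great!&email=letmeout005@yahoo.com&=http://ivsoftware.com/cgi-bin/formmail.pl HTTP/1.0" 404 289',
    '192.0.2.44 - - [12/Jan/2002:01:05:11 +0000] "GET /index.html HTTP/1.0" 200 1043',
);

# Group offending lines by client address, ready to attach to a report.
my %by_client;
for my $line (@log) {
    my ($client, $request) = $line =~ /^(\S+) [^"]*"([^"]*)"/ or next;
    my @bad = foreign_recipients($request) or next;
    push @{ $by_client{$client} }, "recipients=@bad\n    $line";
}
printf "%s:\n  %s\n", $_, join("\n  ", @{ $by_client{$_} }) for sort keys %by_client;
```

The script name is matched case-insensitively, so FormMail.pl and formmail.pl are both covered.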


Re: formmail spammers

Posted by "Angel R. Rivera" <an...@wolf.com>.
The latest FormMail.pl has been fixed. They can go to Matt's Archive and get 
the latest copy. 

Geoffrey Young writes: 

>  
>> Right, and point them to NMS for a replacement too.
> 
> so, we've been having a spam problem lately due to formmail.pl.  this
> thread prompted me to scan all our user directories and note people
> who had formmail.pl sitting around. 
> 
> I would have liked a link to send them to for the NMS replacement, but
> I saw two problems: 
> 
> 1. http://nms-cgi.sourceforge.net/ has only tarballs
> 2. the name of the script has a different capitalization in the
> tarball 
> 
> now, for us, this is a no-brainer.  trying to get non-technical people
> (which the vast majority of our hosting customers are) to make the
> switch, though, will result in lots of headaches and support calls
> (which are expensive)... 
> 
> is anyone here involved in this project?  what we really need is to be
> able to say: 
> 
> "hey, just plop this file http://nms-cgi.sourceforge.net/formmail.pl
> in place of your old formmail.pl" 
> 
> --Geoff
 

Re: formmail spammers

Posted by Geoffrey Young <ge...@modperlcookbook.org>.
 
> Right, and point them to NMS for a replacement too.

so, we've been having a spam problem lately due to formmail.pl.  this
thread prompted me to scan all our user directories and note people
who had formmail.pl sitting around.

I would have liked a link to send them to for the NMS replacement, but
I saw two problems:

1. http://nms-cgi.sourceforge.net/ has only tarballs
2. the name of the script has a different capitalization in the
tarball

now, for us, this is a no-brainer.  trying to get non-technical people
(which the vast majority of our hosting customers are) to make the
switch, though, will result in lots of headaches and support calls
(which are expensive)...

is anyone here involved in this project?  what we really need is to be
able to say:

"hey, just plop this file http://nms-cgi.sourceforge.net/formmail.pl
in place of your old formmail.pl"

--Geoff

Re: formmail spammers

Posted by Matt Sergeant <ma...@sergeant.org>.
On Sat, 12 Jan 2002, Perrin Harkins wrote:

> > http://www.spamassassin.org/
> >
> > Without a doubt, the best anti-spam solution around.
>
> That looks great for solving the problem on my own account, but the
> larger problem is that there are all of these insecure installations of
> formmail.pl out there that spammers are using to send tons of mail.
> It's like having an open relay.
>
> A program to check for these on Google and then alert the webmaster at
> each offending site could be a really good thing.

Right, and point them to NMS for a replacement too.

-- 
<!-- Matt -->
<:->Get a smart net</:->


Re: formmail spammers

Posted by Perrin Harkins <pe...@elem.com>.
> http://www.spamassassin.org/
>
> Without a doubt, the best anti-spam solution around.

That looks great for solving the problem on my own account, but the
larger problem is that there are all of these insecure installations of
formmail.pl out there that spammers are using to send tons of mail.
It's like having an open relay.

A program to check for these on Google and then alert the webmaster at
each offending site could be a really good thing.

- Perrin


Re: formmail spammers

Posted by Matt Sergeant <ma...@sergeant.org>.
On Fri, 11 Jan 2002, Perrin Harkins wrote:

> > I assume I'm not the only one seeing a rash of formmail spam lately.
>
> Is THAT what it is?  I have a Yahoo mail account which someone has been
> sending literally thousands of messages per day to, CC'ing lots of
> people on every one, and they all appear to be from some kind of
> compromised form mailer script.  I'm open to any suggestions.

http://www.spamassassin.org/

Without a doubt, the best anti-spam solution around.

-- 
<!-- Matt -->
<:->Get a smart net</:->


Re: formmail spammers

Posted by Perrin Harkins <pe...@elem.com>.
> I assume I'm not the only one seeing a rash of formmail spam lately.

Is THAT what it is?  I have a Yahoo mail account which someone has been
sending literally thousands of messages per day to, CC'ing lots of
people on every one, and they all appear to be from some kind of
compromised form mailer script.  I'm open to any suggestions.

- Perrin