[Dshield] Strange stuff?

Paul Marsh pmarsh at nmefdn.org
Thu Oct 11 13:55:40 GMT 2001


Yesterday and this morning I've seen the following entries in my OWA IIS
log.
 
2001-10-11 06:55:55 152.163.160.44 - 192.x.x.x GET /cgi-bin/FormMail.pl email=tester@aol.net&recipient=tester@aol.net&subject=P80+209.x.x.x+7 401 766 110 2394 80 HTTP/1.0 - - -
2001-10-11 06:55:55 152.163.160.44 - 192.x.x.x GET /cgi-bin/formmail.pl email=tester@aol.net&recipient=tester@aol.net&subject=P80+209.x.x.x+35 401 766 111 2414 80 HTTP/1.0 - - -
2001-10-11 06:55:55 152.163.160.44 - 192.x.x.x GET /cgi-bin/formmail/FormMail.pl email=tester@aol.net&recipient=tester@aol.net&subject=P80+209.x.x.x+11 401 766 120 2494 80 HTTP/1.0 - - -
2001-10-11 06:55:55 152.163.160.44 - 192.x.x.x GET /cgi-sys/FormMail.pl email=tester@aol.net&recipient=tester@aol.net&subject=P80+209.x.x.x+131 401 766 112 301 80 HTTP/1.0 - - -
2001-10-11 06:55:55 152.163.160.44 - 192.x.x.x GET /cgi/FormMail.pl email=tester@aol.net&recipient=tester@aol.net&subject=P80+209.x.x.x+19 401 766 107 310 80 HTTP/1.0 - - -
2001-10-11 06:55:55 152.163.160.44 - 192.x.x.x GET /cgi-sys/formmail.pl email=tester@aol.net&recipient=tester@aol.net&subject=P80+209.x.x.x+67 401 766 111 441 80 HTTP/1.0 - - -
2001-10-11 06:55:55 152.163.160.44 - 192.x.x.x GET /scripts/formmail.pl email=tester@aol.net&recipient=tester@aol.net&subject=P80+209.x.x.x+515 401 766 112 260 80 HTTP/1.0 - - -
2001-10-11 06:55:55 152.163.160.44 - 192.x.x.x GET /scripts/FormMail.pl email=tester@aol.net&recipient=tester@aol.net&subject=P80+209.x.x.x+259 401 766 112 431 80 HTTP/1.0 - - -

At the same time I've found the following e-mail in Exchange.
 
2  ImCr         ¥ó= RÁ        zipcode.office.aol.com x98A3A02C.pix.aol.com
< tester at aol.net >   c=us;a= ;p=nellie
mae;l=EXCHANGE0110110655TP7S1331          A                      > rfc822
< tester at aol.net >         P   
otmarket        tester%aol.net at 209.x.x.x
^G OD  EwLs
Received: from zipcode.office.aol.com (x98A3A02C.pix.aol.com
 [152.163.160.44]) by exchange.org with SMTP (Microsoft Exchange Internet
 Mail Service Version 5.5.2653.13)
 id TP7S1331; Thu, 11 Oct 2001 02:55:53 -0400
From: tester at aol.net
Subject: ORT 209.x.x.x 3

At the same time in event viewer I found a delivery attempt of the same
e-mail to 205.188.157.153
 
I'm taking a total guess on this so please enlighten me.  It looks like AOL
is trying to relay mail through my Exchange server?  I called AOL and asked
them to investigate the situation and let me know but I don't think I'll
ever hear back from them.  Can someone please let me know what they think
this is?
 
Thanx, Paul
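
When entries like the ones in this post show up, grouping them by client shows how many script locations were tried, which recipient addresses were supplied, and whether any request was actually served. The following is an added example, not part of the original post: the field order is read off the log lines above, and the sample lines, addresses and the `formmail_probes` helper are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs
import posixpath

# Constructed sample lines, using the field order seen in the post:
# date time c-ip user s-ip method uri-stem uri-query status ...
SAMPLE_LOG = """\
2001-10-11 06:55:55 198.51.100.7 - 192.0.2.10 GET /cgi-bin/FormMail.pl email=t@example.net&recipient=t@example.net&subject=P80+192.0.2.10+7 401 766 110 2394 80 HTTP/1.0 - - -
2001-10-11 06:55:55 198.51.100.7 - 192.0.2.10 GET /cgi-sys/formmail.pl email=t@example.net&recipient=t@example.net&subject=P80+192.0.2.10+67 401 766 111 441 80 HTTP/1.0 - - -
2001-10-11 06:55:56 198.51.100.7 - 192.0.2.10 GET /scripts/FormMail.pl email=t@example.net&recipient=t@example.net&subject=P80+192.0.2.10+259 401 766 112 431 80 HTTP/1.0 - - -
2001-10-11 07:02:10 203.0.113.9 - 192.0.2.10 GET /exchange/logon.asp - 200 512 300 120 80 HTTP/1.0 - - -
2001-10-11 07:03:00 203.0.113.9 - 192.0.2.10 POST /cgi-bin/formmail.pl - 200 512 300 120 80 HTTP/1.0 - - -
"""

def formmail_probes(log_text, min_paths=3):
    """Summarise clients that requested formmail.pl at min_paths or more
    distinct locations (hypothetical helper; threshold is an assumption)."""
    seen = defaultdict(lambda: {"paths": set(), "recipients": set(), "statuses": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 9:
            continue  # skip W3C directive lines and short/garbled records
        client, stem, query, status = fields[2], fields[6], fields[7], fields[8]
        # IIS paths are case-insensitive, so compare and store in lower case.
        if posixpath.basename(stem).lower() != "formmail.pl":
            continue
        entry = seen[client]
        entry["paths"].add(stem.lower())
        entry["statuses"].add(status)
        if query != "-":
            entry["recipients"].update(parse_qs(query).get("recipient", []))
    report = {}
    for client, entry in seen.items():
        if len(entry["paths"]) >= min_paths:
            report[client] = {
                "paths": sorted(entry["paths"]),
                "recipients": sorted(entry["recipients"]),
                # True if any request got a 2xx/3xx: the script may exist there.
                "served": any(s[0] in "23" for s in entry["statuses"]),
            }
    return report

if __name__ == "__main__":
    for client, summary in formmail_probes(SAMPLE_LOG).items():
        print(client, summary)
```

A client with `served` set to false only received error responses such as the 401s shown in the post; a true value is the case worth following up in the mail server's own logs.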