[Dshield] Strange stuff?
Johannes B. Ullrich
jullrich at euclidian.com
Thu Oct 11 17:42:45 GMT 2001
On Thu, 11 Oct 2001, Paul Marsh wrote:
> Yesterday and this morning I've seen the following entries in my OWA IIS
> 2001-10-11 06:55:55 220.127.116.11 - 192.x.x.x GET /cgi-bin/FormMail.pl
> <mailto:email=tester at aol.net&recipient=tester at aol.net&subject=P80+209.213.81
> .107+7> email=tester
The 'formmail' cgi script is a commonly used script to send form
submissions via email to a web site owner/administrator.
However, the script allows the submitter to send email to any email
address, which basically makes it a nice tool to send out spam.
What you are seeing is a spammer probing your PC to see if formmail is installed.
Basically, the goal is to send an email to 'tester at aol.com'. The subject
line will tell 'tester' your IP address. If 'tester' receives the email, a
big load of spam is sure to follow using the same hole.
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
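
An added detection example, not part of the original message: it scans web server log lines laid out like the one quoted above for FormMail requests whose `recipient` is outside the site's own mail domains. The allowed-domain list, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: this site's own forms only ever mail these domains.
ALLOWED_RECIPIENT_DOMAINS = {"example.org"}

# Request paths ending in a FormMail script name, any letter case.
FORMMAIL_PATH = re.compile(r"/formmail(\.pl|\.cgi)?$", re.IGNORECASE)

# Constructed sample lines: date time client-ip user server-ip method path query
SAMPLE_LOG = """\
2001-10-11 06:55:55 198.51.100.7 - 192.0.2.10 GET /cgi-bin/FormMail.pl email=tester@example.net&recipient=tester@example.net&subject=P80+192.0.2.10
2001-10-11 07:01:12 198.51.100.9 - 192.0.2.10 GET /cgi-bin/formmail.pl recipient=webmaster@example.org&subject=Feedback
2001-10-11 07:02:40 198.51.100.9 - 192.0.2.10 GET /index.html -
"""


def find_formmail_probes(log_text, allowed=ALLOWED_RECIPIENT_DOMAINS):
    """Return one finding per FormMail request with an off-site recipient."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 8:
            continue  # skip log header directives and short lines
        date, time, client_ip, _user, _srv, _method, path, query = fields[:8]
        if not FORMMAIL_PATH.search(path):
            continue
        params = parse_qs(query)  # also decodes '+' and %xx escapes
        for value in params.get("recipient", []):
            # Split on commas defensively in case several addresses are given.
            for addr in value.split(","):
                domain = addr.rpartition("@")[2].strip().lower()
                if domain not in allowed:
                    findings.append({
                        "when": f"{date} {time}",
                        "client_ip": client_ip,
                        "recipient": addr.strip(),
                        "subject": params.get("subject", [""])[0],
                    })
    return findings


if __name__ == "__main__":
    for hit in find_formmail_probes(SAMPLE_LOG):
        print(hit)
```

Only GET requests carry the parameters in the logged query string; a POST to the same script shows up with the path alone, so the path match is worth alerting on separately.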