[Dshield] Strange stuff?

Johannes B. Ullrich jullrich at euclidian.com
Thu Oct 11 17:42:45 GMT 2001


On Thu, 11 Oct 2001, Paul Marsh wrote:

> Yesterday and this morning I've seen the following entries in my OWA IIS
> log.
>
> 2001-10-11 06:55:55 152.163.160.44 - 192.x.x.x GET /cgi-bin/FormMail.pl
> <mailto:email=tester at aol.net&recipient=tester at aol.net&subject=P80+209.213.81
> .107+7> email=tester


The 'formmail' cgi script is a commonly used script to send form
submissions via email to a web site owner/administrator.

However, the script allows the submitter to send email to any email
address, which basically makes it a nice tool to send out spam.

What you are seeing is a spammer probing your PC to see if formmail is installed.
Basically, the goal is to send an email to 'tester at aol.com'. The subject
line will tell 'tester' your IP address. If 'tester' receives the email, a
big load of spam is sure to follow using the same hole.

  Johannes.



--
-------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System
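
A log check for the probe described above, as an added example that is not part of the original message: it flags FormMail requests whose recipient lies outside the site's own domains. The field layout (taken from the shape of the quoted log line), the OWN_DOMAINS set and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed field layout, matching the shape of the log line quoted in the post:
# date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "method", "stem", "query")
FORMMAIL = re.compile(r"/formmail(\.(pl|cgi))?$", re.IGNORECASE)
OWN_DOMAINS = {"example.org"}  # assumption: domains this site's forms may mail to

def parse_line(line):
    """Split one log line into named fields; None for comments or short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS) - 1:
        return None
    parts += ["-"] * (len(FIELDS) - len(parts))  # the query field may be absent
    return dict(zip(FIELDS, parts))

def formmail_probes(lines, own_domains=OWN_DOMAINS):
    """Yield (client_ip, recipient, subject) for FormMail requests that name
    a recipient outside own_domains, i.e. an attempt to relay mail."""
    for line in lines:
        rec = parse_line(line)
        if not rec or not FORMMAIL.search(rec["stem"]):
            continue
        params = parse_qs(rec["query"], keep_blank_values=True)
        subject = params.get("subject", [""])[0]
        for value in params.get("recipient", []):
            for addr in value.split(","):  # recipient may be a comma-separated list
                domain = addr.rpartition("@")[2].strip().lower()
                if domain not in own_domains:
                    yield rec["c_ip"], addr.strip(), subject

SAMPLE_LOG = [  # constructed sample lines, not taken from the original post
    "#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query",
    "2001-10-11 06:55:55 198.51.100.44 - 192.0.2.10 GET /cgi-bin/FormMail.pl "
    "email=tester@example.com&recipient=tester@example.com&subject=P80+192.0.2.10+7",
    "2001-10-11 07:01:02 203.0.113.9 - 192.0.2.10 GET /cgi-bin/formmail.pl "
    "recipient=webmaster@example.org&subject=Feedback",
    "2001-10-11 07:02:10 203.0.113.9 - 192.0.2.10 GET /index.html -",
]

if __name__ == "__main__":
    for hit in formmail_probes(SAMPLE_LOG):
        print("possible relay probe:", hit)
```

A hit whose subject carries the server's own address, as in the first sample line, matches the probe pattern described in the message.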
