[Dshield] Strange stuff?

Paul Marsh pmarsh at nmefdn.org
Fri Oct 12 12:15:11 GMT 2001


Cool thanx for the info, all of the out bounds are being stopped so this
human should move on to another system I hope.
What preventative, reactive measures should I be taking?

Thanx, Paul


-----Original Message-----
From: Johannes B. Ullrich [mailto:jullrich at euclidian.com]
Sent: Thursday, October 11, 2001 1:43 PM
To: 'Dshield (E-mail)
Subject: Re: [Dshield] Strange stuff?



On Thu, 11 Oct 2001, Paul Marsh wrote:

> Yesterday and this morning I've seen the following entries in my OWA IIS
> log.
>
> 2001-10-11 06:55:55 152.163.160.44 - 192.x.x.x GET /cgi-bin/FormMail.pl
> email=tester at aol.net&recipient=tester at aol.net&subject=P80+209.213.81.107+7


The 'formmail' cgi script is a commonly used script to send form
submissions via email to a web site owner/administrator.

However, the script allows the submitter to send email to any email
address, which basically makes it a nice tool to send out spam.

What you are seeing is a spammer probing your PC to see if formmail is
installed. Basically, the goal is to send an email to 'tester at aol.com'.
The subject line will tell 'tester' your IP address. If 'tester' receives
the email, a big load of spam is sure to follow using the same hole.

  Johannes.
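
A log check for the probe described above, as an added example that is not part of the original messages: it flags FormMail requests whose `recipient` lies outside the site's own domains. The field order is assumed from the quoted log line; the function name, the allowlist parameter and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed field order, matching the log line quoted in the thread:
# date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query
FORMMAIL_RE = re.compile(r"/formmail(\.pl|\.cgi)?$", re.IGNORECASE)

def find_formmail_probes(lines, local_domains):
    """Return (client_ip, recipient, subject) for FormMail requests whose
    recipient is outside local_domains (hypothetical allowlist)."""
    allowed = {d.lower() for d in local_domains}
    hits = []
    for line in lines:
        if line.startswith("#"):        # W3C header directives
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, stem = fields[2], fields[6]
        query = fields[7] if len(fields) > 7 else ""
        if not FORMMAIL_RE.search(stem):
            continue
        params = parse_qs(query, keep_blank_values=True)
        subject = params.get("subject", [""])[0]   # '+' is decoded to a space
        # recipient may hold several comma-separated addresses
        for value in params.get("recipient", []):
            for addr in value.split(","):
                domain = addr.rpartition("@")[2].strip().lower()
                if domain not in allowed:
                    hits.append((client_ip, addr.strip(), subject))
    return hits

# Constructed sample log lines (documentation addresses, not real data)
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query
2001-10-11 06:55:55 198.51.100.44 - 192.0.2.10 GET /cgi-bin/FormMail.pl email=tester@example.net&recipient=tester@example.net&subject=P80+192.0.2.10+7
2001-10-11 07:02:13 203.0.113.9 - 192.0.2.10 GET /cgi-bin/FormMail.pl email=visitor@example.com&recipient=webmaster@example.org&subject=Feedback
2001-10-11 07:05:40 203.0.113.9 - 192.0.2.10 GET /exchange/logon.asp -
""".splitlines()

if __name__ == "__main__":
    for ip, rcpt, subj in find_formmail_probes(SAMPLE_LOG, {"example.org"}):
        print(f"{ip} tried to relay to {rcpt} (subject: {subj!r})")
```

A hit on a host that does not serve FormMail at all is only a probe; on a host that does, the same recipient test belongs in the script's own configuration.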





