VetteMan
08-09-2001, 04:27 AM
I was looking through my apache logs and I noticed the following entries thousands of times:
4.40.171.249 - - [09/Aug/2001:02:29:59 -0600] "GET /cgi-bin/formmail.pl?email=E10950@berkscounty.com&recipient=jzukas@aol.com,
stickman2@aol.com,noxacidum@aol.com,rnzir1@aol.com,
mailclerk@aol.com,&subject=Home+Based+Business++++++++
+gb
I figured they were exploiting my formmail script so I removed all formmail scripts from the server and it still continues!
Isn't it odd that these are showing up in the Apache files?
How can I stop this....help!
WebSnail.net
08-09-2001, 04:51 AM
I've not actually experienced this myself (yet) but it sounds like a part solution is adding in a subroutine in your formmail.pl that checks for the referrer calling the script and only allows a validated call through (i.e. one from your own domains or IP)...
I honestly can't remember how to do this without spending ages looking back through my own stuff but I'm sure someone can help you out... At worst you could take a look at www.cgi-resources.com for a more secure formmail alternative.
Hope that helps
VetteMan
08-09-2001, 04:59 AM
The problem is that I completely removed all formmail scripts from the server and it continues to happen. It's like they are running the script locally and somehow using port 80 to execute it.
Michael-MS
08-09-2001, 08:41 AM
Originally posted by WebSnail.net
I've not actually experienced this myself (yet) but it sounds like a part solution is adding in a subroutine in your formmail.pl that checks for the referrer calling the script and only allows a validated call through (i.e. one from your own domains or IP)...
I honestly can't remember how to do this without spending ages looking back through my own stuff but I'm sure someone can help you out... At worst you could take a look at www.cgi-resources.com for a more secure formmail alternative.
Hope that helps
You can also hard-code the recipient into the formmail script.
>> Search for the following line:
print MAIL "To: $Config{'recipient'}\n";
>> Replace it with:
print MAIL "To: you\@yourdomain.com\n";
Chicken
08-09-2001, 09:13 AM
You've removed formmail, and I'm guessing you've made sure there isn't a copy in the directory on that site, but is there the possibility that your user is uploading formmail for a short time, then removing it?
Bob S..
08-09-2001, 09:30 AM
Originally posted by VetteMan
I figured they were exploiting my formmail script so I removed all formmail scripts from the server and it still continues!
Isn't it odd that these are showing up in the Apache files?
How can I stop this....help!
I've been through this twice now. The spammer is using an automated script to do the sending, and it may take hours before he realizes that you have removed formmail from your server and stops hammering it.
If you want to verify for yourself that he isn't actually accessing some hidden copy of formmail that you overlooked, just cut and paste one of the urls the spammer is using from your apache logs into your browser and see what it gets you. Don't forget to edit out everything after "recipient".
You can also just use htaccess to block the spammer's IP.
-Bob
gnorthey00
08-09-2001, 11:49 AM
I would also do a search with ARIN and get the IP block admin and contact them, as well as anyone else whose info you might be able to dig up.
VetteMan
08-10-2001, 12:53 AM
Originally posted by Bob S..
I've been through this twice now. The spammer is using an automated script to do the sending, and it may take hours before he realizes that you have removed formmail from your server and stops hammering it.
If you want to verify for yourself that he isn't actually accessing some hidden copy of formmail that you overlooked, just cut and paste one of the urls the spammer is using from your apache logs into your browser and see what it gets you. Don't forget to edit out everything after "recipient".
You can also just use htaccess to block the spammer's IP.
-Bob
You hit this exactly on the head. Since I was only concentrating on the access logs, I was still seeing the entries even though it wasn't executing the script since it was no longer there. Looking in the error logs they were getting a file not found.
I thought I was somewhat safe from this because I did have the recipient address hard coded in the script but they were able to exploit that. Anyone using formmail I would highly recommend getting a patched version which uses a separate file for recipients at
http://www.mailvalley.com/formmail/
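Added example (not from the thread): a Python triage pass over Apache access-log lines that does what Bob and VetteMan describe by hand, picking out formmail.pl hits whose recipient list goes off-domain and separating 200s (a live copy actually ran) from 404s (the script is gone but the bot keeps hammering). The sample lines, IPs and addresses are constructed, and OUR_DOMAIN is an assumption.

```python
# Triage Apache access-log lines for FormMail relay attempts (added example).
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

OUR_DOMAIN = "example.com"   # assumption: the only domain the form should mail to

# Constructed sample log lines (documentation IPs, placeholder addresses).
SAMPLE = [
    '198.51.100.9 - - [09/Aug/2001:02:29:59 -0600] "GET /cgi-bin/formmail.pl?email=x@example.net'
    '&recipient=a@aol.example,b@aol.example,&subject=Home+Based+Business HTTP/1.0" 404 294',
    '198.51.100.9 - - [09/Aug/2001:02:30:01 -0600] "GET /cgi-bin/formmail.pl?email=x@example.net'
    '&recipient=c@aol.example&subject=Spam HTTP/1.0" 200 1043',
    # A legitimate POST: the recipient field is in the body, which the access log never records.
    '203.0.113.7 - - [09/Aug/2001:03:00:00 -0600] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512',
    '203.0.113.8 - - [09/Aug/2001:03:01:00 -0600] "GET /index.html HTTP/1.0" 200 2048',
]

# Apache common/combined log prefix: ip ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Split one log line into fields; returns None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qs(url.query, keep_blank_values=True)
    return rec

def external_recipients(params):
    """Addresses in the recipient= parameter that are not on OUR_DOMAIN."""
    raw = ",".join(params.get("recipient", []))       # FormMail takes a comma list
    addrs = [a.strip() for a in raw.split(",") if a.strip()]
    return [a for a in addrs if not a.lower().endswith("@" + OUR_DOMAIN)]

def triage(lines):
    """Per source IP: HTTP status counts and off-domain targets of formmail.pl hits."""
    report = defaultdict(lambda: {"status": Counter(), "targets": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].endswith("/formmail.pl"):
            continue
        ext = external_recipients(rec["params"])
        if not ext:            # on-domain or no recipient in the URL: nothing to flag
            continue
        entry = report[rec["ip"]]
        entry["status"][rec["status"]] += 1   # 200 = script ran, 404 = already removed
        entry["targets"].update(ext)
    return report
```

Any IP with a non-zero 200 count is the one to worry about, since that means a copy of the script was still live when the request came in; the 404 hits are the tail Bob describes.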
Michael-MS
08-10-2001, 11:29 AM
Originally posted by VetteMan
I thought I was somewhat safe from this because I did have the recipient address hard coded in the script but they were able to exploit that. Anyone using formmail I would highly recommend getting a patched version which uses a separate file for recipients at
http://www.mailvalley.com/formmail/
If you hard-code the recipient within the actual script, there's no way that they can get around it. They'd have to modify the actual script and obviously they don't have permission to do that.
Anyway, I know for a fact that it works because I receive all of the spam instead of it being sent out. :D
B-Broker
08-10-2001, 06:54 PM
It's probably ***** ;)
Better email them and tell them to stop!
MasterMindz
08-10-2001, 06:56 PM
Originally posted by B-Broker
It's probably ***** ;)
Better email them and tell them to stop!
:laugh: I was thinking the same thing!