If you are using one, it's always best to change the name to something off-the-wall so spammers can't find it when they go fishing. Better yet, secure it when not being used. If you have an unsecure mail script and a spammer finds and uses it, your server could easily get blacklisted by the different spamlists which will make your legitimate mails bounce as different ISPs and hosts start refusing to take your emails.
Run the IP Number thru SpamCop (et al.) to ensure the correct ISP is located. Report that incursion (Formmail Queries are incursions) to the offending ISP immediately using the entire string(s) as the case may be.
>If you're not using a mail script, then it's just an irritant.
To you, the viewer of access_log files, perhaps. To your Host Provider, maybe not as they're the ones who could be left holding the bag, or being blacklisted.
Do you want to be known as the one who sent the UCE/SPAM?
UCE/SPAMers can make it actually originate from your Host Server if allowed to go unchecked. While this may not happen directly to you, rest assured it has and will continue to happen to 'someone' unless all Formmail Queries are reported directly to the offending ISP as well as uce@ftc.gov in an effort to close as many loopholes throughout the Internet as we can.
In the last year I've closed down 6 or 7 open relays and several proxy servers with this methodology. Keep in mind that not all machine operators 'know all there is to know' or 'care' about solid, protected configurations and as such can unwittingly become a participant in the UCE/SPAM network....which is just what these incursions look for...unwilling accomplices who'll say nothing, nor do anything - thus allowing this un-natural relationship to continue.
When I report, I use the addy(s) provided by the service/application as well as tagging on 'support', 'ipadmin', 'hostmaster', 'tech', 'postmaster' and the Federal one. Trust me, at least one of them is going to pay serious attention to your complaint, whereas the more standard 'abuse' may not receive the same attention.
Don't just blow these incursions off as a 'nothing' thing. Formmail Queries are very serious matters and should be handled accordingly.
To conclude: Yes! By all means ban them...after you've reported them :)
Pendanticist.
I'm just getting back to dealing with this problem and I've noticed more and more hits to formmail.cgi. I filtered my log report to only show me those IPs who have requested anything that ends in CGI. I came up with quite a few IPs over the last few months and especially in August where the only files they are requesting are *.CGI's.
I'm trying to understand the replies you posted. The only thing I get when I go to that part of my website is a message about Matt's Script Archives. I think I was trying a while ago to set up a Poll and an online form. You asked if I was using a mail script. Can you explain what this does? I have mailboxes set up with my host and any mail that I get from the website is redirected to my home computer where I've set up my website emails under a separate account. I don't believe this is a script. How would a script differ? Would the visitor be able to post the email message right at my website via a form? Sorry for the questions.
Back when I first posted this message I went to my control panel for my website and deleted the formmail.cgi. Somehow these IPs are still able to visit this page so I must have deleted the wrong file. Would deleting the file be all there is to it? Should I still ban all of these IPs - especially since the CGI files are the only files they visited?
And finally, will I ever be able to use CGI type files (if I ever learn all their uses) and how do you protect them from those wishing to Spam?
Thanks for any help!
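The log filtering described in the post above (clients that request nothing but CGI scripts) can be automated. This is an added example, not part of the original thread; it assumes Apache combined log format, and the sample lines are constructed using documentation IP ranges.

```python
import re
from collections import defaultdict

# Constructed sample lines (Apache combined log format, documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Aug/2003:03:12:01 +0000] "GET /cgi-bin/formmail.cgi HTTP/1.0" 200 512 "-" "-"
192.0.2.10 - - [14/Aug/2003:03:12:02 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [14/Aug/2003:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Aug/2003:09:00:05 +0000] "GET /cgi-bin/poll.cgi?id=3 HTTP/1.1" 200 900 "-" "Mozilla/4.0"
203.0.113.5 - - [15/Aug/2003:01:00:00 +0000] "GET /cgi-bin/FormMail.cgi?recipient=x HTTP/1.0" 200 512 "-" "-"
garbage line that does not parse
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
SCRIPT_EXT = (".cgi", ".pl")


def script_only_clients(log_text):
    """Return {ip: summary} for clients whose every request targeted a CGI script."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the report
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0].lower()  # drop query string, ignore case
        hits[ip].append((path, int(status)))

    report = {}
    for ip, reqs in hits.items():
        # Ordinary visitors also fetch pages and images; probes ask only for scripts.
        if all(path.endswith(SCRIPT_EXT) for path, _ in reqs):
            formmail = [(p, s) for p, s in reqs if "formmail" in p]
            report[ip] = {
                "requests": len(reqs),
                "formmail_probes": len(formmail),
                # A 200 on a formmail path means the script is still being served.
                "formmail_served": any(s == 200 for _, s in formmail),
            }
    return report


if __name__ == "__main__":
    for ip, info in sorted(script_only_clients(SAMPLE_LOG).items()):
        print(ip, info)
```

A `formmail_served` value of `True` is the case to act on first: the probe received a 200 rather than a 404, so the script is still on the server.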
>> I'm just getting back to dealing with this problem and I've noticed more and more hits to formmail.cgi.
yep, there was a small flood of them lately
>> The only thing I get when I go to that part of my website is a message about Matt's Script Archives.
- if that happens when you enter /cgi-bin/formmail.cgi (or formmail.pl) in your browser then you clearly have not deleted the file, otherwise you would get a 404 File Not Found error. Just do it.
>> I think I was trying a while ago to set up a Poll and an online form.
That's probably not related to the mail issue. Your host may have stored the formmail script on your domain for you, as a service, some hosts do that.
>> You asked if I was using a mail script. Can you explain what this does?
A mail script is basically a script that displays a form on an HTML page and sends what is entered into the form off to an email address.
>> I have mailboxes set up with my host and any mail that I get from the website is redirected to my home computer
No, that is not a mail script, no need to worry about those mailboxes.
>> How would a script differ?
To send to your mailboxes you just need to enter your email address in an email program like, say, Outlook. To send email to you using a script, you had to visit the webpage that displayed the form.
>> Would the visitor be able to post the email message right at my website via a form?
Yes, that's exactly what formmail (a mail script) does. Your host's mailboxes do not do this.
>> Sorry for the questions.
No problem ;)
>> Back when I first posted this message I went to my control panel for my website and deleted the formmail.cgi.
If you do not get that 404 error when you enter the address in your browser it's not deleted. It's a bullet proof check - if a 404 displays you have deleted it for sure.
>> Somehow these IPs are still able to visit this page
They will still be able to request the file and the requests will still show up in your log files, but all they will get if it's deleted are "404 page not found" errors.
>> so I must have deleted the wrong file.
Perhaps your file does not end in ".cgi" but in ".pl" instead. If you have both, delete both.
>> Would deleting the file be all there is to it?
Yes, see also the answers posted to your other thread:
[webmasterworld.com...]
>> Should I still ban all of these IPs - especially since the CGI files are the only files they visited?
That's answered in the other thread I believe.
>> And finally, will I ever be able to use CGI type files
Yes of course, no problem. Deleting one html file does not stop you from using them again, does it? CGI's are the same thing, they're just able to do a bit more than html.
>> and how do you protect them from those wishing to Spam?
That all depends on which script you are using. There's some advice in the other thread already, the most obvious being renaming the file.
You can also modify the script so that it can only send when activated from your domain, or can only send to addresses that are approved by you in advance, or can only be used by people having certain browsers or (not) having certain IP-ranges. There are a lot of opportunities, but it requires some modification of the script itself.
Here's a more secure version of the old formmail script by the way:
[nms-cgi.sourceforge.net...]
/claus
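Two of the restrictions listed in the reply above (send only when activated from your own domain, send only to pre-approved addresses) can be expressed as a check that runs before any mail is sent. This is an added example, not code from the thread or from any formmail script; the host names, addresses and the `check_submission` function are hypothetical, and the line-break check goes beyond what the reply lists.

```python
from urllib.parse import urlsplit

# Assumed site settings for this example (hypothetical values).
ALLOWED_REFERER_HOSTS = {"www.example.com", "example.com"}
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}
HEADER_FIELDS = ("recipient", "email", "subject")  # fields copied into mail headers


def check_submission(referer, fields):
    """Return (ok, reason) for a form-to-mail request before any mail is sent."""
    # 1. Accept only posts whose Referer is a page on our own site.
    #    The header is supplied by the client, so treat this as a filter
    #    against casual probes, not as the main control.
    host = urlsplit(referer or "").hostname or ""
    if host not in ALLOWED_REFERER_HOSTS:
        return False, "referer not from this site"

    # 2. Reject line breaks in anything that ends up in a mail header,
    #    so one field cannot smuggle in extra headers.
    for name in HEADER_FIELDS:
        value = fields.get(name, "")
        if "\r" in value or "\n" in value:
            return False, "line break in header field"

    # 3. Send only to addresses approved in advance. A comma-separated
    #    list is rejected if any single entry is not on the list.
    recipients = [r.strip().lower() for r in fields.get("recipient", "").split(",")]
    if any(r not in ALLOWED_RECIPIENTS for r in recipients):
        return False, "recipient not approved"

    return True, "ok"


if __name__ == "__main__":
    page = "http://www.example.com/contact.html"
    print(check_submission(page, {"recipient": "webmaster@example.com"}))
    print(check_submission("", {"recipient": "webmaster@example.com"}))
    print(check_submission(page, {"recipient": "someone@elsewhere.test"}))
```

Of the three checks, the recipient list is the one that keeps the script from being used as a relay even when the Referer header is forged.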
Creating the website last year and building it to what it is today has been a big accomplishment for me. I've set some goals for myself this year which is to create a database and learn more about scripts so I'll have to snoop around in the archives here.
Again, I appreciate all the help!
I searched for this and found a demo (Sphera is apparently a Japanese firm) and the manual as well. It seems that this is a "feature" of the Sphera system. Not a very good feature, but still a feature. The formmail script is simply built-in and I suppose it gets restored from a backup if it gets deleted.
That's very bad, as this way you cannot delete it or rename it, it will always be there. Plus you have no control over which version is used, so you can't be sure about your own security.
You'll have to look through your control panel to find the "Installed ValueApps" list and then somehow disable it there. After that, delete the file. It should be available through the "Collaboration" tab/section - I did not understand the Japanese demo, this is what the manual suggests. If you cannot do this, your host will need to do it for you.
Also, I'd email your host and suggest they disable the FormMail part by default, as it will get them more problems than customer satisfaction.
/claus
I found what you were talking about in my File Manager. I found a Guestbook installed ValueApp in there that must be the problem. The Formmail.cgi restored itself again last night so I deleted it again this morning. I do recall now trying to figure out how to do a Guestbook since the one I currently have is a free version that has pop-ups. I never did have the time to figure out the Guestbook! I will notify my host about your suggestions. Thanks.
Update: Apparently the Guestbook is not the culprit and the problem is what you first suggested which is a default file that gets restored every night as a Kron (sp?) job. My host created a zero byte, zero permission file and named it formmail.cgi and said this should do the trick. Also, they said if I ever want to use a script in the future that I could name it a different name.