Microsoft URL Control

POST to formmail.cgi all day long

idiotgirl

3:43 am on Feb 3, 2002 (gmt 0)

I've been bombarded by multiple requests such as:

64.175.108.44 - - [02/Feb/2002:09:32:39 -0500] "POST /cgi-bin/formmail.cgi HTTP/1.1" 200 813 "-" "Microsoft URL Control - 6.00.8862"

Over and over - asking for the same file, repeatedly, through one domain after another. Every one is a "POST" call. The IP varies just a little, but is from the same block.

I know just awhile back there was something suspicious with formmail.pl calls - some kind of hack attempt that was everyplace - but this is different because of the Microsoft URL Control in the string. This wasn't there during the last 'formmail' outbreak.

FWIW - none of the sites being queried have formmail.cgi in their bins.

Marcia

3:46 am on Feb 3, 2002 (gmt 0)

Yes, there was a hole in formmail.pl and people's sites were being used to send spam mail to multiple random AOL addresses. It happened to a few people here.

Bertie Bassett

11:03 am on May 19, 2002 (gmt 0)

hmmm.. yes we are still being spammed, I have updated the formmail from monkey.com,
FormMail Version 1.9s-p7
Modified 02/24/02 00:34:00 PST

but still getting spammed by the look of our web log.

Any ideas? What should I do? Any help appreciated.

>>>>snip from web log>>>>>

www.mydomain.com 63.42.241.225 - - [19/May/2002:11:28:48 +0100] "GET /cgi-bin/formmail.cgi?

NOTE: URL for formmail.pl download not necessary, removed the extra text for sideways scrolling ~Marcia

(edited by: Marcia at 1:32 pm (utc) on May 19, 2002)

bobriggs

1:09 pm on May 19, 2002 (gmt 0)

I'm not sure what the new security updates do, but the best thing you can do is to rename the file formmail to something obscure, like 'xxyaw2'. The bots are going around looking for formmail, FormMail, with .pl and .cgi as an extension.

Allowing only the POST method doesn't look like it will work because of the Microsoft URL Control post by idiotgirl.

Also, if the formmail will only be going to one contact, the 'recipient' field can be hardcoded.

idiotgirl - I would double-check that formmail is not in any cgi-bin on your server - That post that you mentioned gives a 200 OK response, where if it weren't found it would return 404.

Marcia

1:30 pm on May 19, 2002 (gmt 0)

>Also, if the formmail will only be going to one contact, the 'recipient' field can be hardcoded.

It's open source, and there are a couple of improved versions out that don't even have the email address for the recipient in the form. One uses an alias and is configured through the script (which still has to be re-named). It specifies right in the form which domains the mail can be sent from and to - so it can only technically go to the recipient, or recipients specified in the script.

The other uses a simple two-liner config text file that's referenced in the script. So neither of those has the recipient on the HTML page itself, and both have some added functionality and security as well. They're both at sourceforge.net

This has been discussed widely this past week on email lists, people are getting hit left and right.

richlowe

5:06 pm on May 20, 2002 (gmt 0)

Formmail is full of holes. Some routines check the referrer field, others check other things. But there really is not a really good way to prevent a formmail or formmail-like cgi routine from being used to spam. The mail routines that I use check referrer to be from my site, don't allow blank referrers and only allow one post an hour from the same IP.

Richard Lowe
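An added example, not code from the thread or from FormMail itself: a Python checker that applies the heuristics the posters describe to a web log in the combined format quoted above. It flags a 200 where a 404 was expected (bobriggs' point that the script really exists), the "Microsoft URL Control" client idiotgirl saw, blank or off-site referers, and more than one post an hour from one IP (richlowe's rule). The sample log lines after the first, the host www.example.com and the address 192.0.2.10 are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Apache combined log format, optionally prefixed by a vhost name (as in the thread's second quoted line).
LOG_RE = re.compile(
    r'^(?:\S+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
FORMMAIL_RE = re.compile(r'/formmail\.(?:pl|cgi)', re.IGNORECASE)  # bots try both names and extensions

def parse_line(line):
    """Split one log line into fields; returns None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    ts = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["hour"] = ts.strftime("%Y-%m-%d %H")  # bucket for the per-IP hourly limit
    return rec

def find_formmail_abuse(lines, site_hosts, per_hour_limit=1):
    """One finding per FormMail request, with the reasons it was flagged."""
    hits = [r for r in map(parse_line, lines) if r and FORMMAIL_RE.search(r["path"])]
    per_ip_hour = Counter((r["ip"], r["hour"]) for r in hits)
    findings = []
    for r in hits:
        ref_host = re.sub(r'^https?://([^/]+).*$', r'\1', r["referer"]).lower()
        reasons = []
        if r["status"] == 200:                 # 200 rather than 404: the script really exists
            reasons.append("script-present")
        if r["agent"].startswith("Microsoft URL Control"):
            reasons.append("automated-client")
        if r["referer"] in ("", "-") or ref_host not in site_hosts:
            reasons.append("bad-referer")      # blank or off-site referer
        if per_ip_hour[(r["ip"], r["hour"])] > per_hour_limit:
            reasons.append("rate-exceeded")    # more than one post an hour from one IP
        if reasons:
            findings.append({"ip": r["ip"], "status": r["status"], "reasons": reasons})
    return findings

# Constructed sample log: the first line is the one quoted in the thread, the
# others are made up (192.0.2.10 and www.example.com are placeholders).
SAMPLE_LOG = [
    '64.175.108.44 - - [02/Feb/2002:09:32:39 -0500] "POST /cgi-bin/formmail.cgi HTTP/1.1" 200 813 "-" "Microsoft URL Control - 6.00.8862"',
    '64.175.108.44 - - [02/Feb/2002:09:41:12 -0500] "POST /cgi-bin/formmail.cgi HTTP/1.1" 200 813 "-" "Microsoft URL Control - 6.00.8862"',
    '64.175.108.51 - - [02/Feb/2002:09:33:02 -0500] "POST /cgi-bin/FormMail.pl HTTP/1.1" 404 291 "-" "Microsoft URL Control - 6.00.8862"',
    'www.example.com 192.0.2.10 - - [02/Feb/2002:10:15:07 -0500] "POST /cgi-bin/xxyaw2.cgi HTTP/1.1" 200 1021 "http://www.example.com/contact.html" "Mozilla/4.0 (compatible; MSIE 5.5)"',
]
```

The last sample line is a post to a script renamed as bobriggs suggests; it never matches the probe pattern, so only the three FormMail requests are reported.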