Not unless you have a friend at the university who made a few attempts and then sent you an e-mail saying "Hey, thought you'd like to know I was able to hack into your formmail script. You should update it to a more secure version or replace it, and then rename it to something a little more obscure."
Block 'em and report 'em - with extreme prejudice.
Jim
Ditto the above. I'd add to that, if you don't agree with their 'security testing' they shouldn't do it either in the first place...
That's part of the rub, jeremy. You see, the Network Security person has attempted to minimalize my complaint.
Let me explain.
When I file my complaints, I always title them:
I make no distinction between query, probe, attack, or attempt. In my mind, they are synonymous.
Here are chronological excerpts from two communications which took place yesterday (Monday, December 16, 2002).
Note: italicized text (shown here between asterisks) depicts my words and normal text those of the lone respondent.
Is there any evidence that this is specifically an attack?
*Sounds like a question of semantics. What else might you call this, but an attack?*
It could be an accident. In any case, if you wish to discuss semantics, what you detected was likely a probe, not an attack.
*Quite the contrary, they are looking for flaws which would allow them to send UCE/SPAM from my host server.*
Except for people who intentionally use and allow formmail access, and of course are either willing to live with the risks, or have patched their versions.
*That's what I thought you were getting at. In other words, if one has formmail capability they have to accept the risk that some bottom feeder will eventually attempt to send UCE/SPAM from their domain. And, if they (the UCE/SPAMers) are successful, so what? Right?*
The get on formmail.pl seemed to succeed, if 200 is the return code. Do you have a warning script in its place, or are you actually using formmail.pl?
*No. I run a honey pot of sorts. In fact, I don't even have cgi-bins on my server. I just like to sit around and ambush bottom feeders who, uh, 'probe', as you've put it.*
Unless you can make some sort of case as to why this is in fact an attack, we probably won't be able to act on it. If there's some sort of frequent repetition, or if there's an attempt at DDOS, please send E-mail to 'blahblah'.
*There is no other purpose for formmail queries than to find a vulnerable server from which to spew out UCE/SPAM on the Internet. None. And you know it.*
But just defining a GET request of /cgi-bin/formmail.pl is perhaps unusual, but we've checked our flows and the machine doesn't appear to be scanning in the traditional sense, or doing anything that we can see as unusual for a desktop workstation or web server.
*Traditional sense? What kind of gibberish is that? Let's face it. Someone 'probed' me and you're justifying it.*
*I cannot tell you how disturbing it is to have a representative of 'Blah Blah' University minimalize what is/was clearly an attempt by someone from your facility to execute this 'probe' and for you to, in effect, tell me it's my fault.*
*I truly hope this is not the kind of ethics prevalent at 'Blah Blah' University.*
Later, 'Respondent's Name Goes Here'
*No, 'Respondent'. I think our conversation is over.*
Shortly after I sent the last message to 'Respondent', (I don't even wish to disclose gender here) I forwarded it to members of the Faculty Senate, Board Members, the Campus News Service and for good measure threw in Hostmaster and Postmaster with my personal view of the event.
I've received no further communications, not even a bounce.
Does that sound seasonally lyrical to you, or is it just me? Yeaahh....not a creature was stirring...
While you folks mull this over, there's a package of (26/30 per pound) Black Tiger Shrimp and an Oriental Stir Fry (...from the Valley of the Jolly, Ho, Ho, Ho...) package in my freezer that has my name written alllllllll over it.
Pendanticist.
Just a few minutes ago I heard from 'Respondent'. It seems that the Hostmaster has forwarded my accounting of ("Is Blah Blah University a haven for UCE/SPAMers?") to him/her/them/it.
This is "Respondent's" reply:
So apparently since our conversation was over, you decided you didn't like the answer, and went elsewhere. I'll have to give you points for persistence, but you'd lose those and more on the irrationality of your argument. But we'll just agree to disagree on your view of formmail queries, since there's really no need to continue that argument again. I will say that your complaint was investigated, and it did not meet our criteria of an attack, that would justify any action against the person who committed it.
We've verified with the individual that it was an accident, and that is the end of things as far as we are concerned. It was not even a probe, but as I stated in my original reply to your message, an accident which happens occasionally on the internet. If you have any further security issues or commentary, please send them to security@net.Blah Blah.edu, our group E-mail address.
I wish more Webmaster World members and viewers would weigh in on this.
Pendanticist.
It seems quite clear to me that
"Respondent" most likely = "Perpetrator"
:-)
There is no such thing as an erroneous formmail probe, certainly not if no path to a formmail script is embedded in your web page and was the origin of their request .. it is unauthorised searching for an exploitable weakness ..
Hey, around here it's once bitten, twice shy.
The moment I see a formmail query the offending IP is immediately banned in my .htaccess file.
As I used to say in the Marine Corps.
"I walk my post from flank to flank, and take no feces from any rank."
Pendanticist.
[edited by: pendanticist at 1:08 am (utc) on Dec. 18, 2002]
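One way to automate the .htaccess ban described in the post above, as an added example that is not code from the thread or from any poster: it scans Apache combined-format access-log lines for any request to a formmail script (regardless of response code, since a honeypot may answer 200) and renders Deny lines. The log lines are constructed samples using documentation IP ranges; the Apache 2.2 Order/Allow/Deny syntax is assumed, as in the thread's era.

```python
import re
from collections import Counter

# Constructed sample log lines (Apache combined format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2002:14:02:11 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [16/Dec/2002:14:03:40 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2002:14:02:12 -0500] "GET /cgi-bin/FormMail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [16/Dec/2002:15:10:05 -0500] "HEAD /cgi-bin/formmail.cgi HTTP/1.1" 404 0 "-" "-"
198.51.100.23 - - [16/Dec/2002:15:11:00 -0500] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client IP, request line (method + path) and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Any path ending in formmail, formmail.pl or formmail.cgi (case-insensitive), with or without a query string.
FORMMAIL_RE = re.compile(r'/formmail(\.pl|\.cgi)?(\?|$)', re.IGNORECASE)


def formmail_probes(log_text):
    """Return {ip: hit_count} for every request whose path targets a formmail script.

    The response status is deliberately ignored: on a host that serves a decoy
    page at that path, a 200 is still a probe, which is the policy in the post.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format requests
        if FORMMAIL_RE.search(m.group("path")):
            hits[m.group("ip")] += 1
    return dict(hits)


def htaccess_deny_block(ips):
    """Render an Apache 2.2-style block that denies the given IPs and allows everyone else.

    With 'Order Allow,Deny', a Deny match wins over the blanket Allow.
    (Apache 2.4 uses 'Require all granted' / 'Require not ip' instead.)
    """
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in sorted(ips)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(htaccess_deny_block(formmail_probes(SAMPLE_LOG)))
```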
Well, if it has stopped there is no problem. As it is a university, it sounds to me from that quoted reply you posted that it may well have been a student messing around.
No offense, but this sounds like minimalizing. Also, the offender was identified (in my post) as an individual, not a student.
As someone posted, make the formmail as secure as possible and then ignore the probes.
Why should I ignore the probes? Surely you don't believe ignoring these events will make them go away.
If folks want a reduction in the amount of UCE/SPAM in their mailboxes, this is my way of doing it.
As I said... (in part):
In fact, I don't even have cgi-bins on my server. I just like to sit around and ambush bottom feeders...
I maintain a zero tolerance position with respect to these events. Period.
Pendanticist.