
Bot using form mail?


itrainu

5:41 pm on Jun 1, 2003 (gmt 0)

10+ Year Member



I received an email from the mailer-daemon that a message I was trying to send had not been delivered for 24 hours...and then the same message after 48 hours.

Problem is, I didn't try to send that message! As I read through the attached message I got the idea that it was someone or something attempting to send mail through a cgi mail form on my website - there is not one so perhaps this is why it failed. The return address was set to none@ my domain name...which is not valid.

Here is the body of the returned message:
******
The message identifier is: 19LTds-0000C8-00
The subject of the message is: Ignoreto: Spankyparade@o2.plBEGINABCDFORMMAILwww.mydomain.ca/cgi-sys/formmail.plTSTSendMailTSTENDABCD.
The date of the message is: Thu, 29 May 2003 16:04:52 -0400

The address to which the message has not yet been delivered is:

none@www.mydomain.ca
Delay reason: lowest numbered MX record points to local host
********
I use a robots.txt file but I am not sure that this is a "spider". I would like to be sure that such efforts in the future cannot succeed.

Thanks!

itrainu

guillermo5000

8:33 pm on Jun 1, 2003 (gmt 0)

10+ Year Member



It would seem that cgi-sys on your system does contain formmail.pl.

If you do not have access to the cgi-sys directory, it may be a script that your sys admin has installed for system wide use.

Try putting the URL to the script in your browser's address field and see if you get a response from the script.

If you do, you need to contact your sys admin and have them use a more secure script.

This will cause your email address or IP to get blackholed.

rbs10025

8:34 pm on Jun 1, 2003 (gmt 0)

10+ Year Member



formmail.pl is a notoriously insecure e-mail CGI which has been heavily used by spammers seeking to disguise their origins. It was originally written c. 1995 and was freely available from a Perl CGI script archive, so ended up being installed on many sites.

At one time (last year) my office website was seeing on the order of 100-150 hits a day from people checking to see if formmail.pl was installed. Think how bad things might have been if they'd actually found it.

itrainu

12:16 am on Jun 2, 2003 (gmt 0)

10+ Year Member



Aha - you are both correct ;-) I entered the URL [mydomain.ca...] and this is what I received:

FormMail-Clone
This is FormMail-clone, a clone of FormMail.cgi. It is a clean room version for legal purposes (a less restrictive license), but should behave the exact same way as Matt Wright's Original, but contain none of his code.

I have filed a help desk response (this is issue #2 today!) but have yet to hear back.
Looks like I might need to be shopping around for a new host. If you know of a good, inexpensive host that provides raw traffic logs, a handful of email addresses, please feel free to sticky me. I am currently paying $12.99 US which is pretty inexpensive compared to what we have around here :-)

itrainu

carfac

4:26 am on Jun 2, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



One quite simple way to deal with this - if you intend to actually use the script - is to rename it to a new (and whacky!) name. Then you know the name, but it is not the "normal" name.

Otherwise, just delete it and be done with it!

dave

guillermo5000

4:57 am on Jun 2, 2003 (gmt 0)

10+ Year Member



I just sent you my Web host by sticky mail. :-))

wilderness

5:01 am on Jun 2, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Some webhosts have a protection in place which only allows the script to run from within the domain.

Although I've read of instances where the clone is still vulnerable, I've yet to see it occur.

This is a sensitive subject in this open forum which is indexed by search engines :( and monitored by (from past experience) some not so honorable lurkers. :(

wkitty42

5:25 am on Jun 3, 2003 (gmt 0)

10+ Year Member



wilderness,

to say the least... for those that really care, rockstar, you are included if you care, too... i've been keeping a manually generated log from all formmail.* and mailto.* scans of my system... if you are interested, and if the moderators allow it, the url is

[wpusa.dynip.com...]

the interesting part is the pattern followed and how persistent these guys are... the funny part is that i have never had a formmail or mailto script or program on my site... the most funny part is that they seem to assume that my site is running winsomething software...

sorry guys, but that will /never/ happen :wink:

wilderness

6:01 am on Jun 7, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



31 attempts at most any variation you can imagine :)

168.9.253.251 - - [06/Jun/2003:21:45:07 -0700] "POST /cgi-bin/FormMail HTTP/1.0" 404 - "http://mydomain.com" "Mozilla/4.06 (Win95; I)"
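As an added example (not code from any poster in this thread), here is a defender-side script in the spirit of wkitty42's manually kept log: it parses Apache combined-format access-log lines like the one above and reports, per source IP, how many formmail.*/mailto.* probes arrived and whether any of them got a 200, which is the case that means a script actually answered. The sample log lines are constructed for the example; the first one is the line quoted in this thread.

```python
import re

# Apache/NCSA combined log format, the same shape as the line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Script names the thread's participants saw probed: formmail.* and mailto.*, any case.
PROBE_RE = re.compile(r'/(formmail|mailto)[^/]*$', re.IGNORECASE)

# Constructed sample log: one real line from the thread plus invented follow-ups.
SAMPLE_LOG = """\
168.9.253.251 - - [06/Jun/2003:21:45:07 -0700] "POST /cgi-bin/FormMail HTTP/1.0" 404 - "http://mydomain.com" "Mozilla/4.06 (Win95; I)"
168.9.253.251 - - [06/Jun/2003:21:45:09 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 - "http://mydomain.com" "Mozilla/4.06 (Win95; I)"
192.0.2.10 - - [06/Jun/2003:22:01:13 -0700] "GET /cgi-sys/formmail.pl HTTP/1.0" 200 1532 "-" "Mozilla/4.06 (Win95; I)"
192.0.2.10 - - [06/Jun/2003:22:01:20 -0700] "POST /cgi-bin/mailto.cgi HTTP/1.0" 404 - "-" "Mozilla/4.06 (Win95; I)"
198.51.100.7 - - [06/Jun/2003:22:05:41 -0700] "GET /index.html HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_probes(lines):
    """Return the parsed records whose request path targets a formmail/mailto script."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        # Strip any query string before matching the script name.
        if rec and PROBE_RE.search(rec["path"].split("?", 1)[0]):
            hits.append(rec)
    return hits


def summarize(lines):
    """Per source IP: probe count, paths tried, and whether any probe was answered (HTTP 200)."""
    summary = {}
    for rec in find_probes(lines):
        entry = summary.setdefault(rec["ip"], {"attempts": 0, "answered": False, "paths": []})
        entry["attempts"] += 1
        entry["paths"].append(rec["path"])
        if rec["status"] == "200":
            entry["answered"] = True  # a script responded: this is the case to act on
    return summary


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG.splitlines()).items():
        flag = "SCRIPT ANSWERED" if info["answered"] else "all rejected"
        print(f"{ip}: {info['attempts']} probe(s), {flag}: {', '.join(info['paths'])}")
```

Run it against a real access log with `summarize(open("access_log").readlines())`; an IP flagged as answered means a mail script on the host responded to the probe and should be removed or renamed as the posters above suggest.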