
Formmail exploit hunter(s) out again

Mozilla/4.06 (Win95; I) ++ Mozilla/4.0 (compatible; MSIE 5.5; Windows N


claus

12:56 pm on Aug 2, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Lately, i've had quite a few visits looking for formmail holes:

/cgi-bin/FormMail.pl
/cgi-bin/formmail.pl
/cgi-bin/FormMail.cgi
/cgi-bin/formmail.cgi
/formmail.php

- i haven't seen the third before, but somebody must have ported Matt's old code to PHP i guess. UA strings differ as well as IPs; perhaps there are more than one, if not just one spoofing big time.

I do not believe these are browsers, and there are some strange coincidences across UAs and IPs. Watch for similarities in these three groups, and compare with the odd whois findings:


1)

IPs: 67.118.215.31
UA: Mozilla/4.06 (Win95; I)
REFERRER: www.my-site.com (spoofed)

/cgi-bin/FormMail.pl
/cgi-bin/formmail.pl
/cgi-bin/FormMail.cgi
/cgi-bin/formmail.cgi

2)

IPs: 163.28.4.1, 159.148.95.15,
UA: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
REFERRER: www.my-site.com (spoofed)

/cgi-bin/FormMail.pl

3)

IPs: 200.41.4.3, 163.28.4.1
UA: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
REFERRER: www.my-site.com (spoofed)

/formmail.php


WHOIS INFO:

1) 67.118.215.31:

Pac Bell Internet Services PBI-NET-10 (NET-67-112-0-0-1)
67.112.0.0 - 67.127.255.255
PPPoX Pool rback9.scrm01 SBC067118212000020522 (NET-67-118-212-0-1)
67.118.212.0 - 67.118.215.255

2a) 163.28.4.1:

inetnum: 163.28.0.0 - 163.28.255.255
netname: TANET
descr: Taiwan Academic Network
descr: Ministry of Education computer Center

2b) 159.148.95.15:

inetnum: 159.148.0.0 - 159.148.255.255
netname: LATNET
descr: Internet Service Provider
descr: Riga, Latvia

3a) 200.41.4.3:

inetnum: 200.41.0/17
status: allocated
owner: ARIN - American Registry for Internet Numbers
ownerid: US-ARIN-LACNIC
responsible: ARIN ATTN: Registration Services Group

3b) 163.28.4.1:

inetnum: 163.28.0.0 - 163.28.255.255
netname: TANET
descr: Taiwan Academic Network
descr: Ministry of Education computer Center


Related:

Here's the spidertrap thread: [webmasterworld.com...]
- and the follow-up: [webmasterworld.com...]

Not related? Yes they are - replace the name "trap.pl" with "formmail.pl".

A rewrite condition in .htaccess like this one might be more efficient, as this could be just one very-very talented spoofer:

RewriteCond %{REQUEST_URI} (mail.?form|form|form.?mail|mail|mailto)\.(cgi|exe|pl|asp|php)$ [NC,OR]

Thanks to balam for this syntax (post 38 in ACTP.HBL part 2) [webmasterworld.com]

/claus

cyberkat

1:01 pm on Aug 2, 2003 (gmt 0)

10+ Year Member



Found this page on formmail hacking. This site calls its page the hall of shame. Look like those poor guys had it. But looking at their page. Boy have they been hit. Looks as though there is a pattern with there hits. Maybe you all need to compare notes?

[achildscry.org...]

claus

1:32 pm on Aug 2, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



cybercat, i get the "403 Forbidden" when trying your link. I cannot even connect to the main site, but it's visible from G's cache. Are you sure you didn't just get me into a spider-trap by requesting that link using the wrong referrer?

Anyway, more info on that site here: [derkeiler.com...]

/claus

cyberkat

2:02 pm on Aug 2, 2003 (gmt 0)

10+ Year Member



Try it now.

claus

4:16 pm on Aug 2, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



you're right, they must be popular... didn't see many entries using the main domain as referrer though, plus they seem to go straight ahead and pass parameters to the supposed file instead of just checking if it exists... seems a bit stupid, as they risk wasting their email addys on it... well, it's probably not theirs anyway...

<edit>typos</edit>

balam

6:13 pm on Aug 2, 2003 (gmt 0)

10+ Year Member



I went through that form-mail exploit page (nice find!), and have updated the RewriteCond to catch all the variants the previous version would have missed, plus added a bit more "power" to it...


RewriteCond %{REQUEST_URI} (.?mail.?form|form|(GM)?form.?.?mail|.?mail)(2|to)?\.?(asp|cgi|exe|php|pl|pm)?$ [NC,OR]

claus, I saw you added the .asp & .php suffixes, cool, and I've also added .pm (perl module). Haven't seen it, but someone will try it sooner or later...

After looking at the exploit page, I see it's worth it to make the whole file extension optional. Two ?s in the right place (in bold) fixes that.

Spammers are certainly getting more inventive with the filenames they test, so I've made the regexp more expansive. (For one thing, before it would only catch "mail"; now it also catches "email"...) If I'm not wrong, there are 120 (!) base filenames caught with this RewriteCond now.

Ha-ha-ha... Out, damn spot! :)
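To see what balam's RewriteCond above actually fires on, here is an added example (not balam's code or anything from the thread) that models the rule in Python: the forum's broken-bar characters are taken to stand for the regex alternation "|", Apache's [NC] becomes re.IGNORECASE, and because RewriteCond is not anchored at the start of the URI the check uses re.search. The sample paths are constructed from the spellings reported in this thread, plus a few legitimate-looking paths that show the rule's blind spot: with no leading anchor, anything ending in "form" or "mail" (a webmail login, an order form) is caught too.

```python
import re

# balam's rule from the thread, with "|" where the forum printed broken bars.
# No leading anchor, optional "2"/"to" suffix, optional dot and extension.
FORMMAIL_PROBE = re.compile(
    r"(.?mail.?form|form|(GM)?form.?.?mail|.?mail)(2|to)?\.?(asp|cgi|exe|php|pl|pm)?$",
    re.IGNORECASE,
)


def is_probe(request_uri):
    """True when the RewriteCond would fire for this REQUEST_URI."""
    return FORMMAIL_PROBE.search(request_uri) is not None


def classify(uris):
    """Map each URI to whether the rule matches it."""
    return {uri: is_probe(uri) for uri in uris}


# Constructed samples. First, spellings scanners requested in this thread.
SCANNED = [
    "/cgi-bin/FormMail.pl",
    "/cgi-bin/formmail.cgi",
    "/formmail.php",
    "/cgi-local/Form.cgi",
    "/cgi/FormMail.cgi",
    "/cgi-bin/email.pl",
    "/cgi-bin/mailto.exe",
]
# Legitimate-looking paths the rule ALSO matches, because it has no
# leading anchor and the extension is optional.
COLLATERAL = ["/webmail", "/order-form", "/contact-form", "/mailto.asp"]
# Paths the rule leaves alone: the trailing ".html"/".txt"/".png" breaks the "$".
HARMLESS = ["/contact-form.html", "/formmail.txt", "/images/mailbox.png"]

if __name__ == "__main__":
    for label, group in (("scanned", SCANNED), ("collateral", COLLATERAL), ("harmless", HARMLESS)):
        for uri, hit in classify(group).items():
            print("%-10s %-25s %s" % (label, uri, "MATCH" if hit else "no match"))
```

The COLLATERAL group is the practical answer to "would this affect legitimate use": the rule blocks by name, so it hits any path that ends in one of those words, whether or not a FormMail script lives there; anchoring the pattern to a directory (e.g. ^/cgi-bin/) or to a leading slash narrows it considerably.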

Megatech

4:00 pm on Aug 7, 2003 (gmt 0)

10+ Year Member



I just came across this post. I designed a site and was using a guestbook from Matt, I think. I kept getting trash from people saying "nice site try this" and a lot of German links. Most of the links were to nowhere. What does this do for the person sending these trash entries? How are they doing it? I changed the name of the page and it stopped. I also took the link off of the home page.

Can someone explain this?

wkitty42

4:21 pm on Aug 7, 2003 (gmt 0)

10+ Year Member



megatech,

that's guestbook spam... it's an attempt, hoping that your guestbook is indexed in a search engine, to get inbound links and increase a site's ranking...

wkitty42

4:24 pm on Aug 7, 2003 (gmt 0)

10+ Year Member



claus,

i've been tracking these guys since they first hit my site... i've never had and likely never will have any kind of formmail script... you should be able to search and find my post... i included a link to a page that contains all the scans up to the first of this year... there is a definite pattern... i even invited rockstar to come by and take a peek but i guess he wasn't twigged enough or else can be very quiet... in fact, searching for rockstar may very well get you that link in these forums... above is only the second time i've written that name in here...

claus

5:09 pm on Aug 7, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



wkitty42, i only found this: [webmasterworld.com...]

/claus

wkitty42

3:00 am on Aug 8, 2003 (gmt 0)

10+ Year Member



weird, claus... i'll have to go hunt it down in my usage logs... i know that i posted it and that i did get some referrals from it... i'm sure that i posted it in these forums... it's possible that it was removed... too bad the "my threads" link in the control panel only goes back thru the most recent 25 threads :( i'll try to sticky it to you when i locate it... if you don't hear from me about it, sticky me, ok?

Visit Thailand

3:07 am on Aug 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



balam your code here:

RewriteCond %{REQUEST_URI} (.?mail.?form|form|(GM)?form.?.?mail|.?mail)(2|to)?\.?(asp|cgi|exe|php|pl|pm)?$ [NC,OR]

Would this affect legitimate use of formmail on our site?

We do use formmail a lot (realise it is not recommended etc) so would not want to stop legitimate users from using it.

claus

7:40 am on Aug 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



visit_thailand:

I use modified versions (homebrew), but i still have the original script. The "Rewrite" will affect anyone requesting the file, also legitimate users. Instead you should restrict the use of formmail using the

@referers = ('www.your-domain.com');

-array specified in the script to get better security if you haven't already done so (it depends on the version you're running.) Also, if your mail form sends mail to one address only, you could include this line in the formmail file:

$Config{'recipient'} = "mail\@your-domain.com" ;

That way the script will only send to one mail address, and it's no longer fit for mass mailings.

If you rename the formmail.pl file to "xhkahlkjfsh.pl" (just some random gibberish) you would still be able to catch those looking for exploits by using the Rewrite and even a spider trap with the name "formmail.pl", as they seem to go for the "(form)mail" name and a few extensions.

/claus

Visit Thailand

7:54 am on Aug 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks Claus, yes I have added all the @referrers etc but thanks for the tip.

I may well change the name of formmail but it would take a lot of work, wish I had done it at the beginning.

claus

8:19 am on Aug 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Okay, then you're better off than quite a few others :) There's a new version of formmail "NMS FormMail" located here:

[nms-cgi.sourceforge.net...]

It's even recommended on Matt's own pages. What this does is close some security holes and fix some bugs. You might benefit from downloading it and replacing the version you have, if it's not this version already.

/claus

FineWare

12:22 am on Aug 9, 2003 (gmt 0)

10+ Year Member



formmail hackers are cowards. This guy had some real guts:

218.8.102.8 - - [07/Aug/2003:14:35:31 -0400] "\x04\x01" 200 6796 "-" "-"
218.8.102.8 - - [07/Aug/2003:14:35:52 -0400] "\x05\x01" 200 6796 "-" "-"
218.8.102.8 - - [07/Aug/2003:14:35:53 -0400] "CONNECT 65.54.254.129:25 HTTP/1.1" 403 6822 "-" "-"

Stupid, perhaps. But gutsy nonetheless. :^)

218.8.102.8 traces to CNCGROUP Heilongjiang province network (surprise, surprise)
65.54.254.129 is mc1.law16.hotmail.com

Wizcrafts

6:05 pm on Aug 22, 2003 (gmt 0)

10+ Year Member



I have some input on this subject also. First more evidence.
Here is my last log of a FormMail Phisher:


*** Self-Banned ***
12.251.168.221 - - [18/Aug/2003:22:43:54 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.1" 403 3939 "-" "Mozilla/4.06 (Win95; I)"
12.251.168.221 - - [18/Aug/2003:22:43:54 -0400] "POST /cgi-bin/Formmail.pl HTTP/1.1" 403 3939 "-" "Mozilla/4.06 (Win95; I)"
12.251.168.221 - - [18/Aug/2003:22:43:54 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.1" 403 3939 "-" "Mozilla/4.06 (Win95; I)"
12.251.168.221 - - [18/Aug/2003:22:43:54 -0400] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 698 "-" "Mozilla/4.06 (Win95; I)"
12.251.168.221 - - [18/Aug/2003:22:43:54 -0400] "POST /cgi-bin/Formmail.cgi HTTP/1.1" 403 3939 "-" "Mozilla/4.06 (Win95; I)"
12.251.168.221 - - [18/Aug/2003:22:43:54 -0400] "POST /cgi-bin/FormMail.cgi HTTP/1.1" 403 3939 "-" "Mozilla/4.06 (Win95; I)"

This IP banned itself because I renamed Trap.pl to formmail.pl. All other attempts using variations of this spelling receive my custom 403 message, created via htaccess rewrite rules. I thought about adding the variations of the spelling, such as those in my log, but I realized that they always include the all lowercase formmail, so one trap is enough for now.

I use the NMS replacement for the MSA FormMail script, and I do not call it formmail; I use a non-descript title to hide it from phishers. Not only is the NMS script more secure, but it is fairly regularly updated by the London Perl Mongers, and has a wonderful feature labeled "%recipient_alias," which allows for substituting numbers for recipients, in the html form. This removes yet another spam harvesting vulnerability by cloaking your recipient(s). Instead of them being typed as email addresses in the form page, they are only accessible via the cgi script. I contacted the Mongers about the World readability of this script and was assured that it isn't doable, especially if you CHMOD the script to 711, as I do. 711 permits it to execute for the group and World, and only the owner can read and write to it. Thus, your aliases are safe.

I have written an article about this on request from my web host, after a shared-hosting account created a major server (spam relay) problem by installing an old, insecure version of MSA FormMail, which got hijacked. If anyone wants to see what I wrote, it is on my server at [wizcrafts.net ]

BTW: The NMS script is updated often and users should check the site and upgrade when there is a new release, unless you are a Perl programmer yourself and can patch the file manually.
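The two controls discussed in this part of the thread, pinning the recipient inside the script (claus's $Config{'recipient'} and @referers advice) and mapping numbers to addresses so the HTML form never carries one (Wizcrafts' %recipient_alias), come down to one rule: the form may only name a recipient by alias, and the alias table lives server-side. Here is an added example in Python (not NMS FormMail's code, nor anything from this thread) of a form handler that applies that rule; the alias table, the allowed Referer host and the addresses are constructed placeholders. The Referer check is kept as a secondary signal only, since, as volatilegx notes later in the thread, the header is trivially spoofed and some proxies strip it.

```python
import re

# Constructed alias table. In NMS FormMail the equivalent %recipient_alias hash
# sits inside the CGI script, so the public form reveals no address.
# Placeholder values, not anyone's real addresses.
RECIPIENT_ALIAS = {
    "1": "sales@example.com",
    "2": "support@example.com",
}
DEFAULT_ALIAS = "1"  # plays the role of a pinned $Config{'recipient'}

# Hosts allowed in Referer: the role of the @referers array. Assumed value.
ALLOWED_REFERERS = {"www.example.com"}


class RejectedSubmission(Exception):
    """The submission asked for a recipient this handler will not serve."""


def resolve_recipients(form):
    """Turn the form's 'recipient' field into real addresses via the alias table.

    Anything that is not a known alias is refused, so a submitter cannot turn
    the script into a relay by supplying arbitrary addresses in the POST body.
    An empty field falls back to the pinned default.
    """
    raw = form.get("recipient", "").strip() or DEFAULT_ALIAS
    resolved = []
    for token in raw.split(","):
        token = token.strip()
        if token not in RECIPIENT_ALIAS:
            raise RejectedSubmission("unknown recipient alias %r" % token)
        resolved.append(RECIPIENT_ALIAS[token])
    return resolved


def referer_status(headers):
    """Return 'ok', 'bad' or 'missing'.

    'missing' is reported separately from 'bad': privacy proxies and some
    firewalls strip the header, so a legitimate user can arrive without one.
    A mismatching host is rejected; a missing header is only logged.
    """
    ref = headers.get("Referer", "")
    if not ref:
        return "missing"
    host = re.match(r"https?://([^/:]+)", ref, re.IGNORECASE)
    return "ok" if host and host.group(1).lower() in ALLOWED_REFERERS else "bad"


def accept(form, headers):
    """Resolved recipient list for an accepted submission, or None if rejected."""
    if referer_status(headers) == "bad":
        return None
    try:
        return resolve_recipients(form)
    except RejectedSubmission:
        return None


if __name__ == "__main__":
    good = {"recipient": "2"}
    relay_attempt = {"recipient": "victim@example.net"}
    hdrs = {"Referer": "http://www.example.com/contact.html"}
    print("legit form  ->", accept(good, hdrs))
    print("relay probe ->", accept(relay_attempt, hdrs))
    print("no referer  ->", accept(good, {}), "(referer:", referer_status({}) + ")")
```

The point of the alias indirection is that the form page, which every scanner can fetch, contains only "1" or "2", while the addresses are readable only by the script's owner, which is what Wizcrafts' CHMOD 711 arrangement protects.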

spud01

9:45 am on Sep 19, 2003 (gmt 0)

10+ Year Member



I use the formail.php script as it's the only version of the script that works on the NT4/IIS 4 webserver.

In the past 3 days I have received several dozen returned delivery failures for emails I never sent.
I wonder if this is a result of the formail script, even though I've restricted its use.

The .htaccess trap.pl solution will not work for me as of course .htaccess does not work on Wind0ze boxes.

Is there another way?

BTW i luv what they've done here... http://www.achildscry.org/hallofshame0a.html ... i wonder how they can automate reporting violations to ISPs.

Wizcrafts

3:26 pm on Sep 19, 2003 (gmt 0)

10+ Year Member



Here are my logs for Sept 17 and 18, of the same FormMail Phisher getting 403'd, but look at all the spellings he was searching for. This is a good example of why we should use Balam and Claus's Rewrites for these exploits.

216.229.194.253 - - [17/Sep/2003:13:23:42 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [17/Sep/2003:13:23:42 -0400] "POST /cgi-bin/FormMail.cgi HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [17/Sep/2003:13:23:43 -0400] "POST /cgi-local/FormMail.cgi HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [17/Sep/2003:13:23:43 -0400] "POST /cgi/FormMail.pl HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [17/Sep/2003:13:23:43 -0400] "POST /cgi/Form.pl HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [17/Sep/2003:13:23:43 -0400] "POST /cgi/Form.cgi HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [17/Sep/2003:13:23:43 -0400] "POST /cgi-bin/Form.cgi HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [17/Sep/2003:13:23:43 -0400] "POST /cgi-local/Form.pl HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [17/Sep/2003:13:23:43 -0400] "POST /cgi-local/Form.cgi HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [17/Sep/2003:13:23:44 -0400] "POST /cgi-local/FormMail.pl HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [17/Sep/2003:13:23:58 -0400] "POST /cgi/FormMail.cgi HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [18/Sep/2003:07:25:04 -0400] "POST /cgi-local/FormMail.cgi HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [18/Sep/2003:07:25:04 -0400] "POST /cgi/FormMail.pl HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [18/Sep/2003:07:25:04 -0400] "POST /cgi/FormMail.cgi HTTP/1.1" 403 4025 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [18/Sep/2003:07:25:05 -0400] "POST /cgi/Form.cgi HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [18/Sep/2003:07:25:05 -0400] "POST /cgi-bin/Form.pl HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [18/Sep/2003:07:25:05 -0400] "POST /cgi-local/Form.cgi HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [18/Sep/2003:07:25:05 -0400] "POST /cgi-local/Form.pl HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [18/Sep/2003:07:25:05 -0400] "POST /cgi/Form.pl HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"
216.229.194.253 - - [18/Sep/2003:07:25:06 -0400] "POST /cgi-bin/Form.cgi HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"

Wiz
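Wizcrafts' logs above show the signature of these scanners: one IP, a burst of POSTs to many spellings of the same script name across /cgi-bin, /cgi-local and /cgi, all within a few seconds. The following is an added example (not Wizcrafts' tooling or anything from the thread) of turning that observation into detection: it parses Apache combined-log lines, counts distinct FormMail-style paths per source IP, notes CONNECT attempts of the kind FineWare posted, and emits SetEnvIf ban lines in the form Wizcrafts uses. The log lines are constructed in the thread's format with RFC 5737 documentation addresses; the path pattern and the threshold of three distinct spellings are assumptions, chosen so a single stray 404 for formmail.cgi does not earn a ban.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as in the logs quoted in this thread.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Script names this thread reports being probed (FormMail/Formmail/Form with
# pl/cgi/php), under any directory. Assumed pattern, not from the thread.
PROBE_PATH = re.compile(r"/(form.?mail|form|mail)\.(pl|cgi|php)$", re.IGNORECASE)

# Constructed sample log: one scanner burst, one single miss, one open-proxy
# probe, and one legitimate POST to a renamed script with a real referer.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Aug/2003:22:43:54 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.1" 403 3939 "-" "Mozilla/4.06 (Win95; I)"
192.0.2.10 - - [18/Aug/2003:22:43:54 -0400] "POST /cgi-bin/Formmail.pl HTTP/1.1" 403 3939 "-" "Mozilla/4.06 (Win95; I)"
192.0.2.10 - - [18/Aug/2003:22:43:54 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.1" 403 3939 "-" "Mozilla/4.06 (Win95; I)"
192.0.2.10 - - [18/Aug/2003:22:43:55 -0400] "POST /cgi-local/Form.cgi HTTP/1.1" 403 3939 "-" "Mozilla/4.06 (Win95; I)"
192.0.2.10 - - [18/Aug/2003:22:43:55 -0400] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 698 "-" "Mozilla/4.06 (Win95; I)"
198.51.100.7 - - [19/Aug/2003:09:12:01 -0400] "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
203.0.113.5 - - [19/Aug/2003:10:00:03 -0400] "\\x04\\x01" 200 6796 "-" "-"
203.0.113.5 - - [19/Aug/2003:10:00:04 -0400] "CONNECT 203.0.113.99:25 HTTP/1.1" 403 6822 "-" "-"
198.51.100.42 - - [19/Aug/2003:11:30:00 -0400] "POST /cgi-bin/xhkahlkjfsh.pl HTTP/1.1" 200 1204 "http://www.example.com/contact.html" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-log line into fields, or return None if it is not one."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    # Binary junk such as "\x04\x01" has no method/path/version triple.
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) == 3 else ("", "")
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines):
    """Per source IP: distinct FormMail-style paths probed (spelling preserved),
    whether a CONNECT was seen, and whether any probe got a 200 (i.e. the trap)."""
    per_ip = defaultdict(lambda: {"probe_paths": set(), "connect": False, "hit_200": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        info = per_ip[rec["ip"]]
        if rec["method"].upper() == "CONNECT":
            info["connect"] = True
        if PROBE_PATH.search(rec["path"]):
            info["probe_paths"].add(rec["path"])
            if rec["status"] == 200:
                info["hit_200"] = True
    return per_ip


def ban_rules(lines, threshold=3):
    """SetEnvIf lines (the form Wizcrafts uses above) for IPs that probed at
    least `threshold` distinct script spellings or tried CONNECT. Pair them
    with "Deny from env=ban" in the directory block."""
    rules = []
    for ip, info in sorted(summarize(lines).items()):
        if info["connect"] or len(info["probe_paths"]) >= threshold:
            rules.append("SetEnvIf Remote_Addr ^%s$ ban" % re.escape(ip))
    return rules


if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(ip, "probes=%d" % len(info["probe_paths"]),
              "connect=%s" % info["connect"], "trap_hit=%s" % info["hit_200"])
    print("\n".join(ban_rules(SAMPLE_LOG.splitlines())))
```

Counting spellings rather than requests is deliberate: a visitor who mistypes a URL twice produces one or two paths, while a scanner working through a list produces many in the same second, which is the pattern visible in the logs above.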

volatilegx

8:49 pm on Sep 22, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Visit Thailand, I wouldn't rely on that @referers array for two reasons:

1) The HTTP_REFERER header is really easy to spoof.

2) A lot of people surf through firewalls that strip that header, so your formmail wouldn't work for these possibly legitimate requests.

pendanticist

9:08 pm on Sep 22, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



At least you folks don't seem to have Global (Organized?) Formmail Queries [webmasterworld.com].

Pendanticist.

coyote

2:32 am on Sep 25, 2003 (gmt 0)

10+ Year Member



I found this thread when I searched Google for "216.229.194.253". I found that IP in my guestbook today along with a porn link posted by the user of that IP.

Wizcrafts

3:11 am on Sep 25, 2003 (gmt 0)

10+ Year Member



Coyote, as in
SetEnvIf Remote_Addr ^216\.229\.194\.253$ ban
?
He was banned because of numerous attempts to hack a FormMail script:

216.229.194.253 - - [17/Sep/2003:13:23:42 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.1" 403 4027 "-" "Mozilla/4.06 (Win95; I)"

coyote

4:58 am on Sep 27, 2003 (gmt 0)

10+ Year Member



Wiz, that's the one I'm talking about. No formmail hack or attempt, but lots of GB spam. This IP is notorious for formmail hacking on various sites, though guestbook spam will probably show up on sites with GBs but without formmail (like mine).

jdMorgan

5:18 am on Sep 27, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



216.229.194.253 -> Mississippi Dept. of Education

Has anybody reported all this activity to their sys admin? Or their teacher?

Jim

Wizcrafts

6:14 am on Sep 27, 2003 (gmt 0)

10+ Year Member



Has anybody reported all this activity to their sys admin? Or their teacher?

Yep. I'll let you know if I hear back from them.

coyote

12:16 am on Sep 28, 2003 (gmt 0)

10+ Year Member



216.229.194.253 came back again today, went straight for the guestbook but got a 403. Also, I have 213.206.5.89 banned for trying to hack formmail. This one came back today looking for formmail.php, got a 403. Last but not least, 140.239.165.237 made a single request to my cgi-bin for formmail.cgi, got a 404.

coyote

2:34 am on Sep 30, 2003 (gmt 0)

10+ Year Member



This one tried to hack formmail today: 151.197.183.209. The worst part is that, according to the error string in my log, they were trying to spam AOL users with my URL.

216.229.194.253 is still trying to get my guestbook.

pendanticist

3:07 am on Sep 30, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



216.229.194.253 [google.com]'s been a busy individual. This one visited me better than a month ago and his/her ISP still hasn't closed the account? Rabblesnabble!

Re: achildscry.org.

I found achildscry.org's list quite awhile back and was intrigued by their reported methodology also. Maybe I'll drop them a line.

Then, yesterday I discovered this one:

http*//www.softwolves.pp.se/misc/formmail_hall_of_shame/

Then, just a minute ago, I Googled FormMail hall of shame [google.com] and judging by the results...

Anyways, me thinks it's time to start one of my own. Maybe echo the underscores "formmail_hall_of_shame" as shown in softwolves site.

Perhaps it'll do some good and perhaps not.

One thing is for sure. Given that so many of us here at WebmasterWorld apparently follow suit in banning Formmail Queries that others have reported, it also seems plausible that letting the World know who the culprits are...might not be such a bad idea.

<added>
You gotta see this!

http//www.bensbargains.net/ktalk/1061947067,48627,.shtml

Do a page search for 216.229.194.253 and see what you think.
</added>

<added-2>

Once I found "216.229.194.253:80" in some of those Googled links I then G'd that number and what do you think I found?
http*//www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=%22216%2E229%2E194%2E253%3A80%22
</added-2>

Pendanticist.

coyote

3:39 am on Sep 30, 2003 (gmt 0)

10+ Year Member



Re: bensbargains link - What the #$%&? I guess some idiots have nothing better to do.

Re: google link - Cripes... no wonder that IP has a bad reputation. Some part of me wants to find a list of all High Anon. Proxy IPs and ban them.
