
I've been having fun with Embratel.net.br today...

pendanticist

5:49 am on Apr 27, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

...he issues a formmail query and I report him...he issues another formmail query and I report him. This little cat and mouse game went on for hours. :)

200.174.69.242 - - [26/Apr/2003:21:46:34 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 858 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:21:46:34 -0700] "POST /cgi-bin/formmail.cgi HTTP/1.0" 200 855 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:20:19:01 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 849 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:18:17:17 -0700] "POST /cgi-bin/formmail.cgi HTTP/1.0" 200 861 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:18:17:19 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 861 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:14:50:48 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 852 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:14:50:50 -0700] "POST /cgi-bin/formmail.cgi HTTP/1.0" 200 846 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:13:24:21 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 846 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:11:24:51 -0700] "POST /cgi-bin/formmail.cgi HTTP/1.0" 200 849 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:11:24:51 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 858 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:09:58:30 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 852 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:09:14:15 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 852 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:07:57:18 -0700] "POST /cgi-bin/formmail.cgi HTTP/1.0" 200 855 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:07:57:19 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 852 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:00:50:42 -0700] "POST /cgi-bin/formmail.cgi HTTP/1.0" 200 858 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:00:50:42 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 855 "http*//blahblah.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"

I banned him by IP Number weeks ago, but that does not stop him.

Anyway, I started noticing the vast majority of formmail queries, (in the last five or six months) all trail this data:

Windows 98; AIRF; .NET CLR 1.0.3705)

Even the ones from interbusiness.it (another known UCE/SPAMer haven).

Admittedly, I'm not quite functionally literate at the moment, but could there be something to this?

I've read several older threads regarding IP Number spoofing and kind of understand the 'writing of packets' or something like that; what I'd like to know is just how easily this might be done today.

Those threads were over a year old (as I recall), so maybe today's technology has surpassed older known techniques / technologies?

I'm asking, just how easy is it really to spoof an IP Number?

Is Embratel.net.br really so lame as to not take action against this user?

I'm also thinking open relay / proxy that might be able to 'intercept' my repeated Formmail Query complaints in some fashion. I mean, we were running nip and tuck there for a while, but I think I wore him down for the night... <lol>

The only other thing I can add is to say I've never had this many FQs from anywhere in such a short period of time. Not even close.

I gotta git some sleep....

Thanks.

Pendanticist.
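As an added illustration of the log review described in the post above (this is example code written for this thread, not something the poster ran), the script below parses Apache combined-format lines, picks out POSTs to the usual FormMail paths, tallies them by source IP and User-Agent string (the "AIRF; .NET CLR 1.0.3705" fingerprint the poster noticed), and checks whether any request from an IP that is supposed to be banned still received something other than a 403. The log lines embedded in it are constructed for the example and modelled on the entries quoted in the thread; the IP addresses 203.0.113.9 and 198.51.100.7 and the referer host are placeholders.

```python
import re
from collections import Counter

# Apache/NCSA combined log format (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths commonly probed by FormMail abusers (compared case-insensitively).
FORMMAIL_PATHS = ("/cgi-bin/formmail.pl", "/cgi-bin/formmail.cgi")

# Constructed sample log, modelled on the thread's entries; not real traffic.
SAMPLE_LOG = """\
200.174.69.242 - - [26/Apr/2003:21:46:34 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 858 "http://example.invalid" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
200.174.69.242 - - [26/Apr/2003:21:46:34 -0700] "POST /cgi-bin/formmail.cgi HTTP/1.0" 200 855 "http://example.invalid" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
203.0.113.9 - - [26/Apr/2003:21:50:01 -0700] "GET /index.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (X11; Linux i686)"
198.51.100.7 - - [26/Apr/2003:22:03:12 -0700] "POST /cgi-bin/formmail.pl HTTP/1.0" 403 290 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
200.174.69.242 - - [26/Apr/2003:23:11:40 -0700] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 852 "http://example.invalid" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_formmail_probes(lines):
    """Keep only POST requests aimed at a known FormMail path."""
    probes = []
    for rec in map(parse_line, lines):
        if rec and rec["method"] == "POST" and rec["path"].lower() in FORMMAIL_PATHS:
            probes.append(rec)
    return probes


def summarize(probes):
    """Count probes per source IP and per User-Agent string."""
    by_ip = Counter(r["ip"] for r in probes)
    by_ua = Counter(r["ua"] for r in probes)
    return by_ip, by_ua


def check_ban_effective(probes, banned_ips):
    """Probes from supposedly banned IPs that did NOT get a 403: the ban is not biting."""
    return [r for r in probes if r["ip"] in banned_ips and r["status"] != "403"]


if __name__ == "__main__":
    probes = find_formmail_probes(SAMPLE_LOG.strip().splitlines())
    by_ip, by_ua = summarize(probes)
    print("FormMail probes per IP:", dict(by_ip))
    print("FormMail probes per User-Agent:", dict(by_ua))
    leaked = check_ban_effective(probes, {"200.174.69.242", "198.51.100.7"})
    for r in leaked:
        print("ban not effective:", r["ip"], r["time"], r["path"], "->", r["status"])
```

If `check_ban_effective` reports hits for an address you have listed in your deny rules, the first thing to verify is that the rule is actually loaded and matches that address, since a request that reaches the CGI and returns 200 never touched the ban at all.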

MarieC

6:36 am on Apr 27, 2003 (gmt 0)

10+ Year Member



Interesting. Right now, I can't recall getting a formmail query since I followed your lead and reported the four (or was it five) that I got in one day a couple weeks ago. Of course, it could be that I'm still not paying that much attention to them.

I banned him by IP Number weeks ago, but that does not stop him.

I'm confused. This IP or another? If this, then why didn't it come back 403? Sorry, it's late and I've probably passed the point of no return for coherency. Not that I'm all that coherent when I'm awake, mind you.

I'm asking, just how easy is it really to spoof an IP Number?

I don't know the answer to this. But, if it is easy or easier than it used to be, then I'm thinking we're all in trouble. I mean, for me anyway, I always considered banning an IP as a sort of last line of defense.

Okay, I just did a little Googling on how to spoof an IP, and of course, I couldn't come up with the instruction manual. Heh. :) But, I did find this little quote, "Every windows user who has ever been on a LAN party knows how to spoof an IP address." I am so out of the loop.

pendanticist

1:08 am on Apr 28, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm confused. This IP or another? If this, then why didn't it come back 403?

This IP Number (200.174.69.242), yes.

As to why no 403s:

Most IP Numbers that I've banned are banned, but this one consistently slips through.

Colour me puzzled.

Pendanticist.

KevinC

1:53 am on Apr 28, 2003 (gmt 0)

10+ Year Member



I'm having that same problem; the details are:

Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)

and they are hitting my formmail really hard - what's the best way to stop them? I've never run into this sort of thing and am not sure what to do. As I look into it, I have been getting hit like this for days on end.

kevinpate

1:58 am on Apr 28, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't know the first thing about spoofing an IP #, but if an IP number is banned yet that alleged number can still get through, doesn't the formmail hunter simply HAVE to be coming from a different number?

By the by, banning the entire 200 range doesn't work either, just in case you're contemplating trying that approach.

GaryK

2:06 am on Apr 28, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You might find this article useful. It explains the basics of IP Spoofing and how basically, one IP Addy can show up in your logs while another IP Addy is the one actually doing the dirty work. It's late but it sort of made sense to me. Maybe it will to you, too.

[sans.org...]

jomaxx

2:55 am on Apr 28, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I get these reports in my logs frequently, literally every day, and I don't even have formmail installed.

There's clearly no way you can prevent everybody everywhere from attempting this. Can't you simply hide formmail or otherwise make sure you have a version that is 100% secure? Once you do that there is no particular need to monitor these requests and spend your day banning IP addresses.

MarieC

3:13 am on Apr 28, 2003 (gmt 0)

10+ Year Member



Actually, I don't have formmail installed either. When I said that I considered banning an IP a line of last defense, I meant against any malfeasance that might occur against a web site, and not just formmail queries.

pendanticist

3:55 am on Apr 28, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't have them installed either. :)

There's clearly no way you can prevent everybody everywhere from attempting this.

True jomaxx, but there are other issues at hand here which I like to pursue. Namely, I like to report Formmail Queries to both the offender's ISP and their upstream provider.

I can't find the post right now, but I've closed roughly five open proxies in the last six months and I don't remember how many ISPs have reported as having "...taken appropriate action in accordance to our TOS agreement...".

Can't you simply hide formmail or otherwise make sure you have a version that is 100% secure?

Sure I could.

Consider this: According to a TV news source (this morning), our Military personnel are getting tons and tons of UCE/SPAM in Iraq. The reporter went on to say that only one person has to make a purchase (out of 100,000 UCE/SPAM messages sent) in order for the UCE/SPAMer to make a profit.

Pretty infinitesimal numbers there, if you ask me. Not to mention the consternation of folks who pay for their Internet connection by the minute to download all that UCE/SPAM.

Anyway, lest I digress - rather than run all my UCE/SPAM messages thru SpamCop (like I used to do), I now go for the throat (so-to-speak) by endeavouring to shut down the offender executing the Formmail Query. I find that much, much more rewarding, especially when I get a chance to take away their ISP!

Once you do that there is no particular need to monitor these requests and spend your day banning IP addresses.

Couldn't disagree with you more. :)

It's the hunt jomaxx, not the kill. The kill is only the reward for a successful hunt.

This individual is particularly elusive...for now and I suspect IP Number spoofing as the cause.

See where I'm coming from now?

Pendanticist.

NorthernStudio

4:34 am on Apr 28, 2003 (gmt 0)

10+ Year Member



I've been getting these FormMail calls more frequently. Several of my websites have been hit over the past few days by tronroxyou@aol.com using two different IP addresses. (AOL hasn't responded.)

I don't use FormMail but I'd be happy to offer him a file that provides bogus email addresses. Our spider-trap ASP pages generate nearly one hundred thousand bogus emails and URLs to any spider hungry enough to hang around and eat them. I'm not familiar enough with perl to generate a similar FormMail.pl file. Is there a downside to stuffing these greedy spiders with useless crap?

Wayne