
I'm getting a lot of formmail seekers

Best way to fight back


Frank_Rizzo

10:09 am on Jul 14, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I know what they are after. They are looking for formmail scripts which have not been updated, thus ripe for launching spam mail.

I don't use formmail so it doesn't bother me. What is bothering me is the increase I'm noticing in my log files.

Some are being downright cheeky too. They are putting "your open formmail should be closed" in the URL so that it looks as if they are doing ME a favour.

OK, what's the best way to hit back? How about if I created a formmail.cgi and .pl and got it to do something wonderful. But like what? I want to scare the *** off them.

Got any good ideas?

Brett_Tabke

1:40 pm on Jul 14, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Something such as: "An email has been sent to your ISP's abuse address reporting this hack attempt. Hacking is illegal in... yada yada yada."

bird

1:58 pm on Jul 14, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Those folks probably don't read the HTTP responses they get; they check if the system sends them an e-mail to their test address. So you could send them an e-mail there, forging the sender to be their ISP's abuse department, saying: "You have been reported for theft of service. We will boot you with the next complaint." (Not implying that forging senders is legal, of course... ;))

Frank_Rizzo

2:29 pm on Jul 14, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yeah, it does look as if they are running some kind of script, because the sequence is all the same. Requests for:
/404.htm
/contact.htm
/cgi-bin/formmail.cgi
/cgi-bin/formail.pl
/cgibin/formail.cgi

etc.

But surely they are going to be using proxies, so there is no point in looking up the ISP.

I can send the logs to the abuse@ mail address, I guess. But again, this mailbox will only be a false, temporary one.

What I'm thinking is to send 1000 mail messages indicating a false positive. This should a) fill up his mailbox to the max, b) make it harder to find formmail exploits if any poor souls out there are genuinely hit.
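As an added example, not code from the thread: a small Python scanner that runs the kind of check Frank describes over constructed Apache-style log lines, flagging hosts that probe the formmail paths listed above (including the misspelled "formail" variants and paths carrying a query string) or that POST to one of them.

```python
import re
from collections import defaultdict

# Apache common-log-format fields we need (constructed regex for this example).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# formmail.cgi / formmail.pl and the misspelled "formail" variants under
# /cgi-bin/ or /cgibin/, as requested by the scanners in the thread.
FORMMAIL_RE = re.compile(r'^/cgi-?bin/form+ail\.(?:cgi|pl)$', re.IGNORECASE)

# Constructed sample log: one scripted probe sequence, one real POST, one normal visitor.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jul/2002:09:58:01 +0000] "GET /404.htm HTTP/1.0" 200 512
192.0.2.10 - - [14/Jul/2002:09:58:02 +0000] "GET /contact.htm HTTP/1.0" 200 1024
192.0.2.10 - - [14/Jul/2002:09:58:03 +0000] "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 290
192.0.2.10 - - [14/Jul/2002:09:58:04 +0000] "GET /cgi-bin/formail.pl?your_open_formmail_should_be_closed HTTP/1.0" 404 290
192.0.2.10 - - [14/Jul/2002:09:58:05 +0000] "GET /cgibin/formail.cgi HTTP/1.0" 404 290
198.51.100.7 - - [02/Aug/2002:06:30:11 +0000] "POST /cgi-bin/formmail.cgi HTTP/1.0" 200 310
203.0.113.5 - - [02/Aug/2002:07:00:00 +0000] "GET /index.html HTTP/1.0" 200 2048
"""

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_formmail_probes(lines, min_hits=2):
    """Map host -> list of formmail paths it requested, keeping hosts that hit
    at least min_hits such paths (a scan) or that POSTed to one (an actual
    attempt to use the script, as in the POST shelleycat saw)."""
    hits = defaultdict(list)
    posted = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop the "cheeky" query string
        if FORMMAIL_RE.match(path):
            hits[rec["host"]].append(path)
            if rec["method"] == "POST":
                posted.add(rec["host"])
    return {h: p for h, p in hits.items() if len(p) >= min_hits or h in posted}

if __name__ == "__main__":
    for host, paths in find_formmail_probes(SAMPLE_LOG.splitlines()).items():
        print(host, "->", ", ".join(paths))
```

Run it against a real access log by passing the file's lines instead of SAMPLE_LOG; a host that shows up here with a 200 on a POST is the one worth checking first.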

probe

7:39 pm on Jul 28, 2002 (gmt 0)

10+ Year Member



Hey Frank,
if you came up with a script
then please post it here.
You might even want to add an automatic spam abuse
function for the sender IP...

shelleycat

6:33 am on Aug 2, 2002 (gmt 0)

10+ Year Member



I found something a bit odd in my log files today
... "POST /cgi-bin/formmail.cgi HTTP/1.0" etc.

It gives an ISP address but no other info about who did this. I know there is a form mail script sitting in a folder somewhere on my domain but I've never used it (it was supplied by the hosting company). Is this at all related to what Frank_Rizzo is talking about, and should I be worried? I've tried installing an .htaccess file but as yet no luck (grr, no idea why), so I can't just block the folder.

jdMorgan

7:33 am on Aug 2, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



shelleycat,

Yeah, I'd be worried. Contact your hosting service if you can't find your formmail folder and block it on your own. Ask them if they can just "delete it" for you. Many hosting services put common scripts such as formmail in a single directory, and then use file links (a Unix thing) to make it look like each hosted site has their own copy in their account space. My host does this, but only allows POSTs that include my domain as the referer, thus avoiding what you are seeing. They actually do this using mod_rewrite at the server level, much the same as what you are trying to do in .htaccess.

Jim

shelleycat

3:25 am on Aug 3, 2002 (gmt 0)

10+ Year Member



Cool, thank you. I didn't want to start deleting things with no reason, but I know which folder it's located in so I'll go do it now. :-D

jdMorgan

3:30 am on Aug 3, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



shelleycat,

Or rename it to something else in a different folder, in case you need it later... I figured if your hosting provider deleted it, they would also put it back. Probably too late, huh? :(

Jim

shelleycat

5:32 am on Aug 4, 2002 (gmt 0)

10+ Year Member



Oh, I should have mentioned, I downloaded a copy to my hard drive first :) It's a discrete little file which I can run from anywhere on my domain, or so they have told me, so I can upload it again wherever I need it when I want to use it.

There have been a couple more bots in there looking for it since I removed it too, so I think it was the right move to delete it for now :)

Shelley