FormMail spoofing

strike back at spam hijackers

AmishJohn

12:24 am on Feb 8, 2003 (gmt 0)

A couple of months ago a FormMail perl script in my CGI directory (it was placed there as a "help" to me by my former web hosting company) was co-opted by some email spammer. Over the course of 24 hours they sent out a huge number of emails.

Since then I have been noticing lots of entries in my error log by folks trying to find a FormMail program. Nothing bad happens, they just don't find one.

I have thought it might be fun to install a special FormMail program that would respond like the real thing to queries but only capture the email addresses sent and not send out the emails. (To make it look real, it probably would be good if it sent out emails to the first couple of addresses submitted before shutting down.)

Has anyone done this?

Syren_Song

4:03 am on Feb 8, 2003 (gmt 0)

Any way it could also be made to capture the IP of the perpetrator? That'd be a nice bonus! Then you could post the IP somewhere so folks could block him in the future. ;)

jamesa

4:17 am on Feb 8, 2003 (gmt 0)

I had that happen to me one time, and a reverse lookup on the IP resolved to a PacBell DSL account. Obviously a rank amateur. So I wrote a script that logged the emails to a file instead of actually sending them. Of course I called it formmail.pl and made sure that the thank you and error pages looked identical to formmail. I was going to send it along with the access logs off to PacBell's abuse but got busy and never got around to it. Anyway for quite a while this spammer had no idea the emails weren't going anywhere LOL. Eventually s/he figured it out and went away.

<added>If anyone's using formmail, there's newer versions that address this exploit on their site</added>

lorax

4:31 am on Feb 8, 2003 (gmt 0)

I've noted a few attempts to locate a formmail script in CGI-BIN. The would-be hackers are from China so there's not much I can do about it. Though I'd love to write a script that would deliver a payload of my choosing to the IP requesting the file.

Syren_Song

4:32 am on Feb 8, 2003 (gmt 0)

Whereabouts would you find the newer FormMail script versions? And how would you know (without actually testing 'em) which ones were newer? I'm going to need one soon....

jamesa

4:56 am on Feb 8, 2003 (gmt 0)

I hope this is not a violation of the forum charter... Just search Google for: matts script archive

The source code of the script should have the version number.

Syren_Song

5:12 pm on Feb 8, 2003 (gmt 0)

Thanks, jamesa.

As I understand it, the problem comes mostly when you include urls, especially in link form. But I'm sure one of the moderators will correct me if I'm wrong. ;)

Actually, I'm already using one of his scripts, I just wasn't sure if it was one of those you were referring to or not. My cgi/perl knowledge is rather limited at the moment, so I'm not really sure how to tell if I've got a newer version that is better protected, or one of the older versions. Guess I'll just double-check the dates....

Dreamquick

6:01 pm on Feb 8, 2003 (gmt 0)

Coming back to AmishJohn's question about the formmail spoof...

I've pondered something similar myself; as I see it there are two problems with your plan:

1) You effectively say your formmail works - chances are they would be back soon and just throw as much traffic at that script as they could before you shut them down - obviously this is a bad thing if you have to pay for your bandwidth.

2) All the formmail scanners I've spotted in my logs rely on the return email rather than the status code. This means that you would have to send out at least one email, which in itself is exactly what they want, as from here with enough time and patience they could trick your "spoof" formmail into doing exactly what the real one does...

My ponderings ran along these lines:

In order to scan they disclose an IP address (might be real, might be a proxy but either way it could then be blocked for a set period to slow repeat traffic).

More importantly they need to supply one or more working email addresses so that they can check the formmail isn't just some spoof script out to waste their time.

Since it's quite easy to spot formmail attempts going through a site, we could just add a little code to cycle through all the variables being passed for a formmail attack and extract the email addresses.

At this point the question of what to do with a file full of spammer email addresses raises its head :)

If you were a less ethically inclined individual you'd also realise that their scanning method only works if their receipt mailboxes aren't full of junkmail... (not that I'd suggest inserting that file on a site in an easy to harvest format, or even using them to subscribe to certain site "offers")

- Tony
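A log-only stand-in of the kind jamesa and Dreamquick describe, added here as an illustration and not code from anyone in the thread: it walks every submitted field (FormMail's own recipient, email, subject and message names), pulls out anything that looks like an email address, records the requesting IP, never sends mail, and answers 403 once an IP exceeds a hit budget. The sample POST body, the IP and the hit budget are constructed, and the Thank You page only approximates FormMail's.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample: the sort of POST body a FormMail scanner submits,
# using FormMail's real field names (recipient, email, realname, subject, message).
SAMPLE_BODY = (
    "recipient=probe1%40example.net%2Cprobe2%40example.org"
    "&email=sender%40example.com&realname=test&subject=scan"
    "&message=hello+probe3%40example.net"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_addresses(body):
    """Cycle through every submitted variable and collect email-like tokens."""
    found = []
    for _field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            found.extend(EMAIL_RE.findall(value))
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


class FormMailHoneypot:
    """Stand-in for formmail.pl that records IP and addresses and sends nothing."""

    def __init__(self, max_hits_per_ip=20):  # budget is an assumed value
        self.hits = Counter()
        self.log = []
        self.max_hits = max_hits_per_ip

    def handle(self, remote_ip, body):
        """Return (status, page). Over-budget IPs get a bare 403 to save bandwidth."""
        self.hits[remote_ip] += 1
        if self.hits[remote_ip] > self.max_hits:
            return 403, "Forbidden"
        self.log.append({"ip": remote_ip, "addresses": extract_addresses(body)})
        # Approximation of FormMail's thank-you page; no email is ever sent.
        return 200, "<html><head><title>Thank You</title></head><body><h1>Thank You</h1></body></html>"


if __name__ == "__main__":
    pot = FormMailHoneypot()
    print(pot.handle("203.0.113.5", SAMPLE_BODY))  # constructed IP
    print(pot.log)
```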

Syren_Song

6:19 pm on Feb 8, 2003 (gmt 0)

I like your way of thinking, Dreamquick!

Of course, you're right. Submitting them to a busy non-opt-in listserv would also be rather unethical. ;)

However, another thought that would be entirely ethical would be to notify their local governmental law enforcement agency of the theft attempt. Depending on the country involved, the local police (or FBI or whoever) might be interested to know what these folks are up to.

After all, using your bandwidth and server programs to send out spam is essentially theft. Even the attempt would be illegal in some countries.

Dreamquick

7:30 pm on Feb 8, 2003 (gmt 0)

Depending on the country involved, the local police (or FBI or whoever) might be interested to know what these folks are up to.

Doubtful; unless it's politically sensitive or you can establish a high price tag for the costs you incurred because of these actions, law enforcement agencies don't generally care.

Their ISPs might care but if these formmail hunters have half a clue they would bounce the request off proxies or a compromised machine to mask themselves.

To make any real progress against these guys you'd need to see what they were sending out and then harass whomever they are promoting. If this is an affiliate scheme then normally spamming is against the TOS and so you could make them forfeit their account.

And anyhow who said anything about list-servs? I was thinking more of asking for them to be "removed" from a dozen or so junk emails that I deleted over the last week :)

- Tony

amznVibe

7:35 pm on Feb 8, 2003 (gmt 0)

By the way, if it's not obvious, if you do have and use a formmail.cgi, rename it to something like feedback.cgi to reduce the hack attempts (remember to fix your HTML for the new name as well).

For the earlier question about earlier unsafe formmail, just make sure you are running version 1.92 (or newer)

ggrot

8:46 pm on Feb 8, 2003 (gmt 0)

Here is an idea. What if you set the fake formmail script (FFS) to:
1) Limit the emails to something like 5 per ip address accessing it. After that, it would only pretend to send out spam. This would effectively work as a check for those who look for the email coming through to their account, and in the worst case would allow 5 people to be spammed (maybe a few more if there were rotating ip addresses).
2) In those first 5 emails, send the user EXACTLY what they asked to send in the email (not alerting them to the fact that you are using a FFS), but also attach a 1x1 image in HTML code that will load when they load the email. This image will be on your server and will log ip/browser variables of anyone who views it (far less likely to be a proxy). I caught an ebay con-artist once like this.
3) Keep track of how many emails each ip address has 'sent', and after the first 1000, put a wait(5000) statement (or whatever equivalent in your particular language) so that it slows the process down (saving your bandwidth). The reason I would say wait until after 1000 is that the user might do some early speed checks with the first few emails to see if your server is fast enough to be worthwhile.
4) This one is questionable, but perhaps keep track of the list of recipients. The first time you see each address, send them a single email informing them of some ways to block out emails that have the formmail headers in them and why. I forget the specifics, but formmail sends out certain distinguishable headers. Also add in there that their email address has been added to a black list and this is the last message they will ever receive from you. Education is the best way to fight spam.

Dreamquick

9:30 pm on Feb 8, 2003 (gmt 0)

1) Limit the emails to something like 5 per ip address accessing it. After that, it would only pretend to send out spam.

I could come up with a list of *lots* of proxies in around five minutes.

Let's say I could find 100 (a very conservative figure, multiproxy has ~180 listed and there are lots of similar sites) that means I could spam 500 people using what was supposed to be a "detection" mechanism.

Realistically there is no reliable method to stop people abusing a formmail spoofer once you actually let it send out email, and once it works for one person I'm sure others will find out about it too - not to mention the complaints you and your host will get because you are the "source" of the spam.

- Tony

kevinpate

1:31 am on Feb 9, 2003 (gmt 0)

If you don't have the program, and don't ever intend to, is it considered bad to use a temporary redirect for formmail.pl requests?

I like using a redirect to send such requests to a maps page at a portal. Once they reach the maps page, I assume they can find their own way home, and they're instantly off my site to boot. 8^)

ggrot

4:23 am on Feb 9, 2003 (gmt 0)

Dreamquick, what if I also limited it to 10 per day (as in only the first two ip addresses would work that day ... all others would fail). Formmail is too easy to find for it to be worth the effort required to work out exactly how my script works as a black box.

Dreamquick

11:57 am on Feb 9, 2003 (gmt 0)

kevinpate,

The easiest method is just to let them find a 404 status or possibly a 403; redirects are overkill since people looking for the script aren't really interested in the content of the site...

ggrot,

That might work but it would still require a lot of work with regards to how they interact with it - if they simply check it works and then throw as much traffic as they can at it then that's less good because it's still going to be using server resources and bandwidth.

- Tony