What I do to bring some order to the insanity is
RewriteRule ^/(default\.ida|cgi-bin/(FormMail|formmail)\.(pl|cgi)|.*_vti_.*|cltreq\.asp)$ /blank.html [L,E=dont-log:1]
where blank.html is a 0 byte empty file. This is to prevent them from using up too many server resources.
While my logging goes like this:
CustomLog logs/access.log combined env=!dont-log
So the formmail hits don't clutter up my logs.
Out of sight, out of mind and I just don't worry about them anymore.
(PS: This takes care of another bunch of IIS exploits, which simply don't apply to my Apache setup.)
SN
I don't know how intelligent the scanning software that is looking for formmail.pl is; but I can easily imagine a new, amateurish version simply looking for anything _OTHER_ than 404.
In the past when I had some time on my hands I sometimes identified the perpetrator's ISP and complained to abuse@... . No response except for once when they asked me to provide the e-mail headers. Idiots.
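Added example, not code from any poster in this thread: a small Python audit that replays an existing access log against the pattern from the RewriteRule above, to show which requests `env=!dont-log` would hide before the rule is enabled. It assumes the rule sits in server or virtual-host context (as its leading slash implies) and the standard "combined" log format; the log lines, addresses and helper names are constructed for illustration.

```python
import re
from collections import Counter

# Pattern copied from the RewriteRule above. Apache matches it against the
# URL path only (no query string) and, without [NC], case-sensitively.
PROBE = re.compile(
    r"^/(default\.ida|cgi-bin/(FormMail|formmail)\.(pl|cgi)|.*_vti_.*|cltreq\.asp)$"
)

# Apache "combined": host ident user [time] "request" status bytes ...
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2003:04:11:02 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 285 "-" "-"',
    '192.0.2.10 - - [12/Mar/2003:04:11:03 +0000] "POST /cgi-bin/FormMail.cgi?x=1 HTTP/1.0" 404 287 "-" "-"',
    '198.51.100.7 - - [12/Mar/2003:05:40:19 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 280 "-" "-"',
    '198.51.100.7 - - [12/Mar/2003:05:40:20 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 290 "-" "-"',
    '203.0.113.5 - - [12/Mar/2003:06:02:44 +0000] "GET /cgi-bin/formmail.PL HTTP/1.0" 404 285 "-" "-"',
    '203.0.113.5 - - [12/Mar/2003:06:02:50 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

def audit(lines):
    """Split requests into (suppressed, kept) as the rule plus env=!dont-log would."""
    suppressed, kept = [], []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["target"].split("?", 1)[0]  # drop the query string, as mod_rewrite does
        entry = (m["host"], path, int(m["status"]))
        (suppressed if PROBE.match(path) else kept).append(entry)
    return suppressed, kept

def hosts_by_hits(entries):
    """Count entries per client address."""
    return dict(Counter(host for host, _, _ in entries))

if __name__ == "__main__":
    suppressed, kept = audit(SAMPLE)
    print("would vanish from the log:", hosts_by_hits(suppressed))
    print("still logged:", [(h, p) for h, p, _ in kept])
```

The `formmail.PL` request stays in the log because the pattern is case-sensitive; every request in the suppressed list would also be answered with 200 and the empty file once the rule is live, instead of the 404 shown in the sample.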