Formmail

Strange request for Formmail in log

Kevin

6:59 pm on Sep 18, 2002 (gmt 0)

I use Formmail to process enquiries from our site. About 2 months ago I changed the name of the file and checked I had the latest version, as advised on this site.
Looking at yesterday's log I saw this:

GET /cgi-bin/formmail.pl?recipient=formmailchecked@aol.com&from=test@1.com&subject=www.**************.com//cgi-bin/formmail.pl HTTP/1.0

Can anyone enlighten me as to what the intent of this request is?

Thanks for your help

andreasfriedrich

7:43 pm on Sep 18, 2002 (gmt 0)

Someone was testing whether she could send email through your formmail script.

pendanticist

9:44 pm on Sep 18, 2002 (gmt 0)

I'd like to add a novice query to this thread.

I utilize no formmail in any way, yet these requests have recently been showing up in Apache's stats.

Reqs Mbytes

2670: 2.437: 16/Sep/02 02:27: /cgi-bin/FormMail.pl
1370: 1.344: 14/Sep/02 22:09: /cgi-bin/formmail.cgi

Any ideas as to:

How I can track down the culprit?
What I can do to prevent this in the future?
And, just exactly what is going on here?

Thanks for any/all input/advice.

Pendanticist

NameNick

9:59 pm on Sep 18, 2002 (gmt 0)

pendanticist,

And, just exactly what is going on here?

Someone who wants to use buggy formmail scripts for e-mail spamming checks whether such a buggy formmail version runs on your server. Older versions of Matt Wright's formmail script allow everyone to send e-mails through the script from other servers without using the website's form. This opens all doors for spammers.

The new versions prevent this by checking the referring domain. Additionally, the webmaster has to define the recipient(s) e-mail address(es) in the script.

Greetings NN

pendanticist

10:15 pm on Sep 18, 2002 (gmt 0)

Soooo, if I'm not using formmail or cgi-bins then I'm safe? Is that what you're saying?

Like, someone is just running around testing my site and I have nothing to worry about?

Just checked my newest stats and guess what?
Reqs Mbytes
1650: 1.534: 18/Sep/02 02:05: /cgi-bin/FormMail.pl

You'd think making these requests once or twice would be sufficient. But thousands? <Yikes!>

Is there anything I should be doing that I may not have considered doing?

Thanks again.

mivox

10:19 pm on Sep 18, 2002 (gmt 0)

Well, if you wanted to get fancy, you could probably add something to your .htaccess file that would either block or redirect any request containing the string "formmail", but it's not going to do you any harm to have people asking for access to a file that isn't there. (Unless you're getting so many requests it's slowing down your server response time for normal visitors, which seems unlikely.)

pendanticist

11:11 pm on Sep 18, 2002 (gmt 0)

Thanks all. Appreciate it :-)

andreasfriedrich

11:18 pm on Sep 18, 2002 (gmt 0)

You get all kinds of requests from people scanning for misconfigured services. Just three examples of requests that hit my apache server running on a linux box two days ago:

217.81.201.202 - - [17/Sep/2002:21:54:25 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"

217.81.201.202 - - [17/Sep/2002:21:54:32 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"

217.81.201.202 - - [17/Sep/2002:21:54:33 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
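The two kinds of probe described in this thread (NameNick's explanation of the FormMail open-relay check, and the cmd.exe traversal lines andreasfriedrich just posted) can be picked out of an access log mechanically, which also answers pendanticist's "how do I track down the culprit". The following is an added example and not code posted by anyone in the thread: a small Python scanner over constructed sample lines in Apache's combined log format (the addresses are RFC 5737 documentation ranges, not the IPs from the posts). It flags FormMail requests that carry a client-chosen recipient, and decodes the double-encoded (%255c) and overlong-UTF-8 (%c1%1c) traversal tricks so that cmd.exe is visible in the decoded path.

```python
"""Flag FormMail relay probes and cmd.exe traversal probes in Apache logs.

Added example for this thread, not code posted by any participant.
The sample log lines below are constructed; the addresses are RFC 5737
documentation ranges, not the IPs that appear in the posts.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format; the trailing referer/agent pair is optional so
# plain "common" format lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Matt Wright's script ships as FormMail.pl; probes try .pl and .cgi in
# varying case, exactly as the stats quoted in the thread show.
FORMMAIL_PATH = re.compile(r'^/cgi-bin/formmail\.(pl|cgi)$', re.I)
CMD_EXE = re.compile(r'cmd\.exe', re.I)
# %C0 and %C1 never start a valid UTF-8 sequence, so they only occur in the
# overlong encodings (%c0%af, %c1%1c, %c1%9c) aimed at the IIS decoder.
OVERLONG = re.compile(r'%c[01]%[0-9a-f]{2}', re.I)
DOUBLE_ENCODED = re.compile(r'%25[0-9a-f]{2}', re.I)


def classify(line):
    """Return a finding dict for a probe line, or None for ordinary traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    path = parts.path
    finding = {'ip': m.group('ip'), 'time': m.group('time'),
               'method': m.group('method'), 'path': path,
               'status': int(m.group('status'))}
    if FORMMAIL_PATH.match(path):
        qs = parse_qs(parts.query)
        finding['kind'] = 'formmail-probe'
        finding['recipient'] = qs.get('recipient', [None])[0]
        # A recipient chosen by the client, sent by GET with no referer, is
        # an open-relay check rather than a submission from the site's form.
        finding['relay_test'] = (finding['recipient'] is not None
                                 and m.group('method') == 'GET'
                                 and (m.group('referer') or '-') == '-')
        return finding
    # Decode twice so %255c becomes a backslash; normalise to forward slashes.
    decoded = unquote(unquote(path)).replace('\\', '/')
    if CMD_EXE.search(decoded) or OVERLONG.search(path) or '/../' in decoded:
        finding['kind'] = ('cmdexe-traversal' if CMD_EXE.search(decoded)
                           else 'path-traversal')
        finding['double_encoded'] = bool(DOUBLE_ENCODED.search(path))
        finding['overlong_utf8'] = bool(OVERLONG.search(path))
        finding['decoded_path'] = decoded
        return finding
    return None


def scan(log_text):
    """All probe findings in a block of log text, in file order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


def summarize(findings):
    """Per source IP, how many probes of each kind: the 'culprit' list."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for f in findings:
        per_ip[f['ip']][f['kind']] += 1
    return {ip: dict(kinds) for ip, kinds in per_ip.items()}


# Constructed sample: two FormMail probes, two cmd.exe probes, two normal hits.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Sep/2002:02:27:11 +0000] "GET /cgi-bin/formmail.pl?recipient=formmailchecked@aol.com&from=test@1.com&subject=www.example.com//cgi-bin/formmail.pl HTTP/1.0" 404 - "-" "-"
203.0.113.7 - - [17/Sep/2002:02:27:12 +0000] "GET /cgi-bin/FormMail.cgi?recipient=formmailchecked@aol.com&from=test@1.com&subject=www.example.com//cgi-bin/FormMail.cgi HTTP/1.0" 404 - "-" "-"
198.51.100.23 - - [17/Sep/2002:21:54:32 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
198.51.100.23 - - [17/Sep/2002:21:54:33 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
192.0.2.44 - - [17/Sep/2002:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.44 - - [17/Sep/2002:10:00:05 +0000] "POST /cgi-bin/contact.pl HTTP/1.1" 200 312 "http://www.example.com/contact.html" "Mozilla/4.0"
"""

if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for h in hits:
        # A 404 means nothing was there; a 200 on a probe means a script
        # answered and you should check whether it actually sent mail.
        print(h['ip'], h['status'], h['kind'],
              h.get('recipient') or h.get('decoded_path'))
    print(summarize(hits))
```

To run it against a real log, replace SAMPLE_LOG with the file contents (`scan(open('access_log').read())`); the status column is the thing to watch, since a probe that gets a 200 from a CGI script is the one that warrants checking the mail queue.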

pendanticist

4:23 pm on Sep 19, 2002 (gmt 0)

Thanks mivox.
I don't think it's hammering my server too much, but I'd just as soon block them all from trying. Kinda makes me feel better. <weak smile>

Regarding tweaking the .htaccess files.

Is this how it'd be added to my file, or does it need to be a wildcard somehow?

RewriteCond %{HTTP_USER_AGENT} ^formail [OR]

Thanks.

Pendanticist

satanclaus

4:35 pm on Sep 19, 2002 (gmt 0)

I see several hundred requests to that file daily. Probably not worth the trouble of having your server parse them out.

pendanticist

4:52 pm on Sep 19, 2002 (gmt 0)

Okeydokey.

Thanks again.

Pendanticist

andreasfriedrich

5:06 pm on Sep 19, 2002 (gmt 0)

pendanticist,

if you were trying to block those requests (and benchmark results [webmasterworld.com] suggest that it won't matter significantly either way) then you would have to consider the following:

The server variables you may use are listed in the documentation on RewriteCond [httpd.apache.org].

Since you want to do something depending on a certain REQUEST_URI, i.e. the resource requested in the HTTP request line ('/cgi-bin/FormMail.(pl|cgi)'), you'd have to use that variable.

You want to block any request that starts with '/cgi-bin/formmail', so anchor your pattern at the start with '^'.

RewriteCond %{REQUEST_URI} ^/cgi-bin/formmail

The '.' has special meaning in regular expressions. It matches anything. To use the literal value of any character with special meaning you have to escape it with the '\'.

RewriteCond %{REQUEST_URI} ^/cgi-bin/formmail\.

If you want to specify the extensions that should be blocked as well ('pl' or 'cgi'), you'd have to write 'pl|cgi'. Think of the '|' as an OR. Since you only want to alternate between those extensions you need to group that expression. Grouping is done by enclosing the expression within '(' ')'.

RewriteCond %{REQUEST_URI} ^/cgi-bin/formmail\.(pl|cgi)

Since you don't want the match to be case sensitive you need to add the 'NC' (No Case) flag.

RewriteCond %{REQUEST_URI} ^/cgi-bin/formmail\.(pl|cgi) [NC,OR]

Hope this helps even if you do not choose to block anything as your last post seems to suggest.

Andreas
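The post above builds the condition but never shows the RewriteRule it has to be paired with, and the trailing 'OR' flag only means something when another RewriteCond follows it. The following is an added example, not a snippet from the thread: a complete .htaccess that assembles the condition into a working block and adds a second condition for the cmd.exe probes from earlier in the thread, so the 'OR' chaining is visible. It assumes mod_rewrite is loaded and that the directory's AllowOverride permits these directives.

```apache
# Added example (not from the thread). Assumes mod_rewrite is loaded and
# AllowOverride FileInfo (or All) for this directory.
RewriteEngine On

# Condition 1: any request whose path starts with /cgi-bin/formmail.pl or
# /cgi-bin/formmail.cgi, in any letter case. The [OR] chains it to the
# next condition; without a following RewriteCond the flag does nothing.
RewriteCond %{REQUEST_URI} ^/cgi-bin/formmail\.(pl|cgi) [NC,OR]

# Condition 2: the IIS-style cmd.exe probes. Apache has already %-decoded
# REQUEST_URI once, so %255c has become %5c by the time this is tested,
# but the literal "cmd.exe" is present either way.
RewriteCond %{REQUEST_URI} cmd\.exe [NC]

# If either condition matched, answer 403 Forbidden instead of passing the
# request on to CGI (or to the 404 handler). '-' means "do not rewrite".
RewriteRule .* - [F]
```

Two caveats. For a site that has no formmail at all, this only changes a 404 into a 403 and saves nothing worth measuring, which is satanclaus's point. For a site that does run the script, a 403 on probes is not the fix: the fix is the current FormMail with its recipient list and referer check configured, as NameNick described, because a spammer who guesses the renamed file's path bypasses this rule entirely.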