Nice formmail.pl probes

[Jim Forster <jforster () rapidnet com>]

Nope - These systems are a mix of OSs, no formmail on any boxes in these classes.  They're just shooting the packet 
blindly when they find a HTTP response.  (I suppose though, sweep a few hundred thousand IPs, you're bound to find some 
fun sites to bounce from)
I never kicked the rule up until last night, so I wasn't aware these were flying around, manually directed, or a worm.
The goodies:
POST /cgi-bin/formmail.pl HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*..User-Agent: 
Microsoft URL Control - 6.00.8 Host:www.server.com..Content-Length:135..Cache-Control:no-cache...email=server () server 
com&recipient=idiot () aol com&subject=www.server.com/cgi-bin/formmail.pl&=www.server.com


---==On Thu, 28 Feb 2002 16:38:02 -0500 (EST), Todd wrote==---
> Actually, it may be that your formail.pl script is being used as a
> spam
> relay and the bounced messages that you are seeing are from AOL
> relating to invalid receipients...
>
> - Todd
>
> On Thu, 28 Feb 2002, Chris Green wrote:
>
> >  Jim Forster <jforster () rapidnet com> writes:
> >
> >  > Anyone else seeing a formmail.pl search script running around
> > your
> >  > websites?
> >
> >  It's right behind cmd.exe on things people try to access.  There
> > are
> >  tons of spam programs that will take advantage of it.
> >
> >  > I was hit with it from users of pacbell.net, kscable.com,
> >  > BFLO.splitrock.net, shreveport.la.da.uu.net, and tc.ph.cox.net
> > last
> >  > night, over 3 different class C's.  The subject was either "w00t
> >  > x.com" or "www.x.com" (x being the domain it hit) going out to
> > their
> >  > addresses.  (nice their script left me contact info anyway) ;)
> > I'm
> >  > guesing worm, as 90% of the 'send to' addresses were the same AOL
> >  > user - the other 10% were other AOL usernames.
> >
> >  Not a worm, its people excited they can MAKE FUNNY FAST.  ( I would
> >  have said money but I'm sick of getting bounces back to the
> >  list/myself on stupid mail filters )
> >
> >  Aol accounts are just disposable
> >  --
> >  Chris Green <cmg () uab edu>
> >  I've had a perfectly wonderful evening. But this wasn't it.
> >    -- Groucho Marx
> >
> >  _______________________________________________
> >  Snort-users mailing list
> >  Snort-users () lists sourceforge net
> >  Go to this URL to change user options or unsubscribe:
> >  https://lists.sourceforge.net/lists/listinfo/snort-users
> >  Snort-users list archive:
> >  http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


--------------------------------------------------------------------
Sleep: A completely inadequate substitute for caffeine.

Jim Forster, jforster () rapidnet com on 02/28/2002
Network Administrator
RapidNet, A Golden West Company



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users