Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Matt Wright FormMail Attacks

From: "Pence, Derek A." <Derek.Pence () Honeywell com>
Date: Mon, 14 Jan 2002 11:14:49 -0700
I've seen it be very successful. Without going into detail, there's a script out there that spammers seem to be passing
around that automatically formats and submits data to formmail.pl on remote boxes.  Sure enough... it works like a
charm.  If you are curious about the script they are using, just attach a sniffer to your inbound wire and enjoy.

Derek

-----Original Message-----
From: Turner, Keith [mailto:TurnerL () tea-emh1 army mil]
Sent: Monday, January 14, 2002 10:41 AM
To: 'Dmitri Smirnov'; 'incidents () securityfocus com'
Subject: RE: Matt Wright FormMail Attacks



I tried finding some information on these incidents this morning, after
noticing them in my logfiles.  Very little info is out there (at least,
reachable by search engines).  I found two messages, one in the
incidents.org archive and one in the securityfocus archive.  They didn't
provide much information though.
 My guess is one of the following: 1) Someone looking to send spam through
someone else's webserver. (Seems like that would be very inefficient).  2)
Someone looking for a new exploit, maybe testing the waters for a new worm.
3) Someone looking for a way to "forge" emails.  make it look like it came
from an email address of the affected domain.  The email header would go
right back to an address in the "forged" domain.

Any thoughts?  Maybe someone with the formmail.pl file can tell us what
happens if this incident is successful.

Keith



-----Original Message-----
From: Dmitri Smirnov [mailto:Dmitri.Smirnov () RoundHeaven com]
Sent: Sunday, January 13, 2002 12:57 PM
To: 'incidents () securityfocus com'
Subject: Matt Wright FormMail Attacks



Morning,
 
just found "Matt Wright FormMail Attacks" as number 5 in 'Top Five' on
aris.securityfocus.com. 
I've sent dozens of alerts to ISPs about formmail.pl incidents but still
having the probes from the same subnets (addresses) for few months already.
Looks like people are not serious about this probe. Is anybody know why
number of formmail.pl attacks is growing? May be it is a part of SPAM
toolkit or some very popular tool?

Dmitri Smirnov, SSCP

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: