email hack attack

gmdavis

About once every week or so, someone starts trying to find a mail resource on my site by typing in likely paths such as:

/cgi-bin/formmail.cgi
/cgi-bin/formmail.pl
/cgi-bin/FormMail.pl

I get 404 notifications for several similar URLs until they apparently find the right path. Next, I start getting mail returned to me that I did not send. (The "from" address is not mine but my server is set up to send any mail not at a real address to a certain account.) The headers are always screwed up, none of the "to" or "bcc" addresses are valid and the message body is unintelligible. Obviously, they are trying to hack my mail server and use it for some nefarious purpose.

I contacted my ISP and they said "Don't worry about it. It's impossible for them to send mail this way..." Well, if this were true, why is this attempted so often? Is this a well known hack and how can I guard against this?

Any insights?

goldbug

I'd be more worried about a Zack attack. He is after all, a Lego maniac.

😃 😃 😃

... I wonder if this dates me.

swr

FormMail from Matt's Script Archive has had a bad history of security problems. Make sure you have the latest version installed. Better yet, remove it completely, or (if you need the functionality) find an alternative.

I haven't looked very deeply at it, but NMS CGI appears to be an effort to recreate Matt's work in a more well-written manner:
http://nms-cgi.sourceforge.net/

drawmack

or just rename formmail.pl to 001fm002.pl then their searches won't find it

gmdavis

Well, I tried to get rid of formail, but I realized it is in a directory that I do not have in my site directory even though the URL says it is. (I guess the ISP has this above my directory and redirects all calls to it?)

I doubt the ISP will remove it for me (I will ask them) but I have tried some other things.

I tried creating a directory with the same name actually in my site. No effect.

I tried adding a file to my directory called "formmail.pl." No effect (Even other files I add to this directory are not accessible.

I tried adding a redirect to the .htaccess file in my top level directory. No effect.

BTW, I did find out this is FormMail-clone, a clone of Matt Wright's Original FormMail.cgi. However, I haven't been convinced that this is any less vulnerable to attack.

Any more ideas?

BuzzLY

Originally posted by goldbug
I'd be more worried about a Zack attack. He is after all, a Lego maniac.

😃 😃 😃

... I wonder if this dates me.

Yes, it does. And it's sad that I remember those commercials LOL