[Gllug] A spam a day......

Xander D Harkness xander at harkness.co.uk
Tue Jun 26 08:57:14 UTC 2001

I just thought that I would relate an interesting little time I had 

I got hit by a spammer, I knew this as I started receiving bounced 
messages stating some of hotmail's accounts were unavaliable.  

The spammer was sending messages to about 15-20 accounts at a time, from 
nobody at localhost.

We had had a few problems in the past as the Sys Admin in Norway had 
difficulty configuring the mail relay in Oslo and decided it would be 
easier to leave it as an open relay.  I agree it was easier up until 
spammers found it :-)

I could not close of the source as I could not see one.  It looked as if 
the mails were being generated locally.  I checked for users on the 
machine (there are no other user accounts - or at least there should not 

To prevent the onward transmission of spam but to keep the mailserver up 
I set up a dummy dns entry for Hotmail with no mx record.  

In total I received about 300 mails (of 15-20 receipients) before I 
found the source.  We have third party contractors and one of them had 
set up a webserver on the mailserver to analyse the mail traffic (using 
anteater), on that they had a formmail.pl which had its referrers 
limited to localhost.  The spammer; however they was running a query to 
bypass the limitation:

tcache-ta01.proxy.aol.com - - [26/Jun/2001:03:04:32 +0100] "GET
/cgi-bin/formmail.pl?email=Ricky at inet.com&recipient=alndeb at hotmail.com,alndez at hotmail.com,alndj at hotmail.com,alndk at hotmail.com,alndoris at hotmail.com,alnduc at hotmail.com,alndy at hotmail.com,alnea at hotmail.com,alnead at hotmail.com,alneaimi1 at hotmail.com,alneaimi at hotmail.com,alneal at hotmail.com,alneale at hotmail.com,alnear at hotmail.com,alnebe at hotmail.com,alnebo at hotmail.com,alnebr at hotmail.com,alneda at hotmail.com,alnedaa at hotmail.com,alneedleman at hotmail.com,alnef at hotmail.com&subject=Hey%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20ay0mw&body=<br>++++++THIS+++SITE+++IS++GONNA++GET++CHA<br><br>%20%20%20%20%20%20%20%20CHECK+OUT+THE+SITE+BELOW<br><br>%20%20%20%20%20%20%20%20http://WWW.HALF-THAT-PRICE.NET<br><br> 
HTTP/1.1" 404 347 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; 

The spammer must have had a huge mailing list: This is the web traffic 
24 hours later; they still had not got past the "A's".  It is 
interesting to note also that the Ricky at inet.com email address which 
appears rotates so it is not possible to tie it down.

I have deleted formmail.pl, it is a shame I cannot deal with persons who 
install webservers willynilly,  with similar ease.

I remember some months ago someone on list advised me to stay away from 
Mats Script Archive - time to pass that information on :-)


Gllug mailing list  -  Gllug at linux.co.uk

More information about the GLLUG mailing list