[Gllug] A spam a day......
Xander D Harkness
xander at harkness.co.uk
Tue Jun 26 08:57:14 UTC 2001
I just thought that I would relate an interesting little time I had
yesterday.
I got hit by a spammer; I knew this as I started receiving bounced
messages stating that some of Hotmail's accounts were unavailable.
The spammer was sending messages to about 15-20 accounts at a time, from
nobody at localhost.
We had had a few problems in the past as the Sys Admin in Norway had
difficulty configuring the mail relay in Oslo and decided it would be
easier to leave it as an open relay. I agree it was easier up until
spammers found it :-)
I could not close off the source as I could not see one. It looked as if
the mails were being generated locally. I checked for users on the
machine (there are no other user accounts - or at least there should not
be).
To prevent the onward transmission of spam but to keep the mailserver up,
I set up a dummy DNS entry for Hotmail with no MX record.
In total I received about 300 mails (of 15-20 recipients each) before I
found the source. We have third party contractors and one of them had
set up a webserver on the mailserver to analyse the mail traffic (using
anteater); on that they had a formmail.pl which had its referrers
limited to localhost. The spammer, however, was running a query to
bypass the limitation:
tcache-ta01.proxy.aol.com - - [26/Jun/2001:03:04:32 +0100] "GET
/cgi-bin/formmail.pl?email=Ricky at inet.com&recipient=alndeb at hotmail.com,alndez at hotmail.com,alndj at hotmail.com,alndk at hotmail.com,alndoris at hotmail.com,alnduc at hotmail.com,alndy at hotmail.com,alnea at hotmail.com,alnead at hotmail.com,alneaimi1 at hotmail.com,alneaimi at hotmail.com,alneal at hotmail.com,alneale at hotmail.com,alnear at hotmail.com,alnebe at hotmail.com,alnebo at hotmail.com,alnebr at hotmail.com,alneda at hotmail.com,alnedaa at hotmail.com,alneedleman at hotmail.com,alnef at hotmail.com&subject=Hey%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20ay0mw&body=<br>++++++THIS+++SITE+++IS++GONNA++GET++CHA<br><br>%20%20%20%20%20%20%20%20CHECK+OUT+THE+SITE+BELOW<br><br>%20%20%20%20%20%20%20%20http://WWW.HALF-THAT-PRICE.NET<br><br>
HTTP/1.1" 404 347 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98;
DigExt)"
The spammer must have had a huge mailing list: This is the web traffic
24 hours later; they still had not got past the "A's". It is
interesting to note also that the Ricky at inet.com email address which
appears rotates so it is not possible to tie it down.
I have deleted formmail.pl; it is a shame I cannot deal with persons who
install webservers willy-nilly with similar ease.
I remember some months ago someone on the list advised me to stay away from
Matt's Script Archive - time to pass that information on :-)
Cheers
Xander
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
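The incident above comes down to two things a practitioner can check for mechanically: a form-mail CGI that lets the caller name the recipients, and a Referer restriction that the caller also controls. The following is an added example, not code from the original post or from FormMail itself. It parses Apache "combined" access-log lines, pulls the recipient list out of formmail.pl requests, and flags requests that fan out to several addresses or to any domain outside an allowlist; alongside it sits the Referer check the post describes, so the two controls can be compared on the same input. The log lines, hostnames, addresses and the `example.org` allowlist are constructed for the example (the first line is modelled on the entry quoted in the post, shortened). The detection is written in Python rather than the CGI's own Perl.

```python
"""Spot FormMail-style relay abuse in Apache 'combined' access logs.

Added example, not from the original post or from FormMail. It parses
combined-format lines, extracts the 'recipient' query field of requests to
formmail.pl, and flags fan-out or off-domain recipients. It also shows why
a recipient allowlist, not a Referer check, is the control that closes the
relay: the Referer header is whatever the client chooses to send.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hypothetical policy for this example: the form may only mail our own domain.
ALLOWED_RECIPIENT_DOMAINS = frozenset({"example.org"})
# The restriction the post describes: only a local Referer is accepted.
LOCAL_REFERER_HOSTS = ("localhost", "127.0.0.1")


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def formmail_recipients(target):
    """Recipients named in the query string of a formmail.pl request.

    FormMail takes a comma-separated list in 'recipient'; the entry quoted
    in the post names 21 hotmail.com addresses in a single GET.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/formmail.pl"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    raw = ",".join(params.get("recipient", []))
    return [r.strip() for r in raw.split(",") if r.strip()]


def referer_check_passes(referer):
    """Referer-based control: accept only a local Referer.

    Apache logs "-" when the header is absent. Present or absent, the value
    is set by the client, so a script can send any Referer it likes.
    """
    host = urlsplit(referer).hostname or ""
    return host in LOCAL_REFERER_HOSTS


def recipient_allowed(address):
    """Server-side control: the recipient's domain must be on the allowlist."""
    _, _, domain = address.rpartition("@")
    return bool(domain) and domain.lower() in ALLOWED_RECIPIENT_DOMAINS


def find_relay_abuse(lines, max_recipients=1):
    """Flag formmail.pl requests that fan out or address non-allowlisted domains."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        rcpts = formmail_recipients(rec["target"])
        if not rcpts:
            continue
        disallowed = [r for r in rcpts if not recipient_allowed(r)]
        if len(rcpts) > max_recipients or disallowed:
            findings.append({
                "host": rec["host"],
                "time": rec["time"],
                "status": int(rec["status"]),
                "recipients": len(rcpts),
                "disallowed": disallowed,
                # Recorded to show the Referer check does not track abuse.
                "referer_passed": referer_check_passes(rec["referer"]),
            })
    return findings


# Constructed sample log (not real traffic). Line 1 is modelled on the entry
# quoted in the post, shortened to three recipients; line 3 shows an attacker
# who simply sends a local-looking Referer; line 2 is a legitimate local use.
SAMPLE_LOG = [
    'tcache-ta01.proxy.aol.com - - [26/Jun/2001:03:04:32 +0100] "GET /cgi-bin/formmail.pl?email=Ricky@inet.com&recipient=alndeb@hotmail.com,alndez@hotmail.com,alndj@hotmail.com&subject=Hey&body=CHECK+OUT+THE+SITE+BELOW HTTP/1.1" 200 347 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    '10.0.0.5 - - [26/Jun/2001:09:12:01 +0100] "GET /cgi-bin/formmail.pl?recipient=webmaster@example.org&subject=Stats HTTP/1.0" 200 512 "http://localhost/anteater/index.html" "Mozilla/4.7 [en] (X11; Linux 2.2.19)"',
    '198.51.100.7 - - [26/Jun/2001:10:45:10 +0100] "GET /cgi-bin/formmail.pl?recipient=victim@example.net&subject=x HTTP/1.1" 200 347 "http://localhost/" "curl/7.8"',
    '10.0.0.5 - - [26/Jun/2001:09:12:05 +0100] "GET /anteater/index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.7 [en] (X11; Linux 2.2.19)"',
]

if __name__ == "__main__":
    for f in find_relay_abuse(SAMPLE_LOG):
        print(f)
```

Run against the sample, the AOL proxy entry is flagged for three off-domain recipients with no Referer at all, and the third line is flagged even though its forged `http://localhost/` Referer would satisfy the check the contractor relied on. The legitimate local submission to `webmaster@example.org` is not flagged, which is the behaviour the allowlist gives you and the Referer check never could.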