The Lurker

posted by ajf on 2003-04-19 at 05:07 am

My web site access logs frequently show entries like this:

GET /cgi-bin/formmail.pl?email=rockstar@mail.com& realname=rockstar@mail.com& recipient=ranchopride888@epimp.com& subject=www.lurking.org/cgi-bin/formmail.pl

This shows a spammer probing for a widely-used script that sends the contents of a submitted web page form to an email address. The script in question doesn't (and, because of the way it is normally used, generally can't) verify that the form sent to it comes from a legitimate user of the web site; thus it can be, and is, used by spammers to send out bulk email.

The "email" and "realname" fields supply the name and email address used by the mail script to indicate to the recipient who the email is coming from. The spammer doesn't care about this, so he uses a fake address. The "subject" field in this example corresponds to the URL it is probing. But, most importantly, the "recipient" is a real live email address used by the spammer.

You can see by searching Google for ranchopride888@epimp.com that this spammer's email address appears in the access logs of several unrelated web sites, and nowhere else. Every email sent to that address contains in its Subject line the address of an exploitable formmail script.

Well, every email except the ones that result from spammers' spiders finding the email address on a web site...
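As an added example (not part of the original post), this is one way to pull such probes out of an access log and group them by the "recipient" address, flagging requests whose "subject" names the script being probed. The log lines are constructed samples in Common Log Format, the first modelled on the entry above; the client addresses, status codes and the FormMail.cgi name variant are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (Common Log Format); IPs are documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Apr/2003:05:01:12 +1000] "GET /cgi-bin/formmail.pl?email=rockstar@mail.com&realname=rockstar@mail.com&recipient=ranchopride888@epimp.com&subject=www.lurking.org/cgi-bin/formmail.pl HTTP/1.0" 404 278
192.0.2.44 - - [19/Apr/2003:05:03:40 +1000] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [19/Apr/2003:05:04:02 +1000] "GET /cgi-bin/FormMail.cgi?recipient=probe%40example.net&subject=hello HTTP/1.0" 404 278
"""

# client IP, request target and status code from one log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+)[^"]*" (\d{3})')
# Script names to watch for; the .cgi variant is an assumption, not from the post.
SCRIPT_RE = re.compile(r'/formmail(\.pl|\.cgi)?$', re.IGNORECASE)


def find_formmail_probes(log_text):
    """Return {recipient: [(client_ip, status, subject_names_script), ...]}."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not SCRIPT_RE.search(url.path):
            continue
        params = parse_qs(url.query)  # also decodes %40 and similar escapes
        subject = params.get("subject", [""])[0]
        # The tell described in the post: the subject carries the URL being
        # probed, so any mail that arrives reports which host has the script.
        names_script = url.path.lower() in subject.lower()
        for recipient in params.get("recipient", []):
            probes[recipient].append((client, int(status), names_script))
    return dict(probes)


if __name__ == "__main__":
    for recipient, hits in find_formmail_probes(SAMPLE_LOG).items():
        print(recipient, hits)
```

A recipient that shows up with the subject flag set, from a site that has never hosted the script, is the pattern the post describes.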

All timestamps are Melbourne time.