From owner-freebsd-security Mon Sep 21 05:54:16 1998
Date: Tue, 22 Sep 1998 00:53:13 +1200 (NZST)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Brett Glass
cc: "Jan B. Koum", security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server
In-Reply-To: <199809210010.SAA12487@lariat.lariat.org>

On Sun, 20 Sep 1998, Brett Glass wrote:

> By the way, just got a few more. What's this "formmail.pl" they're
> testing for?

There's a FormMail.pl on Matt's Script Archive, which sends the contents
of a CGI form via email but can be subverted using a fudged HTTP request
so as to send to any address (referrer check). May not be this exact
script they're after, but probably something along those lines.

Probably you have someone looking to cover their tracks when sending mail.
Spam or other nastiness.

A CGI mail form should be configured with a list of mail addresses it may
send to, and for what it's worth it should create a mail header containing
the originating IP of the CGI request.

Andrew McNaughton
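
The configuration recommended at the end of the message above (a fixed list of permitted recipients, plus a header recording the requesting IP), as an added example that is not part of the original post and is not FormMail's code. It is written in Python rather than Perl; the addresses, the `build_form_mail` helper and the `X-Originating-IP` header name are assumptions chosen for illustration.

```python
import ipaddress
from email.message import EmailMessage

# Constructed sample values; a real site lists its own mailboxes here.
ALLOWED_RECIPIENTS = {"webmaster@example.org", "sales@example.org"}
SENDER = "www-form@example.org"


class RejectedForm(ValueError):
    """Raised when a submission must not be turned into mail."""


def build_form_mail(form, remote_addr):
    """Build the mail for one form submission, or raise RejectedForm.

    form: dict of decoded form fields; remote_addr: the CGI REMOTE_ADDR value.
    """
    recipient = form.get("recipient", "")
    subject = form.get("subject", "Web form submission")
    # A line break in a header-bound field would let the request add headers.
    for value in (recipient, subject):
        if "\r" in value or "\n" in value:
            raise RejectedForm("line break in header field")
    # Exact match against the configured list: the request can pick one of
    # the site's own mailboxes, never supply an address of its choosing.
    addr = recipient.strip().lower()
    if addr not in ALLOWED_RECIPIENTS:
        raise RejectedForm("recipient not in configured list")
    try:
        origin = str(ipaddress.ip_address(remote_addr))
    except ValueError:
        raise RejectedForm("REMOTE_ADDR is not an IP address")

    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = addr
    msg["Subject"] = subject
    # Record where the HTTP request came from, so abuse can be traced.
    msg["X-Originating-IP"] = origin
    fields = sorted((k, v) for k, v in form.items()
                    if k not in ("recipient", "subject"))
    msg.set_content("\n".join(f"{k}: {v}" for k, v in fields))
    return msg
```
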