advice: spammer using script?

  • yesca
    Junior Member
    • May 2004
    • 3

    #1

    advice: spammer using script?

    Hi all,

    I saw this (from yesterday) while looking at the "latest visitors" option in the cpanel stats.

    "Host: 70.32.89.38
    cgi-bin/mail.pl?recipient=Piscesali@aol.com&email=WaltersDELGADO@Hogan.com&subject=http://"MYSITE.org"
    Http Code: 200 Date: Jan 31 02:48:47 Http Version: HTTP/1.1 Size in Bytes: 908
    Referer: -
    Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

    There are 43 entries with different "&email=WaltersDELGADO@Hogan.com" addresses.

    When I go to the link, I'm presented with a variation of the following:

    "Thank You For Filling Out This Form
    Below is what you submitted to Piscesali@aol.com on Tuesday, February 1, 2005 at 18:51:34

    Holloway: <P ALIGN=CENTER><FONT COLOR="green" FACE="Verdana">They Are Deadly...</font> <font color=brown>hot... sweaty... and breathing heavy... its a damn good way to kill some time! <a href="http://he6l9o12u.tk">See what I mean Here</a>

    FormMail V1.92 © 1995 - 2002 Matt Wright
    A Free Product of Matt's Script Archive, Inc."



    Is this actually working for the jackass, or are these failed attempts?

    Thanks for any thoughts/advice.

    EDIT: fixed some spelling
  • sdjl
    Senior Member
    • Mar 2004
    • 502

    #2
    Have you tried creating a link similar to the one they use and replacing the addresses used with ones that you can check?

    David
    -----
    Do you fear the obsolescence of the metanarrative apparatus of legitimation?

    • Buddha
      Senior Member
      • Mar 2004
      • 825

      #3
      It's not the most secure script in the world. Up till version 1.91 it was wide open and 1.92 has just added a referrer check which can easily be fooled.

      Taking just a quick look ... the easiest way to secure the script would probably be to change line 393:

      Code:
          print MAIL "To: user@yourdomain.com\n";
      However, this won't stop the hackers from trying and you'll get all their junkmail. I would go find a new script.
      "Whatcha mean I shouldn't be rude to my clients?! If you want polite then there will be a substantial fee increase." - Buddha

      • DesignURL
        Junior Member
        • May 2004
        • 19

        #4
        Not familiar with the script, but I think a lot of people scan for mail.pl in the cgi-bin directory. Maybe try renaming your script to something obscure, like: br549RL7.pl

        • yesca
          Junior Member
          • May 2004
          • 3

          #5
          sdjl,
          doh! good idea.

          Buddha,
          yeah, saw that and changed it. I'm gonna look for a better script now.

          DesignURL,
          Will do until I replace it.

          Thanks all.

          FYI, I went through the lengthy "adelphia report abuse" deal...I doubt it'll help, but was worth a try. That little bastard just kept on hitting it, even though it wasn't working for him. I blocked his ip, so we'll see.
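
The check the thread does by hand on the "latest visitors" list, as an added example that is not part of the original posts: it scans access-log lines for requests to the form script whose `recipient` parameter names an address outside the site's own domain, and counts them per client host. The script path is the one from the first post; the allowed domain `example.org`, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumptions: the form script's path and the only domain it should ever mail to.
FORM_PATH = "/cgi-bin/mail.pl"
ALLOWED_DOMAINS = {"example.org"}

# Apache common/combined log prefix: host, ident, user, [time], "METHOD target PROTO"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

# Constructed sample lines (documentation addresses and domains, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jan/2005:02:48:47 -0500] "GET /cgi-bin/mail.pl?recipient=victim1@mail.example.net&email=a@example.com&subject=hi HTTP/1.1" 200 908 "-" "Mozilla/4.0"
192.0.2.10 - - [31/Jan/2005:02:48:49 -0500] "GET /cgi-bin/mail.pl?recipient=victim2%40mail.example.net&email=b@example.com HTTP/1.1" 200 911 "-" "Mozilla/4.0"
198.51.100.7 - - [31/Jan/2005:09:12:03 -0500] "GET /cgi-bin/mail.pl?recipient=webmaster@example.org&email=visitor@example.com HTTP/1.1" 200 850 "http://www.example.org/contact.html" "Mozilla/5.0"
198.51.100.7 - - [31/Jan/2005:09:12:40 -0500] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Jan/2005:02:49:02 -0500] "GET /cgi-bin/mail.pl?recipient=webmaster@example.org,victim3@mail.example.net HTTP/1.1" 200 900 "-" "Mozilla/4.0"
"""

def outside_recipients(target):
    """Return recipient addresses in a request target that fall outside ALLOWED_DOMAINS."""
    parts = urlsplit(target)
    if parts.path != FORM_PATH:
        return []
    bad = []
    # parse_qs percent-decodes values, so recipient=a%40b is seen as a@b.
    for value in parse_qs(parts.query).get("recipient", []):
        # Treat the value as a possible comma-separated list and check each address.
        for addr in (a.strip() for a in value.split(",")):
            if addr and addr.rpartition("@")[2].lower() not in ALLOWED_DOMAINS:
                bad.append(addr)
    return bad

def relay_attempts(log_text):
    """Count, per client host, requests that named at least one outside recipient."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and outside_recipients(m.group(2)):
            hits[m.group(1)] += 1
    return hits

if __name__ == "__main__":
    for host, count in relay_attempts(SAMPLE_LOG).most_common():
        print(f"{host}: {count} request(s) with an outside recipient")
```

A 200 in the access log only shows that the script returned a page; whether any mail actually left the server has to be confirmed in the mail log.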
