hello list,

someone is using our server to send spam. the log:

Aug 5 18:33:33 tms sendmail[618]: g75GXVd00616: to=bennyb911@aol.com,bennybad@aol.com, ctladdr=wwwrun (30/65534), delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=151214, relay=mailin-04.mx.aol.com. [64.12.137.152], dsn=2.0.0, stat=Sent (OK)

the received entry in the returned mail:

Received: (from wwwrun@localhost) by tms.screendesign-net.de (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) id g75EvBW32281;

any ideas what to do??

thanx, rutger

contact: r.frechen, multimedia design & programming
alfred-nobel-platz 1, 76829 landau, germany
tel.: 06341/9821252
email: r.frechen@gmx.de
"We go where WE want." bye bill

rutger wrote:
> Received: (from wwwrun@localhost) by tms.screendesign-net.de (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) id g75EvBW32281;
> any ideas what to do??

remove frommail.pl from your Server and think next time what form-data you trust, and what not to put in hidden form-elements?

Just my guess...

Peter

hello peter,
do you mean formmail.pl??
and do you think then someone is using a
form on one of our server's webpages??
but how could that possibly be relayed??
thanx, rutger

On Tuesday 06 August 2002 12:14, rutger wrote:
> hello peter, do you mean formmail.pl?? and do you think then someone is using a form on one of our server's webpages?? but how could that possibly be relayed??

Do you have a web page that sends mail to someone at your company, say a "contact us" page, for instance? And does that page store the "to" address in the html, in a hidden variable? If that's the case, all a person has to do is use "...&mailto=foo@bar.com&..." to send the mail to foo@bar.com through your server.

Compare the mail log with the web server's access log. That might show you which page on your server has been used

regards
Anders

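
Added example (not part of the original thread): a Python sketch of the log comparison suggested above, matching sendmail deliveries with ctladdr=wwwrun against web requests made at the moment the mail was submitted. The sample logs are constructed, and the function names, the Apache common log format, the year 2002 and both logs sharing one local timezone are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample logs (documentation addresses; not the thread's server data).
MAILLOG = """\
Aug  5 18:33:33 tms sendmail[618]: g75GXVd00616: to=a@example.net,b@example.net, ctladdr=wwwrun (30/65534), delay=00:00:02, xdelay=00:00:01, mailer=esmtp, relay=mx.example.net. [192.0.2.10], dsn=2.0.0, stat=Sent (OK)
Aug  5 18:40:02 tms sendmail[702]: g75Ge1d00701: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
"""
ACCESSLOG = """\
203.0.113.7 - - [05/Aug/2002:18:33:31 +0200] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
198.51.100.4 - - [05/Aug/2002:18:33:50 +0200] "GET /cgi-bin/contact.pl?id=1 HTTP/1.0" 200 900
"""

MAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"to=(?P<to>.*?), ctladdr=(?P<user>\S+) .*?, delay=(?P<delay>\d+:\d\d:\d\d)")
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]*\] "\S+ (?P<url>\S+)')

def web_mail_submissions(maillog, user="wwwrun", year=2002):
    """Return (queue id, submit time, recipients) for mail queued by the web user.
    Syslog stamps the delivery, so submit time = timestamp minus delay=."""
    found = []
    for line in maillog.splitlines():
        m = MAIL_RE.match(line)
        if not m or m["user"] != user:
            continue
        delivered = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        h, mi, s = map(int, m["delay"].split(":"))
        submitted = delivered - timedelta(hours=h, minutes=mi, seconds=s)
        found.append((m["qid"], submitted, m["to"].split(",")))
    return found

def suspect_requests(maillog, accesslog, window=5):
    """Count recipients per (script path, client IP) requested near a submission."""
    requests = []
    for line in accesslog.splitlines():
        m = WEB_RE.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
            requests.append((when, m["url"].split("?")[0], m["ip"]))
    hits = Counter()
    for _qid, submitted, rcpts in web_mail_submissions(maillog):
        for when, path, ip in requests:
            if abs((when - submitted).total_seconds()) <= window:
                hits[(path, ip)] += len(rcpts)
    return hits

if __name__ == "__main__":
    print(suspect_requests(MAILLOG, ACCESSLOG).most_common())
```

On a real server the top entries of the counter point at the script to remove or replace; a busy site will also show unrelated pages requested in the same seconds, so rank by count rather than trusting a single match.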
hello list,
yes, it seems, that this is the case.
i didn't get it in the first place, cause i never
heard of that possibility. i thought it was a problem
with the mailservers config.
thanx to jan l. for the hint, i will check that out.
have a nice day, rutger

There is (already a long time) a new version of formmail.pl, this is a known bug,
check http://www.worldwidemart.com/scripts/

----- Original Message -----
From: "rutger"

hello peter, do you mean formmail.pl?? and do you think then someone is using a form on one of our server's webpages?? but how could that possibly be relayed??

thanx, rutger

----------
From: Peter Wiersig
Date: Tue, 6 Aug 2002 11:43:28 +0200
To: suse-security@suse.com
Subject: Re: [suse-security] sendmail spam

rutger wrote:
> Received: (from wwwrun@localhost) by tms.screendesign-net.de (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) id g75EvBW32281;
> any ideas what to do??

remove frommail.pl from your Server and think next time what form-data you trust, and what not to put in hidden form-elements?

Just my guess...

Peter

On Tue, 6 Aug 2002 12:11:35 +0200, Jan Lybeert wrote:
> There is (already a long time) a new version of formmail.pl, this is a known bug, check http://www.worldwidemart.com/scripts/

much better yet .... http://nms-cgi.sourceforge.net/

also information at http://www.monkeys.com/anti-spam/filtering/formmail.html

Cheers/2,
--
Maynard

rutger wrote:
> hello peter, do you mean formmail.pl??

Yes.

> and do you think then someone is using a form on one of our server's webpages??

yes.

> but how could that possibly be relayed??

"Received (from user@host)" means a locally generated message. And "relay=host" gives a hint to which host your mailservice delivered that message. Locally generated messages are normally not checked for relaying policy rules set by your mailservice config files.

Peter
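
Added example (not part of the original thread, and not code from formmail.pl or its replacements): the hidden-field recipient pattern discussed in the thread next to a hardened form handler, written in Python. The RECIPIENTS table, the field names dept, subject and body, and the function names are hypothetical; the line-break check on the subject goes slightly beyond the thread and applies the same "what form-data you trust" rule to header text.

```python
from email.message import EmailMessage
from urllib.parse import parse_qs

# Hypothetical server-side table: the form carries only a key, never an address.
RECIPIENTS = {"sales": "sales@example.com", "support": "support@example.com"}

def _fields(query):
    """First value of each submitted field."""
    return {k: v[0] for k, v in parse_qs(query).items()}

def build_message_unsafe(query):
    """The pattern from the thread: the recipient is whatever the request says."""
    f = _fields(query)
    msg = EmailMessage()
    msg["To"] = f["mailto"]  # hidden field in the HTML, fully client-controlled
    msg["Subject"] = f.get("subject", "contact form")
    msg.set_content(f.get("body", ""))
    return msg

def build_message(query):
    """Hardened: recipient chosen on the server; submitted header text is checked."""
    f = _fields(query)
    rcpt = RECIPIENTS.get(f.get("dept", ""))
    if rcpt is None:
        raise ValueError("unknown department")
    subject = f.get("subject", "contact form")
    if "\r" in subject or "\n" in subject:
        raise ValueError("line break in header field")
    msg = EmailMessage()
    msg["To"] = rcpt  # any submitted mailto= is ignored
    msg["Subject"] = subject
    msg.set_content(f.get("body", ""))
    return msg

if __name__ == "__main__":
    q = "dept=sales&mailto=foo%40bar.com&body=hello"  # constructed request
    print(build_message(q)["To"])
```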