World of Badger
Just what the world needs, another blog by a web designer

Venting spleen at the script kiddies

Memo to script kiddie spamming wankers:

I don’t use formmail!

I’m getting really pissed off with script kiddies poking around looking for a copy of formmail here at outofthetrees. For those that don’t know, FormMail is a Perl CGI script, written by a pillock of a chap called Matt Wright, that takes the information entered into a form on a web page and emails it to a specified recipient. It has been around for ages and is one of the most widely deployed CGI scripts on the web. Unfortunately, not only is it badly written, it is also very, very insecure. The main problem is that the recipient’s email address is supplied as a field in the form (a hidden `recipient` input) rather than being hard-coded into the script, and older versions never check that address against a list of permitted recipients. Anyone who can send a POST request to the script can therefore set the recipient to whatever they like, which turns it into an ‘open relay’: the messages go out from the web server, addressed to whoever the spammer chooses, and it is the site’s server that they appear to come from, not the spammer. Consequently, script kiddies and spammers constantly search the web looking for insecure formmail scripts to abuse.
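
To make the ‘open relay’ concrete, here is an added example in Python (not FormMail’s own Perl, and not code from this site) showing the flawed pattern next to a hardened version. The field names `recipient`, `email` and `message`, the allow-list `ALLOWED_RECIPIENTS` and the two sample POST bodies are all assumptions made for the illustration; mail is ‘sent’ by recording the envelope rather than talking to an MTA.

```python
from urllib.parse import parse_qs

# Assumed site configuration for this example: the only addresses the form
# is ever allowed to deliver to. Nothing the client sends can extend this.
ALLOWED_RECIPIENTS = frozenset({"webmaster@example.com"})

# Stand-in for the MTA: each "sent" message is appended here as an envelope
# so the behaviour can be inspected without sending real mail.
OUTBOX = []


def parse_form(body):
    """Decode an application/x-www-form-urlencoded POST body.

    Returns the first value for each field, which is all a mail form needs.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def deliver(to, reply_to, message):
    """Record an outbound message. A real handler would pipe this to sendmail."""
    envelope = {"to": to, "reply_to": reply_to, "message": message}
    OUTBOX.append(envelope)
    return envelope


def insecure_formmail(body):
    """The flawed pattern: the destination comes straight from a form field.

    The spammer controls the POST body, so they also control "recipient",
    and the server will happily mail anyone they name.
    """
    form = parse_form(body)
    return deliver(form.get("recipient", ""),
                   form.get("email", ""),
                   form.get("message", ""))


def secure_formmail(body):
    """The fix: only deliver to addresses the site owner listed in advance.

    Returns the envelope on success, or None when the requested recipient is
    not on the allow-list (log the attempt; never mail it).
    """
    form = parse_form(body)
    to = form.get("recipient", "")
    if to not in ALLOWED_RECIPIENTS:
        return None
    return deliver(to, form.get("email", ""), form.get("message", ""))


# Constructed POST body a spammer might send: the hidden "recipient" field
# that the site's HTML form set to webmaster@example.com has been replaced
# with the spam target's address.
SPAM_POST = ("recipient=victim%40example.net"
             "&email=nobody%40example.org"
             "&subject=Hello"
             "&message=Buy+my+stuff")

# Constructed body from a legitimate submission of the site's own form.
LEGIT_POST = ("recipient=webmaster%40example.com"
              "&email=reader%40example.org"
              "&message=Nice+site")


if __name__ == "__main__":
    print("insecure:", insecure_formmail(SPAM_POST))    # relays to victim@example.net
    print("secure, spam:", secure_formmail(SPAM_POST))  # None: refused
    print("secure, legit:", secure_formmail(LEGIT_POST))
```

The allow-list is the whole point: hiding the recipient in the HTML form tells the browser nothing a spammer can’t rewrite, so the script itself has to refuse anything not on a list it owns. That is also the approach the nms replacement takes with its list of permitted recipients.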

Naturally I wouldn’t have formmail anywhere near this server, but that doesn’t stop people looking. And whenever anyone looks for it here, I get notified so I can complain to their ISP and block their IP address. Unfortunately, these probes are getting more and more frequent — in the last 48 hours alone there have been ten requests for formmail. This weekend’s IP address hall of shame (with the ISPs the wankers are using) is as follows:

208.234.34.202
Centennial DE Puerto Rico, www.centennialrd.com
200.246.46.189
Horizon Cablevision in Brazil, www.embratel.net.br
216.140.50.10
Broadwing Communications, Inc. in the US, www.broadwing.com
194.183.128.241
Teleport Consulting And System Management in Austria, www.tele.net
203.232.208.12
Korea Telecom, www.kornet.net
216.138.115.134
Airband Communications, Inc in the US, www.airband.com
204.191.14.2
Hexco in Canada, www.telus.com
202.234.220.205
The Fuji Fire & Marine Insurance in Japan
210.134.65.237
Space Communication Corporation in Japan
195.192.22.142
Educational institution connected to SEKTORNET, the network for the Ministry of Education in Denmark

Also had some pathetic script kiddie using a computer at the University of York looking for a couple of crappy Microsoft vulnerabilities: /_vti_bin/owssvr.dll and /MSOffice/cltreq.asp. I emailed the admin at york.ac.uk at about 5.00pm on Friday, and to their credit, a few minutes later I got a reply (from a human!) thanking me and promising to look into it. Quite refreshing.
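
The kind of check that produces those notifications, as an added example in Python (not the script this site actually uses): it scans Apache combined-format access log lines for the paths mentioned in this post and tallies hits per source IP, ready to paste into an abuse complaint. The log lines are constructed for the example using documentation IP ranges, and the signature list is an assumption covering only the probes named above.

```python
import re
from collections import defaultdict

# Apache combined log format: ip ident user [time] "method path proto" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Assumed probe signatures, matched case-insensitively against the request
# path with any query string stripped. Only the paths named in the post.
PROBE_SIGNATURES = {
    "formmail": re.compile(r"/formmail(\.pl|\.cgi)?$", re.I),
    "owssvr": re.compile(r"/_vti_bin/owssvr\.dll$", re.I),
    "cltreq": re.compile(r"/msoffice/cltreq\.asp$", re.I),
}

# Constructed sample log (documentation IP ranges, not real visitors).
# The last line is a legitimate page whose name merely contains "formmail".
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2003:14:02:11 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 209 "-" "-"
203.0.113.10 - - [10/Mar/2003:14:02:12 +0000] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 209 "-" "-"
203.0.113.10 - - [10/Mar/2003:14:02:13 +0000] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [10/Mar/2003:15:40:01 +0000] "GET /_vti_bin/owssvr.dll?x=1 HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2003:15:40:02 +0000] "GET /MSOffice/cltreq.asp HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.33 - - [10/Mar/2003:16:05:44 +0000] "GET /archives/2003/03/ HTTP/1.1" 200 8123 "http://example.com/" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2003:16:05:45 +0000] "GET /formmail-rant.html HTTP/1.1" 200 4096 "http://example.com/archives/2003/03/" "Mozilla/5.0"
"""


def classify_path(path):
    """Return the signature name a request path matches, or None."""
    bare = path.split("?", 1)[0]
    for name, pattern in PROBE_SIGNATURES.items():
        if pattern.search(bare):
            return name
    return None


def find_probes(log_text):
    """Tally probe hits per source IP: {ip: {signature: count}}.

    Lines that don't parse or don't match a signature are ignored, so
    ordinary traffic never appears in the result.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _when, _method, path, _status = m.groups()
        sig = classify_path(path)
        if sig:
            hits[ip][sig] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


def abuse_report(hits):
    """One line per offending IP, suitable for an abuse@ complaint."""
    lines = []
    for ip in sorted(hits):
        detail = ", ".join(f"{n}x {sig}" for sig, n in sorted(hits[ip].items()))
        lines.append(f"{ip}: {detail}")
    return lines


if __name__ == "__main__":
    for line in abuse_report(find_probes(SAMPLE_LOG)):
        print(line)
```

Matching on the path rather than a substring of the whole line is what keeps the rant page itself out of the report; the 404s in the sample are exactly what a probe for a script that isn’t installed looks like, and they are what you want to feed the blocklist.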

Incidentally, anyone looking for a secure form-to-email Perl script should check out the nms scripts.
