Some wise thoughts mentioned in passing in this thread brought back a painful memory.

About 17 months ago. I got called in from vacation because the mail spool was filling up with bounced spam. In about an hour our 200MHZ box had gotten about 600 bounces of mis addressed spams.

Looking at the headers, it wasn't hard to narrow the problem down to a very early version of NMS FormMail.pl that I had installed. I guess my life is pretty good that this rates as one of its suckier moments.

I pulled the script. Then I upgraded to a later more secure version of NMS (checking the release notes!), I renamed the new script to SomethingElse.pl and pasted the following into FormMail.pl


#!/usr/local/bin/perl -w
# dummy script to honeypot Spammers

use strict;
use CGI;
my $foo=new CGI;
print $foo->header();
print "\n";
my $file="../upload/crack/fake/$$"."_".time().".txt";
Dump_CGI_Info($file);
sleep(5);
# takes current form and environment values
# and dumps htem to a file

sub Dump_CGI_Info {
    $file = shift;

    if ( !open( FH, '>>', $file ) ) { print "couldn't open $file\n"; r
+eturn; }

    my $cgi = new CGI;
    my $key;

    foreach $key ( sort keys %ENV ) {
        my $spaces = ' ' x ( 30 - length($key) );
        print FH "$key $spaces $ENV{$key}\n";
    }
    print FH "\n\n";
    no strict;
    $cgi->save(FH);
    use strict;
}

[download]

I get probed every couple weeks. I guess it isn't hard to google for "formmail.pl" and (sadly) I can imagine system administrators with even less clue than me and my crew. Some folks might not notice much more than a sudden and permanent increase in disc activity...

update: fixed typos



email: mandog

Replies are listed 'Best First'.
Re: FormMail.pl trauma memories
by hossman (Prior) on Sep 08, 2003 at 07:13 UTC

    Well, I'm not sure how much usefull information you're going to get out of the files you save ... I generally presume most of these folks are using throw away IPs from dialup ISPs. The sleep(5) looks like the best part of this whole thing to me since a spammer is less likely to use a site that seems to take 5 seconds to "send" a msg.

    But why stop at 5 seconds? and why only waste their time, when you can waste their RAM? (and if they are acctually loging your CGI output for any reason: their disk as well) 

    ...
while (1) {
   sleep rand(5);
   my $r = rand(100);
   for (my $i = 0; $i < $r; $i++) {
      print "die you filthy low life scum bag, die!!!";
   }
}

    [download]
[reply]
[d/l]
[select]

      I'm reluctant to fire back too hard for fear of collateral damage. The original attack came from a technical school in Eastern Europe. The attacks stopped after I contacted abuse@... It wouldn't make my day if somebody nuked servers at my day job because one fo the kiddies had been cracked.

      I just did a whois <REMOTE_ADDR> for the 4 attacks in the past 9 days. I didn't get many clear targets. One IP# is pretty clearly a web hotel..

      I haven't been as good as I should be about following up w/ abuse complaints...



      email: mandog
[reply]
Re: FormMail.pl trauma memories
by submersible_toaster (Chaplain) on Sep 08, 2003 at 07:40 UTC

    sleep 5 is IMHO the shallow end of hackback approaches. As suggested by hossman returning a clear message to your spammer is an option, largely to disorient or bloat a bot at the other end. One of many discussions on slashdot include things like sieving through identified spam , following the 'unsubscribe' links but mangling them to remove the http://spamdomain.here.com/snoopy?victimid=spamvictim@there.com to POST large annoying messages to thwart the good-hit counting.

    When all is said and done, doing anything to defend yourself against spam is joining an arms race. Be careful.


    I can't believe it's not psellchecked
[reply]
[d/l]

Back to Meditations