[geeks] Anti-Spammer Tool

Greg A. Woods woods at weird.com
Sat Apr 6 01:30:02 CST 2002


[ On Friday, April 5, 2002 at 19:05:04 (-0600), Jonathan C. Patschke wrote: ]
> Subject: [geeks] Anti-Spammer Tool
>
>      I looked in my Apache logs this week and found out that lots of
> little bastards are trying to exploit (the non-existent) formmail CGI on
> my system.  Rather than be content with the 404s they're getting, I wrote
> a CGI in Bourne shell that looks up their netblock administrator in WHOIS,
> looks up their domain administrator using DNS, and emails Postmaster and
> abuse at the resulting domains.  It also returns a customizably nasty
> error message, hopefully scaring the crap out of someone doing it
> manually, or inviting more abuse (and, thus, more reports) from an
> auto-spammer.

Please please PLEASE do not implement any such thing without putting in
VERY carefully tested controls to limit the number of e-mails it can
send to a given address over a given period of time.

As it is, it sounds like your script is a perfect D.o.S. tool, and if you
were to convince a significant number of people to implement it then it
would become a D.D.o.S. tool of increasingly drastic proportions as it
spread about.

Those of us on the receiving end of such e-mails will quickly firewall
any such incoming messages if we even suspect they'll run rampant.  I
cannot afford to have noise about such innocuous activities clogging my
mailboxes and taking my time away from real problems.

Most of us don't really have any ability to do anything about such
activities either.  Such scanning is not illegal and it's not even
damaging (unless the little beggars find an exploitable script, but of
course in that case half the blame lies with the lame-o webmaster who
left it exploitable).

>      Any comments, improvements, corrections, and suggestions will be
> gratefully accepted.  I can guarantee you that it's not the most efficient
> use of /bin/sh or sed or awk, but it gets the job done, and it's fairly
> easy-to-follow.

Please limit those e-mails to at most one per week (or even longer), and
keep them to as short a summary as humanly possible!

On the other hand it might be best if you simply destroy your script and
forget you ever wrote it.  Such a thing is pretty much useless for
achieving the desired result -- it'll more than likely cause the
opposite reaction to what you desire.

(Not that dozens of others haven't done very much the same already --
why else would I be complaining about this?  Such scripts have been a
very real problem for me and some of my clients!)

>      Has anyone else been getting a -lot- of random hits for
> /cgi-bin/formmail.pl?

Well of course!  What do you expect?  There have been NUMEROUS warnings
of late in many forums about how stupidly lame and poorly written the
commonly used formmail.pl CGI script is.  Spammers love such crap.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
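
The per-recipient limit asked for in the reply above, sketched in Bourne shell as an added example; it is not part of the thread or of either poster's script. `STATE_DIR`, `WINDOW_SECS`, `addr_key` and `may_send` are assumed names, and the reporting CGI is assumed to call `may_send` before each mail it would send.

```shell
#!/bin/sh
# Added example: throttle automated abuse reports to one per recipient per window.
# STATE_DIR and WINDOW_SECS are assumptions; use a persistent, private directory.
STATE_DIR="${STATE_DIR:-/var/tmp/abuse-report-throttle}"
WINDOW_SECS="${WINDOW_SECS:-604800}"    # one week, in seconds

# Turn an address into a safe file name: lowercase, and every character
# outside a small allow-list becomes "_" so it cannot escape STATE_DIR.
addr_key() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9@._-' '_'
}

# may_send ADDRESS [NOW]
# Returns 0 and records the send time if ADDRESS has not been mailed within
# WINDOW_SECS; returns 1 otherwise. NOW (epoch seconds) is for testing.
may_send() {
    now=${2:-$(date +%s)}
    key=$(addr_key "$1")
    case $key in ''|.*) return 1 ;; esac      # refuse empty or dot-leading keys
    mkdir -p "$STATE_DIR" || return 1
    stamp="$STATE_DIR/$key"
    lock="$stamp.lock"
    # mkdir is atomic, so concurrent hits cannot both pass the check.
    # A stale lock fails closed: that recipient gets no mail until it is cleared.
    mkdir "$lock" 2>/dev/null || return 1
    last=0
    [ -f "$stamp" ] && read -r last < "$stamp"
    case $last in ''|*[!0-9]*) last=0 ;; esac  # ignore a corrupt timestamp
    rc=1
    if [ $((now - last)) -ge "$WINDOW_SECS" ]; then
        printf '%s\n' "$now" > "$stamp" && rc=0
    fi
    rmdir "$lock"
    return $rc
}
```

Every failure path returns 1, so a full disk or an unwritable state directory suppresses mail rather than letting it through unthrottled.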
