Formmail Exploit

We were just slammed by a "formmail" spammer. While the exploit is well known by now, I would like to give everyone the details of our case with the hope that it may save someone else the trouble that we went through.

On October 24, 2002 at 07:07:08 EST, a person or persons acquired an account with our company and immediately began sending what appears to be thousands of unsolicited e-mails through our system. When we noticed a sharp rise in server activity we traced it back to the account and disabled it.

We immediately backed up the account directories and files as evidence. This is what we found.

The person/persons uploaded 200 copies of a hacked "Formmail" script, (10 folders containing 20 scripts each), into the cgi-bin folder. Each script was loaded with up to 1000 e-mail addresses. Each e-mail was an advertisement for Search Engine Optimization, and each contained a link to the same "IP" address where a response form soliciting personal information was found. The filename of this form is form_s.html.

We contacted the ISP whose "IP" block contained the "IP" number found in the hacked "Formmail" scripts. The fear of being sued kept them pretty tight-lipped. All we learned was that the "IP" number belonged to a dedicated server which was hosting virtual domains.

Judging by what I have discovered, this person/persons practice this using a hit-and-run tactic. It appears that any ISP is a potential target, with each execution usually involving multiple ISPs.

The one key may be in the form_s.html page which is used to gather personal data. In our case we noticed that the form may have been accessed from the root web directory of a dedicated server, and not from a virtual domain, as was suggested to us.

I would recommend that all of us, as web hosts, be extra careful when taking on new clients.

And if anyone locates a single page file called form_s.html, please save a copy of it before it gets deleted and e-mail it to me.

Thanks Everybody!
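The pattern described in the post (many near-identical mailer scripts dropped into a customer's cgi-bin, each carrying a long embedded recipient list) is something a hosting provider can look for on disk before the mail volume spikes. The following is an added example written for this page, not code from the original poster: it walks an account's cgi-bin tree, blanks out e-mail address literals so copies that differ only in their recipient list hash to the same "template", and flags groups with many copies or many addresses. The directory layout, file names, thresholds and the stand-in script body are all constructed for the demo; it does not contain or resemble real FormMail code.

```python
"""Flag mass-uploaded mailer scripts in a hosting account's cgi-bin tree.

Heuristic (an assumption, not a rule from the post): abuse of the kind
described leaves many near-identical CGI scripts, each with a long list of
e-mail addresses embedded. Hash each script with its address literals
blanked out so that copies differing only in recipients collapse into one
template group, then count the addresses per script and per group.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Simple address matcher; good enough for literals baked into a script.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SCRIPT_EXT = {".pl", ".cgi", ".php", ".py"}


def template_hash(data):
    """SHA-256 of the script with every e-mail literal replaced by <ADDR>."""
    return hashlib.sha256(EMAIL_RE.sub(b"<ADDR>", data)).hexdigest()


def scan_cgi_tree(root, min_copies=5, min_addresses=50):
    """Return template groups that look like a mass mailer drop.

    A group is reported when it has at least `min_copies` scripts or any
    single script carries at least `min_addresses` distinct addresses.
    Thresholds are assumptions chosen for the demo.
    """
    per_file = {}
    groups = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            addrs = set(EMAIL_RE.findall(data))
            digest = template_hash(data)
            per_file[path] = len(addrs)
            groups[digest].append(path)

    findings = []
    for digest, paths in groups.items():
        total = sum(per_file[p] for p in paths)
        if len(paths) >= min_copies or any(per_file[p] >= min_addresses for p in paths):
            findings.append({
                "template": digest[:12],
                "copies": len(paths),
                "addresses": total,
                "paths": sorted(paths),
            })
    findings.sort(key=lambda f: (-f["copies"], -f["addresses"]))
    return findings


def build_sample_account(root, folders=3, copies_per_folder=4, addrs_per_script=60):
    """Constructed fixture: folders of scripts plus one benign script.

    The script body is a stand-in written for this example and is not
    FormMail or any other real program.
    """
    body = (b"#!/usr/bin/perl\n"
            b"# constructed stand-in for a mailer CGI (demo only)\n"
            b"@recipients = (%s);\n"
            b"send_all(@recipients);\n")
    for fi in range(folders):
        folder = os.path.join(root, "cgi-bin", "set%d" % fi)
        os.makedirs(folder, exist_ok=True)
        for ci in range(copies_per_folder):
            addrs = b", ".join(
                b'"user%d-%d-%d@example.invalid"' % (fi, ci, k)
                for k in range(addrs_per_script))
            with open(os.path.join(folder, "mail%d.pl" % ci), "wb") as fh:
                fh.write(body % addrs)
    # A legitimate-looking script with a single owner address, for contrast.
    with open(os.path.join(root, "cgi-bin", "guestbook.pl"), "wb") as fh:
        fh.write(b"#!/usr/bin/perl\n$owner = 'owner@example.invalid';\n")


def demo():
    """Build the constructed account in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_account(root)
        return scan_cgi_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print("template %s: %d copies, %d addresses" % (
            finding["template"], finding["copies"], finding["addresses"]))
        for p in finding["paths"][:3]:
            print("   ", p)
```

Run against a real cgi-bin, the report lists each template group with its copy count and the total number of embedded addresses, so the twelve constructed scripts above surface as a single group with 720 addresses while the guestbook script stays quiet. On a shared host the same scan can be pointed at each customer's document root in turn, and a group with a high copy count is a reasonable trigger to suspend outbound mail for that account pending review.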
