Starting around 6am today, we saw a huge wave of Spam being sent through vulnerable customer scripts - nearly a dozen different incidents on different servers so far, all coordinated timewise and all originating from multiple IPs. Presumably someone spent the last week or two scanning for vulnerable scripts, then waited until 6am on a weekend to exploit the scripts.
These are the usual scripts customers like to use - older formmail, referral.cgi, nether-mail.pl. Some of them aren't as badly written as formmail, but they all seem vulnerable to embedded newlines in the user-supplied data.
Everyone might want to keep an eye out for this happening; it doesn't seem to be specific to us or our customers.
