+++ Alan J. Flavell [exim-users] <19/01/02 17:12 +0000>:
> Btw - has there been some new piece of spamware recently deployed?
> We're getting a tremendous outbreak of spam with envelope senders like
> nobody@www.somewhere.dom, or apache@ or www@ ditto, as if spammers
> have been harvesting open web-to-mail relays and are now misusing them
> with a vengeance. Is there an RBL site somewhere that's blacklisting
> this kind of loophole?
This is the good old formmail.pl or some such script. Exploit was posted on
bugtraq a while back (after spammers started using it). Now, looks like
someone's written (trivial) bots to scan an IP block for open formmail and
then exploit it.

Someone needs to write a few teergrubes for this ... create a bogus
formmail.pl that takes and holds HTTP/GET requests for long periods of time.

-srs
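
A sketch of the teergrube idea from the reply above, added here as an example and not part of the original post or of any existing tool: a small asyncio listener that answers requests for `formmail.pl` with a status line and then drips one header byte at a time so the scanning client stays connected. The function names, the port, the 10-second drip interval and the 600-second hold time are assumptions chosen for illustration.

```python
import asyncio

BAIT_NAMES = {"formmail.pl"}   # script name from the post; extend as needed
DRIP_INTERVAL = 10             # seconds between bytes (assumed value)
HOLD_SECONDS = 600             # total time to hold one client (assumed value)

def is_bait(request_line: str) -> bool:
    """True if the HTTP request line asks for a bait script (GET or POST)."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() not in ("GET", "POST"):
        return False
    path = parts[1].split("?", 1)[0]          # drop the query string
    return path.rsplit("/", 1)[-1].lower() in BAIT_NAMES

async def hold(writer, interval=DRIP_INTERVAL, total=HOLD_SECONDS,
               sleep=asyncio.sleep):
    """Send a status line, then one header byte per interval. Returns seconds held."""
    writer.write(b"HTTP/1.0 200 OK\r\nX-Pad: ")
    held = 0
    try:
        while held < total:
            await writer.drain()
            await sleep(interval)
            held += interval
            writer.write(b"x")   # headers never finish, so the client keeps waiting
    except (ConnectionError, OSError):
        pass                     # client gave up first
    return held

async def handle(reader, writer):
    """Tarpit bait requests; answer everything else with a plain 404."""
    try:
        line = await asyncio.wait_for(reader.readline(), timeout=30)
        if is_bait(line.decode("latin-1")):
            await hold(writer)
        else:
            writer.write(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n")
            await writer.drain()
    except (asyncio.TimeoutError, ConnectionError, OSError):
        pass
    finally:
        writer.close()

async def main(host="127.0.0.1", port=8080):   # assumed listen address
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Each held connection costs the listener one socket and a few bytes of state, so a single event loop can hold many clients, but the process file-descriptor limit still bounds how many.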