Anyone else getting these emails?

web12

Well-Known Member
Nov 20, 2002
I am periodically getting these emails on 2 servers to different accounts... anyone else been getting these? It just doesn't make sense... Is someone probing the servers for weaknesses again?

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Wed, 04 Jun 2003 13:28:33 -0400
Received: from name by server.name.net with local (Exim 3.36 #1)
id 19Nc3t-0006hT-00
for [email protected]; Wed, 04 Jun 2003 13:28:33 -0400
To: [email protected]
From: [email protected]
Subject: 5BJsbb EN4UxL6gg9Ts*31770*46026175*5BJsbb EN4UxL6gg9Tsbcc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]: The Bat! (v1.45) PersonalContent-Type: multipart/mixed; boundary=5hCX1x6e9EfOdnRfQTXZW65G3RLeJ--5hCX1x6e9EfOdnRfQTXZW65G3RLeJContent-Type: text/htmlContent-Transfer-Encoding: quoted-printableuRYXD87ccXK5GpVdIC g9D P AzLJzOSPCqQzlXW6 s7 yAgK9VT8gT U TE gf YJLZr=UMr5azdUIcKc7hWXf6 uz oZO4Lyoaulc m4 dX0qTBSxeGibqjXxv1aVKXmLh c HDiXV=gq kFW flo Qa Qn Du p kreX WHstxAhAcca3XR29 CBqoVkF5 a s OrUZA gZp=ze9Gj dXX6 fEovLXu T UPZnkql FIAu9qiMmafGpIzU My mahSoGl7o5eyfesa6 q=D 6 8GQEP J41IsdezuaFcbSvk3tBHym87JeyB99mehHoFYW JSUcGJe Hh26hPMQ61Ds1a= MnJ y73ED3 A xG9nvFH z cpp 2 q EcuNXTjm Z5iGQIyXEY zUL4cqRuZNiAf4E6so =fnb7E P Sv17eAXFhU PvZnV1LjBvWmgSrNyt9zz0 77pjx VVX4PWV KKnsxc2KSS hjI=MlP22yqnarXQ4q=3Cbr=3E=3Ca href=3D=22http=3A=2F=2Fwww=2E9MxSraHoL6Ozrn9=PqPo=2Ecom=2F=22=3E5BJsbb EN4UxL6gg9Ts=3C=2Fa=3E=3Cbr=3EOWDS3eMI phr d=R qq78kvi jbgDxMYhVgG EoT60 k1StRDP6v VXWY1VOdK5 EhdKHY5hs0 Y2pIqL kzQM=lVJ MB1L7HDPRMy Y5 jIdBprVEfyW 7 0Ds jEN4gb6Dh7F M06Ok9 P ySmflRtFF5=d V1RPv uK3JbyNIxr1nVYjWkOEjNTN 9qNbaL3z O0mYVk rCpe1Tpe5EnvEH fYdi= ei92TtXeWedGQ42m51 bJ6H ya--5hCX1x6e9EfOdnRfQTXZW65G3RLeJ--.B PP 1G 7IbyBgi8jbR 4nK n iCmOl ox0Wc bHmOf3q vBSlMJ7Imr6 OpPEL xHVMG 6GVhfPU 9 gYah I 8 50 FgqDCUV9lNB2Cb51Z0CBuMWIrqjMsYy8T9Hfb7 GrFyvzJDBDZ I FTmeHq K UEt9s XK5 5mHbMaM s60cHtc9 J qHni BI0TFf
Message-Id: <[email protected]>
Date: Wed, 04 Jun 2003 13:28:33 -0400

Obviously I have changed the personal details in the email, but today I have had around 30 of these emails.

Anyone else?


dhost

Active Member
Nov 29, 2002
Weird emails

I've been getting these as well. Any idea what's happening?


web12

Well-Known Member
Nov 20, 2002
Something is weird here... I just got another batch of them through... Interestingly, they are using the same domains on the server that were used with the formmail exploit... coincidence?

Anyone got a take on this?


Tom Pyles

Well-Known Member
Apr 26, 2002
I'm thinking it's a virus that is not formatting properly in the e-mail... I've seen viruses come in text format like that.

Secondly, if you are seeing it on servers that had the previous formmail script, is it possible that the spam that went out ended up in someone's address book... they get the virus and it sends back out?

Just a thought, but honestly not sure ;)


crush11

Registered
Feb 2, 2003
Getting the same emails as well... :eek:


Testube

Registered
Jun 8, 2003
Spammers!

I, too, have been getting these emails and I have forwarded several to the VO support email address. (I'd use the helpdesk, but once again I cannot get into it.)

I have a sneaky suspicion that these are attempts (hopefully unsuccessful) of people who are trying to utilize the formmail program to send spam. I read a few other threads in these forums about it, and there was supposed to be a patch that fixed this back in March, but I have been getting these messages on and off for a few weeks now. If you pull up your webstats via cPanel, and look at the section titled "last 300 visitors" (I think that's what it's called), you can actually match up the suspect individual's access of formmail.pl with the time that the emails were sent to you. Unfortunately, it gives me no real info on who they are, although there were a few with IP addresses listed. (Maybe we can block their IP from the site... but that's only a bandaid, and if they're on dialup their IP will change each time they log in anyways...)

Not sure what VO is doing to fix this, but I hope they do it soon.
I don't know enough about formmail to fix it myself. And as far as I know, disabling my online html form won't help because I think they are accessing the perl script directly.

-Jeff
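
An added example, not part of any post in this thread: the correlation described above (formmail script requests matched against message delivery times), automated over a web access log. It also flags Subject lines that contain header names glued into the value, as in the sample at the top of the thread. The log lines, addresses, paths and the 30-second window are constructed assumptions, and the log is assumed to be in Apache common log format.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample data (documentation IPs, made-up paths); not taken from the thread.
ACCESS_LOG = """\
192.0.2.10 - - [04/Jun/2003:13:28:31 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
198.51.100.7 - - [04/Jun/2003:13:29:50 -0400] "GET /index.html HTTP/1.1" 200 2048
203.0.113.5 - - [04/Jun/2003:14:02:10 -0400] "POST /cgi-bin/FormMail.cgi HTTP/1.0" 200 498
"""
MAILS = [  # (Delivery-date header, Subject header), both constructed
    ("Wed, 04 Jun 2003 13:28:33 -0400",
     "x9bcc: a@example.com,b@example.com Content-Type: multipart/mixed; boundary=zz"),
    ("Wed, 04 Jun 2003 16:00:00 -0400", "Website contact form"),
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
SCRIPT_RE = re.compile(r'/formmail\.(?:pl|cgi)\b', re.I)
# Header names that belong on their own lines, never inside a Subject value.
# No word boundary: once newlines are stripped they sit directly after other text.
SMUGGLED_RE = re.compile(
    r'(?:bcc|content-type|content-transfer-encoding|mime-version):', re.I)

def formmail_hits(log_text):
    """Return (timestamp, client_ip, method, path) for each formmail request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and SCRIPT_RE.search(m.group(4)):
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ts, m.group(1), m.group(3), m.group(4)))
    return hits

def has_smuggled_headers(subject):
    """True when a Subject value carries what look like extra mail headers."""
    return bool(SMUGGLED_RE.search(subject))

def correlate(mails, hits, window=timedelta(seconds=30)):
    """Pair each suspicious mail with client IPs that hit formmail just before it."""
    out = []
    for date_hdr, subject in mails:
        if not has_smuggled_headers(subject):
            continue
        delivered = parsedate_to_datetime(date_hdr)
        ips = sorted({ip for ts, ip, _, _ in hits
                      if timedelta(0) <= delivered - ts <= window})
        out.append((date_hdr, ips))
    return out

if __name__ == "__main__":
    for date_hdr, ips in correlate(MAILS, formmail_hits(ACCESS_LOG)):
        print(date_hdr, "<-", ", ".join(ips) or "no matching request")
```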

May 19, 2003
I'm getting these too. I think it is because in the latest formmail fix something is screwing up the way spammers exploit the script.

The good news is that the spam isn't going out.


Testube

Registered
Jun 8, 2003
spam

Agreed.

The junkmail (albeit annoying) is better than someone sending spam via my domain and can be filtered out easy enough. Being on a virtual server, I'm not too keen on the whole weblog thing, so I wasn't sure how to tell if the spam was actually being sent or not. I just knew that I was still getting all those weird email messages.

-Jeff


ZachICU

Well-Known Member
Aug 11, 2001
I am getting this too.

Glad to see I'm not the only one. :)

It looks like a failed formmail exploit attempt.

I'm no expert though, hoping someone can shed more light.

Thanks
Zach


mmkassem

Well-Known Member
Oct 21, 2002
Egypt
They are sent via formmail but they are not formed correctly.


Testube

Registered
Jun 8, 2003
Helpdesk working on it...

Well, I now have a helpdesk ticket number for this (see above).
I got three more of those weird messages this morning.

I wish there was something we could do to retaliate against these spammers...
something evil...
;)

haha

cPanel.net Support Ticket Number: 31596
 

web12

Well-Known Member
Nov 20, 2002
Not sure if this is part of the same parcel, but I found this at the bottom of the cPanel changelog...

Sun Jun 8 15:35:54 EDT 2003
6.x Build#81
---------------------------------------------------------------

more formmail fixups (non security)
---------------------------------------------------------------
