Go to your website logs - they'll pop right out at you... especially if he
was sending a lot because you'll see them all lined up together. If you
have a copy of any of the spam messages, pick something in it and then do a
search in the logs for that particular item. Otherwise, just pull up the
log for any of the days that the spam was sent and then start scrolling thru
it. You can scroll fast because like I said, they will jump right out at you
because they'll be a lot different than the rest of the items in the log.

Or.... zip up a couple of the logs, and I'll do it for you. Send them to my
email address.

-pat-

----- Original Message -----
From: "Chandni D" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 14, 2003 7:46 AM
Subject: Re: [IMail Forum] Mail being relayed despite 'Relay for IP Addresses'


> Makes a lot of sense. How does one confirm the same, and also, which form
> was being used?
>
> At 09:05 PM 8/13/03 -0500, you wrote:
> >Your web site probably has a form where people fill stuff out, and then that
> >data gets emailed. The email gets accepted because you have that server's IP
> >address in your "allow list". If that's the case, it can be very simple
> >for a spammer to use your form processor to send out his garbage.
> >
> >Essentially, the spammer views the source of the form, and sees what cgi
> >you'll be using to process the form data. If he sees a "settable" "to" in
> >the form, then he has got you. Consider the following:
> >
> ><form name="comments" action="cgi_bin/mycgi.pl" method="post">
> ><input type="text" name="from" value="">
> ><input type="text" name="comment" value="">
> ><input type="hidden" name="sendto" value="[EMAIL PROTECTED]">
> ><input type="submit" value="Send it">
> ></form>
> >
> >All the spammer needs to do is to create his own form, on his server (even
> >his home pc), that does the following:
> >
> ><form name="comments" action="http://yourhost.com/cgi_bin/mycgi.pl" method="post">
> ><input type="hidden" name="from" value="any address he wants">
> ><input type="hidden" name="comment" value="his complete spam message">
> ><input type="hidden" name="sendto" value="each of the people that he wants to spam">
> ><input type="submit" value="sendit">
> ></form>
> >
> >He can write a script to automate the whole process and bingo, he's spamming
> >thru your "relay for these addresses".
> >
> >Understand?? If not, post your form data, including the "post" to the cgi,
> >and I'll make a qwik script to show it working.
> >
> >btw: The solution is to put the "to" variable inside the actual cgi where
> >it cannot be overwritten, or add a var in your cgi that queries the sender's
> >IP address and reject for any not in your ip address list.
> >
> >My explanation might be a bit confusing... if so, do a google search on
> >"formmail exploits", you'll see how it works.
> >
> >-pat-
> >
> >
> > > ----- Original Message -----
> > > From: "Chandni D" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, August 13, 2003 10:41 AM
> > > > Subject: [IMail Forum] Mail being relayed despite 'Relay for IP Addresses'
> > > >
> > > >
> > > > > We had the 'Relay for IP Addresses' option on for IMail, to enable us to be
> > > > > able to send mails originating from the web-based forms on our websites. The
> > > > > IP addresses specified was that of the web server where the sites are
> > > > > hosted. Lately we noticed a huge amount of relay happening through our
> > > > > IMail, and so we switched to the 'No Relay'. This has stopped the relay.
> > > > > But what remains unexplained is how was mail being relayed, if the option
> > > > > was 'Relay for IP Addresses'. Is there some loophole? Need some answers,
> > > > > as 'No Relay' cannot be a permanent solution for us. Need to switch back to
> > > > > a 'Relay for IP Addresses', to enable the email traffic originating from
> > > > > our sites.
> > > >
> > > > Chandni
> >
> >
> >
> >To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> >List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> >Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
>
>
>
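
The log check described in the reply at the top of this thread can be scripted. The following is an added example, not part of the original posts: it assumes the web server writes Apache "combined" format logs (the thread does not say which server is used), reuses the hostname and CGI path from the quoted form example, and runs on constructed sample lines.

```python
import re
from collections import defaultdict

# Assumptions (not from the thread): Apache "combined" log format; the host
# and handler path are the placeholders used in the quoted form example.
OWN_HOST = "yourhost.com"
FORM_HANDLER = "/cgi_bin/mycgi.pl"

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def suspicious_form_posts(lines, min_hits=3):
    """Return {client_ip: [timestamps]} for clients that POST to the form
    handler at least min_hits times without a Referer from our own site."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != FORM_HANDLER:
            continue
        # A genuine submission comes from a page on our own host; a form
        # hosted elsewhere (or a script) sends a foreign or empty Referer.
        referer_host = re.sub(r"^https?://", "", m["referer"]).split("/")[0]
        if referer_host.lower() in (OWN_HOST, "www." + OWN_HOST):
            continue
        hits[m["ip"]].append(m["ts"])
    return {ip: ts for ip, ts in hits.items() if len(ts) >= min_hits}

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Aug/2003:07:01:12 -0500] "GET /contact.html HTTP/1.1" '
    '200 2310 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [14/Aug/2003:07:02:40 -0500] "POST /cgi_bin/mycgi.pl HTTP/1.1" '
    '200 512 "http://yourhost.com/contact.html" "Mozilla/4.0"',
] + [
    f'203.0.113.7 - - [14/Aug/2003:07:05:{s:02d} -0500] '
    '"POST /cgi_bin/mycgi.pl HTTP/1.0" 200 512 "-" "-"'
    for s in range(1, 6)
]

if __name__ == "__main__":
    for ip, stamps in suspicious_form_posts(SAMPLE_LOG).items():
        print(f"{ip}: {len(stamps)} POSTs, first {stamps[0]}, last {stamps[-1]}")
```

The Referer header is supplied by the client, so treat a match as a triage signal; the burst of POSTs from one address is the stronger indicator.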

