Have you recently received spam which appears to have been sent by an
innocent third party's computer, and in which the spammer's message is
surrounded by lines of hyphens and/or says that it's the content of a "feedback
form?" If so, the spam probably came from a spammer-turned-hacker who exploited
a bug in a CGI script called FormMail.
For years, a programmer named Matt Wright has generously shared his CGI
scripts--small programs that cause a Web page to respond to a user's input. One
of his most popular creations is a Perl script called formmail.pl, which allows
surfers to send e-mail to the operator of a Web site via an Internet form.
Unfortunately, early versions of formmail.pl are not secure. If they are sent
an altered form instead of the one posted on the Web site, they cause the Web
server on which they run to send mail not just to the owner of the site but to
any number of other addresses. Spammers have discovered this flaw and have
created automatic tools that scan Web servers for the vulnerable script. If a
flawed version of FormMail is found, the spammer's computer uses it to
distribute spam far and wide.
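The flaw described above comes down to one design decision: the script lets the submitted form, rather than the site operator, decide where the mail goes. The following is an added illustration, not Matt Wright's FormMail code, of the weak pattern next to the hardened one in which the server keeps an allow-list of permitted recipients and refuses any request that names an address outside it. The field name "recipient", the allow-list contents and the sample POST bodies are assumptions constructed for the example.

```python
# Added example (not FormMail's own code): keeping the recipient decision
# on the server so that a forged form cannot turn a contact script into
# a spam relay.  Field names, addresses and sample requests are constructed.
import re
from urllib.parse import parse_qs

# Addresses the site operator wants form mail to reach.  In a real
# deployment this belongs in server-side configuration, never in the
# HTML form and never in anything the client sends.
ALLOWED_RECIPIENTS = frozenset({"webmaster@example.com", "sales@example.com"})
DEFAULT_RECIPIENT = "webmaster@example.com"

# Conservative syntax check so malformed input never reaches the mailer.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST body into a dict of
    single values (first value wins)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def recipients_trusting_form(form: dict) -> list:
    """The weak pattern the article describes: whatever the submitted form
    names as the recipient is where the mail goes.  An altered form can
    therefore name any number of outside addresses."""
    return [a.strip() for a in form.get("recipient", "").split(",") if a.strip()]


def recipients_from_allow_list(form: dict) -> list:
    """Hardened pattern: a client-supplied recipient is honoured only if it
    is on the operator's allow-list.  If any requested address fails the
    check the whole request is refused, because delivering to the addresses
    that did pass would still relay the spammer's message."""
    requested = recipients_trusting_form(form)
    if not requested:
        # The site's own form may omit the field entirely; use the default.
        return [DEFAULT_RECIPIENT]
    accepted = []
    for addr in requested:
        if _ADDR_RE.match(addr) and addr.lower() in ALLOWED_RECIPIENTS:
            accepted.append(addr.lower())
        else:
            raise ValueError(f"recipient not permitted: {addr!r}")
    return accepted


# Constructed sample requests: the site's genuine form, and an altered one.
LEGIT_POST = "recipient=webmaster%40example.com&realname=Ann&message=Hello"
ALTERED_POST = "recipient=someone%40example.net%2Cother%40example.org&message=BUY+NOW"

if __name__ == "__main__":
    print("genuine form ->", recipients_from_allow_list(parse_form(LEGIT_POST)))
    print("altered form, weak handler ->", recipients_trusting_form(parse_form(ALTERED_POST)))
    try:
        recipients_from_allow_list(parse_form(ALTERED_POST))
    except ValueError as exc:
        print("altered form, hardened handler ->", exc)
```

The important property is that the allow-list lives in server-side configuration: the HTML form on the site is public, so anything it contains, including a hidden recipient field, must be treated as attacker-controlled input.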
If you're a Webmaster, you can recognize when spammers are probing your
system for the vulnerability by looking for log entries containing the strings
"formmail.pl" or "formmail.cgi". If your system is using one of the old,
insecure versions of the script, and you see requests whose URLs contain foreign
addresses (e.g. "&firstname.lastname@example.org"), you can be sure that your
server is being exploited to send spam. To close the hole, upgrade to the latest
version of the FormMail script.
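The log check the article recommends is easy to automate. The script below is an added example, not part of the original article, that reads access-log lines in the common NCSA format, picks out requests for formmail.pl or formmail.cgi, and flags those whose URL carries an e-mail address at a domain other than the site's own. The log lines and the site domain "example.com" are constructed for the example.

```python
# Added example (not from the article): find FormMail probes and relay
# attempts in web server access logs.  Log lines and SITE_DOMAINS are
# constructed assumptions.
import re
from typing import Optional
from urllib.parse import unquote_plus

# Domains whose addresses count as "ours"; anything else in a FormMail URL
# is a foreign recipient and therefore a relay attempt.
SITE_DOMAINS = {"example.com"}

# NCSA common/combined log format: client IP is the first field and the
# request line is the first quoted string.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
_FORMMAIL_RE = re.compile(r"/formmail\.(?:pl|cgi)\b", re.IGNORECASE)
# Captures only the domain part of each address found in the query string.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def classify_line(line: str) -> Optional[dict]:
    """Return None for lines unrelated to FormMail.  Otherwise return a
    record with kind 'probe' (the script was requested) or 'relay_attempt'
    (the URL names an address outside SITE_DOMAINS)."""
    m = _REQ_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    if not _FORMMAIL_RE.search(path):
        return None
    decoded = unquote_plus(query)
    foreign = sorted({d.lower() for d in _ADDR_RE.findall(decoded)
                      if d.lower() not in SITE_DOMAINS})
    return {
        "client": line.split(" ", 1)[0],
        "kind": "relay_attempt" if foreign else "probe",
        "path": path,
        "foreign_domains": foreign,
    }


def scan(lines) -> list:
    """Classify every line and keep only the FormMail-related records."""
    return [rec for rec in (classify_line(l) for l in lines) if rec]


# Constructed sample log: a probe, a relay attempt, a genuine form
# submission, an unrelated page view, and a mixed-case script name.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:03:12:44 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "-"',
    '203.0.113.7 - - [01/Jan/2000:03:12:45 -0500] "GET /cgi-bin/formmail.pl?recipient=someone%40example.net&subject=hi HTTP/1.0" 200 612 "-" "-"',
    '198.51.100.20 - - [01/Jan/2000:03:13:01 -0500] "POST /cgi-bin/formmail.cgi HTTP/1.1" 200 600 "http://www.example.com/contact.html" "Mozilla/4.0"',
    '198.51.100.21 - - [01/Jan/2000:03:13:10 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [01/Jan/2000:03:14:00 -0500] "GET /cgi-bin/FormMail.cgi?recipient=webmaster%40example.com&email=a%40example.com HTTP/1.0" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f"{rec['client']:<15} {rec['kind']:<14} {rec['path']} {rec['foreign_domains']}")
```

A bare hit on the script is only a probe, and a genuine visitor submitting the site's own form produces one too, so the record that should trigger an alert is "relay_attempt". Because spammers' tools typically submit via POST as well, the URL check above only catches what the access log records; on a server still running an old FormMail the upgrade, not the log watching, is what stops the relaying.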