Posted on by Martin

Spam update

Tech support at EZPublishing are the best. After a couple of emails back and forth to describe the situation with spammers abusing the sunpig.com domain, they have now put a redirect in place, so that anyone trying to use formmail.pl on our site will get an HTTP 404 error. (I couldn’t set up this redirect myself, because EZPublishing use some kind of virtual addressing to route every domain on this particular server to a single cgi-bin directory. My own .htaccess file gets processed after whatever redirection happens at the server level, and so putting a redirect in there was ineffective.)

Thanks guys.

I’ll be keeping a close eye on the server logs for a while, so see what happens. If you’re interested, you can have a wee peek at a snippet of the raw server log here. Note how each access to formmail.pl seems to come from a different IP address. And they all have the same (at the time non-existent) referer page: contact.htm.

Judging by this evidence, here are some guesses about what’s happening:

  • Somewhere, there is a single computer running a program.
  • This program systematically, or at random, builds up a list of available domains on the internet. Sunpig.com is just one of millions.
  • The program sends HTTP requests to these domains, probing likely locations for scripts, e.g. “/cgi-bin/formmail.pl”. The program will spoof its IP address so that the requests are more difficult to track back to the computer running it.
  • When they get an HTTP error code back (e.g. HTTP 404 – page not found, or HTTP 403 – forbidden), they know the mailer script isn’t available. On the other hand, if they get an HTTP 200 – OK return code, then they’ve hit pay dirt: the script exists on the domain, and they can get through to it.
  • (There may be a step here that parses the results page that comes back, but maybe not. The program could check the HTML that has been transmited back to see what the version of the mailer script is, and whether it allows external users to abuse it.)
  • The program gradually builds up a database of domains and the mailer scripts on them.
  • Through other nefarious means, the spammer has also built up a list of email addresses.
  • The spammer writes the message they want to send: “Free Viagra with every University Diploma bought–and hand-delivered to you by hot XXX Jennie3851 (check out my webcam!)”, and feeds this into the program.
  • The program then tries to send the message to as many email addresses as possible, via its list of available mailer scripts.
  • And here’s the kicker: when it sends the message via a domain (say, sunpig.com), it adapts the text of the message to say that if you want to unsubscribe from the list, please go to a page on the hi-jacked domain (say, http://www.sunpig.com/contact.htm).

And there you have it. The person receiving the spam sees a message in their inbox that has apparently come from someone at sunpig.com, telling them that if they want to unsubscribe, they should contact me. If they want to trace back the email, they will find that it genuinely did originate from sunpig.com.

The person who originated the message is hidden from the email trace. The only way to track them down is for the domain or server owner to track the spammers back through the HTTP logs. But the IP headers were spoofed, and the HTTP log doesn’t hold the full IP trace, so it’s harder for us to do that.

I could be wrong about all of this, of course. But it certaily seems to fit the evidence.