FORMMAIL-TRAP 2.6 IS OUT!
Many thanks must go to the relay hunters for 6,500 probe samples on this server alone to work with! ;-)
Had quite enough of the amount of spam you receive every single day?
Want to help out making the lives of spammers miserable?
Then read on and install this tool!
FormMail is a CGI tool that allows sending e-mail using parameters provided by
an HTML form.
Unfortunately, older versions of FormMail did not check the sender and recipient
fields (From: and To:), thus allowing the tool to be used as an open relay.
Anyone could send e-mail to any address. Worse, all fields are easily faked, so
it's impossible to find the actual source of the spam.
Also see the message on Security Focus for details:
"FormMail Recipient CGI Variable Spamming Vulnerability".
This is a well-known vulnerability that has been addressed by the authors of
FormMail. However, the older versions are still widely in use on the Internet.
Spammers know this and scan the Internet on a daily basis, trying to find all
sites using vulnerable FormMail versions. These will be used to relay spam at
a later date.
Each relay probe by a spammer is done by trying to send a message to himself.
If the message arrives at his e-mail account, there must thus be a vulnerable
FormMail handler in use.
WHAT THIS TOOL DOES
What this tool does, is trap probes for FormMail.
Since those probes are relay tests, the recipient address must be the e-mail
address of the spammer.
Furthermore, the spammer's IP address is known at the moment of the probe.
The tool then generates an abuse message to both the ISP that this e-mail
address belongs to and the ISP that the IP address belongs to.
The spammer will receive a 404 File Not Found HTTP error response.
A special feature is a honeypot.
If it was an empty probe (using method HEAD or using an empty query), just to
see if you have FormMail running at all, the tool will say it does, and a
vulnerable version at that. No abuse mail will be sent in this case.
PREREQUISITES
In order to use this tool, you need to
- run Linux
- run a website
- be allowed to run (binary) CGI programs
- NOT already run FormMail (unless run under a different filename)
LOGGING
All probes are logged (unless you commented out this option).
Note that the LOGFILE will be written to by the user that any script on the
webserver runs as (often 'nobody'). Make sure to give permission to this user to
write to the LOGFILE.
The log entries are TAB separated and the fields are as follows:
 1. Timestamp.
 2. (Virtual) HTTP hostname.
 3. Request method, followed by '0' or '1' between brackets. '1' means the query
    was POSTed rather than PUT.
 4. Content length, followed by '0' or '1' between brackets. '1' means that one
    or more break characters (NULL or EOLN) were stripped from the query.
 5. '1' if a valid spammer e-mail address was found in the query, '0' otherwise.
 6. '1' if an abuse message (1 or 2) was sent, '0' if no message was sent.
 7. IP address of the spammer. If the spammer was behind a proxy server, this
    is the address of the proxy and it is followed by the leaf information of
    the proxy in square brackets.
 8. Used reverse DNS name of the spammer IP address, or '-' if unresolvable.
 9. ISP abuse address for the spammer's e-mail address, or '-' if unknown.
10. ISP abuse address for the spammer's IP address, or '-' if unknown or the
    same as the previous field.
11. Full probe URI.
12. If a POSTed query, the full query, otherwise '-'.
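The field list above is all the README gives for the log; the following parser is an added example, not part of FormMail-Trap, that reads such lines into records and produces the counts an operator would want (empty honeypot hits, abuse reports sent, probes that came through a proxy, which ISP contacts were used). The exact on-disk shape of fields 3, 4 and 7 ('POST(1)', '78(0)', 'ip[leaf]'), the timestamp format and the three sample lines are assumptions constructed for the example, using documentation addresses only.

```python
"""Parse the TAB-separated FormMail-Trap log (12 fields) into records and
summarise what the probes did. Added example; not the tool's own code."""
from dataclasses import dataclass
import re
from typing import List, Optional

# Assumed on-disk shapes; the README describes these fields only in words.
#   field 3:  METHOD(flag)      e.g. POST(1)
#   field 4:  LENGTH(flag)      e.g. 78(0)
#   field 7:  IP[proxy leaf]    e.g. 203.0.113.5[10.0.0.9]
_FLAGGED = re.compile(r"^(?P<value>[^(]+)\((?P<flag>[01])\)$")
_PROXIED = re.compile(r"^(?P<ip>[^\[\s]+)(?:\s*\[(?P<leaf>[^\]]*)\])?$")


@dataclass
class Probe:
    timestamp: str
    host: str
    method: str
    posted: bool                     # field 3 flag: the query arrived in a POST body
    length: int
    stripped: bool                   # field 4 flag: NUL/EOL bytes were removed from the query
    email_found: bool                # field 5
    abuse_sent: bool                 # field 6
    ip: str
    proxy_leaf: Optional[str]        # field 7, bracketed part if the probe came via a proxy
    rdns: Optional[str]              # field 8
    abuse_for_email: Optional[str]   # field 9
    abuse_for_ip: Optional[str]      # field 10, None if unknown or same as field 9
    uri: str                         # field 11
    query: Optional[str]             # field 12, None unless the query was POSTed


def _opt(field: str) -> Optional[str]:
    """The log writes '-' for an unknown or empty field."""
    return None if field == "-" else field


def parse_line(line: str) -> Probe:
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 12:
        raise ValueError(f"expected 12 TAB-separated fields, got {len(fields)}")
    meth = _FLAGGED.match(fields[2])
    size = _FLAGGED.match(fields[3])
    addr = _PROXIED.match(fields[6])
    if not (meth and size and addr):
        raise ValueError(f"malformed field in: {line!r}")
    return Probe(
        timestamp=fields[0], host=fields[1],
        method=meth["value"], posted=meth["flag"] == "1",
        length=int(size["value"]), stripped=size["flag"] == "1",
        email_found=fields[4] == "1", abuse_sent=fields[5] == "1",
        ip=addr["ip"], proxy_leaf=addr["leaf"],
        rdns=_opt(fields[7]), abuse_for_email=_opt(fields[8]),
        abuse_for_ip=_opt(fields[9]), uri=fields[10], query=_opt(fields[11]),
    )


def parse_log(text: str) -> List[Probe]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def summarise(probes: List[Probe]) -> dict:
    """Counts worth a glance: probes seen, empty honeypot hits (HEAD or zero
    length), abuse reports sent, proxied probes, and the ISP contacts used."""
    return {
        "total": len(probes),
        "empty_probes": sum(1 for p in probes if p.method == "HEAD" or p.length == 0),
        "abuse_sent": sum(1 for p in probes if p.abuse_sent),
        "proxied": sum(1 for p in probes if p.proxy_leaf),
        "isp_contacts": sorted({a for p in probes
                                for a in (p.abuse_for_email, p.abuse_for_ip) if a}),
    }


# Constructed sample log: one full POST probe, one empty HEAD probe answered by
# the honeypot, and one POST probe that came through a proxy with bytes stripped.
LOG_SAMPLE = (
    "2004-03-01 12:34:56\twww.example.com\tPOST(1)\t78(0)\t1\t1\t192.0.2.10\t"
    "dsl-10.isp.example.net\tabuse@mail.example.org\tabuse@isp.example.net\t"
    "/cgi-bin/formmail.cgi\trecipient=collector%40mail.example.org&subject=test\n"
    "2004-03-01 12:40:00\twww.example.com\tHEAD(0)\t0(0)\t0\t0\t198.51.100.7\t-\t-\t-\t"
    "/cgi-bin/FormMail.pl\t-\n"
    "2004-03-01 13:02:11\twww.example.com\tPOST(1)\t91(1)\t1\t1\t203.0.113.5[10.0.0.9]\t"
    "proxy.example.net\tabuse@mail.example.org\t-\t/cgi-bin/formmail.cgi\t"
    "email=collector%40mail.example.org\n"
)

if __name__ == "__main__":
    for probe in parse_log(LOG_SAMPLE):
        print(probe)
    print(summarise(parse_log(LOG_SAMPLE)))
```

Pointing `parse_log` at the real LOGFILE is a matter of `parse_log(open(path).read())`; if your build writes the flagged fields in a different shape, only the two regular expressions at the top need changing.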
COMMAND LINE
You can run the compiled binary on the command line for debugging purposes, for
instance when adding signatures because the abuse address for the e-mail
recipient (the spammer's collector address) was not found.
It's easiest to use the log output for it (field 12).
The command line is then
./formmail.cgi -t "string"
where "string" is the query you wish to test (log field 12).
The output generated is the decoding result and its finds.
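What the "-t" decoding step has to do is spelled out across the change log: favour 'recipient' over 'email', accept 'address(name)', turn 'user%domain@relay' into 'user@domain', keep only the first of a comma-separated list, look for injected 'RCPT TO:', 'BCC:' and 'TO:' directives, strip NUL/EOLN bytes, and never end up reporting abuse@self. The function below is an added example of those rules in Python, not FormMail-Trap's own decoder: its search order (injected directives first, then 'recipient', then 'email'), the address syntax check, the `own_hosts` parameter and the sample queries are assumptions of the example.

```python
"""Decode a POSTed FormMail query (log field 12) and pick out the probe
recipient, i.e. the address the spammer wants the relay test delivered to.
Added example; not the tool's own code."""
import re
from urllib.parse import parse_qs

# Loose syntax check, local-part@dotted-domain (assumed, not the tool's own rule).
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
# Injected SMTP directives named in the 2.6 change log: 'RCPT TO:', 'BCC:' and 'TO:'.
_DIRECTIVE = re.compile(r"\b(?:RCPT\s+TO|BCC|TO)\s*:\s*([^\r\n,&]+)", re.IGNORECASE)
# 'address(name)' and 'user%domain@relay' conversions from the 2.5 change log.
_NAME_SUFFIX = re.compile(r"\s*\([^)]*\)\s*$")
_PERCENT_RELAY = re.compile(r"^([^%@\s]+)%([^@\s]+)@\S+$")


def normalise_address(raw):
    """Apply the conversions the change log lists; return a clean address or None."""
    cand = raw.strip()
    if "," in cand:                          # several addresses: keep just the first
        cand = cand.split(",", 1)[0].strip()
    cand = _NAME_SUFFIX.sub("", cand)        # 'address(name)' -> 'address'
    m = _PERCENT_RELAY.match(cand)           # 'user%domain@relay' -> 'user@domain'
    if m:
        cand = f"{m.group(1)}@{m.group(2)}"
    return cand if _ADDR.match(cand) else None


def find_spammer_address(query, own_hosts=()):
    """Return (address, where_found) or (None, None).

    Search order is this example's assumption: injected SMTP directives in any
    field first (they exist to hide the real recipient), then the 'recipient'
    field, then 'email'. Candidates at one of own_hosts are rejected, so a
    spoofed address at our own site never produces an abuse@self report.
    """
    # Drop NUL and line-break bytes from the raw query, as the tool does since 2.4.
    clean = query.replace("\x00", "").replace("\r", "").replace("\n", "")
    params = parse_qs(clean, keep_blank_values=True)
    own = {h.lower() for h in own_hosts}

    def accept(addr):
        return addr is not None and addr.split("@", 1)[1].lower() not in own

    for values in params.values():
        for value in values:
            for hit in _DIRECTIVE.findall(value):
                addr = normalise_address(hit)
                if accept(addr):
                    return addr, "injected"
    for key in ("recipient", "email"):
        for value in params.get(key, []):
            addr = normalise_address(value)
            if accept(addr):
                return addr, key
    return None, None


# Constructed probe bodies of the kind found in log field 12 (documentation domains only).
SAMPLES = [
    "recipient=collector%40mail.example.org&email=victim%40example.com&subject=test",
    "email=spammer%25drop.example.net%40relay.example.org",
    "recipient=a%40example.com%20(Alice),b%40example.org",
    "recipient=webmaster%40www.example.com&subject=hi%0ABCC%3A%20collector%40drop.example.net",
    "recipient=webmaster%40www.example.com",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(q, "->", find_spammer_address(q, own_hosts=("www.example.com",)))
```

The last two samples are the 2.6 cases: a spoofed recipient at our own host with the real collector hidden in an injected 'BCC:' line, and the same spoof with nothing else to find, where the right answer is "no address" rather than a report to ourselves.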
CHANGE LOG
2.2
- Better checks for valid e-mail addresses
- Favour 'recipient' over 'email' (as before 2.1)
- Added reverse DNS lookups (__LOCAL_RESOLVE__)
- Added honeypot (__USE_HONEYPOT__)
2.3
- Removed the config defines SERVER_IPADDR and SERVER_HOSTNAM, to use the
  webserver environment variables SERVER_ADDR and SERVER_NAME instead, to
  better suit webservers with multiple sites
- Added check for HTTP_CLIENT_IP in proxy variables as well (similar to
  HTTP_X_FORWARDED_FOR)
- The HONEYPOT will now throw out a complete formmail HTML form page,
  redirected back to itself
- If the IP address doesn't resolve, but the user is behind a proxy that
  tells, that address is used instead
2.4
- Use 'fread' rather than 'fgets' to fetch POSTed query strings
- Remove NULL/EOLN bytes from the query string
- Provide vulnerable version number information in the honeypot (v1.6)
- Skip reverse DNS records ending with 'in-addr.arpa' (who is
  'abuse@in-addr.arpa' anyway? ;-)
- Added log option (__USE_LOG__ and LOGFILE)
- Better overall abuse message text, giving the ISP a bit more information
  about this vulnerability
2.5
- Accept e-mail conversions 'address(name)'
- Decode relay conversion 'username%domain@relay'
- If multiple addresses are given (separated with commas), pick just the
  first one
2.6
- Generate (e-mail) timestamps valid to the RFCs
- Set abuse addresses for RFC-challenged ISPs from domain list (hardcoded
  for the moment)
- Check for injected SMTP directives that hide the spammer's address from
  the form data ('RCPT TO:', 'BCC:' and 'TO:')
- Don't send abuse messages to abuse@self in case decoding fails to detect
  the proper spammer's address and we only find ourselves spoofed
- Command line option to test ("-t") for the spammer mail address from a
  provided POSTed query string (e.g. from the log)