Client's email account is hacked
One of my clients got a TOS notice today for sending spam. The client couldn't have done it because they don't even know about that email address.
Someone has hacked the username/password on the account.
I have changed the password to stop them but wanted to know if there is more I can or should do. It seems like there should be more.
I can't delete that username it appears. OPS doesn't give me that option. I created a new user thinking I could switch to that user and delete the old name but no go.
Any ideas here?
I don't want my client to get tossed for spam which they aren't sending.
Thanks in advance.
I just checked the server logs and it appears that what happened is someone has gone to the website and used the form there to post information back to my client to send email.
168.167.222.201 - - [16/Jan/2004:01:15:26 -0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 1593 "http://www.discovermauiproperty.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
66.139.102.230 - - [16/Jan/2004:01:35:46 -0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 1653 "http://www.discovermauiproperty.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
193.112.25.3 - - [16/Jan/2004:01:40:29 -0800] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 1642 "http://www.discovermauiproperty.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
64.175.137.59 - - [16/Jan/2004:01:42:28 -0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 1591 "http://www.discovermauiproperty.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
218.44.224.100 - - [16/Jan/2004:01:44:57 -0800] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 1338 "http://www.discovermauiproperty.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"
As you can see they used a different IP address each time.
Any thoughts on this?
Thanks.
Larry
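An added example, not part of the thread: a small Python checker for the pattern Larry describes, many successful POSTs to the mail script from unrelated addresses in a short window. It parses Apache "combined" log lines, keeps only 200 POSTs to the script, and flags the batch when the distinct source count passes a threshold and every request presents the same User-Agent string, which is how a scripted relay run looks as opposed to visitors filling in a contact form. The five log lines are the ones quoted above; the sixth (a GET from 192.0.2.10) is constructed to show that unrelated traffic is ignored. The threshold and the script name are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format, the layout of the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Five lines from the post above plus one constructed, unrelated GET request.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jan/2004:01:10:02 -0800] "GET /index.html HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (constructed sample)"',
    '168.167.222.201 - - [16/Jan/2004:01:15:26 -0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 1593 "http://www.discovermauiproperty.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"',
    '66.139.102.230 - - [16/Jan/2004:01:35:46 -0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 1653 "http://www.discovermauiproperty.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"',
    '193.112.25.3 - - [16/Jan/2004:01:40:29 -0800] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 1642 "http://www.discovermauiproperty.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"',
    '64.175.137.59 - - [16/Jan/2004:01:42:28 -0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 1591 "http://www.discovermauiproperty.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"',
    '218.44.224.100 - - [16/Jan/2004:01:44:57 -0800] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 1338 "http://www.discovermauiproperty.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_formmail_abuse(lines, script="formmail.pl", min_sources=3):
    """Summarise successful POSTs to the mail script.

    flagged is True when at least min_sources distinct addresses posted and all of
    them sent the identical User-Agent string: a burst of unrelated hosts that are
    byte-for-byte the same client is a scripted run, not a set of human visitors.
    """
    posts = [
        rec for rec in map(parse_line, lines)
        if rec and rec["method"] == "POST"
        and rec["path"].endswith("/" + script) and rec["status"] == 200
    ]
    ips = sorted({rec["ip"] for rec in posts})
    agents = Counter(rec["agent"] for rec in posts)
    if posts:
        stamps = [rec["ts"] for rec in posts]
        span_min = (max(stamps) - min(stamps)).total_seconds() / 60
    else:
        span_min = 0.0
    return {
        "posts": len(posts),
        "source_ips": ips,
        "agents": dict(agents),
        "span_minutes": round(span_min, 1),
        "flagged": len(ips) >= min_sources and len(agents) == 1,
    }


if __name__ == "__main__":
    summary = find_formmail_abuse(SAMPLE_LOG)
    print(f"{summary['posts']} POSTs from {len(summary['source_ips'])} addresses "
          f"in {summary['span_minutes']} min; flagged={summary['flagged']}")
```

Run it against the access log with `find_formmail_abuse(open("access_log"))`; the script name and `min_sources` are the knobs to adjust. Treat a flagged result as a prompt to check the script's version and the mail queue, since a 200 status only says the script accepted the request, not what it sent.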
Mirzabah
1-16-04, 10:15 PM
Search these forums for the word "formmail". This script is notoriously insecure. I'm not sure whether the fix is to update to the latest version, or use a different script.
If this is where you have the formmail script installed "/cgi-bin/formmail.pl" then you are just asking for problems.
You should never install it straight to the cgi-bin, nor should you leave it named formmail.pl.
Install it into a directory within the cgi-bin and use a unique name for the directory and .pl files. Something like "/cgi-bin/skittle/skittle.pl".
Spammers are always looking for people who leave their formmail scripts open for abuse. Looks like this is what happened here.
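Renaming and moving the script (as advised above) keeps the mass scanners from finding it, but the control that actually stops a form-to-mail script from being used as a relay is that the destination address is fixed on the server, never taken from the submitted form. Here is an added Python illustration of that shape, written for this thread and not FormMail's own Perl code: recipients are chosen by a key into a server-side table, the Referer host is checked against the client's own site, and header fields are refused if they contain line breaks. The addresses, host names and size limit are hypothetical placeholders.

```python
from email.message import EmailMessage
from urllib.parse import urlsplit

# Server-side configuration. Hypothetical values; the thread does not give the
# client's real ones. The form may only pick a key from this table, never supply
# an address of its own.
ALLOWED_RECIPIENTS = {
    "sales": "sales@example.com",
    "info": "info@example.com",
}
ALLOWED_REFERER_HOSTS = {"www.example.com", "example.com"}
ENVELOPE_FROM = "web-form@example.com"
MAX_BODY_CHARS = 4000


class FormMailError(ValueError):
    """Raised when a submission is refused; the caller shows an error page and sends nothing."""


def header_safe(value, field):
    """Refuse header values containing line breaks, which would add extra headers to the mail."""
    value = str(value)
    if "\r" in value or "\n" in value:
        raise FormMailError(f"line break in {field}")
    return value.strip()


def build_message(form, referer):
    """Validate a form submission (a dict of field -> value) and return the EmailMessage to hand to the MTA."""
    # Referer is client-supplied and easily omitted or altered, so this only keeps
    # out careless use; the recipient table below is the real control.
    host = urlsplit(referer or "").hostname
    if host not in ALLOWED_REFERER_HOSTS:
        raise FormMailError("referer not an allowed site")

    key = form.get("recipient", "")
    if key not in ALLOWED_RECIPIENTS:
        raise FormMailError("unknown recipient key")

    body = form.get("message", "")
    if not body.strip() or len(body) > MAX_BODY_CHARS:
        raise FormMailError("empty or oversized message")

    sender = header_safe(form.get("email", ""), "email")
    msg = EmailMessage()
    msg["From"] = ENVELOPE_FROM                      # fixed, so bounces come back to the site
    msg["To"] = ALLOWED_RECIPIENTS[key]              # looked up, never copied from the form
    msg["Subject"] = "Web form: " + header_safe(form.get("subject", "(no subject)"), "subject")
    if sender:
        msg["Reply-To"] = sender
    msg.set_content(f"Name: {form.get('name', '')}\nEmail: {sender}\n\n{body}")
    return msg


def check_submission(form, referer):
    """Convenience wrapper: the accepted message, or the refusal reason as a string."""
    try:
        return build_message(form, referer)
    except FormMailError as exc:
        return str(exc)


if __name__ == "__main__":
    demo = {"recipient": "sales", "name": "A. Buyer", "email": "buyer@example.net",
            "subject": "Listing enquiry", "message": "Please call me about the listing."}
    print(check_submission(demo, "http://www.example.com/contact.html")["To"])
    print(check_submission({"recipient": "anyone@elsewhere.example", "message": "x"},
                           "http://www.example.com/contact.html"))
```

The same idea carries over to any form-to-mail script: a submission that names an address outside the table is refused before anything is built, and the script can only ever deliver to the handful of addresses the site owner configured.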
Thanks,
I had just found the problem. It is a script hack on formmail.
I just grabbed the new version; that one is years old.
Warning to all out there.
If you are using a version of formmail.pl earlier than 1.92 you are in for the same hack...
thanks again.
<L>
BerksWebGuy
1-16-04, 10:22 PM
Yes sir...had it happen to me. It may take a few minutes...but well worth it to keep from getting blacklisted by email providers.
Mirzabah
1-16-04, 10:23 PM
It is still worth following jj's advice.
I am following jj's advice and moving the file, renaming it also.
I am editing the latest version at this moment.
Thanks all!