Insecure form?


Datarella
5-4-02, 03:03 PM
Among the usual dozen or so spams I received this morning, one was the "Below is the result of your feedback form" type. Paired with each "to" recipient was an address at mail2.powweb.com (in the format www.domainname.com@mail2.powweb.com).

I'm not sure how this works -- could it mean that the insecure mail form script is hosted on powweb somewhere? I saved this in case anyone wants to see the headers, but it's a bit long to post here.

MannInc
5-4-02, 05:07 PM
Well, mailforms themselves are insecure by nature, as they don't check to see if they exist, but rather that they're in the proper format.

Datarella
5-4-02, 10:31 PM
Right, I know. It was just unusual to see that every single "To" address had that powweb line under it.

MannInc
5-4-02, 10:42 PM
Try viewing All headers and you'll see three received lines. The bottom one shows you the true location that email was sent from.

Hope this helps!

Datarella
5-6-02, 03:26 AM
I know that...it's not FROM a powweb address. This is not a big deal...just kind of curious, because I haven't seen anything that looked like this before. Here are the headers:

From: Apache <apache@vs1.beepweb.net>
To: <removed>
X-Auth-No:
Return-Path: <apache@vs1.beepweb.net>
Received: from mail2.powweb.com not authenticated [64.63.125.223]
    by smtp-send.myrealbox.com with Novell NIMS $Revision: 2.88.1.1 $ on Novell NetWare;
    Sat, 04 May 2002 07:57:31 -0600
Received: from vs1.beepweb.net (unknown [195.13.108.19])
    by mail2.powweb.com (Postfix) with ESMTP id 2B66123453
    for <info@ubug.com>; Sat, 4 May 2002 06:57:33 -0700 (PDT)
Received: (from apache@localhost)
    by vs1.beepweb.net (8.11.2/8.11.2) id g44DvkV06557;
    Sat, 4 May 2002 14:57:46 +0100
Date: Sat, 4 May 2002 14:57:46 +0100
Message-Id: <200205041357.g44DvkV06557@vs1.beepweb.net>
Delivery-Date: Sat, 4 May 2002 10:56:17
X-Account: Ubug default
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Status: RF

MannInc
5-6-02, 01:05 PM
I removed the addresses from the TO: section, just in case some of the addresses are real. Those were all in the TO: section, which is simply whatever you wish to enter. Looked to me like the sender, someone sending from their home computer (from apache@localhost) trying to spam PowWeb.

I don't think they used your form.
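
Added example, not part of the original thread: a Python sketch that reads the Received lines from the headers posted above oldest-first (the bottom-up reading mentioned in the thread) and checks that each hop's claimed sender matches the relay that wrote the line beneath it. The function and field names are this example's own, and any line below the first relay you trust is only as reliable as the machine that wrote it.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received lines copied from the post above; continuation lines are indented
# here so that the parser treats them as folded headers.
RAW = """\
Return-Path: <apache@vs1.beepweb.net>
Received: from mail2.powweb.com not authenticated [64.63.125.223]
 by smtp-send.myrealbox.com with Novell NIMS $Revision: 2.88.1.1 $ on Novell NetWare;
 Sat, 04 May 2002 07:57:31 -0600
Received: from vs1.beepweb.net (unknown [195.13.108.19])
 by mail2.powweb.com (Postfix) with ESMTP id 2B66123453
 for <info@ubug.com>; Sat, 4 May 2002 06:57:33 -0700 (PDT)
Received: (from apache@localhost)
 by vs1.beepweb.net (8.11.2/8.11.2) id g44DvkV06557;
 Sat, 4 May 2002 14:57:46 +0100
Date: Sat, 4 May 2002 14:57:46 +0100

"""

def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def received_hops(raw):
    """Return the Received chain oldest-first (each relay prepends its line)."""
    hops, prev = [], None
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = " ".join(value.split()).rpartition(";")
        hop = {
            "from": _grab(r"\bfrom ([^\s()]+)", info),   # name the sender claimed
            "by": _grab(r"\bby ([^\s()]+)", info),       # relay that wrote this line
            "ip": _grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", info),  # peer IP it logged
            "utc": parsedate_to_datetime(re.sub(r"\(.*?\)", "", stamp).strip())
                   .astimezone(timezone.utc),
            "linked": None, "delta_s": None,
        }
        if prev:
            # Does this hop's "from" match the relay that wrote the previous line?
            hop["linked"] = hop["from"] == prev["by"]
            # Negative values mean unsynchronised clocks or an unreliable line.
            hop["delta_s"] = int((hop["utc"] - prev["utc"]).total_seconds())
        hops.append(hop)
        prev = hop
    return hops

if __name__ == "__main__":
    for n, h in enumerate(received_hops(RAW), 1):
        print(n, h["from"], "->", h["by"], h["ip"], h["utc"].time(), h["linked"], h["delta_s"])
```

On these headers the chain links up hop to hop, the oldest line carries no peer IP, and the timestamps run slightly backwards once normalised to UTC, which shows the three servers' clocks were not synchronised.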