Suspicious form submission

Just would like to find out if anybody else has had this happen before… I rec’d an email to one of my DH accounts today which read as follows:

I use the PHP version of formmail which is available at http://www.dtheatre.com/scripts/formmail.php, and since this happened I’ve applied the version 4.2 patch Jack describes for preventing a ‘spoofing’ or ‘spamming’ problem the old script appeared to have.

The thing is, I don’t think this spoofing problem is the problem; I don’t have the formmail.php set up to send along the REMOTE HOST or BROWSER variables, nor do I have it set up to allow file submissions (OK, to my knowledge it’s not set up to do that – you can see the form(s) in question at http://www.gilkison.net/comments.html or http://genes.gilkison.net/comments.html). I’ve also searched everywhere in my file space for a “washere.txt” file, and I don’t find any.

Is this just a script kiddie trying to impress me, or could I potentially have a hole still open in the formmail.php script? (BTW, the “To:” address was actually to a valid email address at my domain, I’d just prefer not to post it if not necessary)

Well, there were in fact a few entries in my access.log about that time for the relevant page; there was a POST request for formmail.php, just as if somebody had submitted something normally, then a GET for the same thing – both of those used a relative URL – then finally a POST using a complete “http://…” URL to my formmail.php. The final POST had a log time of the same time that DH initially rec’d the message, so I’d be pretty sure that’s the culprit …

Any idea what “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)” is? Especially that last “.NET” part? A Google search on that doesn’t really turn up anything useful. When I did a whois on the IP address, it belongs to a free French ISP, “Tiscali France”, which doesn’t appear to be too helpful either.

I can post the relevant log section if you think it might help, unless you think I’m being overly concerned…
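The request sequence described in the post above (a relative POST, a GET of the handler, then a POST whose request line carries a full “http://…” URL) can be picked out of an Apache combined-format access log mechanically. The following Python is an added example, not code from the thread or from the formmail script: the log lines are constructed for this illustration (made-up addresses, timestamps and sizes), the script path and the two gilkison.net hosts are taken from the thread, and the function names are the example's own.

```python
import re
from urllib.parse import urlsplit

SCRIPT_PATH = "/formmail.php"
# Hosts whose comments page legitimately submits to the script (named in the thread).
OWN_HOSTS = {"www.gilkison.net", "genes.gilkison.net"}

# Constructed Apache combined-format log lines for this example; the addresses,
# timestamps and sizes are made up and are not the poster's real access.log.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2003:14:02:11 -0700] "POST /formmail.php HTTP/1.1" 200 512 "http://www.gilkison.net/comments.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)"
203.0.113.5 - - [10/Jul/2003:14:02:12 -0700] "GET /formmail.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)"
203.0.113.5 - - [10/Jul/2003:14:02:40 -0700] "POST http://www.gilkison.net/formmail.php HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)"
198.51.100.7 - - [10/Jul/2003:15:10:03 -0700] "POST /formmail.php HTTP/1.1" 200 512 "http://genes.gilkison.net/comments.html" "Mozilla/5.0 (X11; Linux)"
"""

# One combined-format line: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def target_path(target):
    """Path portion of the request-target, whether it is a relative path or an absolute URL."""
    if target.startswith(("http://", "https://")):
        return urlsplit(target).path
    return target.split("?", 1)[0]


def suspicion_reasons(entry):
    """Reasons an entry for the form handler looks hand-crafted rather than browser-submitted."""
    if target_path(entry["target"]) != SCRIPT_PATH:
        return []
    reasons = []
    if entry["method"] == "GET":
        reasons.append("GET of the handler itself (the comments form always POSTs)")
    if entry["method"] == "POST":
        if entry["target"].startswith(("http://", "https://")):
            # Browsers send a relative request-target to the origin server; an absolute
            # URL in the request line usually means a tool or a proxied request.
            reasons.append("absolute URL in the request line (browsers send a relative path)")
        ref_host = urlsplit(entry["referer"]).hostname if entry["referer"] != "-" else None
        if ref_host is None:
            reasons.append("POST without a Referer header")
        elif ref_host not in OWN_HOSTS:
            reasons.append("POST referred from foreign host %s" % ref_host)
    return reasons


def find_suspicious(log_text):
    """Return [(line_no, ip, reasons)] for every parsed entry with at least one reason."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            hits.append((n, entry["ip"], reasons))
    return hits


if __name__ == "__main__":
    for n, ip, reasons in find_suspicious(SAMPLE_LOG):
        print("line %d from %s: %s" % (n, ip, "; ".join(reasons)))
```

Run against the sample, the first and last POSTs pass (relative path, Referer from one of the site's own hosts) and the GET and the absolute-URL POST from the same address are flagged. Two caveats apply when reading real logs: Referer and User-Agent are whatever the client chose to send, so their absence or a foreign value is a weak signal on its own, and an absolute URL in the request line can also come from a request relayed through a forward proxy. Treat these flags as something to correlate by source address and time, as the poster did with the mail's receipt time, rather than as proof by themselves.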

The biggest problem with using the canned DH formmail is that it requires you to expose certain elements in your web page, namely the recipient email – and a hidden INPUT is not going to deter somebody serious about an attack, nor a robot gathering email addresses for spam (what I’m hoping to prevent in the first place). Using a “custom” formmail lets me control the email process a bit more to my satisfaction.

Perhaps part of the solution is, as you suggest, to remove the reference to Jack’s Formmail – it’s mainly the author’s request that you link back to him in some way as a courtesy.

The logged useragent is, I’m sure, hacked, which I know is easy enough to do with Lynx or Opera; the IE useragent text has always, to my knowledge, stopped after the operating system description (e.g., my IE has never displayed anything about .NET CLR).

Perhaps there’s a way to restrict access to formmail.php so that only the local comments.html can call it? Maybe via .htaccess ?
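On the two points raised in the post above, the recipient being exposed in a hidden INPUT and the idea of letting only the local comments page call the script: a Referer restriction in .htaccess only filters requests that bother to send a matching Referer, since that header is supplied by the client, so the more durable fix is to keep the address out of the page altogether and to validate every field that ends up in a mail header. The following Python is an added example of that approach, not the formmail script's own code and not PHP: the allowlist keys, the placeholder addresses, the fixed From address and the function names are all the example's assumptions.

```python
import re
from email.message import EmailMessage

# Hypothetical server-side allowlist: the page's hidden INPUT carries only the
# short key (e.g. value="comments"), never the address. The addresses here are
# placeholders, not the poster's real ones.
RECIPIENTS = {
    "comments": "comments@example.net",
    "genes": "genes-comments@example.net",
}
FIXED_FROM = "webform@example.net"  # placeholder; the visitor's address goes in Reply-To instead
MAX_SUBJECT = 200

# Deliberately strict address syntax: one local part, one domain, no whitespace at all,
# so neither a line break nor a second address can ride along into the header.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def header_safe(value):
    """False if the value could end one header and begin another (contains CR or LF)."""
    return "\r" not in value and "\n" not in value


def check_submission(form):
    """Return a list of problems with the posted fields; an empty list means acceptable."""
    problems = []
    if form.get("recipient") not in RECIPIENTS:
        # A raw address (or anything else) in the recipient field is refused outright,
        # so the script cannot be pointed at a third party's mailbox.
        problems.append("recipient is not a known allowlist key")
    sender = form.get("email", "").strip()
    if not EMAIL_RE.fullmatch(sender):
        problems.append("sender address is malformed")
    subject = form.get("subject", "").strip()
    if not header_safe(subject):
        problems.append("subject contains a line break (header injection)")
    if len(subject) > MAX_SUBJECT:
        problems.append("subject too long")
    if not form.get("comments", "").strip():
        problems.append("empty message body")
    return problems


def build_message(form):
    """Build the outgoing mail with every header either chosen server-side or validated."""
    problems = check_submission(form)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["To"] = RECIPIENTS[form["recipient"]]
    msg["From"] = FIXED_FROM
    msg["Reply-To"] = form["email"].strip()
    msg["Subject"] = "[web form] " + form["subject"].strip()
    msg.set_content(form["comments"])  # body is data, not headers, so free text is fine here
    return msg


if __name__ == "__main__":
    # Constructed submission, as the comments form would POST it.
    sample = {"recipient": "comments", "email": "visitor@example.org",
              "subject": "Hello", "comments": "Nice site"}
    print(build_message(sample))
```

Two of the checks carry most of the weight: the recipient field is a lookup key and never an address, and every header-bound field is rejected if it contains a line break, which is how the older formmail scripts were turned into open relays (an injected Bcc: line appended to a subject or sender field). Everything the visitor controls either lands in Reply-To after strict syntax checking or in the body, where it cannot alter the envelope.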

The .NET CLR in the user agent is nothing suspicious - I don’t know exactly what it means, but I find it in my log files all the time from normal requests.