What can you trust?


#1

HAS ANYONE EVER RECEIVED THIS EMAIL, OR IS THAT A VIRUS IN DISGUISE? SHOULD I FOLLOW THESE DIRECTIONS? CAN ANYONE ADVISE ME ABOUT THIS?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have located a form to mail script written by Matt Wright (version
1.5, 1.6 or 1.7) on one of your sites. This script can be abused to
send large amounts of spam from our network. We’ve already made several
announcements about this vulnerability in the past.

Please upgrade or disable the script within 24 hours, as I will be going
through and disabling all of these scripts tomorrow. Renaming the
file(s) is not acceptable - you must either remove it, or make it
non-executable (chmod -x filename). If you’re not sure where the file(s)
in question are located, please type (from the command line):

find . -iname 'formmail*' -ls (from your home directory).

Please:

  1. Upgrade the script before changing the permissions back, or
  2. Disable the script completely. This does not mean renaming it - you
    must leave it non-executable and / or remove it completely. or
  3. Switch to our formmail script at http://formmail.dreamhost.com/

There’s a revision of version 1.9, which has been patched against
security holes at:

ftp://ftp.monkeys.com/pub/formmail/1.9s/

Alternatively, you might wish to use the script we’re using a modified
version of. It’s intended as a drop in replacement for the original
script, but is written better (and recommended by Matt Wright, author of
the most commonly used / abused formmail script). This can be found at:

http://nms-cgi.sourceforge.net/

Lastly, please note that this type of script is designed to send
information and not credit card information (or other sensitive data).
You should not use such a script to receive sensitive information via
unencrypted email, even if (especially if) the script is located on a
secure server.

Please write abuse@dreamhost.com (along with your machine username) if you
don’t know where the problem scripts are located or if you have any additional
questions or concerns.


William Yardley
Dreamhost Abuse Team
abuse@dreamhost.com / http://www.dreamhost.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: public key: http://dreamhost.com/pgp/william.asc

iD8DBQE9ascQswHW5vg5XAIRAgZpAJ4ut+K6ROmnQcIeCvp/y2ykgDJzlwCeNclv
xxLqXGnxG7mgXe0IQO+5Kpc=
=sKM8
-----END PGP SIGNATURE-----


#2

I also received this and am panicking, I have tons of forms on my domain. I have written to find out what it’s about, hopefully I won’t have to change all my forms. Will let you know what I find out if you like?

PS. Do you understand what it is they are asking us to do to fix our forms, cause I’m lost?


#3

It was a warning that was meant to be sent out legitimately to users who were running insecure copies of the script “formmail” on their accounts. However, it seems the announcement got sent to a wide number of users including those who do not have formmail installed locally.

Here’s the follow-up posting to validate this:

[code]The following is a Action Required announcement, sent 2002-08-26 18:30:28.


Somehow an announcement targeted to a small group of users was
inadvertently sent to a large group of users. We’re very sorry for any
inconvenience / annoyance.

If you don’t have such a script, please disregard the announcement.


[/code]

If you do have formmail installed, then I’d strongly advise you to take the advice provided by Will in the first email.

This only concerns people who have downloaded and installed “formmail” from Matt’s Script Archive or other sites.

If you are using the formmail script provided from Dreamhost at formail.newdream.net then you do not need to worry and you do not need to change anything.

I believe this action was taken by Will to help us all improve security on the web servers, for all of us. It’s a very welcome move, as formmail is known to be a very buggy script at best, and is often used by spammers to relay messages through servers.

Hope this helps.

  • wil
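
The check the notice asks for (locate every FormMail copy, see which version it is, remove the execute bit from the affected ones) can be scripted. The following is an added example, not part of the original thread or of DreamHost's tooling; the function names are hypothetical, and it assumes the script's header carries a "Version X.Y" string within its first 20 lines.

```shell
#!/bin/sh
# Added example: audit a directory tree for FormMail copies.
# Assumption: the version is written as "Version X.Y" near the top of the file.

# classify_version VERSION
# "affected" = the versions the notice names (1.5, 1.6, 1.7);
# "unknown"  = no version string found; anything else needs a manual look.
classify_version() {
    case "$1" in
        1.5|1.6|1.7) echo "affected" ;;
        "")          echo "unknown" ;;
        *)           echo "review" ;;
    esac
}

# audit_formmail DIR
# Prints one tab-separated line per match: status, version, exec|noexec, path.
# The pattern is quoted so the shell passes it to find unexpanded.
audit_formmail() {
    find "$1" -type f -iname 'formmail*' | sort | while IFS= read -r f; do
        ver=$(head -n 20 "$f" |
            sed -n 's/.*[Vv]ersion[[:space:]]*\([0-9][0-9.]*[a-z]*\).*/\1/p' |
            head -n 1)
        if [ -x "$f" ]; then mode=exec; else mode=noexec; fi
        printf '%s\t%s\t%s\t%s\n' \
            "$(classify_version "$ver")" "${ver:-?}" "$mode" "$f"
    done
}

# disable_affected DIR
# Removes the execute bit from every affected copy that is still executable.
# a-x is used instead of -x so the umask cannot leave a bit in place.
disable_affected() {
    audit_formmail "$1" |
    while IFS="$(printf '\t')" read -r status ver mode path; do
        if [ "$status" = affected ] && [ "$mode" = exec ]; then
            chmod a-x "$path" && echo "disabled: $path"
        fi
    done
}
```

Run `audit_formmail "$HOME"` first and read the report; copies reported as `unknown` or `review` are left untouched by `disable_affected` and need to be checked by hand.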

#4

Yeah - sorry all about the deluge of email. As you can imagine, my yesterday was pretty terrible (as is today) – responding to all the thousands (literally) of responses.

Will (not-so-smarty-pants apparently)


#5

[quote](not-so-smarty-pants apparently)

[/quote]

It looks as if the “Abuse” Team has received some as well as dishing it out! :slight_smile:


#6

[quote]It looks as if the “Abuse” Team has received some as
well as dishing it out!

[/quote]

Heh - you’d be surprised.

I don’t know about Will, but receiving death threats from a disabled spammer isn’t fun. Abuse Team work can be somewhat stressful at times. :expressionless:

…at least we have thousands of nice, non-threatening customers to interact with, though. :>

  • Jeff @ DreamHost
  • DH Discussion Forum Admin

#7

snarl