Verizon banned from accessing Attrition.org

Sat Sep 27 03:20:33 EDT 2003

This page is intended to explain why Attrition.org is now blocking all traffic from dsl-verizon.net on port 25 (smtp) and port 80 (http). This page is intended for any *verizon.net customers having problems reaching this site, as well as anyone else that feels large ISPs should be held accountable for their users and actions. I encourage everyone to view the material here and block Verizon on the sites they run.

Understanding "formmail" abuse

As outlined on Rick's Spam Digest:

One of the features that many folks like to put on their websites is the feedback (or "mailback") form. Simple CGI programs (often Perl scripts) power most such features, which collect messages from website visitors and mail them back to the website proprietor. One of the more popular of these programs is called "formmail," but there are lots of others out there.

Indeed, for purposes of avoiding spam, the use of a feedback form by a website operator is an excellent idea which I discuss elsewhere. Unfortunately, however, these programs are sometimes vulnerable to being hijacked by spammers, who can use them to bypass the usual hassle of finding open relay hosts. A further advantage for the spammer is that, unlike "regular" e-mails, mailback submissions usually can't be traced back to the submitters in any way (unless the operator of the script has saved the IP address of the user who initiated the mailing).

Each day Attrition staff monitors certain activity on the machine indicative of a problem. One of these is the attempts to access various "formmail" programs, which are a popular target of spammers due to their vulnerabilities/weaknesses, even though we do not use them for our web pages. Each time someone attempts to use the formmail programs on Attrition, they will get a response indicating the program is there (200), due to our dummy files, or that the program is not there (404) if they try it on various other URLs. Either way, the real test of the formmail program for a spammer seeking a site they can use is to receive the test mail back at their email address. In every case this test failed since there are no working formmail scripts on Attrition. I mention this because after a few failures, you'd think an intelligent spammer (oxymoron?) would move on. Not the case with Verizon customers.

Verizon's Acceptable Use Policy prohibits this behavior

Reading the Acceptable Use Policy (AUP) at Verizon's site, it clearly outlines that probing other systems for such weaknesses is prohibited. Further, the goal of finding such formmail scripts is to gain the ability to send out large quantities of e-mail (aka Spam) that are difficult to trace back to the spammer.

3. You may NOT use the Service as follows: (a) for any unlawful, improper or illegal purpose or activity;

(c) to access or attempt to access the accounts of others, to spoof or attempt to spoof the URL or DNS or IP addresses of Verizon or any other entity, or to attempt to penetrate or penetrate security measures of Verizon or other entities' systems ("hacking") whether or not the intrusion results in corruption or loss of data; (d) to bombard individuals or newsgroups with uninvited communications, data or information, or other similar activities, including but not limited to "spamming", "flaming" or denial or distributed denial of service attacks; (e) to transmit unsolicited voluminous emails (for example, spamming) or to intercept, interfere with or redirect email intended for third parties using the Service;

Any responsible ISP that is presented with evidence (logs) showing their customer violating their posted policy will act on it. This typically results in a warning for the user, cancellation of service, or in some cases reporting to the proper authorities. ISPs that do nothing essentially harbor these users, which in some cases extends to harboring criminal activity.

Ongoing problem

The formmail probes originating from dsl-verizon.net have been going on for some time. The first day in 2003 that we noticed such probes was on Jan 01. Since that day, the probes have come in consistently with no signs of letting up. Even as I write this page, the probes continue.

lsanca2-ar34-4-62-255-014.lsanca2.dsl-verizon.net - - [30/Jan/2003:21:07:36 -0500] "GET /cgi-bin/formmail.pl?email=Checkit%40attrition%2Eorg&recipient=foxcid%40hotmail%2Ecom&subject=www%2Eattrition%2Eorg%2Fcgi%2Dbin%2Fformmail%2Epl%3F&msg=www%2Eattrition%2Eorg%2Fcgi%2Dbin%2Fformmail%2Epl%3F HTTP/1.1" 200 647 "-" "Gozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90; Windows 2000)"

lsanca2-ar36-4-63-166-246.lsanca2.dsl-verizon.net - - [27/Sep/2003:05:14:45 -0400] "GET /cgi-bin/formmail/formmail.cgi?realname=gtbxp%20ghrgip&recipient=piscesali@aol.com&email=WantDis@aol.com&subject=http://www.attrition.org/cgi-bin/formmail/formmail.cgi&message=uelfy%20mxwkbkdfsfk%20hqpalyusxgn%20ysxigv HTTP/1.1" 404 1840 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
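The daily monitoring described above (watching the web logs for formmail probes and noting where they come from) can be automated against Apache "combined" log entries like the two quoted here. The following is an added example written for this page, not a script from Attrition; it parses each line, flags requests for formmail-style scripts, decodes the percent-encoded query so the "recipient" (the address the spammer wants the test mail sent to) and "email" fields are readable, and tallies probes per source domain. The script-name pattern, the helper names and the extra sample lines (the 192.0.2.x and 203.0.113.x entries) are constructed assumptions; the first two sample lines are the page's own entries with the line-wrap spaces removed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, the layout of the entries quoted on this page.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Script names a formmail probe asks for (assumed pattern; it covers the
# formmail.pl and formmail/formmail.cgi variants seen in the logs above).
FORMMAIL_PATTERN = re.compile(r'/formmail[^/?]*\.(pl|cgi)$', re.IGNORECASE)

# Constructed sample input: the page's two entries plus two made-up lines,
# one ordinary page hit and one probe from a host without reverse DNS.
SAMPLE_LOG = [
    'lsanca2-ar34-4-62-255-014.lsanca2.dsl-verizon.net - - [30/Jan/2003:21:07:36 -0500] '
    '"GET /cgi-bin/formmail.pl?email=Checkit%40attrition%2Eorg&recipient=foxcid%40hotmail%2Ecom'
    '&subject=www%2Eattrition%2Eorg%2Fcgi%2Dbin%2Fformmail%2Epl%3F'
    '&msg=www%2Eattrition%2Eorg%2Fcgi%2Dbin%2Fformmail%2Epl%3F HTTP/1.1" 200 647 "-" '
    '"Gozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90; Windows 2000)"',
    'lsanca2-ar36-4-63-166-246.lsanca2.dsl-verizon.net - - [27/Sep/2003:05:14:45 -0400] '
    '"GET /cgi-bin/formmail/formmail.cgi?realname=gtbxp%20ghrgip&recipient=piscesali@aol.com'
    '&email=WantDis@aol.com&subject=http://www.attrition.org/cgi-bin/formmail/formmail.cgi'
    '&message=uelfy%20mxwkbkdfsfk%20hqpalyusxgn%20ysxigv HTTP/1.1" 404 1840 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '192.0.2.10 - - [27/Sep/2003:05:20:01 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '203.0.113.5 - - [27/Sep/2003:06:02:17 -0400] "GET /cgi-bin/FormMail.pl?recipient=x%40example.net '
    'HTTP/1.0" 404 280 "-" "-"',
]


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    # parse_qs undoes the percent-encoding, so %40 -> @ and %2E -> .
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_formmail_probe(rec):
    return rec is not None and bool(FORMMAIL_PATTERN.search(rec["path"]))


def probe_report(lines):
    """List every formmail probe with the fields worth putting in an abuse report."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if is_formmail_probe(rec):
            hits.append({
                "host": rec["host"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "recipient": rec["query"].get("recipient"),  # where the test mail would go
                "sender": rec["query"].get("email"),
            })
    return hits


def source_key(host, depth=2):
    """Group by the last `depth` labels of the reverse-DNS name; keep bare IPs whole."""
    labels = host.split(".")
    if labels[-1].isdigit():
        return host
    return ".".join(labels[-depth:])


def by_source_domain(hits):
    return Counter(source_key(h["host"]) for h in hits)


if __name__ == "__main__":
    hits = probe_report(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["host"]} {h["path"]} -> {h["status"]} recipient={h["recipient"]}')
    print(by_source_domain(hits))
```

Because the dummy files answer 200 and missing paths answer 404, the report lists both and does not treat the status code as a signal; the request path is the signal, and the decoded recipient field is what makes the log entry useful in a complaint to the provider's abuse address.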

It's not just us

One might argue this could be an isolated event. A web search turned up an excellent page at softwolves.pp.se that also documents these types of abuses. Not only do they find this activity coming from the same ISP (dsl-verizon.net), but the same subnet and the same IPs. Quoted from their page:

Going through my logs I started noticing that there were quite a lot of requests for a script that is not available on my servere, namely /cgi-bin/formmail.cgi (and variations thereof). A closer investigation showed that these requests come from spammers who try to figure out where they can find formmail scripts with security holes that allow them to send their junk mail by stealing other people's bandwidth and services.

Of particular interest are log entries from this page showing these probes dating back at least three months from the same IP addresses. Their logs also show that formmail abusers originating from dsl-verizon.net go back as far as 2002. Below are a couple of the entries showing that they can come from different IP addresses on the same subnet, presumably when the customer reconnects and receives a different IP address from the pool.

Notifying Verizon of the problem

According to RFC 2142, all domains should maintain an "abuse" account or mail alias to receive complaints of "Inappropriate public behaviour".

Due to the amount of spam Attrition receives, and due to the diversity of probes, we cannot devote the time to complain about each incident. Typically, if the same event or origin is noticed repeatedly it will stick in the back of our minds and increase the chance that we contact the offending provider. In this case, complaint mail was sent around May or June but not saved. It was assumed that once the problem was identified, Verizon would do the right thing and put an end to it. Months later we noticed the same probes almost every single day. Recently, I began keeping a copy of the mail sent in case it came to this. It did.

I contacted abuse@ each time, often sending the mail to additional addresses such as legal@ or postmaster@. Around Sep 11, I began CC'ing the only NIC contact address associated with verizon.net and dsl-verizon.net (christian.andersen@verizon.com) which yielded nothing.

Verizon's (lack of) Response

The most troubling part of this whole incident (and the entire reason you are reading this page) is Verizon's failure to handle the problem. After countless complaints, after involving journalists who may have brought this to public light, and after continued abuse, Verizon has done absolutely nothing about it. We have not received a single reply from any contact address. We have not received any indication they are investigating the problem or looking for a way to resolve it. In fact, some mail we send hasn't even reached them due to their abuse contact mail boxes being over quota! How can a company with $67,000,000,000.00 in 2002 revenues not find a way to purchase a $50.00 hard drive to store incoming mail?!

Attrition's Response

As of the posting of this article, Attrition will effectively ban all traffic from *verizon.net to Attrition.org, specifically port 25 (smtp) and port 80 (http). While this may seem like a trivial response or a nuisance to innocent users, it is our only course of action left. If other legitimate users of Verizon are affected, they can contact their provider and make them aware that Verizon's lack of action/response is affecting their users. They are paying customers; we'd hope their complaints are heard since ours are not. To the current Verizon customers subscribed to the mail lists we host, we apologize for the inconvenience. Feel free to subscribe from a hotmail/hushmail/yahoo type mail address to keep receiving mail list traffic.
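The ban described above is scoped to two ports rather than all traffic, and it is applied to a list of the provider's IP ranges (the list itself is linked from this page but not reproduced here). The following added example, written for this page and not Attrition's own tooling, shows how such a list can be turned into port-scoped firewall rules: it validates each CIDR, merges overlapping or adjacent ranges so the rule set stays short, emits one iptables DROP rule per range and port, and offers a lookup so an address can be checked against the ban before a user is told why they cannot reach the site. The CIDRs in the sample list are documentation ranges used as placeholders, not Verizon's address space; the list is assumed to be IPv4 only.

```python
import ipaddress

# Ports named on this page: smtp and http.
BLOCKED_PORTS = (25, 80)

# Constructed placeholder list (RFC 5737 documentation ranges), standing in
# for the real dsl-verizon.net IP space, which this page links to but
# does not reproduce.
SAMPLE_CIDR_LIST = """
# one range per line, comments allowed
192.0.2.0/24
192.0.2.128/25      # contained in the /24 above, will be merged away
198.51.100.0/25
198.51.100.128/25   # adjacent to the previous /25, merges into a /24
"""


def load_cidrs(text):
    """Parse one CIDR per line, skipping blanks and '#' comments.

    ipaddress.ip_network raises ValueError on malformed input, so a typo in
    the list fails loudly instead of silently banning the wrong range.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    # collapse_addresses merges contained and adjacent networks (IPv4 only here).
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(nets, chain="INPUT", ports=BLOCKED_PORTS):
    """One DROP rule per (range, port); everything else from the range is untouched."""
    rules = []
    for net in nets:
        for port in ports:
            rules.append(f"iptables -A {chain} -p tcp -s {net} --dport {port} -j DROP")
    return rules


def is_banned(address, nets):
    """True if `address` falls inside any banned range."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    nets = load_cidrs(SAMPLE_CIDR_LIST)
    for rule in iptables_rules(nets):
        print(rule)
    print(is_banned("198.51.100.200", nets), is_banned("203.0.113.9", nets))
```

Keeping the rules to ports 25 and 80 matches what the page says is blocked: a banned customer still gets, for example, DNS answers and can read the reason for the block elsewhere, and the merged list means a provider's pool of reconnect addresses (different IPs on the same subnet, as noted above) is covered by a single range rather than one rule per observed host.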

List of dsl-verizon.net IP space