From: security curmudgeon (
Cc: Declan McCullagh (
Date: Thu, 11 Sep 2003 00:01:16 -0400 (EDT)
Subject: Daily CGI Formmail Spam Attempts 


The following IP address has been responsible for near daily attempts to
relay spam through us. My first complaints to you began before 7-21-03 and
went unanswered. The spam attempts did not stop, and I put a note in our
files blocking any SMTP traffic from that server. Almost two months later,
and this IP is still responsible for attempting to spam through us. In the
past, several complaints were bounced back to us because you failed to
maintain the appropriate IETF standard mailboxes (abuse/postmaster). Once
that was resolved, the mailboxes would routinely bounce to them being

You have been made aware of this repeatedly, to the tune of several times
a week. Not once has anyone replied or taken action. The spam
relay attempts from your network are a persistent problem that you fail to
address. It is crystal clear that supports
spammers that pay them money.

I am CCing one journalist who takes an interest in these types of issues,
and BCCing a dozen more that cover technology/security. I hate resorting
to this type of mail but you leave me no other choice. For the last time,
please deal with your customers violating the Verizon AUP.

- - [10/Sep/2003:03:57:17 -0400] "GET /cgi-bin/formmail.cgi?realname=cxnrs%20rtmimb& HTTP/1.1" 403 372 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
- - [10/Sep/2003:03:57:17 -0400] "GET /cgi-bin/ HTTP/1.1" 404 1883 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
- - [10/Sep/2003:03:57:18 -0400] "GET /cgi-bin/formmail/FormMail.cgi?realname=gfiae%20hqddlg& HTTP/1.1" 404 1863 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
- - [10/Sep/2003:03:57:18 -0400] "GET /cgi-bin/formmail/ HTTP/1.1" 404 1872 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
- - [10/Sep/2003:03:57:18 -0400] "GET /cgi-bin/formmail/ HTTP/1.1" 404 1836 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Past offenders. Between 03/03 and 07/03 we stopped taking
note of these probes, but the continued abuse from this specific IP
address made us take note.

- (07-21-03)
- (03-15-03)
- (02-28-03)
- (01-16-03)
- (01-09-03) (01-10-03)
- (01-07-03) (01-08-03) (01-11-03) (01-12-03)

