Quote
Dear XXXXX Abuse Department:
I am writing to notify you that a computer on your network, identified through the RIPE web site and other WHOIS sources, may have been compromised and used in an attempt to exploit my Formmail script to send spam through my server.
Our script is set up to report the source IP address in the output e-mail each time the form is filled out. The output e-mail is forwarded below, and the remote address record shows that the attack originated from IP address [XX.XX.XX.XXX].
Relevant excerpts from our access log:
XX.XX.XX.XX - - [16/Dec/2009:21:38:18 -0500] "GET /Oform.html HTTP/1.1" 200 9480 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
XX.XX.XX.XX - - [16/Dec/2009:21:38:19 -0500] "POST /formmail.php HTTP/1.1" 302 - "http://www.nanoprobes.com/Oform.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
XX.XX.XX.XX - - [16/Dec/2009:21:38:23 -0500] "GET /Othanks.html HTTP/1.1" 200 2286 "http://www.nanoprobes.com/Oform.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Our script output notification message is pasted below, showing the IP address from which the abuse occurred in the REMOTE_ADDR line.
This type of attack is frequently made using an unsecured, compromised proxy server. Please make sure that this machine - and any similar servers in your network - are secured, and take steps to prevent any further abuse. If this attack is the result of a virus, worm or trojan, or an exploit carried out without the user's knowledge, we request that you take action to make sure they have full and current anti-virus software, security protections and system patches in place to protect against these threats. If you find they are deliberately sending spam or conducting script abuse, please remove them from your servers.
Thank you for your consideration,
XXXXXXXXXXXX
Web Site Administrator