[Techtalk] help! what kind of hack is this?

Kai MacTane kmactane at GothPunk.com
Sun May 25 18:10:02 EST 2003

At 5/25/03 05:50 PM , Carla Schroder wrote:
>Hi all,
>I keep getting these odd messages in my inbox- there are absolutely no forms
>on bratgrrl.com, and I certainly wouldn't use the notoriously insecure Matt
>Wright's scripts anyway. Anyone know what this means?

This is a really weird message. The X-Originating-IP: header is usually a 
Hotmail thing, although there's no reason anyone else can't use one as 
well. The IP address listed in that header doesn't have a reverse lookup, 
but it doesn't match bratgrrl.com's at all.

The Return-Path: and Message-ID: headers indicate that this message 
actually got its start on janus.affordablehost.com, not on bratgrrl.com.

I think the X-Script-URL: header is probably falsified.

>Return-Path: <postmaster at janus.affordablehost.com>
>Delivered-To: none at bratgrrl.com
>Received: (qmail 10390 invoked by uid 48); 25 May 2003 23:29:02 -0000
>Date: 25 May 2003 23:29:02 -0000
>Message-ID: <20030525232902.10389.qmail at janus.affordablehost.com>
>To: none at bratgrrl.com
>From: none at bratgrrl.com ()
>Subject: Ignore to: Spankysparade at o2.pl
>BEGINABCDFORMMAILbratgrrl.com/cgi-bin/formmail.plTSTSendMailTSTENDABCD .
>X-Generated-By: Matt Wright's FormMail.pl v1.9s-p7
>X-Script-URL: http://bratgrrl.com:80/cgi-bin/formmail.pl
>X-Originating-IP: []
>Status: R
>X-Status: N
>Below is the result of your feedback form.  It was submitted by
>  (none at bratgrrl.com) on Sunday, May 25, 2003 at 19:29:02
>[Form contents removed by Kai MacTane for total pointlessness.]
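
The header comparison made in this reply, as an added Python example that is not part of the original post: it reads the quoted headers (with the archive's "user at host" address form) and reports when the hosts in Return-Path: and Message-ID: differ from the host claimed in X-Script-URL:. The function names are hypothetical, and the sample is a subset of the headers quoted above.

```python
import re
from urllib.parse import urlsplit

# Headers copied from the quoted message above, ">" quoting removed; addresses
# keep the list archive's "user at host" spelling.
SAMPLE = """\
Return-Path: <postmaster at janus.affordablehost.com>
Delivered-To: none at bratgrrl.com
Message-ID: <20030525232902.10389.qmail at janus.affordablehost.com>
From: none at bratgrrl.com ()
BEGINABCDFORMMAILbratgrrl.com/cgi-bin/formmail.plTSTSendMailTSTENDABCD .
X-Generated-By: Matt Wright's FormMail.pl v1.9s-p7
X-Script-URL: http://bratgrrl.com:80/cgi-bin/formmail.pl
"""

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
HOST_RE = re.compile(r"(?:@|\sat\s)([A-Za-z0-9.-]+)")

def parse_headers(raw):
    """Collect 'Name: value' lines, first occurrence wins. Lines that are not
    header-shaped (like the BEGINABCD... marker) are skipped instead of
    ending the header block, so headers after them are still seen."""
    headers = {}
    for line in raw.splitlines():
        m = HEADER_RE.match(line)
        if m:
            headers.setdefault(m.group(1).lower(), m.group(2).strip())
    return headers

def addr_host(value):
    """Host part of an address written as user@host or 'user at host'."""
    m = HOST_RE.search(value or "")
    return m.group(1).lower().strip(".") if m else None

def check_origin(raw):
    """Compare the hosts that handled the message with the claimed script host."""
    h = parse_headers(raw)
    claimed = urlsplit(h.get("x-script-url", "")).hostname
    origin = {n: addr_host(h.get(n)) for n in ("return-path", "message-id")}
    findings = []
    for name, host in origin.items():
        same = host == claimed or (host and claimed and host.endswith("." + claimed))
        if host and claimed and not same:
            findings.append(f"{name} host {host} != X-Script-URL host {claimed}")
    return {"claimed_host": claimed, "origin_hosts": origin, "findings": findings}

if __name__ == "__main__":
    for finding in check_origin(SAMPLE)["findings"]:
        print(finding)
```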

