Hi all
I'm not sure if this is the place to post but I don't know where to
start! One of my customers who hosts on my RAQ has been getting strange
e-mails. It looks to me like someone trying to send a form2mail script
parameters (Bcc) to send spam. I've just changed the script to
something different and it's still happening. The new script logs the
IP address of the sender so I looked through the access log for that IP
and got the following (I added line breaks to separate the wrapped
entries):

www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:01 +0000] "GET
/manual/mod/core.html#documentroot HTTP/1.0" 404 645 "-" "-"

www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:05 +0000] "POST
/cgi-bin/FormMail.pl HTTP/1.0" 200 1123 "http://www.XXXXXXX.co.uk/" "-"

www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:21 +0000] "POST
/form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"

www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:49 +0000] "GET
/?cat_id=3 HTTP/1.0" 200 4191 "-" "-"

www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:31:03 +0000] "POST
/form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"

www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:32:07 +0000] "POST
/form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"

XXXXXXX is one domain on the server.
YYYYYYY is another domain on the server and the one where the customer
has complained about the weird e-mails.
Can anyone throw any light on this please? I'm guessing that the IP
address is probably fake.
Regards
Andy Jacobs
--
Andy Jacobs
www.redcatmedia.net
Intelligent Websites For Intelligent Business People
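
Added example, not part of the original post: the manual log search described above, done as a script that groups POSTs to mail-form scripts by client IP across every virtual host in the log. The log format (virtual host name followed by Apache combined fields), the script-name watch list, the thresholds and the last sample line (a constructed browser request from a documentation-range address) are assumptions.

```python
import re
from collections import defaultdict

# Entries from the post above, unwrapped to one per line.
POST_LINES = [
    'www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:01 +0000] "GET /manual/mod/core.html#documentroot HTTP/1.0" 404 645 "-" "-"',
    'www.XXXXXXX.co.uk 192.146.134.129 - - [16/Nov/2005:12:47:05 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 1123 "http://www.XXXXXXX.co.uk/" "-"',
    'www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:21 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"',
    'www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:30:49 +0000] "GET /?cat_id=3 HTTP/1.0" 200 4191 "-" "-"',
    'www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:31:03 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"',
    'www.YYYYYYY.co.uk 192.146.134.129 - - [16/Nov/2005:16:32:07 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/" "-"',
]
# Constructed contrast line: one ordinary browser submission (not from the post).
CONSTRUCTED = 'www.YYYYYYY.co.uk 203.0.113.7 - - [16/Nov/2005:17:02:10 +0000] "POST /form2mail.php HTTP/1.0" 302 0 "http://www.YYYYYYY.co.uk/contact.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
SAMPLE_LOG = "\n".join(POST_LINES + [CONSTRUCTED])

# Assumed layout: vhost, then the Apache combined log fields.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
# Hypothetical watch list of mail-form script names; extend for your own sites.
FORM_SCRIPT_RE = re.compile(r'/(formmail|form2mail)[^/]*$', re.I)

def summarize(log_text):
    """Return ({ip: stats}, unparsed_count) for POSTs to mail-form scripts."""
    report = defaultdict(lambda: {"posts": 0, "vhosts": set(), "blank_agent": 0})
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed += 1  # count, don't silently drop, lines we can't read
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and FORM_SCRIPT_RE.search(path):
            entry = report[m["ip"]]
            entry["posts"] += 1
            entry["vhosts"].add(m["vhost"])
            if m["agent"] in ("", "-"):
                entry["blank_agent"] += 1
    return dict(report), unparsed

def suspicious(report, min_posts=3):
    """IPs whose form POSTs all lack a User-Agent and are repeated or multi-site."""
    return sorted(ip for ip, e in report.items()
                  if e["blank_agent"] == e["posts"]
                  and (e["posts"] >= min_posts or len(e["vhosts"]) > 1))

if __name__ == "__main__":
    stats, bad = summarize(SAMPLE_LOG)
    print(suspicious(stats), stats, "unparsed:", bad)
```

A flagged address identifies the connecting host only, which may be a proxy or a compromised machine rather than the originator.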