Hacker News

kstrauser, today at 2:23 AM

About once a week: "Why is our outbound bandwidth saturated? Oh, look! A new FormMail exploit!"

I think my all-time favorite was an SMTP injection. I don't remember the exact details, but it was pretty close to this:

* The script accepted a form POST and decoded it.

* It opened a pipe to sendmail.

* It wrote the expected SMTP headers to sendmail's stdin.

* Then it wrote the decoded POST body as-is into sendmail's stdin.

Thing is, that method used in-band signaling. This is the part I forget exactly, but you could send in the POST body:

  Blah blah
  
  .
  
  
  To: [1,000 email addresses]
  From: root@localhost
  Subject: LOL spam
  
  Haha suckers

That period on a line of its own, followed by two newlines, told sendmail "this message is done. Now listen for the next command." Then it sent the new SMTP headers with whatever damage the attacker wanted to do, and sendmail would obediently process it as though that were the original message.

We learned that one the fun way.
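The fix for the in-band signalling described in the comment above, as an added example that is not the poster's code or the original FormMail script: form-supplied header fields are refused if they carry CR, LF or NUL (so a field cannot start a new header or end the header block), body lines beginning with `.` are dot-stuffed per RFC 5321 section 4.5.2 so a lone `.` line can never be read as end-of-data, and the recipient is fixed by the site rather than taken from the form. The recipient address, the sendmail path and the sample POST body are constructed for the example.

```python
import re

# Recipient is fixed by the site operator, never read from the form (assumed address).
FIXED_RECIPIENT = "webmaster@example.com"
SENDMAIL_PATH = "/usr/sbin/sendmail"  # assumed location of the sendmail binary
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """Raised when a form field would break out of the header it is placed in."""


def check_header_value(name, value):
    # A header value must stay on one line; a CR/LF from the form would let the
    # sender append their own headers (To:, Bcc:, ...) or end the header block.
    if CONTROL_CHARS.search(value):
        raise HeaderInjection(f"control character in header {name!r}")
    return value


def dot_stuff(body):
    # Normalise line endings, then prefix any line that starts with '.' with
    # another '.', so the body can never contain a line that is exactly '.'.
    lines = body.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\r\n".join("." + ln if ln.startswith(".") else ln for ln in lines)


def build_message(sender, subject, body, recipient=FIXED_RECIPIENT):
    # Headers come only from checked single-line values; body is dot-stuffed.
    headers = [
        ("From", check_header_value("From", sender)),
        ("To", recipient),
        ("Subject", check_header_value("Subject", subject)),
    ]
    head = "\r\n".join(f"{k}: {v}" for k, v in headers)
    return head + "\r\n\r\n" + dot_stuff(body) + "\r\n"


def sendmail_argv(recipient=FIXED_RECIPIENT):
    # -i: ignore a lone '.' line entirely; no -t: recipients come from argv,
    # not from headers, so nothing in the message decides where it goes.
    return [SENDMAIL_PATH, "-i", recipient]


# Constructed POST body in the shape the comment describes.
SAMPLE_BODY = "Blah blah\n\n.\n\n\nTo: [1,000 email addresses]\nFrom: root@localhost\n"
```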


Replies

qingcharles, today at 4:25 AM

Haha, that was the ultimate test. Is my terminal suddenly laggy? OK, we got hacked again.