Do they want to steal email address?
vw98034
07-29-2004, 02:07 AM
I notice there are some unusual URL requests on our site.
POST /cgi-bin/formmail.pl HTTP/1.1
POST /cgi-bin/cgiemail/email.txt HTTP/1.0
POST /cgi-bin/contact.cgi HTTP/1.0
POST /cgi-bin/mailform.pl HTTP/1.0
POST /cgi-bin/formmail.cgi HTTP/1.0
Are they trying to steal email addresses for spam purposes?
Nightfire
07-29-2004, 02:14 AM
It's not that they want to steal your address, but more of wanting to abuse your mail server and then getting your server/domain reported for spamming, and in some cases it gets you blacklisted. The files they've been trying to find are the popular names people give them, and most of the time they're not secure, i.e. from Matt's Script Archive or something.
dysfunctionGazz
07-29-2004, 02:43 PM
So is it wise to rename these files and any linked to them to "potato1.php" or some such non-generic name???
Why would anyone want to get people blacklisted from their ISPs?
Is it some little geeks thinking they are cool...?
People who create malicious code or try to ruin others' computers etc should be castrated!!!!!!!! :D
Nightfire
07-29-2004, 02:51 PM
> So is it wise to rename these files and any linked to them to "potato1.php" or some such non-generic name???
Well, it's a start, but to make it better you should make them secure, have user registration, use cookies/sessions/IP detection etc etc.
> Why would anyone want to get people blacklisted from their ISPs?
It's either because they don't wanna get blacklisted, or they've already got blacklisted and all anti-spam software picks it up as spam.
> Is it some little geeks thinking they are cool...?
It's a mixture of big companies and annoying little .... :D
vw98034
07-30-2004, 03:23 AM
Our site is not a regular web site, but a web application. Most of the web pages are log-in protected. None of those URLs are valid at our site. I essentially need to know what they want to do by sending the URL requests simultaneously from different IP addresses. I can put those IP addresses in the site block list (we already have this mechanism in place). Since the URLs are invalid to our site, we do not need to block them. I can post those IP addresses here if it will help others.
Roy Sinclair
07-30-2004, 10:02 PM
My first guess would be that those were done by a spammer who was hunting for a system to use for relaying their crap so it doesn't look like it came from them. Try tracing the IP addresses, though they may be having another system they've compromised trying yours, so the IP address you have may not lead directly back to the perps.
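An added example, not part of any post in this thread: a Python sketch that scans an access log for POSTs to the mailer script names quoted in the first post, groups them by source IP, and flags any request that was answered with a 2xx status (meaning a script really exists under that name). The Common Log Format, the sample lines and the function name are assumptions.

```python
import re
from collections import defaultdict

# Script names probed in the requests quoted in this thread.
MAILER_PATHS = re.compile(
    r"^/cgi-bin/(formmail\.(pl|cgi)|mailform\.pl|contact\.cgi|cgiemail/)", re.I)

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_mailer_probes(lines):
    """Return {ip: {"paths": set of probed paths, "hits": paths answered 2xx}}."""
    probes = defaultdict(lambda: {"paths": set(), "hits": []})
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not MAILER_PATHS.match(path):
            continue
        entry = probes[m["ip"]]
        entry["paths"].add(path)
        # A 2xx answer means a script exists at that name and should be audited.
        if m["status"].startswith("2"):
            entry["hits"].append(path)
    return dict(probes)

# Constructed sample log (documentation IP ranges, not data from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Jul/2004:02:01:11 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 404 210
192.0.2.10 - - [29/Jul/2004:02:01:12 +0000] "POST /cgi-bin/cgiemail/email.txt HTTP/1.0" 404 210
198.51.100.7 - - [29/Jul/2004:02:01:12 +0000] "POST /cgi-bin/contact.cgi HTTP/1.0" 200 512
198.51.100.7 - - [29/Jul/2004:02:01:13 +0000] "GET /login HTTP/1.0" 200 1830
203.0.113.5 - - [29/Jul/2004:02:03:40 +0000] "POST /app/login HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    for ip, info in sorted(find_mailer_probes(SAMPLE_LOG).items()):
        hits = info["hits"]
        state = "SCRIPT PRESENT: " + ", ".join(hits) if hits else "all rejected"
        print(f"{ip}: {len(info['paths'])} mailer path(s) probed, {state}")
```

Probes that all return 404, as on the original poster's site, only show that the scan found nothing; a 2xx entry is the case that needs follow-up.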