Spammers Use Holes In Democrats.org Security
Posted by Soulskill from the hello-sir-madam dept.
Attila Dimedici writes "According to Cloudmark, 419 spammers are using the democrats.org website to relay email and bypass spam filters. 'The abuse, which dates back at least to the beginning of this month, helps evade filters that internet service providers employ to block the messages. ... The messages were sent courtesy of this page, which allows anyone with an internet connection to send emails. The PHP script employs no CAPTCHA or other measure to help ensure there is a real human being behind each email that gets funneled through the service. The service allows messages to be sent to 10 addresses at a time and even provides a way for people to import contacts they have stored in their address book.'"
I warned them in 2006. (Score:5, Informative)
None of the developers spoke up and said, "Hey, this is a really bad idea!"
In point of fact, I spoke up. Loudly. And eventually resigned when the problems were not adequately addressed.
In August 2006 I wrote a white paper detailing the issues, including the "mail your friends" code that the invite URL falls under:
http://bill.herrin.us/composer.html
In fairness, the director of technology at the time no longer works for the DNC. The current guy inherited the problem.
Re:A rookie mistake (Score:4, Informative)
Sure, in make-believe land this will happen. But here in reality, there are tons of rookie coders writing crap, insecure web programs. Given this will *never* be stopped, the *least* PHP might do is make it feel natural to do the right thing.
For example, if you search "PHP send mail", one of the first hits you get [about.com] has example code that *will* be exploited by spammers. The fact that the *core default way to send mail* does not have a parameter for "From:" has resulted in thousands of websites getting reamed by spammers. Everybody wants to customize the "From:" in an email based on user input! No novice will know how to properly construct a "From: $username" to pass into the additional_headers! They'll gloss over the warning in the link I gave--why? Like most people they will assume the warning only applies to people doing advanced tricks with email like attachments; all they are doing is something "simple" like customizing the From: line! Hell, that is how I got burned. I assumed since I was doing something simple, PHP would do the right thing for me. I was wrong. Live and learn!
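The "From: $username" problem the comment above describes, as an added example that is not from the page, the about.com tutorial, or the democrats.org site: the unsafe pattern is shown in a comment, and the wrapper below refuses any name or address that could carry extra header lines into mail()'s additional_headers. The function names, the form fields and the example addresses are assumptions.

```php
<?php
// Unsafe pattern (do not use): user input goes straight into the header block,
// so a value containing a line break can append headers of the sender's choosing.
//   mail($to, $subject, $body, "From: $username");

/**
 * Build a "From:" header from user-supplied name and address.
 * Returns null when the input is not safe to place in a header.
 */
function safe_from_header(string $name, string $email): ?string
{
    // Any CR, LF or NUL in a header value ends the header and starts a new one;
    // reject it outright instead of trying to strip it.
    if (preg_match('/[\r\n\0]/', $name . $email)) {
        return null;
    }
    // The address must parse as exactly one syntactically valid mailbox.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Keep the display name to a conservative character set and quote it.
    if (!preg_match('/^[A-Za-z0-9 .\'-]{1,64}$/', $name)) {
        return null;
    }
    return 'From: "' . $name . '" <' . $email . '>';
}

/**
 * Send one invitation. Subject and envelope are fixed; user text only
 * ever reaches the message body, never the header block.
 * A stricter variant keeps a fixed site "From:" and puts the user's
 * address in "Reply-To:", which also avoids SPF/DMARC failures.
 */
function send_invite(string $friend, string $name, string $email, string $text): bool
{
    $from = safe_from_header($name, $email);
    if ($from === null || filter_var($friend, FILTER_VALIDATE_EMAIL) === false) {
        return false; // refuse rather than hand tainted data to mail()
    }
    return mail($friend, 'An invitation', $text, $from . "\r\n");
}

// Constructed inputs: the first passes, the second (a name carrying a CRLF
// and a second header line) is rejected before mail() is ever called.
$ok  = safe_from_header('Jane Doe', 'jane@example.invalid') !== null;
$bad = safe_from_header("Jane Doe\r\nBcc: other@example.invalid", 'jane@example.invalid') === null;
```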
The easy to exploit mail function isn't what is happening in the article. That "exploit" isn't even really an exploit but it is what I originally called it--a rookie mistake. That kind of thing can be done in any language and you'd be lying to say your first email form didn't have the exact same problem!
Re:This has nothing to do with politics! (Score:3, Informative)
The MX records for democrats.org point to 208.69.4.29, 208.69.4.30, and 208.69.4.31 and the MX records for dnc.org point to 72.35.23.4 and 216.129.90.46. As of this posting, Spamhaus doesn't have those blacklisted.
Re: You may not even pay for Unemployment (Score:3, Informative)
I think when I finally get back to work (probably January when managers get new budgets and fresh money), I'm going to refuse to pay the Unemployment. Why should I pay for a program that doesn't help me out when I need it?
In Michigan at least, employees don't pay for unemployment insurance, the employers do. Yes, in the end, everything comes out of our pockets in some way (i.e. they could pay you higher wages if they didn't have to pay for your unemployment insurance). However, you don't pay x% of your paycheck every week into Unemployment.