Spammers Use Holes In Democrats.org Security 129
Posted
by
Soulskill
from the hello-sir-madam dept.
from the hello-sir-madam dept.
Attila Dimedici writes "According to Cloudmark, 419 spammers are using the democrats.org website to relay email and bypass spam filters. 'The abuse, which dates back at least to the beginning of this month, helps evade filters that internet service providers employ to block the messages. ... The messages were sent courtesy of this page, which allows anyone with an internet connection to send emails. The PHP script employs no CAPTCHA or other measure to help ensure there is a real human being behind each email that gets funneled through the service. The service allows messages to be sent to 10 addresses at a time and even provides a way for people to import contacts they have stored in their address book.'"
Not really a hole, more like open barn door (Score:5, Insightful)
That wasn't so much a security hole as just bad programming. The equivalent of not merely leaving the barn door open, but designing the barn with no doors. Who thought that was a good plan? None of the developers spoke up and said, "Hey, this is a really bad idea!"
And, last I checked, the page was still up.
Why is this tagged "politics"? (Score:2, Insightful)
This has nothing to do with politics! (Score:5, Insightful)
Just another clueless web designer putting up an open relay form. I thought I'd seen the last of these back in the 1990s! I'm sure the web site in question has been blacklisted by all the major DNSBL lists by now.
Re:OK, come on (Score:5, Insightful)
My goodness. I believe the reason you can't collect benefits is because most states only provide unemployment insurance for 6 months after the termination of employment. That might not be entirely correct, but it's some period of time. Secondly, The "government compassion" you're whining about was actually doubled in the stimulus bill. The bill vastly expanded unemployment benefits both in terms of length of time, amount of money provided, and tax breaks for the unemployed. See http://employeeissues.com/blog/arra-unemployment-assistance/ [employeeissues.com]
There's your frickin' government compassion. And now you want to refuse to pay into it? Conservatives who utilize government services then complain about how they shouldn't exist at all kill me. Either advocate for smaller government OR take the benefits. Don't do both. I just can't believe it. This is the type of crap that brings our country down.
Geniuses... (Score:5, Insightful)
These are the same geniuses who want to be able to take down the internet when problems arise. They can't even manage themselves but want to control everything else. Go figure...
I bet lots of people complained. (Score:4, Insightful)
But somewhere in the line there was an executive/manager who said "there isn't a problem" or "spammers won't bother with us" or some such.
It's very difficult to explain a problem BEFORE it happens to someone who has a vested interest in not understanding the issue.
Re:Not really a hole, more like open barn door (Score:3, Insightful)
Yeah. It's pretty standard for websites to allow e-mail to an arbitrary address. Every time you sign up for a website, they send an e-mail to an arbitrary address.
The difference is every other website sends a FORM LETTER to the address. Letting you type in a message (and especially making it the entirety or bulk of the e-mail) is what turned this into a stupid idea. Easy to fix too, if they just get rid of the "type your message here" box and do a form letter instead.
A rookie mistake (Score:5, Insightful)
Who here can honestly say the first couple email forms they created *did not* get shut down by spammers? The first I created looked almost like the one linked in this article--no security checks, no throttling and the ability to completely alter the message and subject.
The the second one I created let you add extra headers in the mail message--course part of that was thanks to the shitty, insecure mail api provided by PHP. Their API is more than happy to let you add linefeeds in the "From" or "To" parameters and thus let you add extra headers (say BCC). The reason it was my fault was for using PHP in the first place!
No sir, we've all done this. Every developer who ever created something that let the public generate email has created a gateway for spammers at least once.
My hunch is an intern did this :-)
Oh (Score:3, Insightful)
Silly me.
Re:OK, come on (Score:3, Insightful)
Re:A rookie mistake (Score:3, Insightful)
That is why it is called a rookie mistake. And yes, I'll blame PHP. It is a beginner language and should encourage people to do the right thing. Instead, it makes it hard to create a non-exploitable mail form and trivial to make one that is wide open.
A skilled craftsman knows what constitutes a good tool is and why it might be important. A skilled craftsman also knows when something *is* the fault of the tool. A novice doesn't know a good tool from a bad tool. PHP is a useful tool, but in hands of a novice it can lead to exactly the scenario in this article and *that* makes it a poor tool.
Re:Liberals. (Score:2, Insightful)
http://www.huffingtonpost.com/2008/06/11/mccain-admits-he-doesnt-k_n_106478.html [huffingtonpost.com]
http://www.youtube.com/watch?v=f99PcP0aFNE [youtube.com]
Re:I warned them in 2006. (Score:3, Insightful)
The problem defines the tool, not the other way around. The trained Bayesian filter is one of many tools for filtering spam and other undesired mail. But spam is not defined as "that which the Bayesian filter detects." Nor is all undesirable mail spam; spam is only a subset of undesirable email.
Empathy for Dolts (Score:2, Insightful)
I must "out" myself as being another clueless web designer who left exactly this vulnerability in my own "email page to a friend" link, as recently as April 2009. Doh!
See, creative people have no "barrier to entry" and as long as I can write simple perl scripts, I can run them in my CGI bin. Not everyone is a gifted web designer, many of us have had no formal education in programming or security, and of course we are all struggling against spammers with a financial interest in locating exploits.
I feel empathy for those that you smarter people scoff at. Be kind! It wasn't for us dolts you woudn't *be* smart, you'd just be average!
Wendy Northcutt, the Darwin Awards