Examining an Automated Spam Tool

Saint Aardvark writes "SecurityFocus has published an excellent column detailing how spammers r00ted an Apache server, and used it to send spam. The tool they used is (I hate to admit it) pretty sophisticated: it has macro capabilities, picks up email addresses from and reports success or failure to the master server. It's a very frightening read...and so is this: Message Labs reports that they now intercept 27 spam emails per second, up from 2 per second this time last year. Virus-created proxies are mainly to blame."

Spammers know what they're doing

[bigberk]

Spam is profitable, and this is becoming a huge underground business. Spammers regularly compromise other systems and install sophisticated software to allow easier spamming. Here's a document that describes the link between spam and viruses

Re:(Slightly OT) Apache R00ted??

[SuiteSisterMary]

No, and apache didn't get rooted, either. A poorly written PHP script did.

spamtools

[AeiwiMaster]

Hi

I have made an eigenpoll
to find the best spamtools.

First ranking the tools you know,
the it runs some data minning and find the best tool.

Right now the list looks like.

sa-exim
Outclass
Mail Scanner
spamprobe
POPFile
SpamBayes
SpamAssass in
Vipul's Razor
Blackmail
bogofilter
Infinospam
Spamthis
Shovel
SpamBouncer
Declude JunkMail
spamhole

how to fix the problem

[Brandon+T.]

You can fix this problem by catching attempts to modify the $GEEKLOG_DIR file via get or post methods at the top of the gallery/classes/geeklog/User.php file. Insert this line:

if (isset($_GET['GEEKLOG_DIR']) ||
isset($_POST['GEEKLOG_DIR'])||
isset($_SESSION['GEEKLOG_DIR']))
die('nice try buddy.');
}

The $GEEKLOG_DIR variable is actually set at the end of the gallery init file, so it should not be coming from any other directories. This is another example of why it's bad to leave register_globals on, as the whole problem could have been avoided otherwise.