Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Spamalot' Subscribers to Get Spam ... a Lot

Posted by timothy on from the don't-make-such-a-fuss-I'll-take-yours-I-love-it dept.

CrazyWingman writes "It looks like the list of e-mail addresses subscribed to the lists for the Broadway show 'Spamalot' has been nabbed by spammers. The New York Times is reporting that the list was posted on a page that could be found by looking at the source of other Spamalot webpages. All I have to say is that I hope the creators of the Spamalot website have been sacked."

6 of 123 comments (clear)

  1. Reg-free link by Shachaf · · Score: 5, Informative

    Registration free link
    Generated using the New York Times Link Generator.

  2. Ripped! by Anonymous Coward · · Score: 5, Informative

    "Spamalot" fans who signed up for a newsletter on the Broadway musical's official Web site may end up getting, well, spammed a lot. "Movin' Out" devotees may have the same problem. A security glitch - now fixed - exposed the names and postal and e-mail addresses of more than 31,000 people to savvy computer users.

    Up until Thursday evening, when a reporter from The New York Times pointed out the problem to the Web sites' developer, visiting a specific address on the shows' sites produced a long page with mailing-list data. The security hole was not obvious to casual Web surfers because the address was buried in the site's code. But it could have been discovered by someone deliberately seeking the list data, or by a kind of program used by spammers to scour the Web for new e-mail addresses to bombard.

    Both montypythonsspamalot.com, where 19,000 people had signed up for a newsletter, and movinoutonbroadway.com, where 14,000 had, were built by Mark Stevenson, a designer in Croton-on-Hudson, N.Y.

    Mr. Stevenson said he had hired a programmer, whom he would not identify, to add the list sign-up function to the sites. He said that the amount of resources put into security on the sites had seemed adequate, but "in retrospect, this was not enough, and we need to do more." He said that a message would be sent to the list with a warning about fraudulent e-mail messages.

    Mark Wilkie, a software engineer who maintains Web sites for Gawker Media, said the ability to view the data must have been built into the sign-up software, but it was not clear why someone would do this. "Security-wise, it's a horrible thing to do," he said.

    Aaron Meier, a spokesman for Monty Python's "Spamalot," said yesterday that the show would have no comment.

    When told by e-mail message about the breach, several people who had signed up for the "Spamalot" list said they were unsurprised, given the state of Internet security and the aggressiveness of spammers. Several noted that there was something appropriately Pythonesque about the incident. After all, Internet historians say that the use of the word spam to refer to junk e-mail messages has its roots in a 1970 Monty Python sketch, in which all conversation in a cafe is drowned out by a group of Vikings chanting the word over and over. The sketch and its song about Spam, the meat product, were adapted for the new musical.

    "Are you sure they didn't do it on purpose?" joked one list subscriber, Matthew J. H. Baya of Ellsworth, Me. "Talk about guerrilla marketing."

  3. "To be spammed..." by ornil · · Score: 5, Informative

    If you RTFA, you'd notice that in fact the mailing list subscribers were not spammed. Whoever noticed the security hole was not a spammer, reported it, and the hole was plugged. So, yes, maybe it's funny, but they really were not spammed, which spoils the story.

  4. Web designer's resume... by Saeed+al-Sahaf · · Score: 3, Informative

    http://www.carapacearts.com/mark_stevenson.htm

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  5. Re:Anyone got the copy of the article? by shadowsurfr1 · · Score: 3, Informative

    And for other websites, use BugMeNot, the firefox extension. Quite helpful.

  6. Re:Boy... by macmastery · · Score: 2, Informative

    Actually, this reporter contacted me for this story. When I heard that site had a problem, I went to check it out for myself. What I found was that the contact form action URL entered on its own would display all of the nearly 20,000 name, postal and email addresses.

    The bug I saw in action is fixed now, but if you select the whole contents of the page, there is still some strange if innocuous text showing there.

    Since I used a unique email address for this site, I have been checking to see if I got any spam to that address. I haven't had any in the last few days, since I started checking the "to" address.

    Note that spamalot.com is a different site.