Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Spamalot' Subscribers to Get Spam ... a Lot

Posted by timothy on from the don't-make-such-a-fuss-I'll-take-yours-I-love-it dept.

CrazyWingman writes "It looks like the list of e-mail addresses subscribed to the lists for the Broadway show 'Spamalot' has been nabbed by spammers. The New York Times is reporting that the list was posted on a page that could be found by looking at the source of other Spamalot webpages. All I have to say is that I hope the creators of the Spamalot website have been sacked."

36 of 123 comments (clear)

  1. Boy... by Rolling_Go · · Score: 5, Funny

    Who didn't see THAT one coming?

    --
    sup
    1. Re:Boy... by Anonymous Coward · · Score: 2, Funny

      You missed the joke here, that was :
      - "Who expected that ?"
      - "NOBODY expects the Spanish Inquisition !"

    2. Re:Boy... by macmastery · · Score: 2, Informative

      Actually, this reporter contacted me for this story. When I heard that site had a problem, I went to check it out for myself. What I found was that the contact form action URL entered on its own would display all of the nearly 20,000 name, postal and email addresses.

      The bug I saw in action is fixed now, but if you select the whole contents of the page, there is still some strange if innocuous text showing there.

      Since I used a unique email address for this site, I have been checking to see if I got any spam to that address. I haven't had any in the last few days, since I started checking the "to" address.

      Note that spamalot.com is a different site.

    3. Re:Boy... by Pig+Hogger · · Score: 2, Funny
      - "NOBODY expects the Spanish Inquisition !"
      Er, you got it wrong. it's:
      - "NOBODY expects the Spammish Inquisition !"
  2. That does it. by AtariAmarok · · Score: 4, Funny

    That does it. I'm going to sign up at www.freemoneyalot.com If it works like www.spamalot.com does, I'll be on the gravy train!

    --
    Don't blame Durga. I voted for Centauri.
  3. Camelot! by blackholepcs · · Score: 4, Funny

    It's only a model.

    --
    Halitosis - (n.) Halle Berry's Camel Toe.
  4. Ahhhh.... irony by GPLDAN · · Score: 4, Funny

    It's a bitch. Is this poetic or ironic justice?

    1. Re:Ahhhh.... irony by brilinux · · Score: 3, Interesting
      I actually saw Spamalot on Monday, and I must say that it was rather funny. It opens this coming week, I believe, and I recommend that anyone who is not French, Finnish, Jewish, or Gay goes to see it, or, if (s)he is a member of one of those groups, that (s)he have a very good sence of humour. It was quite a good show, though, and a lot of fun to see.

      And, John Lithgow was sitting five rows in front of me. He has a bald spot on the back of his head.

  5. Reg-free link by Shachaf · · Score: 5, Informative

    Registration free link
    Generated using the New York Times Link Generator.

  6. Ripped! by Anonymous Coward · · Score: 5, Informative

    "Spamalot" fans who signed up for a newsletter on the Broadway musical's official Web site may end up getting, well, spammed a lot. "Movin' Out" devotees may have the same problem. A security glitch - now fixed - exposed the names and postal and e-mail addresses of more than 31,000 people to savvy computer users.

    Up until Thursday evening, when a reporter from The New York Times pointed out the problem to the Web sites' developer, visiting a specific address on the shows' sites produced a long page with mailing-list data. The security hole was not obvious to casual Web surfers because the address was buried in the site's code. But it could have been discovered by someone deliberately seeking the list data, or by a kind of program used by spammers to scour the Web for new e-mail addresses to bombard.

    Both montypythonsspamalot.com, where 19,000 people had signed up for a newsletter, and movinoutonbroadway.com, where 14,000 had, were built by Mark Stevenson, a designer in Croton-on-Hudson, N.Y.

    Mr. Stevenson said he had hired a programmer, whom he would not identify, to add the list sign-up function to the sites. He said that the amount of resources put into security on the sites had seemed adequate, but "in retrospect, this was not enough, and we need to do more." He said that a message would be sent to the list with a warning about fraudulent e-mail messages.

    Mark Wilkie, a software engineer who maintains Web sites for Gawker Media, said the ability to view the data must have been built into the sign-up software, but it was not clear why someone would do this. "Security-wise, it's a horrible thing to do," he said.

    Aaron Meier, a spokesman for Monty Python's "Spamalot," said yesterday that the show would have no comment.

    When told by e-mail message about the breach, several people who had signed up for the "Spamalot" list said they were unsurprised, given the state of Internet security and the aggressiveness of spammers. Several noted that there was something appropriately Pythonesque about the incident. After all, Internet historians say that the use of the word spam to refer to junk e-mail messages has its roots in a 1970 Monty Python sketch, in which all conversation in a cafe is drowned out by a group of Vikings chanting the word over and over. The sketch and its song about Spam, the meat product, were adapted for the new musical.

    "Are you sure they didn't do it on purpose?" joked one list subscriber, Matthew J. H. Baya of Ellsworth, Me. "Talk about guerrilla marketing."

  7. sacked by SuperBanana · · Score: 4, Funny
    All I have to say is that I hope the creators of the Spamalot website have been sacked

    The cREators would like to announce that the previous creato

    NO CARRIER

    The c re a tors of

    NO CARRIER

    --
    Please help metamoderate.
    1. Re:sacked by flumps · · Score: 2, Funny

      Mynd you, møøse bites Kan be pretty nasti...

      --
      "So there he is, risen from the dead. Like that fella, E. T." - Father Ted Crilly
  8. That programmer... by Faust7 · · Score: 4, Funny

    Mr. Stevenson said he had hired a programmer, whom he would not identify, to add the list sign-up function to the sites.

    But why? It's not like we'd want to bludgeon, or bitchslap, or ambush, or lynch the programmer.

    --
    The coolest voice ever.
    1. Re:That programmer... by flumps · · Score: 3, Funny

      .. We could say "NI!" to the poor fellow but it'd be a terrible thing to do to him..

      --
      "So there he is, risen from the dead. Like that fella, E. T." - Father Ted Crilly
    2. Re:That programmer... by CableModemSniper · · Score: 2, Insightful

      Are you saying 'ni' to that programmer? What sad times these must be indeed where passing knaves can say 'ni' to programmers.

      --
      Why not fork?
  9. A moose once bit my sister. by Picass0 · · Score: 4, Funny

    No, relli!

    She was Karving her initials on the moose with the sharpened end of an interspace toothbrush given to her by Svenge- her brother-in-law- an Oslo dentist and star of many Norwegian movies: "The Hot Hands of and Oslo Dentist," "Fillings of Passion," and "The Huge Molars of Horst Nordfink"...

  10. "To be spammed..." by ornil · · Score: 5, Informative

    If you RTFA, you'd notice that in fact the mailing list subscribers were not spammed. Whoever noticed the security hole was not a spammer, reported it, and the hole was plugged. So, yes, maybe it's funny, but they really were not spammed, which spoils the story.

    1. Re:"To be spammed..." by Saeed+al-Sahaf · · Score: 4, Funny

      This is Slashdot. We don't need no stinking FACTS!

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    2. Re:"To be spammed..." by Guido+von+Guido · · Score: 3, Insightful

      The article doesn't say whether or not anyone grabbed the actual mailing list. This is something they could presumably check by looking through the web logs. If the addresses were harvested by somebody's spam bot, I would assume they were added to the spammer's address database. I'm not sure it would have been obvious to anyone that they had been spammed because they had subscribed to the Spamalot mailing list. Anyway, my general assumption is that all spammers out there already have my email address. With effective spam filtering, it's only a minor nuisance.

    3. Re:"To be spammed..." by rsmith-mac · · Score: 3, Interesting

      Actually, David Gallagher(the reporter who wrote this story) contacted me and some other unknown number of people who were on the list and had used tagged addresses(he apparently went through the list himself looking for contacts for this story), asking if we had received any spam on that address. Interestingly enough, he was the first person to contact me on that address at all, I hadn't received any spam or any email from Spamalot previously in the couple of months I've been on the list. It doesn't appear that it was harvested, though it could just be that no one has used the addresses yet.

      If it was harvested though, it opens up an interesting issue since the exposed data included names and physical addresses to go with the email addresses.

  11. Ironic by dg41 · · Score: 3, Funny

    ::instart Fark.com "Ironic" tag here::

  12. Not a professional job... by Saeed+al-Sahaf · · Score: 4, Insightful
    From the story:

    Both montypythonsspamalot.com, where 19,000 people had signed up for a newsletter, and movinoutonbroadway.com, where 14,000 had, were built by Mark Stevenson, a designer in Croton-on-Hudson, N.Y.

    Mr. Stevenson said he had hired a programmer, whom he would not identify, to add the list sign-up function to the sites. He said that the amount of resources put into security on the sites had seemed adequate, but "in retrospect, this was not enough, and we need to do more."

    Why would they use some obviously "home grown" half assed mailing list code when there are perfictly good and fairly sold apps out there like Mailman or EZmlm? Sounds like the "designer" hired some friend, prob. som kid who just learned about web scripting...

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    1. Re:Not a professional job... by chromaphobic · · Score: 2, Insightful

      Calling him a web designer is a stretch. From looking through the other sites he did, they're all filled with shitty Dreamweaver and ImageReady code.

  13. What do you expect... by TPIRman · · Score: 3, Funny

    ... from a site designer who can't even spell "bandwidth"? (Or at least spell it twice...)

  14. Web designer's resume... by Saeed+al-Sahaf · · Score: 3, Informative

    http://www.carapacearts.com/mark_stevenson.htm

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    1. Re:Web designer's resume... by kawika · · Score: 2, Funny

      "Perhaps the bronze sculptor in Washington state that you linked to isn't the same person as the New York web designer."

      Probably you are right. Perhaps we could send the Washington state sculptor to New York to arrange an "unfortunate smelting accident" for the web designer. I certainly would if he tarnished my name.

  15. The creators by sp3tt · · Score: 5, Funny

    SPAM SPAM
    SPAM SPAM
    SPAM SPAM
    SPAM SPAM
    SPAM SPAM
    We aplogize for the spam, the creators of this website have been sacked
    SPAM SPAM
    SPAM SPAM
    SPAM SPAM
    SPAM SPAM
    SPAM SPAM
    We aplogize for the continued spam, the persons responsible for the sacking of the persons just sacked would like to announce that they have been sacked.

  16. Re:Anyone got the copy of the article? by shadowsurfr1 · · Score: 3, Informative

    And for other websites, use BugMeNot, the firefox extension. Quite helpful.

  17. Mail lists... by LiNKz · · Score: 2, Interesting

    Recently I noticed on a certain college website, every employee's email address was listed on a type of 'contact' page.

    Every employee.

    It actually was a three column table, on the left side it had the employee's name, next column was for e-mail, and the last for their phone number.

    I was sitting with the Administrator that handles the email servers, when I heard recently there has been an ever more increasing spam flow to all the college email addresses.

    --
    Proceed with Format (Y/N)? Y
  18. Developers to be blamed? by jamienk · · Score: 3, Insightful

    From my experience, though, often a web developer's clients push towards unsecure functionality because of cost/time considerations. I've been hired to add functionality to sites' existing shopping carts, for example, and when I've found and reported massive holes (a list of customers, orders, credit cards all accessable from a web page, for one), I've been met with heavy skepicism about the need to fix these holes now.

    "How would anyone find that page?"

    "Maybe we'll get to that once we add the international shipping feature."

    etc. It gets tiring. After a while, you feel unappreciated. I'm not saying that something like this happened here, but at this point, I don't know that it DIDN'T happen...

    My 2 cent American.

    1. Re:Developers to be blamed? by Anonymous Coward · · Score: 2, Interesting

      Grow some balls and tell them flat out that you refuse to add features to a product with serious security problems until they are fixed.

    2. Re:Developers to be blamed? by jamienk · · Score: 2, Insightful

      I often find myself just doing what the client wants if they insist. Sometimes it's harder to pull out of a project than to just try to mitigate the damage.

  19. Re:The new age in spamming ? by Karma+Farmer · · Score: 3, Funny

    What if the web designer/programmer was actually someone sleeping in bed with the spammers ?

    I would sleep in bed with spammers! They're all hot nubile chicks with pills to make me skinny and my penis huuuuuge!

  20. Arghhh by ewe2 · · Score: 3, Funny

    ...bloody vikings!

    --
    insecurity asks the wrong question irritation gives the wrong answer
  21. I think I found the page that caused the issues by neckdeepinspecialsau · · Score: 2, Insightful
    This looks like it spits out a search at the bottom of the thank you page.

    http://www.montypythonsspamalot.com/cgi-bin/spamal ot.cgi?email=

    This html is full of artifacts. I would be surprised if they actually hired a web developer and didn't just screw up and use some free script they didn't fully understand.

  22. Re:[examples] to be blamed? by jamienk · · Score: 2, Insightful

    You point to stuff. Your client sees that you might be right. (At this point, several exchanges over a few days or weeks.) They disappear for a while, to discus with their boss. They come back to you, reassuringly telling you that they don't think it's a problem. You object. They act annoyed. The entire project was supposed to be 1 days work for $300... You see what I mean?