Slashdot Mirror


Spammers Use Holes In Democrats.org Security

Attila Dimedici writes "According to Cloudmark, 419 spammers are using the democrats.org website to relay email and bypass spam filters. 'The abuse, which dates back at least to the beginning of this month, helps evade filters that internet service providers employ to block the messages. ... The messages were sent courtesy of this page, which allows anyone with an internet connection to send emails. The PHP script employs no CAPTCHA or other measure to help ensure there is a real human being behind each email that gets funneled through the service. The service allows messages to be sent to 10 addresses at a time and even provides a way for people to import contacts they have stored in their address book.'"

129 comments

  1. OK, come on by damn_registrars · · Score: 1, Funny

    Someone please tell us how this problem with the democrats.org website must clearly be related to the impending socialist takeover of schools and soda machines. Certainly this is how Marxism takes root, by allowing 419 emails to propagate, right?

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:OK, come on by Nidi62 · · Score: 2, Funny

      If Democrats can't even design their website to keep people out or prevent people from doing whatever they want in it, how are they going to keep pedophiles out of our schools? Think of the children!

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    2. Re:OK, come on by Dersaidin · · Score: 0, Troll

      But don't think of the children if *your* the pedophile.

    3. Re:OK, come on by Anonymous Coward · · Score: 1, Funny

      Modded you Troll because you can't spell "you're".
       
      Furthermore, that joke is old.

    4. Re:OK, come on by funkatron · · Score: 0, Troll

      At the very least this will give Fox News some new material to work with. They need it after their recent run of substandard sketches about the NHS.

      --
      "Welcome to our world. We are the wasted youth. And we are the future too." Yes, I know these are stupid lyrics.
    5. Re:OK, come on by UltraAyla · · Score: 4, Insightful

      My goodness. I believe the reason you can't collect benefits is because most states only provide unemployment insurance for 6 months after the termination of employment. That might not be entirely correct, but it's some period of time. Secondly, the "government compassion" you're whining about was actually doubled in the stimulus bill. The bill vastly expanded unemployment benefits both in terms of length of time, amount of money provided, and tax breaks for the unemployed. See http://employeeissues.com/blog/arra-unemployment-assistance/

      There's your frickin' government compassion. And now you want to refuse to pay into it? Conservatives who utilize government services then complain about how they shouldn't exist at all kill me. Either advocate for smaller government OR take the benefits. Don't do both. I just can't believe it. This is the type of crap that brings our country down.

    6. Re:OK, come on by Pax681 · · Score: 0, Troll

      hmmm whenever i think of you after reading your posts i quite often think of pictures like THIS

      a goaste link would have worked too. but that meant having to actually look at that bloody image again

    7. Re:OK, come on by commodore64_love · · Score: 0, Troll

      >>>And now you want to refuse to pay into it?

      Why should I pay for a program that claims I'm ineligible to receive benefits? That's like being forced to pay Microsoft for Windows 7, but they never bother to send it to me.

      And also you're confusing Republicans with Libertarians. The "L" party supports repealing everything, but the R party supports safety-net style programs such as Welfare, Food Stamps, Unemployment, SCHIP, et cetera.

      And finally - you missed the point.

      If I can't even get an unemployment check, how am I supposed to get help if I have breast cancer? If that govt program runs like the unemployment program, then I'll fill-out a lengthy time-consuming form just to be told I'm "ineligible" for help. Government-run monopolies are crap. Look at the bankrupt post office and amtrak for obvious examples.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    8. Re:OK, come on by Anonymous Coward · · Score: 0

      It's an essential argument.

      On the one hand, you have people who are in the middle and upper class. These people pay a significant portion of their income in taxes. They feel as if they are paying a lot more into a system than they are getting out of it. On the other hand, you have people who are in the lower and poverty class. They feel that they are doing the "shit jobs" which make the society work, and that they do it for crap amounts of money. They feel that the government should help them make ends meet.

      On one side of the argument you have the cheaters. They are rich people who try (and succeed at) not paying "their fair share". They also are poor people who freeload off and abuse the system.

      Then there's everyone else. Everyone else includes people with money (but not that much) trying to avoid having their property taken away from them (through taxation). They work hard, they try to make ends meet, and they just want to save some cash and live the American dream. You have people who are poor or without money that just want a helping hand so they can be productive members of society. They don't want to be dependent on other people. With a little assistance, they can join working society and keep the gears turning.

      Politicians pretend like they are all about "the everyone elses". You sound like you're in the everyone else group. They turn around and really fight for the cheaters. They either remove taxes on the rich and cut funding to programs for the poor, or they increase taxes and ignore system abusers. Neither side really works to make the system work better. They just work to stay in office. So you still have people who are either not getting enough use out of their publicly dedicated funds OR you have people who can't get the help that they need to be productive.

      So, basically, what I am trying to say is this: Either way, the system sucks.

    9. Re:OK, come on by UltraAyla · · Score: 1

      Why should I pay for a program that claims I'm ineligible to receive benefits? That's like being forced to pay Microsoft for Windows 7, but they never bother to send it to me.

      You could have received benefits (and it sounds like you did) during the period of time after termination of work that the government is financially able to help you. That period is now over. It's not a flaw in the program - if more money is paid into the program, they can fund more people for longer. Many people contend it's short in order to force people back into the workforce - that doesn't work as well in a recession, which is why the benefits were extended in February. It's simple.

      And also you're confusing Republicans with Libertarians. The "L" party supports repealing everything, but the R party supports safety-net style programs such as Welfare, Food Stamps, Unemployment, SCHIP, et cetera.

      I never said Republicans. I said conservatives. You're talking about fiscal conservatism, which both Republicans and Libertarians generally subscribe to. I know plenty of Republicans, and even a few Libertarians, that support these programs.

      If I can't even get an unemployment check, how am I supposed to get help if I have breast cancer? If that govt program runs like the unemployment program, then I'll fill-out a lengthy time-consuming form just to be told I'm "ineligible" for help. Government-run monopolies are crap. Look at the bankrupt post office and amtrak for obvious examples.

      Damn it, we're not talking about healthcare right now. I'm not trying to prove to you that big government and a public option are better. All I'm saying is don't use a program then whine about how it expired and refuse to pay into it. It's hypocritical asshattery. If you want to say smaller government is better, then fine. I disagree but won't argue with you on that since it's a deeply rooted ideology for us both that won't change in a slashdot discussion and because it's not the discussion we were having.

    10. Re:OK, come on by commodore64_love · · Score: 0, Redundant

      [correction] I only got [4] months (April, May, June, July) - why am I being cut off??? It's supposed to last longer than that. A friend of mine received unemployment for 13 months and we both live within the same state.

      Grrr.

      Sorry. Obviously I'm very very angry right now. I was counting on that check carrying me until January and now suddenly it's stopped for no apparent reason. I paid $19,500 in taxes last year. I've done my part and now for the government to turn its back on me is completely unacceptable.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    11. Re:OK, come on by Anonymous Coward · · Score: 0

      This is the first time I've posted here (been lurking for a while), but you finally drove me to comment.

      Modded you Troll because you can't spell "you're".

      I love you.

    12. Re:OK, come on by greentshirt · · Score: 0, Flamebait

      Because youre lazy ass didn't apply in time. Do you want the government to change your diaper too, reject? Dumb right wing retard... I hope you don't make children, but the dumb ones always do.

    13. Re:OK, come on by greentshirt · · Score: 1

      And before you ignore everything else and jump on the typo, your* Dolt.

    14. Re:OK, come on by Anonymous Coward · · Score: 3, Insightful

      Waiting 9 months until you might get a job back in January is a pretty shitty reason for not getting off your ass and finding another job. Heaven forbid you actually use unemployment as a bridge to finding new employment. No, you should be able to sit on your ass and collect it until the same people who laid you off decide that maybe they can afford you again for a short time? Come on.

    15. Re:OK, come on by Anonymous Coward · · Score: 0

      Okay, now how the fuck is this guy getting modded troll all over the place? Get your heads out of your asses, people.

      "TROLL" IS NOT "I DISAGREE"

    16. Re:OK, come on by GodfatherofSoul · · Score: 1

      You want to understand the problem with conservatives? Craig T. Nelson's words sum it up perfectly:

      "I've been on food stamps and welfare. Anybody help me out? No."

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
    17. Re:OK, come on by michaelhood · · Score: 0, Troll

      I paid $19,500 in taxes last year. I've done my part and now for the government to turn its back on me is completely unacceptable.

      Um, income taxes aren't to fund unemployment.

    18. Re:OK, come on by Cstryon · · Score: 1

      In his defense, I have been actively searching for a job for 6 months, and only JUST scored one. My brother, who is just as qualified as I am, can't get a job at McDonald's, because of this economic crisis you may have heard of.

      I may not know the numbers, and I may not know why times are bad, but some of us experience it first hand.

      If I put a huge chunk of money into a pot, money that I can't choose to put in there or not, I better damn well be able to pull that money out for months at a time when no one will hire me.

      --
      Indoctrinate : to instruct especially in fundamentals or rudiments Educate : to develop mentally, morally, or aestheti
    19. Re:OK, come on by Anonymous Coward · · Score: 0

      So, as a conservative who advocates for the end of a government service, I'll get some of my tax $ back because I don't use the service, right?

      It won't be like I'm being forced to pay for something and then told not to use it just because I'd rather not pay in the first place.

    20. Re:OK, come on by foniksonik · · Score: 1

      How long did you work at your last job? You may not have qualified for longer benefits. I went on unemployment about 5 years ago after a 4 year employment. I got 9 months of benefits. That was the maximum at the time. It was $1650 per month, also the max at the time.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    21. Re:OK, come on by Anonymous Coward · · Score: 0

      So, you are saying is that I should pay for it and then not use it? That sounds even worse than using it and complaining about it to me. I was always told to never look a gift horse in the mouth too, so in the same situation I would probably use it even if I hadn't paid into it. Whether I use it or not has no bearing on whether or not it's a good idea. It wouldn't even make me a hypocrite. If I told people not to use it, then I used it, I would be a hypocrite. If I tell everyone it's a bad idea then I use it, worst case is that it could be used as a point against my argument that it's a bad idea.

    22. Re:OK, come on by Anonymous Coward · · Score: 0

      It is on Slashdot.

      See, if you have no counter argument, but you have mod points, there ya go! Of course some mouth breathing, mother's basement dwelling Liberals just mod anything down that does not include a tribute to The One, The Uniter, The Barry!

    23. Re:OK, come on by Anonymous Coward · · Score: 0

      So, you are saying is that I should pay for it and then not use it?

      Why not? Microsofties post this many times per day on this site. You must be new here.

    24. Re:OK, come on by Anonymous Coward · · Score: 0

      I paid $19,500 in taxes last year.

      It wasn't your money in the first place! Government has first right on all your earnings (since the 1940s) and you should be down on your knees thanking Obama/Pelosi/Reid that you were given as much as you were.

    25. Re:OK, come on by religious+freak · · Score: 1

      OMG... +1 for you. Sucking on the teat of gov't, missing a deadline, complaining how the benefits weren't given to her AND saying she's a libertarian... oh, and she doesn't want to pay into the system when she finally DOES find a job. HEAD.. GOING.. TO.. EXPLODE..

      Hopefully she is just young and not actually retarded... youth I can excuse.

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    26. Re:OK, come on by religious+freak · · Score: 1

      UltraAyla is completely right sweetheart. Your thoughts are very inconsistent. Please review them when the economy sucks less and you find a job. I'm not trolling, the economy really sucks - seriously, and I empathize.

      But claiming to be Libertarian AND complaining about gov't not helping are mutually exclusive items.

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    27. Re:OK, come on by Anonymous Coward · · Score: 0

      So what? If you weren't such a lazy entitled liberal, I bet you would have a job. Here's a clue, hit the streets and look for work, and stop expecting taxpayers to pick up the slack for you, you worthless bum. Take your anger and shove it up your ass. $19K in taxes? Whatever.

    28. Re:OK, come on by SL+Baur · · Score: 1

      Take your anger and shove it up your ass. $19K in taxes?

      Um, that's a lot more in income taxes than many if not most USians pay. How about if they just refund it to him?

    29. Re:OK, come on by uninformedLuddite · · Score: 1

      If I can't even get an unemployment check, how am I supposed to get help if I have breast cancer?

      Get a man to pay for it?

      --
      The new right fascists are bilingual. They speak English and Bullshit.
    30. Re:OK, come on by Anonymous Coward · · Score: 0

      What the hell are you doing on the Internet?! I'm sure there's better ways of spending MY MONEY!

    31. Re:OK, come on by Anonymous Coward · · Score: 0

      Dude... he's a Democrat. Have some heart and take it easy with him.

    32. Re:OK, come on by psm321 · · Score: 1

      If you actually want help and aren't just trolling, call your local state (not federal) representative. They're very helpful in sorting out stupid issues like this.

    33. Re:OK, come on by commodore64_love · · Score: 1

      >>>Waiting 9 months until you might get a job back in January is a pretty shitty reason for not getting off your ass

      Go sit on your finger and swivel on it til you squeal like a pig*, you anonymous coward. I've actually had 3 interviews over those *7* months, and in every case it's the same - they hire someone else. In my most recent interview they refused to hire me because they were looking for a C# programmer and I "only" know C++.

      Yes I'm serious. But that's the nature of the market. When you have ~500 unemployed engineers all applying for 1 opening, the bosses can afford to be picky. Just like customers in a retail store are picky not to buy a dented or scratched item. They likely hired the next guy after me who DOES have C# experience.

      Of course this is only temporary - come January when new budgets arrive and the money is flowing more freely, I expect I'll find a job. That's just how the business cycle flows, and why I was counting on my unemployment to carry me until then.

      * Red Dwarf reference.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    34. Re:OK, come on by commodore64_love · · Score: 1

      You're being facetious, but the government-run system really is a mess. I tried to file my biweekly claim for unemployment and it told me it's "inactive". Then I followed the instructions to reactivate it, and I was told I was ineligible because I haven't worked these last six months. Well of course I haven't worked. That's why I was on unemployment!

      Stupid, stupid government.

      I only got 4 months (April, May, June, July). Another engineering friend got 13 months - why am I being cut off? :-(

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    35. Re:OK, come on by commodore64_love · · Score: 1

      >>>$19K is a lot more income taxes than many if not most USians pay. How about if they just refund it to him?

      A year on unemployment would be equivalent to refunding the taxes I paid on April 15. Of course what I received so far (about $7000) is far short of the amount I paid. I would have been better off to tell the IRS, "Sorry I lost my job," and keep the $19,000 rather than mail in that check.

      What I don't understand is why they make us pay income tax on unemployment checks. Or social security checks. It would make more sense to make that money tax exempt, rather than hand the money to the citizen, and then demand 20% of it back???

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    36. Re:OK, come on by commodore64_love · · Score: 1

      >>>And now you want to refuse to pay into it?

      Why should I pay for a program that claims I'm ineligible to receive benefits? That's like paying Microsoft for Windows 7, but they never bother to send it to me. (Or worse - they give me Vista instead.) The purpose of these "safety net" programs is to be there when people need them, but if it's not there, then that's fraud. Like what Bernie Madoff did.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    37. Re:OK, come on by Keen+Anthony · · Score: 1

      I think the larger point that's being made is that the most vocal opponents of tax financed social welfare programs often use very heated and dangerous language to frame things like welfare and government health insurance as communist and anti-American, while saying that proponents are evil liberal communists "democrats", and that recipients are stupid and lazy.

      Many feel that these programs would run more efficiently but for the net effect of tax dodgers and the political pressure opponents put on anyone trying to fund these programs well.

      It's not the idea that using it while complaining about it is bad. It's that this particular poster has a really extremist position on the subject and related subjects (national healthcare), and so his name calling people for disagreeing with him, and then attacking the very idea of social welfare while whining that his aid can't come fast enough; really makes him look like a troll.

      He did make one good point, however unintentional. If you're going to have a program such as this, it should be more efficient so as to get benefits out to applicants ASAP. Obviously though that's a wholly different argument about bureaucracies.

    38. Re:OK, come on by SL+Baur · · Score: 1

      What I don't understand is why they make us pay income tax on unemployment checks. Or social security checks. It would make more sense to make that money tax exempt, rather than hand the money to the citizen, and then demand 20% of it back???

      Making it taxable income qualifies you for income tax credits. If you collect it between high paying jobs, it also allows them to Tax The Filthy Rich, which would be you, apparently.

    39. Re:OK, come on by hmar · · Score: 1

      Don't know about your state, but in mine you are required to put in 3 job applications per week while collecting unemployment. If you only put in three in 7 months, that may be why you aren't getting your check any more.

  2. ha by Anonymous Coward · · Score: 1, Funny

    Spamocrats

  3. Not really a hole, more like open barn door by HangingChad · · Score: 5, Insightful

    That wasn't so much a security hole as just bad programming. The equivalent of not merely leaving the barn door open, but designing the barn with no doors. Who thought that was a good plan? None of the developers spoke up and said, "Hey, this is a really bad idea!"

    And, last I checked, the page was still up.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Not really a hole, more like open barn door by Anonymous Coward · · Score: 0

      Still is - if they didn't notice the spam traffic, they're not going to notice Slashdot.

    2. Re:Not really a hole, more like open barn door by Dan541 · · Score: 1

      The page is up but not responding too well.

      I'm sure some /.ers will be adding to the abuse.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    3. Re:Not really a hole, more like open barn door by UltraAyla · · Score: 2, Informative

      Solution: Use the website to fill up the sysadmin's box with requests that s/he add a captcha - that'll do it for sure! Right? Right?

    4. Re:Not really a hole, more like open barn door by Anonymous Coward · · Score: 0

      None of their devs are geeky enough to read /.

    5. Re:Not really a hole, more like open barn door by Barny · · Score: 1

      Nah, it's good programming. The design, on the other hand, is another thing.

      --
      ...
      /me sighs
    6. Re:Not really a hole, more like open barn door by isa-kuruption · · Score: 0, Troll

      An open barn door... is a hole in the wall. Therefore, it's a hole.

      Stop trying to sugar coat the inability of Democrats to secure anything... our nation or their own mail server.

    7. Re:Not really a hole, more like open barn door by ukyoCE · · Score: 2, Insightful

      Yeah. It's pretty standard for websites to allow e-mail to an arbitrary address. Every time you sign up for a website, they send an e-mail to an arbitrary address.

      The difference is every other website sends a FORM LETTER to the address. Letting you type in a message (and especially making it the entirety or bulk of the e-mail) is what turned this into a stupid idea. Easy to fix too, if they just get rid of the "type your message here" box and do a form letter instead.
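      The two designs this comment contrasts, as an added example that is not code from the thread or from the democrats.org site: a relay that forwards the visitor's free text verbatim to whatever addresses were given, beside a form that sends only a fixed template, requires a solved CAPTCHA, validates and caps recipients, strips header-injection characters from the sender name and rate-limits by client address. The example.org domain, the allowed page paths and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed values for this example; none of them come from the real site.
MAX_RECIPIENTS = 10                          # the per-request limit the article says the form allowed
ALLOWED_PAGES = {"/issues", "/volunteer"}    # hypothetical site paths the mail may link to
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
TEMPLATE = ("Hi,\n\n{name} thought you might be interested in this page:\n"
            "https://example.org{page}\n\n"
            "Sent on behalf of a visitor to example.org; visitor text is never included.\n")


@dataclass
class OutboundMail:
    to: str
    subject: str
    body: str


def open_relay_form(sender_name, recipients, message):
    """The weak design: whatever the visitor typed becomes the body, sent to any addresses given."""
    return [OutboundMail(to=r, subject=f"{sender_name} sent you a message", body=message)
            for r in recipients]


class FormRejected(ValueError):
    """Request failed validation (CAPTCHA, address, count or link target)."""


class RateLimitExceeded(Exception):
    """Client address has used up its sending budget."""


class TellAFriend:
    """The form-letter design: user input only selects a recipient and a page, never the text."""

    def __init__(self, limit_per_hour=20):
        self.limit = limit_per_hour
        self.sent_by_ip = defaultdict(int)   # a real deployment would keep this in a shared store with expiry

    @staticmethod
    def _clean_name(name):
        # CR/LF in a name that lands in a header would let the caller add Bcc: lines; strip them and bound length.
        cleaned = re.sub(r"[\r\n\t]", " ", name).strip()
        return cleaned[:60] or "A visitor"

    def send(self, sender_name, recipients, page, captcha_ok, client_ip):
        if not captcha_ok:
            raise FormRejected("captcha not solved")
        if page not in ALLOWED_PAGES:
            raise FormRejected("link target not on allowlist")
        cleaned = []
        for r in recipients:
            r = r.strip().lower()
            if not EMAIL_RE.match(r):
                raise FormRejected(f"bad address: {r!r}")
            if r not in cleaned:             # de-duplicate so one request cannot hammer one inbox
                cleaned.append(r)
        if not cleaned or len(cleaned) > MAX_RECIPIENTS:
            raise FormRejected("recipient count out of range")
        if self.sent_by_ip[client_ip] + len(cleaned) > self.limit:
            raise RateLimitExceeded(client_ip)
        self.sent_by_ip[client_ip] += len(cleaned)
        name = self._clean_name(sender_name)
        body = TEMPLATE.format(name=name, page=page)   # fixed template: no field the visitor controls
        return [OutboundMail(to=r, subject="A page recommended by " + name, body=body) for r in cleaned]


def try_send(service, **kwargs):
    """Return the rejection class name, or None when the request was accepted."""
    try:
        service.send(**kwargs)
    except (FormRejected, RateLimitExceeded) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    pitch = "Dear friend, I need your help moving $19M"       # constructed sample of relayed text
    print(open_relay_form("Prince", ["mark@example.net"], pitch)[0].body)
    svc = TellAFriend(limit_per_hour=12)
    print(svc.send("Alice\r\nBcc: x@example.net", ["Bob@Example.org"], "/issues", True, "198.51.100.7")[0])
```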

    8. Re:Not really a hole, more like open barn door by FlyingBishop · · Score: 1

      My university decided that it would open up its wireless, since the administration didn't want to increase IT funding, but it wanted to support iPhones. Anybody with a halfway decent understanding of IT knows it's a bad idea for the college to provide free unauthenticated WiFi anywhere on campus, but apparently no one put it in terms that convinced the board.

  4. Right by Anonymous Coward · · Score: 0

    That's asinine. That's the Democratic Party website. Touché?

  5. Give it until Tuesday by Anonymous Coward · · Score: 0

    The news hit on Friday.

    Give them 1 full business day before calling them incompetent.

  6. Epic... by shentino · · Score: 1

    ...fail!

  7. So... by Anonymous Coward · · Score: 5, Funny

    Spammers are making liberal use of a democrat website?

  8. Why is this tagged "politics"? by mantis2009 · · Score: 2, Insightful

    It's not like the Democratic party has a policy of encouraging spammers, while the Green party argues for locking up people who send unsolicited emails. This isn't a political story, folks.

    1. Re:Why is this tagged "politics"? by Anonymous Coward · · Score: 0

      Mod the parent +1 Tonsil!

    2. Re:Why is this tagged "politics"? by Clover_Kicker · · Score: 1

      You're not going to get many page hits with an attitude like that.

      Won't someone think of the page hits!

    3. Re:Why is this tagged "politics"? by Keen+Anthony · · Score: 1

      Well, actually yeah it does. Democrats, and Republicans alike, have encouraged spammers by not pushing for serious spam legislation. I agree though, it's not a political story, but I love that a DNC website is being abused by spammers. I hope for a followup news story that says RNC owned phones are abused by telemarketers.

  9. Don't worry about schools by davidwr · · Score: 0, Offtopic

    If you ignore teen-on-teen sex, the number of times you see sex on K-12 school campuses is very small. The rare cases of teacher/student sex you see in the papers almost always happen off-campus.

    A much better question is "how do I make sure my fiancee or his/her brother or father or uncle isn't a pedophile, and if he is, what am I going to do about it?"

    Another very relevant question is "how do I make sure my kid's best friend's dad isn't a pedophile, and if he is, what am I going to do about it?" or "how do I make sure my kid's teenage or adult babysitter isn't a pedophile, and if he or she is, what am I going to do about it?"

    Remember: Police records only show those that have been caught - the smart ones don't get caught* - and they do NOT show all of those who received deferred adjudication or who were adjudicated as minors.

    *The smart ones don't get caught unless they get unlucky. The very smart ones obey the law in the first place and aren't a concern.

    --
    Back to schools:

    Schools do background checks on employees, volunteers, and vendors, and some even background-check regular visitors. Many schools escort visitors who are there for a pre-arranged visit. You will see random adults in the building on election day but they are usually confined to a small area of the campus and well monitored.

    There is some risk during "Public School Day" or open houses or other times where the public is specifically invited into the building. However, most parolees and probationers who have a sex crime record know they aren't allowed in, and in some states registered sex offenders aren't allowed in schools at all without a specific reason, such as voting or visiting their kid's teacher. However, even this is negligible risk since kids are generally not at risk from abuse from adults they don't know well, even if that adult happens to be in a school building.

    Some good news for worried parents:

    Only about 0.1% of the population is on the sex-offender registry. At any given time, the number of people out there who are at risk to have sex with children or underaged teens is quite small. The odds of you bumping into one of them and that person taking an interest in your child is even smaller. The odds of the person getting very far with your child is smaller still, and is practically zero if you've taught your child how to say "no," run away, fight back, call for help, etc. AND it's well-known that your kid knows how to say "no" and defend himself. Criminals generally won't take a chance if they know they will get caught.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Don't worry about schools by commodore64_love · · Score: 0, Offtopic

      With that kind of talk you'll never get elected to office. It's much more effective to use scare tactics like, "There are sex offenders everywhere and we must crack down. I'll make sure to enact new laws that give sex offenders lifelong sentences, such that they will be tracked by the government until the day they die!"

      That's how you win votes.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  10. Next time, strive for +5 funny by davidwr · · Score: 1

    If you'd posted a genuine 419 mail, particularly one re-written to spoof the Democratic Party, it would be marked +5 funny not -1 troll.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  11. This has nothing to do with politics! by Zerbey · · Score: 4, Insightful

    Just another clueless web designer putting up an open relay form. I thought I'd seen the last of these back in the 1990s! I'm sure the web site in question has been blacklisted by all the major DNSBL lists by now.

    1. Re:This has nothing to do with politics! by cyberstealth1024 · · Score: 1

      I'm sure the web site in question has been blacklisted by all the major DNSBL lists by now.

      One can only hope!

    2. Re:This has nothing to do with politics! by noc007 · · Score: 2, Informative

      The MX records for democrats.org point to 208.69.4.29, 208.69.4.30, and 208.69.4.31 and the MX records for dnc.org point to 72.35.23.4 and 216.129.90.46. As of this posting, Spamhaus doesn't have those blacklisted.

    3. Re:This has nothing to do with politics! by Bourdain · · Score: 1

      It is in a major DNSBL (i.e. to test that, my fastmail.fm account blocked it and Yahoo, of course, let it straight on through).

  12. Geniuses... by Anonymous Coward · · Score: 5, Insightful

    These are the same geniuses who want to be able to take down the internet when problems arise. They can't even manage themselves but want to control everything else. Go figure...

    1. Re:Geniuses... by Keen+Anthony · · Score: 0, Troll

      You realize that democrats.org isn't a government organization, right? You realize that it's a jump point to the DNC, which is a political party, and not a government organization, right? And you realize that the very people who would take control of the internet away from private networks would not be representatives of a political party, but the military, right? Even for a troll, you're stupid.

  13. Blame Ruby on Rails by Anonymous Coward · · Score: 0

    It's a good thing the DNC is right now advertising an opening for a Ruby on Rails developer position: http://jobs.37signals.com/jobs/5515. Hopefully they replace whoever was inept enough to do this.

  14. And now ... by Anonymous Coward · · Score: 0

    Fun shall be had ...

  15. Ok Slashdot, here is your chance to fight spam by fooslacker · · Score: 1

    Someone write an email that sends out the "new democratic party platform". Feel free to copy it from the Republicans site. Then send it to all the known big donors. I figure 10,000 emails and five minutes later and this hole will be closed. Politicians (of all persuasions) only respond to two things and reason is not one of them. Votes and money. Threaten those and they'll be all over this. =)

  16. Convenient link... by Anonymous Coward · · Score: 0

    You forgot this.

  17. Don't you worry by Anonymous Coward · · Score: 0

    Oh don't you worry anything from democrats.org is already on my spam list

  18. It's not a hole by andy1307 · · Score: 2, Funny

    It's not a hole..It works exactly like it was designed to work..making it easier for people to spread their word.

    1. Re:It's not a hole by La+Gris · · Score: 1

      More like: "It's Not A Bug - It's A Feature."

      By the way, it does not even wait between retries and it may as well fail completely in the void after the second one.

      Aug 30 16:30:14 ns1 postfix/smtpd[3774]: connect from mailservices.democrats.org[208.69.4.29]
      Aug 30 16:30:14 ns1 postfix/smtpd[3774]: connect from mail-fallback.democrats.org[208.69.4.31]

      --
      Léa Gris
    2. Re:It's not a hole by Anonymous Coward · · Score: 0

      Probably the same kind of ease they intended when during election season they removed all credit card verification requirements on the donations page. "Wtf is there a $2000 donation to the Obama campaign on my credit card? I voted for McCain."

    3. Re:It's not a hole by Culture20 · · Score: 1

      It's not a hole..It works exactly like it was designed to work..making it easier for people to spread their word.

      The new Democratic platform: Deposed Nigerian monarch money and bigger penises for everyone!
      I may vote next election.

  19. I bet lots of people complained. by khasim · · Score: 3, Insightful

    But somewhere in the line there was an executive/manager who said "there isn't a problem" or "spammers won't bother with us" or some such.

    It's very difficult to explain a problem BEFORE it happens to someone who has a vested interest in not understanding the issue.

  20. No need to worry -- they can't deliver mail either by originalhack · · Score: 1

    Amazing layers of stupidity....

    Not only will they accept and deliver arbitrary messages, if their first attempt to deliver fails, they switch to a "backup" server and try again immediately and then forget the whole thing. Clearly never heard of greylisting.

  21. I warned them in 2006. by Spazmania · · Score: 5, Informative

    None of the developers spoke up and said, "Hey, this is a really bad idea!"

    In point of fact, I spoke up. Loudly. And eventually resigned when the problems were not adequately addressed.

    In August 2006 I wrote a white paper detailing the issues, including the "mail your friends" code that the invite URL falls under:

    http://bill.herrin.us/composer.html

    In fairness, the director of technology at the time no longer works for the DNC. The current guy inherited the problem.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:I warned them in 2006. by IamTheRealMike · · Score: 1

      That's a good page. However your definition of "spam" is not correct. Modern spam filters are trained based on what users report. Thus "spam" is by definition any mail which the majority of your recipients don't want, and click "report spam" on. It's got nothing to do with the total number of people who receive it.

    2. Re:I warned them in 2006. by Spazmania · · Score: 2, Insightful

      The problem defines the tool, not the other way around. The trained Bayesian filter is one of many tools for filtering spam and other undesired mail. But spam is not defined as "that which the Bayesian filter detects." Nor is all undesirable mail spam; spam is only a subset of undesirable email.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  22. Change we can believe in by jimmy_dean · · Score: 1

    This is definitely change we can all believe in. :p

    --
    -> Sometimes, you just gotta break free from the shackles of proprietary code.
  23. A rookie mistake by coryking · · Score: 4, Insightful

    Who here can honestly say the first couple email forms they created *did not* get shut down by spammers? The first I created looked almost like the one linked in this article--no security checks, no throttling and the ability to completely alter the message and subject.

    The second one I created let you add extra headers in the mail message--'course part of that was thanks to the shitty, insecure mail api provided by PHP. Their API is more than happy to let you add linefeeds in the "From" or "To" parameters and thus let you add extra headers (say BCC). The reason it was my fault was for using PHP in the first place!

    No sir, we've all done this. Every developer who ever created something that let the public generate email has created a gateway for spammers at least once.

    My hunch is an intern did this :-)

    1. Re:A rookie mistake by Anonymous Coward · · Score: 0

      My hunch is an intern did this :-)

      Mike Sandy did it and he took Computer Science III motherfucker. So there!

    2. Re:A rookie mistake by Stan+Vassilev · · Score: 1

      [...] insecure mail api provided by PHP. Their API is more than happy to let you add linefeeds in the "From" or "To" parameters and thus let you add extra headers (say BCC). The reason it was my fault was for using PHP in the first place!

      There is no "From" parameter. It's called additional_headers which, yes, lets you include one or more raw headers, separated by newlines. There are plenty of higher-level APIs for PHP, but you chose to pass headers to the raw API without validating. Have you heard this one: "a poor craftsman blames his tools"?

    3. Re:A rookie mistake by coryking · · Score: 2, Insightful

      That is why it is called a rookie mistake. And yes, I'll blame PHP. It is a beginner language and should encourage people to do the right thing. Instead, it makes it hard to create a non-exploitable mail form and trivial to make one that is wide open.

      a poor craftsman blames his tools

      A skilled craftsman knows what constitutes a good tool and why it might be important. A skilled craftsman also knows when something *is* the fault of the tool. A novice doesn't know a good tool from a bad tool. PHP is a useful tool, but in the hands of a novice it can lead to exactly the scenario in this article and *that* makes it a poor tool.

    4. Re:A rookie mistake by fractalus · · Score: 1

      PHP being dangerous for novices doesn't make it a poor tool, it makes it a poor tool for novices. C is a useful tool too, and in many cases can be the best tool for the job, but in the hands of a novice it can be dangerous.

      The problem isn't PHP specifically (because just about any web-oriented programming language can have similar problems) it's that there are lots of people interested in making dynamic web sites who don't understand the risks. Building and deploying dynamic web sites means subjecting them to possible attack from billions of other people. This is a far different (and bigger) challenge than simply deploying a desktop application, but we still have scads of "tutorials" that treat security as an afterthought.

      Web programming is not, nor should it be, something anyone can "whip up" without understanding what they're doing. Think of it this way: "Hey Bob, while you're in that level 4 biohazard lab, why don't you check out this nifty tool I made. I'm pretty sure it won't damage your suit. What? No, I don't have any experience making bio lab tools. Or working in one. Does that matter?"

      --
      People are never as simple as their stereotypes. This applies equally to Christians, Muslims, and Emacs-lovers.
    5. Re:A rookie mistake by coryking · · Score: 3, Informative

      Web programming is not, nor should it be, something anyone can "whip up" without understanding what they're doing

      Sure, in make-believe land this will happen. But here in reality, there are tons of rookie coders writing crap, insecure web programs. Given this will *never* be stopped, the *least* PHP might do is make it feel natural to do the right thing.

      For example, if you search "PHP send mail", one of the first hits you get has example code that *will* be exploited by spammers. The fact that the *core default way to send mail* does not have a parameter for "From:" has resulted in thousands of websites getting reamed by spammers. Everybody wants to customize the "From:" in an email based on user input! No novice will know how to properly construct a "From: $username" to pass into the additional_headers! They'll gloss over the warning in the link I gave--why? Like most people they will assume the warning only applies to people doing advanced tricks with email like attachments; all they are doing is something "simple" like customizing the From: line! Hell, that is how I got burned. I assumed since I was doing something simple, PHP would do the right thing for me. I was wrong. Live and learn!

      The easy to exploit mail function isn't what is happening in the article. That "exploit" isn't even really an exploit but it is what I originally called it--a rookie mistake. That kind of thing can be done in any language and you'd be lying to say your first email form didn't have the exact same problem!
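
A hardened "mail a friend" handler, added here as an example and not code from democrats.org, from PHP's documentation or from any poster in this thread; it shows the CR/LF check that coryking and Stan Vassilev argue about beside a fixed From: line and a simple per-IP throttle. The sender address, the limits and the flat-file counter are assumptions made for the example.

```php
<?php
// Added example (not code from democrats.org or from any commenter): a
// "mail a friend" handler hardened against the two problems the thread
// names: header injection through user-controlled From:/To: values and
// an open relay form with no throttling. Names and limits are assumptions.

const MAX_RECIPIENTS = 10;        // constructed cap, matches the page's limit
const MAX_PER_IP_PER_HOUR = 20;   // constructed throttle value

// Reject any value that could terminate a header line. A CR or LF inside
// "From: $username" is exactly how extra headers (e.g. Bcc:) get appended.
function is_safe_header_value(string $v): bool {
    return $v !== '' && strlen($v) <= 200 && !preg_match('/[\r\n\x00]/', $v);
}

function is_valid_address(string $a): bool {
    return is_safe_header_value($a) && filter_var($a, FILTER_VALIDATE_EMAIL) !== false;
}

// Per-IP counter in a flat file (assumption: APCu or a database in production).
function over_throttle(string $ip, string $dir = '/tmp/invite-throttle'): bool {
    @mkdir($dir, 0700, true);
    $f = $dir . '/' . hash('sha256', $ip);
    $hits = array_filter(file_exists($f) ? file($f, FILE_IGNORE_NEW_LINES) : [],
        fn($t) => (int)$t > time() - 3600);
    $hits[] = time();
    file_put_contents($f, implode("\n", $hits));
    return count($hits) > MAX_PER_IP_PER_HOUR;
}

// The vulnerable pattern the thread describes, kept only to show the contrast:
//   mail($to, $subject, $body, "From: $username");  // $username may carry "\r\nBcc: ..."
// The hardened version never lets user input become a header: the sender and
// subject are fixed, and user-supplied text lands only in the body.
function send_invites(array $recipients, string $sender_name, string $note, string $ip): array {
    $errors = [];
    $recipients = array_values(array_unique($recipients));
    if (count($recipients) > MAX_RECIPIENTS) $errors[] = 'too many recipients';
    if (!is_safe_header_value($sender_name)) $errors[] = 'bad sender name';
    foreach ($recipients as $r) if (!is_valid_address($r)) $errors[] = "bad address: $r";
    if (over_throttle($ip)) $errors[] = 'rate limit exceeded';
    if ($errors) return ['sent' => 0, 'errors' => $errors];

    $headers = "From: invites@example.org\r\nContent-Type: text/plain; charset=UTF-8";
    $subject = 'A friend invited you';                  // fixed, not user-controlled
    $body = "$sender_name wrote:\n\n" . strip_tags($note) . "\n\n-- sent via example.org";
    $n = 0;
    foreach ($recipients as $r) $n += mail($r, $subject, $body, $headers) ? 1 : 0;
    return ['sent' => $n, 'errors' => []];
}

// Constructed inputs: the second call is rejected before mail() is ever reached.
var_dump(send_invites(['friend@example.net'], 'Alice', 'Come look at this.', '192.0.2.10'));
var_dump(send_invites(['friend@example.net'], "Alice\r\nBcc: x@example.com", 'hi', '192.0.2.10'));
```

The rejected call returns `['sent' => 0, 'errors' => ['bad sender name']]`; the point is that no user-controlled string ever reaches the additional_headers argument, so the validation only has to guard the body and recipient list.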

    6. Re:A rookie mistake by Anonymous Coward · · Score: 0

      My hunch is an intern did this :-)

      It was written by this guy: http://www.joeshmoe.com/resume.html

    7. Re:A rookie mistake by Anonymous Coward · · Score: 0

      My hunch is an intern did this :-)

      You mean in between fetching coffee and giving BJs? How did she find the time?

    8. Re:A rookie mistake by sg_oneill · · Score: 1

      Speak for yourself. It was always obvious to me these stupid forms were far too dangerous to allow, and that was back in the mid 90s when we were first fucking around with CGI mail.

      Don't assume other people share in your historical naivete.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    9. Re:A rookie mistake by uninformedLuddite · · Score: 1

      Building and deploying dynamic web sites means subjecting them to possible attack from billions of other people.

      You've been spoofing statcounter again haven't you?

      --
      The new right fascists are bilingual. They speak English and Bullshit.
  24. Fix the Problem by davidshewitt · · Score: 1

    The democrats.org technical support website doesn't have a captcha either. Maybe /.ing them with requests to fix this lack of security will raise their awareness. This sort of thing is unacceptable and needs to be fixed.

    Their support website is: http://www.democrats.org/page/s/techproblems

  25. Oh by BCW2 · · Score: 2, Insightful

    I thought it was just standard propaganda from them.

    Silly me.

    --
    Professional Politicians are not the solution, they ARE the problem.
  26. How can you tell? by Punk+CPA · · Score: 3, Funny

    Nearly everything coming out of Washington looks like a 419 scam anyway.

  27. Re:Your official guide to the Jigaboo presidency by yesteraeon · · Score: 1

    Mod this down. 0 isn't low enough.

  28. Have the ISP pull the plug if they don't fix it... by gabebear · · Score: 1
  29. Re:Liberals. by Anonymous Coward · · Score: 2, Insightful

    Maybe you see these problems on the democratic domain, because the conservatives in this country are still trying to figure out what the internet is.

    http://www.huffingtonpost.com/2008/06/11/mccain-admits-he-doesnt-k_n_106478.html

    http://www.youtube.com/watch?v=f99PcP0aFNE

  30. Re: You may not even pay for Unemployment by InvisiBill · · Score: 2, Informative

    I think when I finally get back to work (probably January when managers get new budgets and fresh money), I'm going to refuse to pay the Unemployment. Why should I pay for a program that doesn't help me out when I need it?

    In Michigan at least, employees don't pay for unemployment insurance, the employers do. Yes, in the end, everything comes out of our pockets in some way (i.e. they could pay you higher wages if they didn't have to pay for your unemployment insurance). However, you don't pay x% of your paycheck every week into Unemployment.

  31. Oh the irony by PHAEDRU5 · · Score: 2, Funny

    John McCain never left his email server open for this sort of exploit!

    --
    668: Neighbour of the Beast
    1. Re:Oh the irony by Anonymous Coward · · Score: 1, Funny

      John McCain never left his email server open for this sort of exploit!

      That's because carrier pigeons fight back.

  32. A good way to get them to fix the problem: by Anonymous Coward · · Score: 0

    All you need to do to get the problem fixed is start using their site to send out birther or anti-healthcare messages, and maybe a few campaign emails for the opponents of Harry Reid and some of the other prominent Dems. Make sure to include the site administrators on the email message, and maybe include a line at the bottom saying, "This message brought to you courtesy of democrats.org"

    I'm pretty sure they'll get the holes closed up pretty fast!

  33. They have a captcha now by Mr.+Roadkill · · Score: 1

    Mind you, it's being used by 419ers... they don't honestly believe that they'll keep 419ers out with a captcha, do they? These are the same people who'll cheerfully sit there sending mail out through hotmail accounts, so a captcha's not going to keep them out.

  34. Limit 10 at a time by Anonymous Coward · · Score: 0

    Their limit of 10 at a time makes this a not so effective strategy, unless of course you send the mails to a few tens of prominent Democratic politicians or donors.

  35. I guess politicians should forget to mention taxes by davidwr · · Score: 1

    With every get-tough-on-crime speech are these unwritten words:

    "And because prisons and tracking and feeding of ex-offenders who can't find jobs because employers are needlessly scared costs money, please support me in my efforts to raise your taxes."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  36. Empathy for Dolts by Web+Goddess · · Score: 2, Insightful

    I must "out" myself as being another clueless web designer who left exactly this vulnerability in my own "email page to a friend" link, as recently as April 2009. Doh!

    See, creative people have no "barrier to entry" and as long as I can write simple perl scripts, I can run them in my CGI bin. Not everyone is a gifted web designer, many of us have had no formal education in programming or security, and of course we are all struggling against spammers with a financial interest in locating exploits.

    I feel empathy for those that you smarter people scoff at. Be kind! If it wasn't for us dolts you wouldn't *be* smart, you'd just be average!

    Wendy Northcutt, the Darwin Awards

  37. Someone's a Liar by Anonymous Coward · · Score: 0

    If you're earning over 50,000 (like me) you can afford to buy your own health insurance.

    http://slashdot.org/comments.pl?sid=1352459&cid=29254853&art_pos=2

  38. spam by hesaigo999ca · · Score: 1

    spam,spam,spam,spam,spam,spam,spam,spam.....incredible spam, lalala la la la la lalalala....incredible spam...
    (monty python short) gotta love spam...!

  39. Finally fixed it by OhHellWithIt · · Score: 1

    They have at least fixed the lack of a captcha on the "Email a friend" page.

    --
    "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
  40. The root of what you are saying by jDeepbeep · · Score: 1

    So.... do you feel it is the responsibility of a programming language to protect you from your own blunders?

    --
    Reply to That ||
  41. Yet another reason for no government run anything! by Anonymous Coward · · Score: 0

    Yet another reason for no government run anything!

    The idiot, moron, democrat, marxists are not capable of information security. Therefore one can conclude that having your personal and private information in the hands of any democrat, marxist, government healthcare plan then your information and personal identification WILL BE AT RISK!

    Impeach all democrats, they are marxists and believe the constitution should be circumvented so you have no liberty!

    Remove the czars and presidential advisors, they are marxists and democrats that are ruining our country!

    DEPORT illegal immigrants and NO AMNESTY! One of these illegals nearly ran into my car this weekend because they were driving on the wrong side of the road!

  42. As of This Morning It Appears To Be Fixed by noc007 · · Score: 1

    I've checked the offending page http://www.democrats.org/page/invite and they have added a CAPTCHA. Hopefully this fixes the issue.

  43. And we want to trust them ... by neonprimetime · · Score: 1

    ... to take control of the internet? They can't even handle a simple little website!

  44. Bayesian FTW by Anonymous Coward · · Score: 0

    Bayesian filters FTW. If I favored E-Mail from democrats.org, this would gain like 1 point on my spam filter; if the content is spam, it'll filter it. Simply blacklisting and whitelisting by IP is commonly used but just doesn't cut it.