Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spammers Use Holes In Democrats.org Security

Posted by Soulskill on from the hello-sir-madam dept.

Attila Dimedici writes "According to Cloudmark, 419 spammers are using the democrats.org website to relay email and bypass spam filters. 'The abuse, which dates back at least to the beginning of this month, helps evade filters that internet service providers employ to block the messages. ... The messages were sent courtesy of this page, which allows anyone with an internet connection to send emails. The PHP script employs no CAPTCHA or other measure to help ensure there is a real human being behind each email that gets funneled through the service. The service allows messages to be sent to 10 addresses at a time and even provides a way for people to import contacts they have stored in their address book.'"

14 of 129 comments (clear)

  1. Not really a hole, more like open barn door by HangingChad · · Score: 5, Insightful

    That wasn't so much a security hole as just bad programming. The equivalent of not merely leaving the barn door open, but designing the barn with no doors. Who thought that was a good plan? None of the developers spoke up and said, "Hey, this is a really bad idea!"

    And, last I checked, the page was still up.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Not really a hole, more like open barn door by ukyoCE · · Score: 2, Insightful

      Yeah. It's pretty standard for websites to allow e-mail to an arbitrary address. Every time you sign up for a website, they send an e-mail to an arbitrary address.

      The difference is every other website sends a FORM LETTER to the address. Letting you type in a message (and especially making it the entirety or bulk of the e-mail) is what turned this into a stupid idea. Easy to fix too, if they just get rid of the "type your message here" box and do a form letter instead.

  2. Why is this tagged "politics"? by mantis2009 · · Score: 2, Insightful

    It's not like the Democratic party has a policy of encouraging spammers, while the Green party argues for locking up people who send unsolicited emails. This isn't a political story, folks.

  3. This has nothing to do with politics! by Zerbey · · Score: 4, Insightful

    Just another clueless web designer putting up an open relay form. I thought I'd seen the last of these back in the 1990s! I'm sure the web site in question has been blacklisted by all the major DNSBL lists by now.

  4. Re:OK, come on by UltraAyla · · Score: 4, Insightful

    My goodness. I believe the reason you can't collect benefits is because most states only provide unemployment insurance for 6 months after the termination of employment. That might not be entirely correct, but it's some period of time. Secondly, The "government compassion" you're whining about was actually doubled in the stimulus bill. The bill vastly expanded unemployment benefits both in terms of length of time, amount of money provided, and tax breaks for the unemployed. See http://employeeissues.com/blog/arra-unemployment-assistance/

    There's your frickin' government compassion. And now you want to refuse to pay into it? Conservatives who utilize government services then complain about how they shouldn't exist at all kill me. Either advocate for smaller government OR take the benefits. Don't do both. I just can't believe it. This is the type of crap that brings our country down.

  5. Geniuses... by Anonymous Coward · · Score: 5, Insightful

    These are the same geniuses who want to be able to take down the internet when problems arise. They can't even manage themselves but want to control everything else. Go figure...

  6. I bet lots of people complained. by khasim · · Score: 3, Insightful

    But somewhere in the line there was an executive/manager who said "there isn't a problem" or "spammers won't bother with us" or some such.

    It's very difficult to explain a problem BEFORE it happens to someone who has a vested interest in not understanding the issue.

  7. A rookie mistake by coryking · · Score: 4, Insightful

    Who here can honestly say the first couple email forms they created *did not* get shut down by spammers? The first I created looked almost like the one linked in this article--no security checks, no throttling and the ability to completely alter the message and subject.

    The the second one I created let you add extra headers in the mail message--course part of that was thanks to the shitty, insecure mail api provided by PHP. Their API is more than happy to let you add linefeeds in the "From" or "To" parameters and thus let you add extra headers (say BCC). The reason it was my fault was for using PHP in the first place!

    No sir, we've all done this. Every developer who ever created something that let the public generate email has created a gateway for spammers at least once.

    My hunch is an intern did this :-)

    1. Re:A rookie mistake by coryking · · Score: 2, Insightful

      That is why it is called a rookie mistake. And yes, I'll blame PHP. It is a beginner language and should encourage people to do the right thing. Instead, it makes it hard to create a non-exploitable mail form and trivial to make one that is wide open.

      a poor craftsman blames his tools

      A skilled craftsman knows what constitutes a good tool is and why it might be important. A skilled craftsman also knows when something *is* the fault of the tool. A novice doesn't know a good tool from a bad tool. PHP is a useful tool, but in hands of a novice it can lead to exactly the scenario in this article and *that* makes it a poor tool.

  8. Oh by BCW2 · · Score: 2, Insightful

    I thought it was just standard propaganda from them.

    Silly me.

    --
    Professional Politicians are not the solution, they ARE the problem.
  9. Re:OK, come on by Anonymous Coward · · Score: 3, Insightful

    Waiting 9 months until you might get a job back in January is a pretty shitty reason for not getting off your ass and finding another job. Heaven forbid you actually use unemployment as a bridge to finding new employment. No, you should be able to sit on your ass and collect it until the same people who laid you off decide that maybe they can afford you again for a short time? Come on.

  10. Re:Liberals. by Anonymous Coward · · Score: 2, Insightful

    Maybe you see these problems on the democratic domain, because the conservatives in this country are still trying to figure out what the internet is.

    http://www.huffingtonpost.com/2008/06/11/mccain-admits-he-doesnt-k_n_106478.html

    http://www.youtube.com/watch?v=f99PcP0aFNE

  11. Re:I warned them in 2006. by Spazmania · · Score: 2, Insightful

    The problem defines the tool, not the other way around. The trained Bayesian filter is one of many tools for filtering spam and other undesired mail. But spam is not defined as "that which the Bayesian filter detects." Nor is all undesirable mail spam; spam is only a subset of undesirable email.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  12. Empathy for Dolts by Web+Goddess · · Score: 2, Insightful

    I must "out" myself as being another clueless web designer who left exactly this vulnerability in my own "email page to a friend" link, as recently as April 2009. Doh!

    See, creative people have no "barrier to entry" and as long as I can write simple perl scripts, I can run them in my CGI bin. Not everyone is a gifted web designer, many of us have had no formal education in programming or security, and of course we are all struggling against spammers with a financial interest in locating exploits.

    I feel empathy for those that you smarter people scoff at. Be kind! It wasn't for us dolts you woudn't *be* smart, you'd just be average!

    Wendy Northcutt, the Darwin Awards