Spammers Use Holes In Democrats.org Security

Attila Dimedici writes "According to Cloudmark, 419 spammers are using the democrats.org website to relay email and bypass spam filters. 'The abuse, which dates back at least to the beginning of this month, helps evade filters that internet service providers employ to block the messages. ... The messages were sent courtesy of this page, which allows anyone with an internet connection to send emails. The PHP script employs no CAPTCHA or other measure to help ensure there is a real human being behind each email that gets funneled through the service. The service allows messages to be sent to 10 addresses at a time and even provides a way for people to import contacts they have stored in their address book.'"

OK, come on

[damn_registrars]

Someone please tell us how this problem with the democrats.org website must clearly be related to the impending socialist takeover of schools and soda machines. Certainly this is how Marxism takes root, by allowing 419 emails to propagate, right?

Re:OK, come on

[Nidi62]

If Democrats cant even design their website to keep people out or prevent people from doing whatever they want in it, how are they going to keep pedophiles out of our schools? Think of the children!

Re:OK, come on

Modded you Troll because you can't spell "you're".
 
Furthermore, that joke is old.

Re:OK, come on

[UltraAyla]

My goodness. I believe the reason you can't collect benefits is because most states only provide unemployment insurance for 6 months after the termination of employment. That might not be entirely correct, but it's some period of time. Secondly, The "government compassion" you're whining about was actually doubled in the stimulus bill. The bill vastly expanded unemployment benefits both in terms of length of time, amount of money provided, and tax breaks for the unemployed. See http://employeeissues.com/blog/arra-unemployment-assistance/

There's your frickin' government compassion. And now you want to refuse to pay into it? Conservatives who utilize government services then complain about how they shouldn't exist at all kill me. Either advocate for smaller government OR take the benefits. Don't do both. I just can't believe it. This is the type of crap that brings our country down.

Re:OK, come on

[UltraAyla]

Why should I pay for a program that claims I'm ineligible to receive benefits? That's like being forced to pay Microsoft for Windows 7, but they never bother to send it to me.

You could have received benefits (and it sounds like you did) during the period of time after termination of work that the government is financially able to help you. That period is now over. It's not a flaw in the program - if more money is paid into the program, they can fund more people for longer. Many people contend it's short in order to force people back into the workforce - that doesn't work as well in a recession, which is why the benefits were extended in February. It's simple.

And also you're confusing Republicans with Libertarians. The "L" party supports repealing everything, but the R party supports safety-net style programs such as Welfare, Food Stamps, Unemployment, SCHIP, et cetera.

I never said Republicans. I said conservatives. You're talking about fiscal conservativism, which both Republicans and Libertarians generally subscribe to. I know plenty of Republicans, and even a few Libertarians, that support these programs.

If I can't even get an unemployment check, how am I supposed to get help if I have breast cancer? If that govt program runs like the unemployment program, then I'll fill-out a lengthy time-consuming form just to be told I'm "ineligible" for help. Government-run monopolies are crap. Look at the bankrupt post office and amtrak for obvious examples.

Damn it, we're not talking about healthcare right now. I'm not trying to prove to you that big government and a public option are better. All I'm saying is don't use a program then whine about how it expired and refuse to pay into it. It's hypocritical asshattery. If you want to say smaller government is better, then fine. I disagree but won't argue with you on that since it's a deeply rooted ideology for us both that won't change in a slashdot discussion and because it's not the discussion we were having.

Re:OK, come on

[greentshirt]

And before you ignore everything else and jump on the typo, your* Dolt.

Re:OK, come on

Waiting 9 months until you might get a job back in January is a pretty shitty reason for not getting off your ass and finding another job. Heaven forbid you actually use unemployment as a bridge to finding new employment. No, you should be able to sit on your ass and collect it until the same people who laid you off decide that maybe they can afford you again for a short time? Come on.

Re:OK, come on

[GodfatherofSoul]

You want to understand the problem with conservatives? Craig T. Nelson's words sum it up perfectly:

"I've been on food stamps and welfare. Anybodyï help me out? No."

Re:OK, come on

[Cstryon]

In his defense, I have been actively searching for a Job for 6 months, and only JUST scored one. My brother who is just as qualified as I am, can't get a job at McDonalds, because of this economic crisis you may have heard of.

I may not know the numbers, and I may not know why times are bad, but some of us experience it first hand.
    If I put a huge chunk of money into a pot, money that I can't choose to put in there or not, I better damn well be able to pull that money out for months at a time when no one will hire me.

Re:OK, come on

[foniksonik]

how long did you work at your last job? you may not have qualified for longer benefits. I went on unemployment about 5 years ago after a 4 year employment. I got 9 months of benefits. that was the maximum at the time. it was $1650 per month also the max at the time.

Re:OK, come on

[religious+freak]

OMG... +1 for you. Sucking on the teet of gov't, missing a deadline, complaining how the benefits weren't given to her AND saying she's a libertarian... oh, and she doesn't want to pay into the system when she finally DOES find a job. HEAD.. GOING.. TO.. EXPLODE..

Hopefully she is just young and not actually retarded... youth I can excuse.

Re:OK, come on

[religious+freak]

UltraAyla is completely right sweetheart. Your thoughts are very inconsistent. Please review them when the economy sucks less and you find a job. I'm not trolling, the economy really sucks - seriously, and I empathize.

But claiming to be Libertarian AND complaining about gov't not helping are mutually exclusive items.

Re:OK, come on

[SL+Baur]

Take your anger and shove it up your ass. $19K in taxes?

Um, that's a lot more in income taxes than many if not most USians pay. How about if they just refund it to him?

Re:OK, come on

[uninformedLuddite]

If I can't even get an unemployment check, how am I supposed to get help if I have breast cancer?

Get a man to pay for it?

Re:OK, come on

[psm321]

If you actually want help and aren't just trolling, call your local state (not federal) representative. They're very helpful in sorting out stupid issues like this.

Re:OK, come on

[commodore64_love]

>>>Waiting 9 months until you might get a job back in January is a pretty shitty reason for not getting off your ass

Go sit on your finger and swivel on it til you squeal like a pig*, you anonymous coward. I've actually had 3 interviews over those *7* months, and in every case it's the same - they hire someone else. In my most recent interview they refused to hire me because they were looking for a C# programmer and I "only" know C++.

Yes I'm serious. But that's the nature of the market. When you have ~500 unemployed engineers all applying for 1 opening, the bosses can afford to be picky. Just like customers in a retail store are picky not to buy a dented or scratched item. They likely hired the next guy after me who DOES have C# experience.

Of course this is only temporary - come January when new budgets arrive and the money is flowing more freely, I expect I'll find a job. That's just how the business cycle flows, and why I was counting on my unemployment to carry me until then.

*
* Red Dwarf reference.

Re:OK, come on

[commodore64_love]

You're being facetious, but the government-run system really is a mess. I tried to file my biweekly claim for unemployment and it told me it's "inactive". Then I followed the instructions to reactivate it, and I was told I was ineligible because I haven't worked these last six months. Well of course I haven't worked. That's why I was on unemployment!

Stupid, stupid government.

I only got 4 months (April, May, June, July). Another engineering friend got 13 months - why am I being cutoff? :-(

Re:OK, come on

[commodore64_love]

>>>$19K is a lot more income taxes than many if not most USians pay. How about if they just refund it to him?

A year on unemployment would be equivalent to refunding the Taxes I paid on April 15. Of course what I received so far (about $7000) is far short of the amount I paid. I would have been better off to tell the IRS, "Sorry I lost my job," and keep the $19,000 rather than mail-in that check.

What I don't understand is why they make us pay income tax on unemployment checks. Or social security checks. It would make more sense to make that money tax exempt, rather than hand the money to the citizen, and then demand 20% of it back???

Re:OK, come on

[commodore64_love]

>>>And now you want to refuse to pay into it?

Why should I pay for a program that claims I'm ineligible to receive benefits? That's like paying Microsoft for Windows 7, but they never bother to send it to me. (Or worse - they give me Vista instead.) The purpose of these "safety net" programs is to be there when people need them, but it's not there, then that's fraud. Like what Bernie Madoff did.

Re:OK, come on

[Keen+Anthony]

I think the larger point that's being made is that the most vocal opponents of tax financed social welfare programs often use very heated and dangerous language to frame things like welfare and government health insurance as communist and anti-American, while saying that proponents are evil liberal communists "democrats", and that recipients are stupid and lazy.

Many feel that these programs would run more efficiently but for the net effect of tax dodgers and the political pressure, opponents put on anyone trying to fund these programs well.

It's not the idea that using it while complaining about it is bad. It's that this particular poster has a really extremist position on the subject and related subjects (national healthcare), and so his name calling people for disagreeing with him, and then attacking the very idea of social welfare while whining that his aid can't come fast enough; really makes him look like a troll.

He did make one good point, however unintentional. If you're going to have a program such as this, it should be more efficient so as to get benefits out to applicants ASAP. Obviously though that's a wholly different argument about bureaucracies.

Re:OK, come on

[SL+Baur]

What I don't understand is why they make us pay income tax on unemployment checks. Or social security checks. It would make more sense to make that money tax exempt, rather than hand the money to the citizen, and then demand 20% of it back???

Making it taxable income qualifies you for income tax credits. If you collect it between high paying jobs, it also allows them to Tax The Filthy Rich, which would be you, apparently.

Re:OK, come on

[hmar]

Don't know about your state, but in mine you are required to put in 3 job applications per week while collecting unemployment. If you only put in three in 7 months, that may be why you aren't getting your check any more.

ha

Spamocrats

Not really a hole, more like open barn door

[HangingChad]

That wasn't so much a security hole as just bad programming. The equivalent of not merely leaving the barn door open, but designing the barn with no doors. Who thought that was a good plan? None of the developers spoke up and said, "Hey, this is a really bad idea!"

And, last I checked, the page was still up.

Re:Not really a hole, more like open barn door

[Dan541]

The page is up but not responding to well.

I'm sure some /.ers will be adding to the abuse.

Re:Not really a hole, more like open barn door

[UltraAyla]

Solution: Use the website to fill up the sysadmin's box with requests that s/he add a captcha - that'll do it for sure! Right? Right?

Re:Not really a hole, more like open barn door

[Barny]

Nah, its good programming. The design on the other hand, is another thing.

Re:Not really a hole, more like open barn door

[ukyoCE]

Yeah. It's pretty standard for websites to allow e-mail to an arbitrary address. Every time you sign up for a website, they send an e-mail to an arbitrary address.

The difference is every other website sends a FORM LETTER to the address. Letting you type in a message (and especially making it the entirety or bulk of the e-mail) is what turned this into a stupid idea. Easy to fix too, if they just get rid of the "type your message here" box and do a form letter instead.

Re:Not really a hole, more like open barn door

[FlyingBishop]

My university decided that it would open up its wireless, since the administration didn't want to increase IT funding, but it wanted to support iPhones. Anybody with a halfway decent understanding if IT knows it's a bad idea for the college to provide free unauthenticated WiFi anywhere on campus, but apparently no one put it in terms that convinced the board.

Epic...

[shentino]

...fail!

So...

Spammers are making liberal use of a democrat website?

Why is this tagged "politics"?

[mantis2009]

It's not like the Democratic party has a policy of encouraging spammers, while the Green party argues for locking up people who send unsolicited emails. This isn't a political story, folks.

Re:Why is this tagged "politics"?

[Clover_Kicker]

You're not going to many page hits with an attitude like that.

Won't someone think of the page hits!

Re:Why is this tagged "politics"?

[Keen+Anthony]

Well, actually yeah it does. Democrats, and Republicans alike, have encouraged spammers by not pushing for serious spam legislation. I agree though, it's not a political story, but I love that a DNC website is being abused by spammers. I hope for a followup news story that says RNC owned phones are abused by telemarketers.

Next time, strive for +5 funny

[davidwr]

If you'd posted a genuine 419 mail, particularly one re-written to spoof the Democratic Party, it would be marked +5 funny not -1 troll.

This has nothing to do with politics!

[Zerbey]

Just another clueless web designer putting up an open relay form. I thought I'd seen the last of these back in the 1990s! I'm sure the web site in question has been blacklisted by all the major DNSBL lists by now.

Re:This has nothing to do with politics!

[cyberstealth1024]

I'm sure the web site in question has been blacklisted by all the major DNSBL lists by now.

One can only hope!

Re:This has nothing to do with politics!

[noc007]

The MX records for democrats.org point to 208.69.4.29, 208.69.4.30, and 208.69.4.31 and the MX records for dnc.org point to 72.35.23.4 and 216.129.90.46. As of this posting, Spamhaus doesn't have those blacklisted.

Re:This has nothing to do with politics!

[Bourdain]

it is in major DNSBL (i.e. to test that, my fastmail.fm account blocked it and yahoo, of course, let it straight on through)

Geniuses...

These are the same geniuses who want to be able to take down the internet when problems arise. They can't even manage themselves but want to control everything else. Go figure...

Ok Slashdot, here is your chance to fight spam

[fooslacker]

Someone write an email that sends out the "new democratic party platform". Feel free to copy it from the Republicans site. Then send it to all the known big donors. I figure 10,000 emails and five minutes later and this hole will be closed. Politicians (of all persuasions) only respond to two things and reason is not one of them. Votes and money. Threaten those and they'll be all over this. =)

It's not a hole

[andy1307]

It's not a hole..It works exactly like it was designed to work..making it easier for people to spread their word.

Re:It's not a hole

[La+Gris]

More like: "It's Not A Bug - It's A Feature."

By the way, It does not even wait between retries and it may as well fail completely in the void after the second one.

Aug 30 16:30:14 ns1 postfix/smtpd[3774]: connect from mailservices.democrats.org[208.69.4.29]
Aug 30 16:30:14 ns1 postfix/smtpd[3774]: connect from mail-fallback.democrats.org[208.69.4.31]

Re:It's not a hole

[Culture20]

It's not a hole..It works exactly like it was designed to work..making it easier for people to spread their word.

The new Democratic platform: Deposed Nigerian monarch money and bigger penises for everyone!
I may vote next election.

I bet lots of people complained.

[khasim]

But somewhere in the line there was an executive/manager who said "there isn't a problem" or "spammers won't bother with us" or some such.

It's very difficult to explain a problem BEFORE it happens to someone who has a vested interest in not understanding the issue.

No need to worry -- they can't deliver mail either

[originalhack]

Amazing layers of stupidity....

Not only will they accept and deliver arbitrary messages, if their first attempt to deliver fails, they switch to a "backup" server and try again immediately and then forget the whole thing. Clearly never heard of greylisting.

I warned them in 2006.

[Spazmania]

None of the developers spoke up and said, "Hey, this is a really bad idea!"

In point of fact, I spoke up. Loudly. And eventually resigned when the problems were not adequately addressed.

In August 2006 I wrote a white paper detailing the issues, including the "mail your friends" code that the invite URL falls under:

http://bill.herrin.us/composer.html

In fairness, the director of technology at the time no longer works for the DNC. The current guy inherited the problem.

Re:I warned them in 2006.

[IamTheRealMike]

That's good page. However your definition of "spam" is not correct. Modern spam filters are trained based on what users report. Thus "spam" is by definition any mail which the majority of your recipients don't want, and click "report spam" on. It's got nothing to do with the total number of people who receive it.

Re:I warned them in 2006.

[Spazmania]

The problem defines the tool, not the other way around. The trained Bayesian filter is one of many tools for filtering spam and other undesired mail. But spam is not defined as "that which the Bayesian filter detects." Nor is all undesirable mail spam; spam is only a subset of undesirable email.

Change we can believe in

[jimmy_dean]

This is definitely change we can all believe in. :p

A rookie mistake

[coryking]

Who here can honestly say the first couple email forms they created *did not* get shut down by spammers? The first I created looked almost like the one linked in this article--no security checks, no throttling and the ability to completely alter the message and subject.

The the second one I created let you add extra headers in the mail message--course part of that was thanks to the shitty, insecure mail api provided by PHP. Their API is more than happy to let you add linefeeds in the "From" or "To" parameters and thus let you add extra headers (say BCC). The reason it was my fault was for using PHP in the first place!

No sir, we've all done this. Every developer who ever created something that let the public generate email has created a gateway for spammers at least once.

My hunch is an intern did this :-)

Re:A rookie mistake

[Stan+Vassilev]

[...] insecure mail api provided by PHP. Their API is more than happy to let you add linefeeds in the "From" or "To" parameters and thus let you add extra headers (say BCC). The reason it was my fault was for using PHP in the first place!

There is no "From" parameter. It's called additional_headers which, yes, lets you include one or more raw headers, separated by newlines. There are plenty of higher-level API-s for PHP, but you chose to pass headers to the the raw API without validating. Have you heard this one: "a poor craftsman blames his tools"?

Re:A rookie mistake

[coryking]

That is why it is called a rookie mistake. And yes, I'll blame PHP. It is a beginner language and should encourage people to do the right thing. Instead, it makes it hard to create a non-exploitable mail form and trivial to make one that is wide open.

a poor craftsman blames his tools

A skilled craftsman knows what constitutes a good tool is and why it might be important. A skilled craftsman also knows when something *is* the fault of the tool. A novice doesn't know a good tool from a bad tool. PHP is a useful tool, but in hands of a novice it can lead to exactly the scenario in this article and *that* makes it a poor tool.

Re:A rookie mistake

[fractalus]

PHP being dangerous for novices doesn't make it a poor tool, it makes it a poor tool for novices. C is a useful tool too, and in many cases can be the best tool for the job, but in the hands of a novice it can be dangerous.

The problem isn't PHP specifically (because just about any web-oriented programming language can have similar problems) it's that there are lots of people interested in making dynamic web sites who don't understand the risks. Building and deploying dynamic web sites means subjecting them to possible attack from billions of other people. This is a far different (and bigger) challenge than simply deploying a desktop application, but we still have scads of "tutorials" that treat security as an afterthought.

Web programming is not, nor should it be, something anyone can "whip up" without understanding what they're doing. Think of it this way: "Hey Bob, while you're in that level 4 biohazard lab, why don't you check out this nifty tool I made. I'm pretty sure it won't damage your suit. What? No, I don't have any experience making bio lab tools. Or working in one. Does that matter?"

Re:A rookie mistake

[coryking]

Web programming is not, nor should it be, something anyone can "whip up" without understanding what they're doing

Sure, in make-believe land this will happen. But here in reality, there are tons of rookie coders writing crap, insecure web programs. Given this will *never* be stopped, the *least* PHP might do is make it feel natural to do the right thing.

For example, if you search "PHP send mail", one of first hits you get has example code that *will* be exploited by spammers. The fact that the *core default way to send mail* does not have a parameter for "From:" has resulted in thousands of websites getting reamed by spammers. Everbody wants to customize the "From:" in an email based on user input! No novice will know how to properly construct a "From: $username" to pass into the additional_headers! They'll gloss over the warning in the link I gave--why? Like most people they will assume the warning only applies to people doing advanced tricks with email like attachments; all they are doing is something "simple" like customizing the From: line! Hell, that is how I got burned. I assumed since I was doing something simple, PHP would do the right thing for me. I was wrong. Live and learn!

The easy to exploit mail function isn't what is happening in the article. That "exploit" isn't even really an exploit but it is what I originally called it--a rookie mistake. That kind of thing can be done in any language and you'd be lying to say your first email form didn't have the exact same problem!

Re:A rookie mistake

[sg_oneill]

Speak for yourself. It was always obvious to me these stupid forms where far too dangerous to allow, and that was back in the mid 90s when we where first fucking around with CGI mail.

Don't assume other people share in your historical naivete.

Re:A rookie mistake

[uninformedLuddite]

Building and deploying dynamic web sites means subjecting them to possible attack from billions of other people.

You've been spoofing statcounter again haven't you?

Fix the Problem

[davidshewitt]

The democrats.org technical support website doesn't have a captcha either. Maybe /.ing them with requests to fix this lack of security will raise their awareness. This sort of thing is unacceptable and needs to be fixed.

Their support website is: http://www.democrats.org/page/s/techproblems

Oh

[BCW2]

I thought it was just standard propaganda from them.

Silly me.

How can you tell?

[Punk+CPA]

Nearly everything coming out of Washington looks like a 419 scam anyway.

Re:Your official guide to the Jigaboo presidency

[yesteraeon]

Mod this down. 0 isn't low enough.

Have the ISP pull hte plug if they don't fix it...

[gabebear]

It appears their mail server is run by XO Communication

http://www.democrats.org/page/s/techproblems
http://www.xo.com/forms/Campaign/Care/ContactCustomerCare/ContactCustomerCare.aspx

Re:Liberals.

Maybe you see these problems on the democratic domain, because the conservatives in this country are still trying to figure out what the internet is.

http://www.huffingtonpost.com/2008/06/11/mccain-admits-he-doesnt-k_n_106478.html

http://www.youtube.com/watch?v=f99PcP0aFNE

Re: You may not even pay for Unemployment

[InvisiBill]

I think when I finally get back to work (probably January when managers get new budgets and fresh money), I'm going to refuse to pay the Unemployment. Why should I pay for a program that doesn't help me out when I need it?

In Michigan at least, employees don't pay for unemployment insurance, the employers do. Yes, in the end, everything comes out of our pockets in some way (i.e. they could pay you higher wages if they didn't have to pay for your unemployment insurance). However, you don't pay x% of your paycheck every week into Unemployment.

Oh the irony

[PHAEDRU5]

John McCain never left his email server open for this sort of exploit!

Re:Oh the irony

John McCain never left his email server open for this sort of exploit!

That's because carrier pigeons fight back.

They have a captcha now

[Mr.+Roadkill]

Mind you, it's being used by 419ers... they don't honestly believe that they'll keep 419ers out with a captcha, do they? These are the same people who'll cheerfully sit there sending mail out through hotmail accounts, so a captcha's not going to keep them out.

I guess politicians should forget to mention taxes

[davidwr]

With every get-tough-on-crime speech are these unwritten words:

"And because prisons and tracking and feeding of ex-offenders who can't find jobs because employers are needlessly scared costs money, please support me in my efforts to raise your taxes."

Empathy for Dolts

[Web+Goddess]

I must "out" myself as being another clueless web designer who left exactly this vulnerability in my own "email page to a friend" link, as recently as April 2009. Doh!

See, creative people have no "barrier to entry" and as long as I can write simple perl scripts, I can run them in my CGI bin. Not everyone is a gifted web designer, many of us have had no formal education in programming or security, and of course we are all struggling against spammers with a financial interest in locating exploits.

I feel empathy for those that you smarter people scoff at. Be kind! It wasn't for us dolts you woudn't *be* smart, you'd just be average!

Wendy Northcutt, the Darwin Awards

spam

[hesaigo999ca]

spam,spam,spam,spam,spam,spam,spam,spam.....incredible spam, lalala la la la la lalalala....incredible spam...
(monty python short) gotta love spam...!

Finally fixed it

[OhHellWithIt]

They have at least fixed the lack of a captcha on the "Email a friend" page.

The root of what you are saying

[jDeepbeep]

So.... do you feel it is the responsibility of a programming language to protect you from your own blunders?

As of This Morning It Appears To Be Fixed

[noc007]

I've checked the offending page http://www.democrats.org/page/invite and they have added a CAPTCHA. Hopefully this fixes the issue.

And we want to trust them ...

[neonprimetime]

... to take control of the internet? They can't even handle a simple little website!