Slashdot Mirror


Spammers Use Holes In Democrats.org Security

Attila Dimedici writes "According to Cloudmark, 419 spammers are using the democrats.org website to relay email and bypass spam filters. 'The abuse, which dates back at least to the beginning of this month, helps evade filters that internet service providers employ to block the messages. ... The messages were sent courtesy of this page, which allows anyone with an internet connection to send emails. The PHP script employs no CAPTCHA or other measure to help ensure there is a real human being behind each email that gets funneled through the service. The service allows messages to be sent to 10 addresses at a time and even provides a way for people to import contacts they have stored in their address book.'"

24 of 129 comments

  1. Not really a hole, more like open barn door by HangingChad · · Score: 5, Insightful

    That wasn't so much a security hole as just bad programming. The equivalent of not merely leaving the barn door open, but designing the barn with no doors. Who thought that was a good plan? None of the developers spoke up and said, "Hey, this is a really bad idea!"

    And, last I checked, the page was still up.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Not really a hole, more like open barn door by UltraAyla · · Score: 2, Informative

      Solution: Use the website to fill up the sysadmin's box with requests that s/he add a captcha - that'll do it for sure! Right? Right?

    2. Re:Not really a hole, more like open barn door by ukyoCE · · Score: 2, Insightful

      Yeah. It's pretty standard for websites to allow e-mail to an arbitrary address. Every time you sign up for a website, they send an e-mail to an arbitrary address.

      The difference is every other website sends a FORM LETTER to the address. Letting you type in a message (and especially making it the entirety or bulk of the e-mail) is what turned this into a stupid idea. Easy to fix too, if they just get rid of the "type your message here" box and do a form letter instead.

  2. Re:OK, come on by Nidi62 · · Score: 2, Funny

    If Democrats can't even design their website to keep people out or prevent people from doing whatever they want in it, how are they going to keep pedophiles out of our schools? Think of the children!

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  3. So... by Anonymous Coward · · Score: 5, Funny

    Spammers are making liberal use of a democrat website?

  4. Why is this tagged "politics"? by mantis2009 · · Score: 2, Insightful

    It's not like the Democratic party has a policy of encouraging spammers, while the Green party argues for locking up people who send unsolicited emails. This isn't a political story, folks.

  5. This has nothing to do with politics! by Zerbey · · Score: 4, Insightful

    Just another clueless web designer putting up an open relay form. I thought I'd seen the last of these back in the 1990s! I'm sure the web site in question has been blacklisted by all the major DNSBL lists by now.

    1. Re:This has nothing to do with politics! by noc007 · · Score: 2, Informative

      The MX records for democrats.org point to 208.69.4.29, 208.69.4.30, and 208.69.4.31 and the MX records for dnc.org point to 72.35.23.4 and 216.129.90.46. As of this posting, Spamhaus doesn't have those blacklisted.

  6. Re:OK, come on by UltraAyla · · Score: 4, Insightful

    My goodness. I believe the reason you can't collect benefits is because most states only provide unemployment insurance for 6 months after the termination of employment. That might not be entirely correct, but it's some period of time. Secondly, the "government compassion" you're whining about was actually doubled in the stimulus bill. The bill vastly expanded unemployment benefits both in terms of length of time, amount of money provided, and tax breaks for the unemployed. See http://employeeissues.com/blog/arra-unemployment-assistance/

    There's your frickin' government compassion. And now you want to refuse to pay into it? Conservatives who utilize government services then complain about how they shouldn't exist at all kill me. Either advocate for smaller government OR take the benefits. Don't do both. I just can't believe it. This is the type of crap that brings our country down.

  7. Geniuses... by Anonymous Coward · · Score: 5, Insightful

    These are the same geniuses who want to be able to take down the internet when problems arise. They can't even manage themselves but want to control everything else. Go figure...

  8. It's not a hole by andy1307 · · Score: 2, Funny

    It's not a hole. It works exactly like it was designed to work, making it easier for people to spread their word.

  9. I bet lots of people complained. by khasim · · Score: 3, Insightful

    But somewhere in the line there was an executive/manager who said "there isn't a problem" or "spammers won't bother with us" or some such.

    It's very difficult to explain a problem BEFORE it happens to someone who has a vested interest in not understanding the issue.

  10. I warned them in 2006. by Spazmania · · Score: 5, Informative

    None of the developers spoke up and said, "Hey, this is a really bad idea!"

    In point of fact, I spoke up. Loudly. And eventually resigned when the problems were not adequately addressed.

    In August 2006 I wrote a white paper detailing the issues, including the "mail your friends" code that the invite URL falls under:

    http://bill.herrin.us/composer.html

    In fairness, the director of technology at the time no longer works for the DNC. The current guy inherited the problem.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:I warned them in 2006. by Spazmania · · Score: 2, Insightful

      The problem defines the tool, not the other way around. The trained Bayesian filter is one of many tools for filtering spam and other undesired mail. But spam is not defined as "that which the Bayesian filter detects." Nor is all undesirable mail spam; spam is only a subset of undesirable email.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  11. A rookie mistake by coryking · · Score: 4, Insightful

    Who here can honestly say the first couple email forms they created *did not* get shut down by spammers? The first I created looked almost like the one linked in this article--no security checks, no throttling and the ability to completely alter the message and subject.

    The second one I created let you add extra headers in the mail message--of course part of that was thanks to the shitty, insecure mail api provided by PHP. Their API is more than happy to let you add linefeeds in the "From" or "To" parameters and thus let you add extra headers (say BCC). The reason it was my fault was for using PHP in the first place!

    No sir, we've all done this. Every developer who ever created something that let the public generate email has created a gateway for spammers at least once.

    My hunch is an intern did this :-)

    1. Re:A rookie mistake by coryking · · Score: 2, Insightful

      That is why it is called a rookie mistake. And yes, I'll blame PHP. It is a beginner language and should encourage people to do the right thing. Instead, it makes it hard to create a non-exploitable mail form and trivial to make one that is wide open.

      a poor craftsman blames his tools

      A skilled craftsman knows what constitutes a good tool and why it might be important. A skilled craftsman also knows when something *is* the fault of the tool. A novice doesn't know a good tool from a bad tool. PHP is a useful tool, but in the hands of a novice it can lead to exactly the scenario in this article and *that* makes it a poor tool.

    2. Re:A rookie mistake by coryking · · Score: 3, Informative

      Web programming is not, nor should it be, something anyone can "whip up" without understanding what they're doing

      Sure, in make-believe land this will happen. But here in reality, there are tons of rookie coders writing crap, insecure web programs. Given this will *never* be stopped, the *least* PHP might do is make it feel natural to do the right thing.

      For example, if you search "PHP send mail", one of the first hits you get has example code that *will* be exploited by spammers. The fact that the *core default way to send mail* does not have a parameter for "From:" has resulted in thousands of websites getting reamed by spammers. Everybody wants to customize the "From:" in an email based on user input! No novice will know how to properly construct a "From: $username" to pass into the additional_headers! They'll gloss over the warning in the link I gave--why? Like most people they will assume the warning only applies to people doing advanced tricks with email like attachments; all they are doing is something "simple" like customizing the From: line! Hell, that is how I got burned. I assumed since I was doing something simple, PHP would do the right thing for me. I was wrong. Live and learn!

      The easy to exploit mail function isn't what is happening in the article. That "exploit" isn't even really an exploit but it is what I originally called it--a rookie mistake. That kind of thing can be done in any language and you'd be lying to say your first email form didn't have the exact same problem!
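    The two fixes the thread points at, ukyoCE's "send a form letter instead of the user's text" and coryking's "never let a linefeed from user input reach additional_headers", combined into one hardened "tell a friend" handler. This is an added example, not code from democrats.org, from the linked white paper, or from any commenter; the field names, the fixed site sender address, the allow-list of shareable pages and the recipient cap are assumptions made for illustration.

```php
<?php
// Added example (not code from democrats.org or from any commenter above):
// a "tell a friend" handler that sends a fixed form letter and rejects any
// header value that could smuggle extra headers. Field names, SITE_SENDER,
// the page allow-list and MAX_RECIPIENTS are assumptions for illustration.

const MAX_RECIPIENTS = 3;                      // assumed hard cap per submission
const SITE_SENDER    = 'noreply@example.org';  // assumed fixed, server-owned From: address

// A CR, LF or NUL inside a header value is what turns "From: $username" into
// "From: x\r\nBcc: ..." once it is concatenated into $additional_headers.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Accept one address only if it is injection-free and syntactically valid.
function clean_address(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || has_header_injection($value)) {
        return null;
    }
    $valid = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// The sender's display name is the only free text that reaches the mail, so
// restrict it to letters, digits, spaces and a little punctuation (\z, not $,
// so a trailing newline cannot slip past the anchor).
function clean_display_name(string $value): ?string
{
    $value = trim($value);
    return preg_match('/^[\p{L}\p{N} .\'\-]{1,60}\z/u', $value) === 1 ? $value : null;
}

// Fixed form letter: the submitter chooses a page from an allow-list; the
// subject and body text are the site's, not the submitter's.
function build_form_letter(string $senderName, string $pageKey): ?array
{
    $pages = [                                 // assumed allow-list of shareable pages
        'volunteer' => 'https://www.example.org/volunteer',
        'events'    => 'https://www.example.org/events',
    ];
    if (!isset($pages[$pageKey])) {
        return null;
    }
    $body = $senderName . " thought you might be interested in this page:\r\n\r\n"
          . $pages[$pageKey] . "\r\n\r\n"
          . "Sent through the \"tell a friend\" form on example.org.\r\n";
    return ['subject' => 'A page recommended by ' . $senderName, 'body' => $body];
}

// Validate the whole submission and return either an envelope ready for mail()
// or a list of errors. Nothing is sent here, so the result can be inspected.
function prepare_tell_a_friend(array $post): array
{
    $errors = [];

    $name = clean_display_name((string) ($post['sender_name'] ?? ''));
    if ($name === null) {
        $errors[] = 'sender_name: letters, digits, spaces and .\'- only (1-60 chars)';
    }

    $replyTo = clean_address((string) ($post['sender_email'] ?? ''));
    if ($replyTo === null) {
        $errors[] = 'sender_email: not a valid address';
    }

    $rawRecipients = (array) ($post['recipients'] ?? []);
    if (count($rawRecipients) === 0 || count($rawRecipients) > MAX_RECIPIENTS) {
        $errors[] = 'recipients: between 1 and ' . MAX_RECIPIENTS . ' addresses required';
    }
    $recipients = [];
    foreach (array_slice($rawRecipients, 0, MAX_RECIPIENTS) as $r) {
        $clean = clean_address((string) $r);
        if ($clean === null) {
            $errors[] = 'recipients: invalid address rejected';
        } else {
            $recipients[] = $clean;
        }
    }

    $letter = $name === null ? null : build_form_letter($name, (string) ($post['page'] ?? ''));
    if ($name !== null && $letter === null) {
        $errors[] = 'page: unknown page key';
    }

    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }
    return [
        'ok'      => true,
        'to'      => implode(', ', array_unique($recipients)),
        'subject' => $letter['subject'],
        'body'    => $letter['body'],
        // Array form of $additional_headers (PHP 7.2+): From: is the site's own
        // address; the submitter's address goes only into Reply-To, validated above.
        'headers' => ['From' => SITE_SENDER, 'Reply-To' => $replyTo],
    ];
}

// Thin wrapper: the only place that touches mail().
function send_tell_a_friend(array $post): bool
{
    $env = prepare_tell_a_friend($post);
    return $env['ok'] && mail($env['to'], $env['subject'], $env['body'], $env['headers']);
}
```

    Keeping validation in prepare_tell_a_friend() and the send in a separate wrapper means the envelope can be checked in a unit test without a mail server. The checks it does not include, a CAPTCHA and per-IP throttling, sit in front of this handler rather than inside it; even with them, a form that relays the submitter's own text is still worth spamming, which is why the body here is a template.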

  12. Oh by BCW2 · · Score: 2, Insightful

    I thought it was just standard propaganda from them.

    Silly me.

    --
    Professional Politicians are not the solution, they ARE the problem.
  13. How can you tell? by Punk+CPA · · Score: 3, Funny

    Nearly everything coming out of Washington looks like a 419 scam anyway.

  14. Re:OK, come on by Anonymous Coward · · Score: 3, Insightful

    Waiting 9 months until you might get a job back in January is a pretty shitty reason for not getting off your ass and finding another job. Heaven forbid you actually use unemployment as a bridge to finding new employment. No, you should be able to sit on your ass and collect it until the same people who laid you off decide that maybe they can afford you again for a short time? Come on.

  15. Re:Liberals. by Anonymous Coward · · Score: 2, Insightful

    Maybe you see these problems on the democratic domain, because the conservatives in this country are still trying to figure out what the internet is.

    http://www.huffingtonpost.com/2008/06/11/mccain-admits-he-doesnt-k_n_106478.html

    http://www.youtube.com/watch?v=f99PcP0aFNE

  16. Re: You may not even pay for Unemployment by InvisiBill · · Score: 2, Informative

    I think when I finally get back to work (probably January when managers get new budgets and fresh money), I'm going to refuse to pay the Unemployment. Why should I pay for a program that doesn't help me out when I need it?

    In Michigan at least, employees don't pay for unemployment insurance, the employers do. Yes, in the end, everything comes out of our pockets in some way (i.e. they could pay you higher wages if they didn't have to pay for your unemployment insurance). However, you don't pay x% of your paycheck every week into Unemployment.

  17. Oh the irony by PHAEDRU5 · · Score: 2, Funny

    John McCain never left his email server open for this sort of exploit!

    --
    668: Neighbour of the Beast
  18. Empathy for Dolts by Web+Goddess · · Score: 2, Insightful

    I must "out" myself as being another clueless web designer who left exactly this vulnerability in my own "email page to a friend" link, as recently as April 2009. Doh!

    See, creative people have no "barrier to entry" and as long as I can write simple perl scripts, I can run them in my CGI bin. Not everyone is a gifted web designer, many of us have had no formal education in programming or security, and of course we are all struggling against spammers with a financial interest in locating exploits.

    I feel empathy for those that you smarter people scoff at. Be kind! If it wasn't for us dolts you wouldn't *be* smart, you'd just be average!

    Wendy Northcutt, the Darwin Awards