Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spammers Use Holes In Democrats.org Security

Posted by Soulskill on from the hello-sir-madam dept.

Attila Dimedici writes "According to Cloudmark, 419 spammers are using the democrats.org website to relay email and bypass spam filters. 'The abuse, which dates back at least to the beginning of this month, helps evade filters that internet service providers employ to block the messages. ... The messages were sent courtesy of this page, which allows anyone with an internet connection to send emails. The PHP script employs no CAPTCHA or other measure to help ensure there is a real human being behind each email that gets funneled through the service. The service allows messages to be sent to 10 addresses at a time and even provides a way for people to import contacts they have stored in their address book.'"

11 of 129 comments (clear)

  1. Not really a hole, more like open barn door by HangingChad · · Score: 5, Insightful

    That wasn't so much a security hole as just bad programming. The equivalent of not merely leaving the barn door open, but designing the barn with no doors. Who thought that was a good plan? None of the developers spoke up and said, "Hey, this is a really bad idea!"

    And, last I checked, the page was still up.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  2. So... by Anonymous Coward · · Score: 5, Funny

    Spammers are making liberal use of a democrat website?

  3. This has nothing to do with politics! by Zerbey · · Score: 4, Insightful

    Just another clueless web designer putting up an open relay form. I thought I'd seen the last of these back in the 1990s! I'm sure the web site in question has been blacklisted by all the major DNSBL lists by now.

  4. Re:OK, come on by UltraAyla · · Score: 4, Insightful

    My goodness. I believe the reason you can't collect benefits is because most states only provide unemployment insurance for 6 months after the termination of employment. That might not be entirely correct, but it's some period of time. Secondly, The "government compassion" you're whining about was actually doubled in the stimulus bill. The bill vastly expanded unemployment benefits both in terms of length of time, amount of money provided, and tax breaks for the unemployed. See http://employeeissues.com/blog/arra-unemployment-assistance/

    There's your frickin' government compassion. And now you want to refuse to pay into it? Conservatives who utilize government services then complain about how they shouldn't exist at all kill me. Either advocate for smaller government OR take the benefits. Don't do both. I just can't believe it. This is the type of crap that brings our country down.

  5. Geniuses... by Anonymous Coward · · Score: 5, Insightful

    These are the same geniuses who want to be able to take down the internet when problems arise. They can't even manage themselves but want to control everything else. Go figure...

  6. I bet lots of people complained. by khasim · · Score: 3, Insightful

    But somewhere in the line there was an executive/manager who said "there isn't a problem" or "spammers won't bother with us" or some such.

    It's very difficult to explain a problem BEFORE it happens to someone who has a vested interest in not understanding the issue.

  7. I warned them in 2006. by Spazmania · · Score: 5, Informative

    None of the developers spoke up and said, "Hey, this is a really bad idea!"

    In point of fact, I spoke up. Loudly. And eventually resigned when the problems were not adequately addressed.

    In August 2006 I wrote a white paper detailing the issues, including the "mail your friends" code that the invite URL falls under:

    http://bill.herrin.us/composer.html

    In fairness, the director of technology at the time no longer works for the DNC. The current guy inherited the problem.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  8. A rookie mistake by coryking · · Score: 4, Insightful

    Who here can honestly say the first couple email forms they created *did not* get shut down by spammers? The first I created looked almost like the one linked in this article--no security checks, no throttling and the ability to completely alter the message and subject.

    The the second one I created let you add extra headers in the mail message--course part of that was thanks to the shitty, insecure mail api provided by PHP. Their API is more than happy to let you add linefeeds in the "From" or "To" parameters and thus let you add extra headers (say BCC). The reason it was my fault was for using PHP in the first place!

    No sir, we've all done this. Every developer who ever created something that let the public generate email has created a gateway for spammers at least once.

    My hunch is an intern did this :-)

    1. Re:A rookie mistake by coryking · · Score: 3, Informative

      Web programming is not, nor should it be, something anyone can "whip up" without understanding what they're doing

      Sure, in make-believe land this will happen. But here in reality, there are tons of rookie coders writing crap, insecure web programs. Given this will *never* be stopped, the *least* PHP might do is make it feel natural to do the right thing.

      For example, if you search "PHP send mail", one of first hits you get has example code that *will* be exploited by spammers. The fact that the *core default way to send mail* does not have a parameter for "From:" has resulted in thousands of websites getting reamed by spammers. Everbody wants to customize the "From:" in an email based on user input! No novice will know how to properly construct a "From: $username" to pass into the additional_headers! They'll gloss over the warning in the link I gave--why? Like most people they will assume the warning only applies to people doing advanced tricks with email like attachments; all they are doing is something "simple" like customizing the From: line! Hell, that is how I got burned. I assumed since I was doing something simple, PHP would do the right thing for me. I was wrong. Live and learn!

      The easy to exploit mail function isn't what is happening in the article. That "exploit" isn't even really an exploit but it is what I originally called it--a rookie mistake. That kind of thing can be done in any language and you'd be lying to say your first email form didn't have the exact same problem!

  9. How can you tell? by Punk+CPA · · Score: 3, Funny

    Nearly everything coming out of Washington looks like a 419 scam anyway.

  10. Re:OK, come on by Anonymous Coward · · Score: 3, Insightful

    Waiting 9 months until you might get a job back in January is a pretty shitty reason for not getting off your ass and finding another job. Heaven forbid you actually use unemployment as a bridge to finding new employment. No, you should be able to sit on your ass and collect it until the same people who laid you off decide that maybe they can afford you again for a short time? Come on.