However, if you want to receive your own personal spam, the following strategies may help:
- Post often to Usenet, and use your real e-mail address
- Use your real email address when registering to web sites
- Post to mailing lists whose archives do not obfuscate your e-mail address
- Report bugs about KDE, and use your real address to do so
- Write a Perl module, and publish it on CPAN's Perl Pause.
- Put your real, unobfuscated e-mail address on your website (or into guestbooks at other websites)
- Open an MS hotmail account
- When getting spam, always click on the removeme link
- When reading your spam, be sure to have all the nice features of your e-mail program turned on: HTML mail, HTML image display (very important), JavaScript, ActiveX, ... Preferably use Outlook to browse your spam.
The site was Torrentse.cx (a name that is program...), and the link pointed to Tubgirl (btw, the tubgirl domain name is hosted at some kind of redirector farm, and in light of my previous comments about SQL injection it is very astonishing that the other sites of that redirector farm don't show similarly disgusting pictures... but I digress...)
Predictably enough, the link was removed from the slashdot story as soon as it became apparent what had happened. The swift action of the editors forestalled most of the expected fun: There were only a handful of comments about the picture...
If the webmaster of torrentse.cx had been smarter, he'd have shown the normal contents to anybody coming from a Slashdot-owned IP, or he could have shown the tubgirl only for one visit in ten, or whatever...
It's been done, although that wasn't the submitter's fault, but rather a webmaster that didn't appreciate being Slashdotted.
Groovy! I must have missed this memorable event. Do you still have any pointers (which day it happened, or some unique keywords in the story to search for...)
As far as I remember, it's the magic_quotes_gpc setting in php.ini, and most distributions ship this set to On. However, if the application program does know what it is doing (by using bind variables, or whatever), this magic_quotes_gpc setting may get in the way, and so the admin might have turned it off. Of course, even in that situation, it's better to turn it off locally (in the VirtualHosts clause, for example) just in case there are several apps on the system, some of which are insecure and some of which are secure.
You forgot that we are talking about spammers here. And Windows administrators. Neither of which are known for their smartness.
they have most likely configured their server to automatically replace a single quote (') in a query string with two single quotes (''),
You'd have a case if that was a PHP server. By default, PHP escapes all input (i.e. ' is replaced with \'), which pretty much defeats most of such attacks. However, if there are some places where the web-app expects numbers (such as affiliate IDs) it may still be vulnerable (no need to close a quote to slip SQL code into a number).
which will escape it to MSSQL server.
With ASP, the admin has to specifically set up his rig to do this escaping. With PHP, it is the default setting. However, an admin dumb enough to run sequel sewer in the first place would probably not even know about the issue.
Which means no matter how many single quotes you type, you won't be able to doctor the query. Sorry.
Try it out. Just search for aspx news.admin.net-abuse.sightings on google groups and try out the links. Sort by date, or you'll find that most spams are too old and the site already has been closed. Or if you are in the habit of keeping your spam, just search your own collection for .aspx links. You'd be astonished at how many of these the SQL injection works! (I'd say one out of 3). However, for some weird reason, probability of success is much higher for .aspx than it is for .asp (For .asp it indeed takes quite a bit of patience to find anything worthwhile...)
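Added example, not part of the original comments: the difference the thread keeps circling between quote escaping and bind variables, seen from the side of whoever maintains the form handler. Python's sqlite3 stands in for the ASP/PHP plus MSSQL stack, and the table, function names and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: a tiny affiliates table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE affiliates (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO affiliates VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def escape_quotes(value):
    # Quote doubling: the automatic rewrite of ' to '' described in the thread.
    return value.replace("'", "''")

def lookup_by_name_escaped(db, name):
    # String context: doubled quotes keep the input inside the literal,
    # so the whole input is compared as plain text.
    sql = "SELECT name FROM affiliates WHERE name = '%s'" % escape_quotes(name)
    return [row[0] for row in db.execute(sql)]

def lookup_by_id_escaped(db, raw_id):
    # Numeric context: there is no quote to close, so escaping changes
    # nothing and whatever the client sent is parsed as SQL.
    sql = "SELECT name FROM affiliates WHERE id = %s" % escape_quotes(raw_id)
    return [row[0] for row in db.execute(sql)]

def lookup_by_id_bound(db, raw_id):
    # Hardened form: validate the type, then pass the value as a bind
    # variable so it never reaches the SQL parser as text.
    try:
        affiliate_id = int(raw_id)
    except ValueError:
        return []
    rows = db.execute("SELECT name FROM affiliates WHERE id = ?",
                      (affiliate_id,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print(lookup_by_name_escaped(db, "' or '' = '"))  # escaping holds here
    print(lookup_by_id_escaped(db, "0 OR 1=1"))       # escaping is irrelevant here
    print(lookup_by_id_bound(db, "0 OR 1=1"))         # rejected before the query
```

Escaping only protects string literals; every numeric parameter needs a type check or a bind variable, which is also why a handler that already binds its parameters does not need the global escaping switch.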
As the speakers ran through their PowerPoint presentations, the room hummed with the tip-tap of IM chatter.
Let's see, there is another use for these laptops: blue screen the speaker's Windows box, or better, change its desktop background to something, uhmmm, more interesting. Should teach him to use PowerPoint!
Also useful if the speaker accidentally types passwords in the wrong field (visible) during a demo: now you can make use of these passwords during the lecture, before the speaker has a chance to change them to something else!
Slashdot has implemented a number of features to try and avoid this. (i.e. listing the domain name beside links) I guess people are still successful sometimes, though.
Slipping in goatse links is easy. Too easy even. There are a number of redirector services (shorl.com) which allow you to hide the URL, and even most mainstream sites do have some way to redirect.
No, simply slipping in goatse into a comment is so easy that it has become uninteresting. The real art now is to have a goatsy comment moderated up rather than down as the usual troll or flamebait. Seems so far it is working well (+4, and counting...)
Harder to do to a member of government, especially one from Russia. Any time you deal with a large government you deal with large resources and the law on your side.
It's crazy how many spam websites are running on IIS with .asp scripts (or even better: .aspx!) as a frontend, and Microsoft Sequel Server as a backend.
Just type a spare single quote into the "remove me from your list" box, and watch as parts of the SQL query are displayed. Experiment a bit, and transform this into a query that clears the entire subscribers list, or that changes their spam messages to something funny, or that keeps the subscriber list but replaces all e-mail addresses by their own whois contact (or better: their upstream provider's whois..), etc.
For starters, the following string often removes the entire list when entered into the remove me box:
' or '' = '
(that's two single quotes between the or and the = sign).
If the site has an "affiliate program" (look around a bit...), the same string entered as a user name into the affiliate programme's login box might let you in, with a little bit of luck. If not, try the following instead (again, there are only single quotes in the string, no double quotes):
' or ''='' or ''='
If it still doesn't help, try to repeat the same string in the password box.
If still not ok, you may need to use a union statement:
x' union all select top 1 null,null,null from sysobjects;--
Start with one null, and keep adding more until the "parameter number mismatch" error disappears. Patience may be needed, certain login scripts require more than 40 nulls! Then start replacing the nulls with your desired password string, and attempt to find a combination which doesn't give you a type mismatch error.
Example:
x' union all select 'zozo', null, 'zozo', null
Then enter zozo into the password box. With a little bit of luck, this method may let you in.
Once you're in, you've access to the affiliate's (i.e., the spammer's) account:
home address: always nice for a baseball bat expedition, or to pull an Alan Ralsky on the spammer.
phone number: on your way to work, give your friend a call! One from each phone booth that you encounter! Write the number on bathroom stalls! Post it to slashdot!
bank account number: well, just change it to your own!
social security number: post it to as many places as you can
...
The benefit of such actions is twofold: not only does it teach the spammer not to spam, but it also tells him that Windows (and especially aspx + Sequel Sewer) is not a very secure technology.
hmm... you know... I could probably subpoena and sue my university. I gave them a single copy of my papers. I guess I agreed to it in fair exchange for a passing grade, but...
Does this mean that the university is in violation of the DMCA if the student fails his year? Interesting angle...
Just make sure you don't mail one of your own turds. Y'a know, the DNA in it can identify you. Better use a small shovel and paper bag, and pick up a nice dog turd off the sidewalk.
Probably the guy put up the Scottish flag after he had to replace his tyres for the sixth time in 3 weeks. And all those scratches in the paintjob didn't look nice either.
- Extended warranties. $19 for a warranty on a $99 television from Best Buy? (If the TV does break, it will almost certainly happen before the manufacturer's warranty expires anyway. TVs either break right away or they last forever)
Unless they are specifically engineered to break exactly one day after the warranty expires. Or is that just Murphy's law?
News flash: Web-based technologies change monthly, if not weekly. If we waited for them all to mature, we'd still be viewing Lynx compatible pages.
You say this as if it were a disadvantage. Do you also consider access ramps near buildings to be eye-sores, and do you routinely park your car on the spots reserved for the disabled?
Lemme tell you: lots of people don't use lynx by choice, but because they have a disability (blindness) that prevents them from using other browsers. Text-only browsers may be used together with a braille line, or a text-to-speech synthesizer to enable the blind to experience the web.
Frankly, web designers who pride themselves that their pages are not lynx compatible are dorks.
Also, those of us who build for the web have to deal with an incredibly variable environment (OS, browser, connect speed, screen size, language, etc).
Rather than building specific versions of your page for your target, think of building target-independent pages. Stick to standards. Stick to "minimality principle": If all you want are buttons with pretty pictures, use GIF images, rather than flash animations. Oh, and add an ALT tag too, for the sake of your blind visitors.
Idealism is nice, but standing on a soapbox screaming 'Be Patient!' is not really practical given the tech-o-the-week world that the web is right now.
So, just explain to your management that your "flashy" website exposes your company to multi-million dollar A.D.A. lawsuits. Maybe then they'll understand better.
In short, the criminal stuff will likely not suffer, but the civil stuff will tend to age more before being dealt with. In some cases, it will depend on your district. For instance, if you are in a hot asbestos district, the civil dockets are terrible. My local federal court is in decent shape, but if a judge dies unexpectedly, we could be screwed.
So, why are all you people so worried? Just throw the damn letter into the trash, and maybe ten years later the court will have time to hear the matter. Still ten years later, maybe, they will take a decision. And maybe 20 years may have been enough that Direct TV may have gone out of business, or has been bought up by a competitor, or has felt that pursuing those suits is not worth the public relations ill-will that they generate. Or 20 years will have been enough that the judge handling your case has retired, or has croaked.
If you need samples, you can see enough of them in the Usenet newsgroup news.admin.net-abuse.sightings.
Hey, it's a wardriving machine!
No, this is real-life flashmobbing.
No, simply slipping in goatse into a comment is so easy that it has become uninteresting. The real art now is to have a goatsy comment moderated up rather than down as the usual troll or flamebait. Seems so far it is working well (+4, and counting...)
Next challenge: slip one into a story submission!
Not if the spammer is an American.
Once you're in, you've access to the affiliate's (i.e., the spammer's) account:
- home address: always nice for a baseball bat expedition, or to pull an Alan Ralsky on the spammer.
- phone number: on your way to work, give your friend a call! One from each phone booth that you encounter! Write the number on bathroom stalls! Post it to slashdot!
- bank account number: well, just change it to your own!
- website URL: change it to you know what
- social security number: post it to as many places as you can
- ...
The benefit of such actions is twofold: not only does it teach the spammer not to spam, but it also tells him that Windows (and especially aspx + Sequel Sewer) is not a very secure technology. Have fun!
Yes, they do.
Oh, nevermind.
It's a dildo, stupid.
However, the pilots' jokes and jabs at each other are left in, and they can be much scarier than any noises the passengers could make...
That's a federal offense. Quick, somebody call the cops!
So, why are all you people so worried? Just throw the damn letter into the trash, and maybe ten years later the court will have time to hear the matter. Still ten years later, maybe, they will take a decision. And maybe 20 years may have been enough that Direct TV may have gone out of business, or has been bought up by a competitor, or has felt that pursuing those suits is not worth the public relations ill-will that they generate. Or 20 years will have been enough that the judge handling your case has retired, or has croaked.
Chill out, time is on your side!
One hit wonder? Nena had lots of other successes too: Leuchtturm, Irgendwie, irgendwo, irgendwann (Anyplace, anywhere, anytime), ...
Btw, for some weird reason, they're now remaking these old songs, and playing them on the radio all the time...