
Spammers Use Holes In Democrats.org Security

Posted by Soulskill
from the hello-sir-madam dept.
Attila Dimedici writes "According to Cloudmark, 419 spammers are using the democrats.org website to relay email and bypass spam filters. 'The abuse, which dates back at least to the beginning of this month, helps evade filters that internet service providers employ to block the messages. ... The messages were sent courtesy of this page, which allows anyone with an internet connection to send emails. The PHP script employs no CAPTCHA or other measure to help ensure there is a real human being behind each email that gets funneled through the service. The service allows messages to be sent to 10 addresses at a time and even provides a way for people to import contacts they have stored in their address book.'"
This discussion has been archived. No new comments can be posted.

  • Someone please tell us how this problem with the democrats.org website must clearly be related to the impending socialist takeover of schools and soda machines. Certainly this is how Marxism takes root, by allowing 419 emails to propagate, right?
    • Re: (Score:2, Funny)

      by Nidi62 (1525137)
      If Democrats can't even design their website to keep people out or prevent people from doing whatever they want in it, how are they going to keep pedophiles out of our schools? Think of the children!
      • You're being facetious, but the government-run system really is a mess. I tried to file my biweekly claim for unemployment and it told me it's "inactive". Then I followed the instructions to reactivate it, and I was told I was ineligible because I haven't worked these last six months. Well of course I haven't worked. That's why I was on unemployment!

        Stupid, stupid government.

        I only got 4 months (April, May, June, July). Another engineering friend got 13 months - why am I being cut off? :-(

    • Re: (Score:1, Troll)

      by funkatron (912521)
      At the very least this will give fox news some new material to work with. They need it after their recent run of substandard sketches about the NHS.
  • ha (Score:1, Funny)

    by Anonymous Coward

    Spamocrats

  • by HangingChad (677530) on Sunday August 30, 2009 @09:34AM (#29251061) Homepage

    That wasn't so much a security hole as just bad programming. The equivalent of not merely leaving the barn door open, but designing the barn with no doors. Who thought that was a good plan? None of the developers spoke up and said, "Hey, this is a really bad idea!"

    And, last I checked, the page was still up.

    • by Dan541 (1032000)

      The page is up but not responding too well.

      I'm sure some /.ers will be adding to the abuse.

    • Re: (Score:3, Informative)

      by UltraAyla (828879)
      Solution: Use the website to fill up the sysadmin's box with requests that s/he add a captcha - that'll do it for sure! Right? Right?
    • by Barny (103770)

      Nah, it's good programming. The design on the other hand, is another thing.

    • by khasim (1285) <brandioch.conner@gmail.com> on Sunday August 30, 2009 @10:49AM (#29251485)

      But somewhere in the line there was an executive/manager who said "there isn't a problem" or "spammers won't bother with us" or some such.

      It's very difficult to explain a problem BEFORE it happens to someone who has a vested interest in not understanding the issue.

    • Re: (Score:1, Troll)

      by isa-kuruption (317695)

      An open barn door... is a hole in the wall. Therefore, it's a hole.

      Stop trying to sugar coat the inability of Democrats to secure anything... our nation or their own mail server.

    • Re: (Score:3, Insightful)

      by ukyoCE (106879)

      Yeah. It's pretty standard for websites to allow e-mail to an arbitrary address. Every time you sign up for a website, they send an e-mail to an arbitrary address.

      The difference is every other website sends a FORM LETTER to the address. Letting you type in a message (and especially making it the entirety or bulk of the e-mail) is what turned this into a stupid idea. Easy to fix too, if they just get rid of the "type your message here" box and do a form letter instead.
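The form-letter fix suggested in the comment above, sketched as an added example that is not code from democrats.org or from any commenter. The function name, template text, hourly throttle and sample values are assumptions; the 10-recipient cap is the figure the article gives.

```php
<?php
// Added example: all names, limits and sample values are assumptions.
const MAX_RECIPIENTS = 10;     // the cap the article says the page used
const MAX_SENDS_PER_HOUR = 3;  // assumed per-client throttle

// Fixed text: the only variable part is a filtered sender name.
const TEMPLATE = "Hello,\n\n%s thought you might be interested in our site.\n"
               . "Visit https://www.example.org/ to learn more.\n";

// Returns [recipients, body] to hand to the mailer, or an error string.
function build_invite(array $form, array &$sendLog, string $clientIp, int $now)
{
    // Sliding one-hour window of earlier sends from this client.
    $recent = array_filter(
        $sendLog[$clientIp] ?? [],
        function ($t) use ($now) { return $t > $now - 3600; }
    );
    if (count($recent) >= MAX_SENDS_PER_HOUR) {
        return 'rate limit exceeded';
    }
    $recipients = array_unique(array_map('trim', explode(',', $form['to'] ?? '')));
    if (count($recipients) > MAX_RECIPIENTS) {
        return 'too many recipients';
    }
    foreach ($recipients as $addr) {
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            return 'bad address';
        }
    }
    // Letters, spaces and a little punctuation only: no URLs, no newlines.
    $name = substr(preg_replace('/[^A-Za-z .\'-]/', '', $form['name'] ?? ''), 0, 40);
    if ($name === '') {
        return 'name required';
    }
    // $form['message'] is deliberately never read: the body is the template.
    $sendLog[$clientIp] = array_merge(array_values($recent), [$now]);
    return [$recipients, sprintf(TEMPLATE, $name)];
}

// Constructed request: the free-text field is present but has no effect.
$log  = [];
$form = ['name' => 'Alice', 'to' => 'bob@example.net',
         'message' => 'arbitrary text the sender hoped to relay'];
for ($i = 1; $i <= 4; $i++) {
    $r = build_invite($form, $log, '203.0.113.7', 1000 + $i);
    echo "attempt $i: ",
         is_array($r) ? 'fixed text queued for ' . implode(',', $r[0]) : $r, "\n";
}
```

The fourth attempt is refused by the throttle, and none of the queued bodies contain the submitted message text.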

    • by Spazmania (174582) on Sunday August 30, 2009 @11:58AM (#29251923) Homepage

      None of the developers spoke up and said, "Hey, this is a really bad idea!"

      In point of fact, I spoke up. Loudly. And eventually resigned when the problems were not adequately addressed.

      In August 2006 I wrote a white paper detailing the issues, including the "mail your friends" code that the invite URL falls under:

      http://bill.herrin.us/composer.html [herrin.us]

      In fairness, the director of technology at the time no longer works for the DNC. The current guy inherited the problem.

      • That's a good page. However your definition of "spam" is not correct. Modern spam filters are trained based on what users report. Thus "spam" is by definition any mail which the majority of your recipients don't want, and click "report spam" on. It's got nothing to do with the total number of people who receive it.

        • Re: (Score:3, Insightful)

          by Spazmania (174582)

          The problem defines the tool, not the other way around. The trained Bayesian filter is one of many tools for filtering spam and other undesired mail. But spam is not defined as "that which the Bayesian filter detects." Nor is all undesirable mail spam; spam is only a subset of undesirable email.

      • They have at least fixed the lack of a captcha on the "Email a friend" page.
    • My university decided that it would open up its wireless, since the administration didn't want to increase IT funding, but it wanted to support iPhones. Anybody with a halfway decent understanding of IT knows it's a bad idea for the college to provide free unauthenticated WiFi anywhere on campus, but apparently no one put it in terms that convinced the board.

    • ... to take control of the internet? [slashdot.org] They can't even handle a simple little website!
  • ...fail!

  • So... (Score:5, Funny)

    by Anonymous Coward on Sunday August 30, 2009 @09:51AM (#29251133)

    Spammers are making liberal use of a democrat website?

  • It's not like the Democratic party has a policy of encouraging spammers, while the Green party argues for locking up people who send unsolicited emails. This isn't a political story, folks.
    • You're not going to get many page hits with an attitude like that.

      Won't someone think of the page hits!

    • Well, actually yeah it does. Democrats, and Republicans alike, have encouraged spammers by not pushing for serious spam legislation. I agree though, it's not a political story, but I love that a DNC website is being abused by spammers. I hope for a followup news story that says RNC owned phones are abused by telemarketers.

  • by Zerbey (15536) on Sunday August 30, 2009 @10:12AM (#29251259) Homepage Journal

    Just another clueless web designer putting up an open relay form. I thought I'd seen the last of these back in the 1990s! I'm sure the web site in question has been blacklisted by all the major DNSBL lists by now.

    • I'm sure the web site in question has been blacklisted by all the major DNSBL lists by now.

      One can only hope!

    • Re: (Score:3, Informative)

      by noc007 (633443)

      The MX records for democrats.org point to 208.69.4.29, 208.69.4.30, and 208.69.4.31 and the MX records for dnc.org point to 72.35.23.4 and 216.129.90.46. As of this posting, Spamhaus doesn't have those blacklisted.

    • by Bourdain (683477)

      it is in major DNSBL (i.e. to test that, my fastmail.fm account blocked it and yahoo, of course, let it straight on through)

    • Empathy for Dolts (Score:2, Insightful)

      by Web Goddess (133348)

      I must "out" myself as being another clueless web designer who left exactly this vulnerability in my own "email page to a friend" link, as recently as April 2009. Doh!

      See, creative people have no "barrier to entry" and as long as I can write simple perl scripts, I can run them in my CGI bin. Not everyone is a gifted web designer, many of us have had no formal education in programming or security, and of course we are all struggling against spammers with a financial interest in locating exploits.

      I feel emp

  • Geniuses... (Score:5, Insightful)

    by Anonymous Coward on Sunday August 30, 2009 @10:16AM (#29251297)

    These are the same geniuses who want to be able to take down the internet when problems arise. They can't even manage themselves but want to control everything else. Go figure...

    • Re: (Score:1, Troll)

      by Keen Anthony (762006)

      You realize that democrat.org isn't a government organization, right? You realize that it's a jump point to the DNC, which is a political party, and not a government organization, right? And you realize that the very people who would take control of the internet away from private networks would not be representatives of a political party, but the military, right? Even for a troll, you're stupid.

  • Someone write an email that sends out the "new democratic party platform". Feel free to copy it from the Republicans site. Then send it to all the known big donors. I figure 10,000 emails and five minutes later and this hole will be closed. Politicians (of all persuasions) only respond to two things and reason is not one of them. Votes and money. Threaten those and they'll be all over this. =)
  • by andy1307 (656570) on Sunday August 30, 2009 @10:46AM (#29251465)
    It's not a hole..It works exactly like it was designed to work..making it easier for people to spread their word.
    • by La Gris (531858)

      More like: "It's Not A Bug - It's A Feature."

      By the way, It does not even wait between retries and it may as well fail completely in the void after the second one.

      Aug 30 16:30:14 ns1 postfix/smtpd[3774]: connect from mailservices.democrats.org[208.69.4.29]
      Aug 30 16:30:14 ns1 postfix/smtpd[3774]: connect from mail-fallback.democrats.org[208.69.4.31]

    • by Culture20 (968837)

      It's not a hole..It works exactly like it was designed to work..making it easier for people to spread their word.

      The new Democratic platform: Deposed Nigerian monarch money and bigger penises for everyone!
      I may vote next election.


  • Amazing layers of stupidity....

    Not only will they accept and deliver arbitrary messages, if their first attempt to deliver fails, they switch to a "backup" server and try again immediately and then forget the whole thing. Clearly never heard of greylisting.
  • This is definitely change we can all believe in. :p

  • A rookie mistake (Score:5, Insightful)

    by coryking (104614) * on Sunday August 30, 2009 @12:09PM (#29252021) Homepage Journal

    Who here can honestly say the first couple email forms they created *did not* get shut down by spammers? The first I created looked almost like the one linked in this article--no security checks, no throttling and the ability to completely alter the message and subject.

    The second one I created let you add extra headers in the mail message--course part of that was thanks to the shitty, insecure mail api provided by PHP. Their API is more than happy to let you add linefeeds in the "From" or "To" parameters and thus let you add extra headers (say BCC). The reason it was my fault was for using PHP in the first place!

    No sir, we've all done this. Every developer who ever created something that let the public generate email has created a gateway for spammers at least once.

    My hunch is an intern did this :-)

    • [...] insecure mail api provided by PHP. Their API is more than happy to let you add linefeeds in the "From" or "To" parameters and thus let you add extra headers (say BCC). The reason it was my fault was for using PHP in the first place!

      There is no "From" parameter. It's called additional_headers which, yes, lets you include one or more raw headers, separated by newlines. There are plenty of higher-level API-s for PHP, but you chose to pass headers to the raw API without validating. Have you heard this one: "a poor craftsman blames his tools"?

      • Re: (Score:3, Insightful)

        by coryking (104614) *

        That is why it is called a rookie mistake. And yes, I'll blame PHP. It is a beginner language and should encourage people to do the right thing. Instead, it makes it hard to create a non-exploitable mail form and trivial to make one that is wide open.

        a poor craftsman blames his tools

        A skilled craftsman knows what constitutes a good tool and why it might be important. A skilled craftsman also knows when something *is* the fault of the tool. A novice doesn't know a good tool from a bad tool. PHP is a

        • by fractalus (322043)

          PHP being dangerous for novices doesn't make it a poor tool, it makes it a poor tool for novices. C is a useful tool too, and in many cases can be the best tool for the job, but in the hands of a novice it can be dangerous.

          The problem isn't PHP specifically (because just about any web-oriented programming language can have similar problems) it's that there are lots of people interested in making dynamic web sites who don't understand the risks. Building and deploying dynamic web sites means subjecting them

          • Re:A rookie mistake (Score:4, Informative)

            by coryking (104614) * on Sunday August 30, 2009 @02:49PM (#29253433) Homepage Journal

            Web programming is not, nor should it be, something anyone can "whip up" without understanding what they're doing

            Sure, in make-believe land this will happen. But here in reality, there are tons of rookie coders writing crap, insecure web programs. Given this will *never* be stopped, the *least* PHP might do is make it feel natural to do the right thing.

            For example, if you search "PHP send mail", one of the first hits you get [about.com] has example code that *will* be exploited by spammers. The fact that the *core default way to send mail* does not have a parameter for "From:" has resulted in thousands of websites getting reamed by spammers. Everybody wants to customize the "From:" in an email based on user input! No novice will know how to properly construct a "From: $username" to pass into the additional_headers! They'll gloss over the warning in the link I gave--why? Like most people they will assume the warning only applies to people doing advanced tricks with email like attachments; all they are doing is something "simple" like customizing the From: line! Hell, that is how I got burned. I assumed since I was doing something simple, PHP would do the right thing for me. I was wrong. Live and learn!

            The easy to exploit mail function isn't what is happening in the article. That "exploit" isn't even really an exploit but it is what I originally called it--a rookie mistake. That kind of thing can be done in any language and you'd be lying to say your first email form didn't have the exact same problem!
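The additional_headers problem discussed in this sub-thread, shown as an added example that is not code from the article, the site, or any commenter. It puts the concatenated "From:" header beside a validated one; the function names and the sample input are constructed for illustration, and nothing is actually mailed.

```php
<?php
// Added example: names and sample values are constructed for illustration.

// Vulnerable pattern: user input concatenated into additional_headers.
function from_header_unsafe(string $name, string $email): string
{
    return "From: $name <$email>";
}

// Hardened: returns one single-line From: header, or null to reject.
function from_header_safe(string $name, string $email): ?string
{
    // CR, LF or NUL anywhere would end the header line early.
    if (preg_match('/[\r\n\0]/', $name . $email)) {
        return null;
    }
    // Exactly one syntactically valid address, nothing else.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Conservative display name so the quoted string cannot be broken out of.
    $display = substr(preg_replace('/[^A-Za-z0-9 .\'-]/', '', $name), 0, 64);
    return sprintf('From: "%s" <%s>', $display, $email);
}

// Split a header blob into the lines a mail server would see.
function header_lines(string $headers): array
{
    return preg_split('/\r\n|\r|\n/', $headers);
}

// Constructed input: the address field smuggles in an extra Bcc header.
$name  = 'Alice Example';
$email = "alice@example.org\r\nBcc: extra1@example.net, extra2@example.net";

$unsafe = from_header_unsafe($name, $email);
printf("unsafe builds %d header line(s):\n", count(header_lines($unsafe)));
foreach (header_lines($unsafe) as $line) {
    echo "  $line\n";
}

$safe = from_header_safe($name, $email);
echo 'safe on injected input: ', $safe === null ? 'rejected' : $safe, "\n";
echo 'safe on clean input:    ', from_header_safe($name, 'alice@example.org'), "\n";
```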

          • Building and deploying dynamic web sites means subjecting them to possible attack from billions of other people.

            You've been spoofing statcounter again haven't you?

    • by sg_oneill (159032)

      Speak for yourself. It was always obvious to me these stupid forms were far too dangerous to allow, and that was back in the mid 90s when we were first fucking around with CGI mail.

      Don't assume other people share in your historical naivete.

  • The democrats.org technical support website doesn't have a captcha either. Maybe /.ing them with requests to fix this lack of security will raise their awareness. This sort of thing is unacceptable and needs to be fixed.

    Their support website is: http://www.democrats.org/page/s/techproblems [democrats.org]

    • Mind you, it's being used by 419ers... they don't honestly believe that they'll keep 419ers out with a captcha, do they? These are the same people who'll cheerfully sit there sending mail out through hotmail accounts, so a captcha's not going to keep them out.
  • Oh (Score:3, Insightful)

    by BCW2 (168187) on Sunday August 30, 2009 @12:37PM (#29252239) Journal
    I thought it was just standard propaganda from them.

    Silly me.
  • by Punk CPA (1075871) <mitchtownsendNO@SPAMhotmail.com> on Sunday August 30, 2009 @12:48PM (#29252339)
    Nearly everything coming out of Washington looks like a 419 scam anyway.
  • by PHAEDRU5 (213667) <instascreed@@@gmail...com> on Sunday August 30, 2009 @08:11PM (#29255771) Homepage

    John McCain never left his email server open for this sort of exploit!

    • Re: (Score:1, Funny)

      by Anonymous Coward

      John McCain never left his email server open for this sort of exploit!

      That's because carrier pigeons fight back.

  • spam,spam,spam,spam,spam,spam,spam,spam.....incredible spam, lalala la la la la lalalala....incredible spam...
    (monty python short) gotta love spam...!

  • I've checked the offending page http://www.democrats.org/page/invite [democrats.org] and they have added a CAPTCHA. Hopefully this fixes the issue.
