Spammers Use Holes In Democrats.org Security
Attila Dimedici writes "According to Cloudmark, 419 spammers are using the democrats.org website to relay email and bypass spam filters. 'The abuse, which dates back at least to the beginning of this month, helps evade filters that internet service providers employ to block the messages. ... The messages were sent courtesy of this page, which allows anyone with an internet connection to send emails. The PHP script employs no CAPTCHA or other measure to help ensure there is a real human being behind each email that gets funneled through the service. The service allows messages to be sent to 10 addresses at a time and even provides a way for people to import contacts they have stored in their address book.'"
OK, come on (Score:1, Funny)
Re: (Score:2, Funny)
Re: (Score:1, Funny)
Modded you Troll because you can't spell "you're".
Furthermore, that joke is old.
Re: (Score:1, Offtopic)
With that kind of talk you'll never get elected to office. It's much more effective to use scare tactics like, "There are sex offenders everywhere and we must crack down. I'll make sure to enact new laws that give sex offenders lifelong sentences, such that they will be tracked by the government until the day they die!"
That's how you win votes.
I guess politicians should forget to mention taxes (Score:1)
With every get-tough-on-crime speech are these unwritten words:
"And because prisons and tracking and feeding of ex-offenders who can't find jobs because employers are needlessly scared costs money, please support me in my efforts to raise your taxes."
Re: (Score:2)
You're being facetious, but the government-run system really is a mess. I tried to file my biweekly claim for unemployment and it told me it's "inactive". Then I followed the instructions to reactivate it, and I was told I was ineligible because I haven't worked these last six months. Well of course I haven't worked. That's why I was on unemployment!
Stupid, stupid government.
I only got 4 months (April, May, June, July). Another engineering friend got 13 months - why am I being cut off? :-(
Re:OK, come on (Score:5, Insightful)
My goodness. I believe the reason you can't collect benefits is because most states only provide unemployment insurance for 6 months after the termination of employment. That might not be entirely correct, but it's some period of time. Secondly, The "government compassion" you're whining about was actually doubled in the stimulus bill. The bill vastly expanded unemployment benefits both in terms of length of time, amount of money provided, and tax breaks for the unemployed. See http://employeeissues.com/blog/arra-unemployment-assistance/ [employeeissues.com]
There's your frickin' government compassion. And now you want to refuse to pay into it? Conservatives who utilize government services then complain about how they shouldn't exist at all kill me. Either advocate for smaller government OR take the benefits. Don't do both. I just can't believe it. This is the type of crap that brings our country down.
Re: (Score:2)
You could have received benefits (and it sounds like you did) during the period of time after termination of work that the government is financially able to help you. That period is now over. It's not a flaw in the program - if more money is paid into the program, they can fund more people for longer. Many people contend it's short in
Re: (Score:2)
Hopefully she is just young and not actually retarded... youth I can excuse.
Re: (Score:1)
Re: (Score:2)
How long did you work at your last job? You may not have qualified for longer benefits. I went on unemployment about 5 years ago after a 4 year employment. I got 9 months of benefits. That was the maximum at the time. It was $1650 per month, also the max at the time.
Re: (Score:2)
But claiming to be Libertarian AND complaining about gov't not helping are mutually exclusive items.
Re: (Score:2)
I think the larger point that's being made is that the most vocal opponents of tax financed social welfare programs often use very heated and dangerous language to frame things like welfare and government health insurance as communist and anti-American, while saying that proponents are evil liberal communists "democrats", and that recipients are stupid and lazy.
Many feel that these programs would run more efficiently but for the net effect of tax dodgers and the political pressure, opponents put on anyone t
Re: (Score:1)
If I can't even get an unemployment check, how am I supposed to get help if I have breast cancer?
Get a man to pay for it?
Re: (Score:2)
You want to understand the problem with conservatives? Craig T. Nelson's words sum it up perfectly:
"I've been on food stamps and welfare. Anybody help me out? No."
Re: (Score:2)
>>>And now you want to refuse to pay into it?
Why should I pay for a program that claims I'm ineligible to receive benefits? That's like paying Microsoft for Windows 7, but they never bother to send it to me. (Or worse - they give me Vista instead.) The purpose of these "safety net" programs is to be there when people need them, but it's not there, then that's fraud. Like what Bernie Madoff did.
Re: You may not even pay for Unemployment (Score:3, Informative)
I think when I finally get back to work (probably January when managers get new budgets and fresh money), I'm going to refuse to pay the Unemployment. Why should I pay for a program that doesn't help me out when I need it?
In Michigan at least, employees don't pay for unemployment insurance, the employers do. Yes, in the end, everything comes out of our pockets in some way (i.e. they could pay you higher wages if they didn't have to pay for your unemployment insurance). However, you don't pay x% of your paycheck every week into Unemployment.
Re: (Score:1)
If you actually want help and aren't just trolling, call your local state (not federal) representative. They're very helpful in sorting out stupid issues like this.
Re: (Score:1, Redundant)
[correction] I only got [4] months (April, May, June, July) - why am I being cut off??? It's supposed to last longer than that. A friend of mine received unemployment for 13 months and we both live within the same state.
Grrr.
Sorry. Obviously I'm very very angry right now. I was counting on that check carrying me until January and now suddenly it's stopped for no apparent reason. I paid $19,500 in taxes last year. I've done my part and now for the government to turn its back on me is completely una
Re: (Score:3, Insightful)
Re: (Score:1)
In his defense, I have been actively searching for a job for 6 months, and only JUST scored one. My brother, who is just as qualified as I am, can't get a job at McDonalds because of this economic crisis you may have heard of.
I may not know the numbers, and I may not know why times are bad, but some of us experience it first hand.
If I put a huge chunk of money into a pot, money that I can't choose to put in there or not, I better damn well be able to pull that money out for months at a time w
Re: (Score:2)
>>>Waiting 9 months until you might get a job back in January is a pretty shitty reason for not getting off your ass
Go sit on your finger and swivel on it til you squeal like a pig*, you anonymous coward. I've actually had 3 interviews over those *7* months, and in every case it's the same - they hire someone else. In my most recent interview they refused to hire me because they were looking for a C# programmer and I "only" know C++.
Yes I'm serious. But that's the nature of the market. When you
Re: (Score:1)
Re: (Score:1, Troll)
I paid $19,500 in taxes last year. I've done my part and now for the government to turn its back on me is completely unacceptable.
Um, income taxes aren't to fund unemployment.
Re: (Score:2)
Take your anger and shove it up your ass. $19K in taxes?
Um, that's a lot more in income taxes than many if not most USians pay. How about if they just refund it to him?
Re: (Score:2)
>>>$19K is a lot more income taxes than many if not most USians pay. How about if they just refund it to him?
A year on unemployment would be equivalent to refunding the Taxes I paid on April 15. Of course what I received so far (about $7000) is far short of the amount I paid. I would have been better off to tell the IRS, "Sorry I lost my job," and keep the $19,000 rather than mail-in that check.
What I don't understand is why they make us pay income tax on unemployment checks. Or social security
Re: (Score:2)
What I don't understand is why they make us pay income tax on unemployment checks. Or social security checks. It would make more sense to make that money tax exempt, rather than hand the money to the citizen, and then demand 20% of it back???
Making it taxable income qualifies you for income tax credits. If you collect it between high paying jobs, it also allows them to Tax The Filthy Rich, which would be you, apparently.
Re: (Score:1, Troll)
ha (Score:1, Funny)
Spamocrats
Not really a hole, more like open barn door (Score:5, Insightful)
That wasn't so much a security hole as just bad programming. The equivalent of not merely leaving the barn door open, but designing the barn with no doors. Who thought that was a good plan? None of the developers spoke up and said, "Hey, this is a really bad idea!"
And, last I checked, the page was still up.
Re: (Score:2)
The page is up but not responding too well.
I'm sure some /.ers will be adding to the abuse.
Re: (Score:3, Informative)
Re: (Score:2)
Nah, it's good programming. The design, on the other hand, is another thing.
I bet lots of people complained. (Score:4, Insightful)
But somewhere in the line there was an executive/manager who said "there isn't a problem" or "spammers won't bother with us" or some such.
It's very difficult to explain a problem BEFORE it happens to someone who has a vested interest in not understanding the issue.
Re: (Score:1, Troll)
An open barn door... is a hole in the wall. Therefore, it's a hole.
Stop trying to sugar coat the inability of Democrats to secure anything... our nation or their own mail server.
Re: (Score:3, Insightful)
Yeah. It's pretty standard for websites to allow e-mail to an arbitrary address. Every time you sign up for a website, they send an e-mail to an arbitrary address.
The difference is every other website sends a FORM LETTER to the address. Letting you type in a message (and especially making it the entirety or bulk of the e-mail) is what turned this into a stupid idea. Easy to fix too, if they just get rid of the "type your message here" box and do a form letter instead.
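The fix sketched above (fixed form letter, recipients only) as an added example. This is not the democrats.org invite page's code and not from the thread; it is a small PHP handler written for this page. The site base URL, the recipient cap, the rate-limit numbers and the in-memory counter are assumptions for illustration: the visitor supplies only a display name, up to a few recipient addresses and a site-relative path, and the message body is a template the visitor cannot edit.

```php
<?php
// Added example, not the democrats.org invite page. A "tell a friend" handler
// that sends a fixed template so a visitor cannot supply the message body.
// SITE_BASE, the limits and the sender address are assumptions.
declare(strict_types=1);

const SITE_BASE      = 'https://www.example.test';
const MAX_RECIPIENTS = 5;    // assumed policy; the page in the article allowed 10
const MAX_PER_WINDOW = 3;    // assumed: submissions per client per window
const WINDOW_SECONDS = 3600;

// Validate and normalise the recipient list; refuse the whole request on any
// bad entry rather than silently dropping it.
function cleanRecipients(array $raw): array
{
    if (count($raw) === 0 || count($raw) > MAX_RECIPIENTS) {
        throw new InvalidArgumentException('recipient count out of range');
    }
    $out = [];
    foreach ($raw as $r) {
        $r = (string) $r;
        $addr = filter_var(trim($r), FILTER_VALIDATE_EMAIL);
        if ($addr === false || preg_match('/[\r\n]/', $r)) {
            throw new InvalidArgumentException('invalid recipient');
        }
        $out[strtolower($addr)] = $addr;   // de-duplicate
    }
    return array_values($out);
}

// Only a path on this site may be linked, never an arbitrary URL, so the
// form cannot be used to push a spammer's link to strangers.
function cleanPath(string $path): string
{
    if (!preg_match('#^/[A-Za-z0-9_\-/]*$#', $path)) {
        throw new InvalidArgumentException('path must be a plain site-relative path');
    }
    return $path;
}

// Display name: letters, digits, spaces and a little punctuation only.
function cleanName(string $name): string
{
    $name = trim($name);
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,60}$/u', $name)) {
        throw new InvalidArgumentException('invalid sender name');
    }
    return $name;
}

// Sliding-window counter keyed by client address. $state is a plain array so
// the example runs stand-alone; a real deployment keeps it in shared storage.
function rateLimitAllow(array &$state, string $client, int $now): bool
{
    $recent = array_filter($state[$client] ?? [], fn($t) => $t > $now - WINDOW_SECONDS);
    if (count($recent) >= MAX_PER_WINDOW) {
        $state[$client] = array_values($recent);
        return false;
    }
    $recent[] = $now;
    $state[$client] = array_values($recent);
    return true;
}

// Build the message from a fixed template. Returns the pieces mail() needs;
// the caller decides whether to actually send.
function buildInvite(array $recipients, string $senderName, string $path): array
{
    $to   = cleanRecipients($recipients);
    $name = cleanName($senderName);
    $link = SITE_BASE . cleanPath($path);
    $body = "$name thought you might like this page:\n\n$link\n\n"
          . "This message was sent from a form at " . SITE_BASE . ".\n";
    return [
        'to'      => implode(', ', $to),
        'subject' => "$name sent you a link",
        'body'    => $body,
        'headers' => "From: noreply@example.test\r\n",
    ];
}

// Usage sketch with constructed input; nothing is sent here.
$state = [];
if (rateLimitAllow($state, '203.0.113.7', time())) {
    $msg = buildInvite(['friend@example.test'], 'Alice', '/page/volunteer');
    // mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
    echo $msg['body'];
}
```

The visitor's name and the path are the only variable parts of the message, and both are validated against a tight pattern; everything else, including the From address, is fixed by the site. A CAPTCHA can be put in front of this, but the template is what removes the incentive, since a spammer cannot put their own text or link in front of the recipients.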
I warned them in 2006. (Score:5, Informative)
None of the developers spoke up and said, "Hey, this is a really bad idea!"
In point of fact, I spoke up. Loudly. And eventually resigned when the problems were not adequately addressed.
In August 2006 I wrote a white paper detailing the issues, including the "mail your friends" code that the invite URL falls under:
http://bill.herrin.us/composer.html [herrin.us]
In fairness, the director of technology at the time no longer works for the DNC. The current guy inherited the problem.
Re: (Score:2)
That's a good page. However, your definition of "spam" is not correct. Modern spam filters are trained based on what users report. Thus "spam" is by definition any mail which the majority of your recipients don't want, and click "report spam" on. It's got nothing to do with the total number of people who receive it.
Re: (Score:3, Insightful)
The problem defines the tool, not the other way around. The trained Bayesian filter is one of many tools for filtering spam and other undesired mail. But spam is not defined as "that which the Bayesian filter detects." Nor is all undesirable mail spam; spam is only a subset of undesirable email.
Finally fixed it (Score:1)
Re: (Score:1)
My university decided that it would open up its wireless, since the administration didn't want to increase IT funding, but it wanted to support iPhones. Anybody with a halfway decent understanding of IT knows it's a bad idea for the college to provide free unauthenticated WiFi anywhere on campus, but apparently no one put it in terms that convinced the board.
And we want to trust them ... (Score:2)
Epic... (Score:2)
...fail!
So... (Score:5, Funny)
Spammers are making liberal use of a democrat website?
Why is this tagged "politics"? (Score:2, Insightful)
Re: (Score:2)
You're not going to get many page hits with an attitude like that.
Won't someone think of the page hits!
Re: (Score:2)
Well, actually yeah it does. Democrats, and Republicans alike, have encouraged spammers by not pushing for serious spam legislation. I agree though, it's not a political story, but I love that a DNC website is being abused by spammers. I hope for a followup news story that says RNC owned phones are abused by telemarketers.
This has nothing to do with politics! (Score:5, Insightful)
Just another clueless web designer putting up an open relay form. I thought I'd seen the last of these back in the 1990s! I'm sure the web site in question has been blacklisted by all the major DNSBL lists by now.
Re: (Score:1)
I'm sure the web site in question has been blacklisted by all the major DNSBL lists by now.
One can only hope!
Re: (Score:3, Informative)
The MX records for democrats.org point to 208.69.4.29, 208.69.4.30, and 208.69.4.31 and the MX records for dnc.org point to 72.35.23.4 and 216.129.90.46. As of this posting, Spamhaus doesn't have those blacklisted.
Re: (Score:1)
It is in a major DNSBL (i.e. to test that, my fastmail.fm account blocked it and Yahoo, of course, let it straight on through).
Empathy for Dolts (Score:2, Insightful)
I must "out" myself as being another clueless web designer who left exactly this vulnerability in my own "email page to a friend" link, as recently as April 2009. Doh!
See, creative people have no "barrier to entry" and as long as I can write simple perl scripts, I can run them in my CGI bin. Not everyone is a gifted web designer, many of us have had no formal education in programming or security, and of course we are all struggling against spammers with a financial interest in locating exploits.
I feel emp
Geniuses... (Score:5, Insightful)
These are the same geniuses who want to be able to take down the internet when problems arise. They can't even manage themselves but want to control everything else. Go figure...
Re: (Score:1, Troll)
You realize that democrat.org isn't a government organization, right? You realize that it's the jump point to the DNC, which is a political party, and not a government organization, right? And you realize that the very people who would take control of the internet away from private networks would not be representatives of a political party, but the military, right? Even for a troll, you're stupid.
Ok Slashdot, here is your chance to fight spam (Score:2)
It's not a hole (Score:3, Funny)
Re: (Score:2)
More like: "It's Not A Bug - It's A Feature."
By the way, it does not even wait between retries, and it may as well fail completely into the void after the second one.
Aug 30 16:30:14 ns1 postfix/smtpd[3774]: connect from mailservices.democrats.org[208.69.4.29]
Aug 30 16:30:14 ns1 postfix/smtpd[3774]: connect from mail-fallback.democrats.org[208.69.4.31]
Re: (Score:2)
It's not a hole..It works exactly like it was designed to work..making it easier for people to spread their word.
The new Democratic platform: Deposed Nigerian monarch money and bigger penises for everyone!
I may vote next election.
No need to worry -- they can't deliver mail either (Score:2)
Amazing layers of stupidity....
Not only will they accept and deliver arbitrary messages, if their first attempt to deliver fails, they switch to a "backup" server and try again immediately and then forget the whole thing. Clearly never heard of greylisting.
Change we can believe in (Score:2)
This is definitely change we can all believe in. :p
A rookie mistake (Score:5, Insightful)
Who here can honestly say the first couple email forms they created *did not* get shut down by spammers? The first I created looked almost like the one linked in this article--no security checks, no throttling and the ability to completely alter the message and subject.
The second one I created let you add extra headers in the mail message; of course, part of that was thanks to the shitty, insecure mail API provided by PHP. Their API is more than happy to let you add linefeeds in the "From" or "To" parameters and thus let you add extra headers (say BCC). The reason it was my fault was for using PHP in the first place!
No sir, we've all done this. Every developer who ever created something that let the public generate email has created a gateway for spammers at least once.
My hunch is an intern did this :-)
Re: (Score:2)
[...] insecure mail api provided by PHP. Their API is more than happy to let you add linefeeds in the "From" or "To" parameters and thus let you add extra headers (say BCC). The reason it was my fault was for using PHP in the first place!
There is no "From" parameter. It's called additional_headers which, yes, lets you include one or more raw headers, separated by newlines. There are plenty of higher-level APIs for PHP, but you chose to pass headers to the raw API without validating. Have you heard this one: "a poor craftsman blames his tools"?
Re: (Score:3, Insightful)
That is why it is called a rookie mistake. And yes, I'll blame PHP. It is a beginner language and should encourage people to do the right thing. Instead, it makes it hard to create a non-exploitable mail form and trivial to make one that is wide open.
A skilled craftsman knows what constitutes a good tool and why it might be important. A skilled craftsman also knows when something *is* the fault of the tool. A novice doesn't know a good tool from a bad tool. PHP is a
Re: (Score:2)
PHP being dangerous for novices doesn't make it a poor tool, it makes it a poor tool for novices. C is a useful tool too, and in many cases can be the best tool for the job, but in the hands of a novice it can be dangerous.
The problem isn't PHP specifically (because just about any web-oriented programming language can have similar problems) it's that there are lots of people interested in making dynamic web sites who don't understand the risks. Building and deploying dynamic web sites means subjecting them
Re:A rookie mistake (Score:4, Informative)
Sure, in make-believe land this will happen. But here in reality, there are tons of rookie coders writing crap, insecure web programs. Given this will *never* be stopped, the *least* PHP might do is make it feel natural to do the right thing.
For example, if you search "PHP send mail", one of the first hits you get [about.com] has example code that *will* be exploited by spammers. The fact that the *core default way to send mail* does not have a parameter for "From:" has resulted in thousands of websites getting reamed by spammers. Everybody wants to customize the "From:" in an email based on user input! No novice will know how to properly construct a "From: $username" to pass into the additional_headers! They'll gloss over the warning in the link I gave--why? Like most people they will assume the warning only applies to people doing advanced tricks with email like attachments; all they are doing is something "simple" like customizing the From: line! Hell, that is how I got burned. I assumed since I was doing something simple, PHP would do the right thing for me. I was wrong. Live and learn!
The easy to exploit mail function isn't what is happening in the article. That "exploit" isn't even really an exploit but it is what I originally called it--a rookie mistake. That kind of thing can be done in any language and you'd be lying to say your first email form didn't have the exact same problem!
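The additional_headers newline problem discussed in the posts above, as an added example. This is not code from the thread or from PHP's documentation; it is a PHP snippet written for this page. The addresses, the site's sender address and the display-name pattern are assumptions. The naive builder shows how a visitor-controlled "From" value appends a Bcc: header; the hardened builder refuses CR/LF/NUL in every header value, accepts only a single valid address, and keeps the site's own address in From: while carrying the visitor's address in Reply-To: (so the visitor's name can still appear without a forged From).

```php
<?php
// Added example (not from the thread, democrats.org or PHP's docs). Shows the
// additional_headers newline injection the post describes and one way to close
// it. Addresses, the site's sender address and the name pattern are made up.
declare(strict_types=1);

// Vulnerable pattern: the visitor's address goes straight into the header block
// that mail() receives as its fourth argument. A "from" value of
// "a@example.test\r\nBcc: v1@example.test, v2@example.test" adds a Bcc: line.
function buildHeadersNaive(string $fromInput): string
{
    return "From: " . $fromInput . "\r\n";
}

// Hardened pattern. Three rules:
//  1. refuse CR, LF and NUL anywhere in visitor input, so no header can be
//     appended no matter how the rest of the string looks;
//  2. accept only a single syntactically valid address;
//  3. keep the site's own address in From: (the site's SPF/DKIM still match)
//     and carry the visitor's address in Reply-To:.
function buildHeadersSafe(string $fromInput, string $displayName): string
{
    foreach ([$fromInput, $displayName] as $v) {
        if (preg_match('/[\r\n\0]/', $v)) {
            throw new InvalidArgumentException('line break in header value');
        }
    }
    $addr = filter_var(trim($fromInput), FILTER_VALIDATE_EMAIL);
    if ($addr === false) {
        throw new InvalidArgumentException('not a single valid address');
    }
    // Display name: letters, digits, spaces and a little punctuation only.
    $name = trim($displayName);
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,60}$/u', $name)) {
        throw new InvalidArgumentException('invalid display name');
    }
    return "From: \"$name via Example Site\" <noreply@example.test>\r\n"
         . "Reply-To: $addr\r\n";
}

// Recipient and subject get the same line-break check. The body may contain
// newlines: it is appended after the header block, so text there stays body.
function sendContactMail(string $to, string $subject, string $body,
                         string $fromInput, string $displayName): bool
{
    foreach ([$to, $subject] as $v) {
        if (preg_match('/[\r\n\0]/', $v)) {
            throw new InvalidArgumentException('line break in header value');
        }
    }
    $to = filter_var(trim($to), FILTER_VALIDATE_EMAIL);
    if ($to === false) {
        throw new InvalidArgumentException('bad recipient');
    }
    return mail($to, $subject, $body, buildHeadersSafe($fromInput, $displayName));
}

// Constructed demonstration input: a "from" field that smuggles a Bcc: header.
$payload = "spammer@example.test\r\nBcc: v1@example.test, v2@example.test";

echo buildHeadersNaive($payload);       // a From: line AND a Bcc: line

try {
    buildHeadersSafe($payload, 'Spammer');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";   // rejected: line break in header value
}

echo buildHeadersSafe('alice@example.test', "Alice O'Neil");
```

The CR/LF check is the part that matters: address validation alone would also reject this particular payload, but a display name or subject is free text, and only an explicit refusal of line breaks keeps every header value to a single line. Putting the visitor's address in Reply-To rather than From also avoids sending mail that claims to come from a domain the site does not control.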
The root of what you are saying (Score:2)
Re: (Score:1)
Building and deploying dynamic web sites means subjecting them to possible attack from billions of other people.
You've been spoofing statcounter again haven't you?
Re: (Score:2)
Speak for yourself. It was always obvious to me these stupid forms were far too dangerous to allow, and that was back in the mid 90s when we were first fucking around with CGI mail.
Don't assume other people share in your historical naivete.
Fix the Problem (Score:1)
The democrats.org technical support website doesn't have a captcha either. Maybe /.ing them with requests to fix this lack of security will raise their awareness. This sort of thing is unacceptable and needs to be fixed.
Their support website is: http://www.democrats.org/page/s/techproblems [democrats.org]
They have a captcha now (Score:2)
Oh (Score:3, Insightful)
Silly me.
How can you tell? (Score:3, Funny)
Have the ISP pull the plug if they don't fix it... (Score:1)
http://www.democrats.org/page/s/techproblems [democrats.org]
http://www.xo.com/forms/Campaign/Care/ContactCustomerCare/ContactCustomerCare.aspx [xo.com]
Oh the irony (Score:3, Funny)
John McCain never left his email server open for this sort of exploit!
Re: (Score:1, Funny)
John McCain never left his email server open for this sort of exploit!
That's because carrier pigeons fight back.
spam (Score:2)
spam,spam,spam,spam,spam,spam,spam,spam.....incredible spam, lalala la la la la lalalala....incredible spam...
(monty python short) gotta love spam...!
As of This Morning It Appears To Be Fixed (Score:2)
I've checked the offending page http://www.democrats.org/page/invite [democrats.org] and they have added a CAPTCHA. Hopefully this fixes the issue.
Next time, strive for +5 funny (Score:1)
If you'd posted a genuine 419 mail, particularly one re-written to spoof the Democratic Party, it would be marked +5 funny not -1 troll.
Re: (Score:1)
Re: (Score:2, Insightful)
http://www.huffingtonpost.com/2008/06/11/mccain-admits-he-doesnt-k_n_106478.html [huffingtonpost.com]
http://www.youtube.com/watch?v=f99PcP0aFNE [youtube.com]