[Mimedefang] OT: Email web form exploits

John john at jjgb.com
Tue Sep 6 08:45:20 EDT 2005


At 11:23 PM 9/5/2005, you wrote:
>On Jan 26,  5:16pm, John wrote:
>}
>} I am a System Administrator in Billings, MT.  I am having the same issue,
>} however I do not feel this is to be taken lightly.  Mine started with IPs
>} in Egypt & Iran.  I have attempted to contact the FBI & Dept. of Homeland
>} Security.  Also have alerted AOL's Fraud Dept. as that's where the test
>} emails were sent originally while testing.
>}
>} I attempted Federal contact Saturday when I realized what was
>} transpiring.  Unfortunately, they are an 8-5 system unless someone's life
>} is at stake.
>
>      Contacted them for what purpose?  To tell them that you're a lousy
>programmer?  Or perhaps to tell them that you stick random unverified
>code on your system (i.e. you're a lousy sysadmin)?

We also are an ISP.  We, as a company, do not control content.  We should, 
I agree, but company policy says "Not"...


>} This has been a continuous, saturated attack, not at all like a simple
>} spammer or script kiddy.  Think about what would happen if a subversive
>} group like, and including, Bin Laden's boys found open mail forms that
>} could be used to send coded messages in plain text with impunity and being
>} relatively anonymous.
>
>      The people running insecure web sites should be nailed.

I agree 100%.  However, in the real world, when you have hundreds of sites 
and maybe 75-80 developers, that's what happens.

>   There is
>a ton of information out there on how to write secure forms!  This is
>not a new attack.

Not like this one has been.

>   This is old stuff.
>
>} I want some answers from the Feds on this issue and I can assure you I will
>} be on the phone at 8:00 in the morning...
>
>      If I was the Feds I would simply tell you to go away and secure
>your system.  And, if you are working for an organisation where your
>systems must be secure by law, I would sic the appropriate agency on
>you.

And, you already sound like a government worker.  Totally bad attitude.  I 
expect to speak to someone like you today.  I am sure I will find a way 
around the front guard, then maybe not.  There are plenty of folks like you 
in the government.


John Jaeger - Billings, Montana

EMail To	: <mailto:john at jjgb.com>
Home Page	: <http://www.jjgb.com>

PGP:
RSA Key ID: 0xAAEC7751  <http://www.jjgb.com/public_files/RSA_Key.zip>

"Our liberty is protected by four boxes...
     The ballot box, the jury box, the soap box, and the cartridge box."
                                    - Anonymous



