[Mimedefang] OT: Email web form exploits

John Nemeth jnemeth at victoria.tc.ca
Wed Sep 7 03:19:39 EDT 2005 

On Jan 27,  1:21am, John wrote:
} At 11:23 PM 9/5/2005, you wrote:
} >On Jan 26,  5:16pm, John wrote:
} >}
} >} I am a System Administrator in Billings, MT.  I am having the same issue,
} >} however I do not feel this is to be taken lightly.  Mine started with IP's
} >} in Egypt & Iran.  I have attempted to contact the FBI & Dept. of Homeland
} >} Security.  Also have alerted AOL's Fraud Dept. as that's where the test
} >} emails were sent originally while testing.
} >}
} >} I attempted Federal contact Saturday when I realized what was
} >} transpiring.  Unfortunately, they are an 8-5 system unless someone's life
} >} is at stake.
} >
} >      Contacted them for what purpose?  To tell them that you're a lousy
} >programmer?  Or perhaps to tell them that you stick random unverified
} >code on your system (i.e. you're a lousy sysadmin)?
} 
} We also, are an ISP.  We, as a company, do not control content.  We should, 
} I agree, but company policy says "Not"...

     I can understand that as an ISP that you don't control the
contents of the websites that you host.  However can you not disable
insecure CGI scripts or at least tell the owner to do something about
them?  If not, then there is a serious problem with your policies.

} >} This has been a continuous, saturated attack, not at all like a simple
} >} spammer or script kiddy.  Think about what would happen if a subversive
} >} group like, and including, Bin Laden's boys found open mail forms that
} >} could be used to send coded messages in plain text with impunity and being
} >} relatively anonymous.
} >
} >      The people running insecure web sites should be nailed.
} 
} I agree 100%.  However, in the real world, when you have hundreds of sites 
} and may be 75-80 developers, that's what happens.

     It certainly does and when it does you deal with it.

} >   There is
} >a ton of information out there on how to write secure forms!  This is
} >not a new attack.
} 
} Not like this one has been.

     From the way you describe it there is nothing new here.  Go google
"formmail.cgi".

} >   This is old stuff.
} >
} >} I want some answers from the Feds on this issue and I can assure you I will
} >} be on the phone at 8:00 in the morning...
} >
} >      If I was the Feds I would simply tell you to go away and secure
} >your system.  And, if you are working for an organisation where your
} >systems must be secure by law, I would sic the appropriate agency on
} >you.
} 
} And, you already sound like a government worker.  Totally bad attitude.  I 
} expect to speak to someone like you today.  I am sure I will find a way 
} around the front guard, then maybe not.  There are plenty of folks like you 
} in the government.

     No, I do not work for the government nor have I ever worked for
the government.  But, I do live in the real world and have real world
knowledge.  I won't claim to be a security expert but I have studied it
and know the basics.  Also, I won't let my ego deceive me into
beleiving that I have discovered something new when in fact it is
common place and really simple.

}-- End of excerpt from John

More information about the MIMEDefang mailing list