Fighting the Good Fight Against Spammers

The holiday season is crazy enough for ordinary citizens going about their daily routine, shopping, fighting traffic, long lines, time deadlines.  Then there's the threat of credit card and identity theft.  If that's not enough, we workers in the IT world have to deal with the maleficent opportunists that seem to come out of the woodwork to ply their warez, spam, and botnets at this time of year.

Over at Altamente, I've been battling spammers and hackers constantly since the day after Thanksgiving.  Why Thanksgiving, do you ask?  I'm so glad you asked.  It's simple.  In the US, from Thanksgiving to the last shopping day before Christmas, consumers will account for roughly 17% of all retail sales.

Spammers and hackers want their cut.

Whether it be phishing, hacking, or spamming, they have been a constant pain in the neck.

Imagine my surprise this morning when I noticed the email was slow.  I peeled back the carpet to find a horde of roaches swarming about.

Yeach.

Tons of messages were in the outgoing queue from an anonymous user, spam messages sent by my server to unwilling recipients.  I was shocked and disgusted.  How could this have happened?   I took a deep breath, decided not to panic and calmly looked through the logs and web traffic.  I already suspected a rogue web script on some virtual host somewhere.  Let's have a look at which client has gotten a bump in server traffic recently.

And there it was, a script being used by one of Altamente's clients, wp-email.php.  Now, in all fairness to the author, he has since applied a bit of paint to his "Email Article" plugin for WordPress in the form of a Captcha.  In my case, however, I overlooked the patch and the result: spammers had been injecting an automated attack against the script to deliver their payload as if it was a normal email.

Solved!  But I'm still annoyed.  Remember people, any PHP or web script that allows a user to send email needs to be thoroughly checked against such variable over-writing.  All input strings must be parsed and checked.  Put up email forms at your own peril.

Or at least watch them carefully during the Holidays.
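
As an added example (not code from the "Email Article" plugin or from this post), here is one way a PHP mail form handler can check every input string before it reaches mail(). The field names, length limits and the noreply@example.com address are assumptions made for illustration.

```php
<?php
// Added example: a hypothetical "email this article" handler.
// Field names, length limits and the From address are assumptions.

/** Return the value only if it is a short, single-line string. */
function clean_header_value($value, int $maxLen): ?string
{
    // Arrays (field[]=...) and control characters are rejected outright:
    // CR/LF in a header field would let the sender add header lines.
    if (!is_string($value) || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    $value = trim($value);
    return ($value === '' || strlen($value) > $maxLen) ? null : $value;
}

/** Return the value only if it is exactly one well-formed address. */
function clean_address($value): ?string
{
    $value = clean_header_value($value, 254);
    if ($value === null || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

/** Validate every field, then send; returns false when input is refused. */
function send_article(array $post): bool
{
    $to      = clean_address($post['recipient'] ?? null);
    $replyTo = clean_address($post['sender'] ?? null);
    $subject = clean_header_value($post['subject'] ?? null, 120);
    $body    = $post['message'] ?? null;
    if ($to === null || $replyTo === null || $subject === null
        || !is_string($body) || strlen($body) > 2000) {
        return false;
    }
    // The site's own address goes in From; the visitor's only in Reply-To.
    $headers = ['From' => 'noreply@example.com', 'Reply-To' => $replyTo];
    return mail($to, $subject, $body, $headers);
}

// Constructed input: the sender field carries a second header line.
$bad = ['recipient' => 'friend@example.org', 'subject' => 'Read this',
        'sender' => "me@example.org\r\nBcc: list@example.net", 'message' => 'Hi'];
var_dump(send_article($bad));
```

Checks like these do not stop automated submissions of well-formed input, which is the gap the Captcha mentioned above addresses.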
