09.14.05

Mail Form Injection Attacks

Posted in General at 3 pm

To: Our Clients
Re: Recent Mail Form Abuse

We are approaching this abuse as a multi-step process. As you might imagine, this bot has been hitting web-2-mail forms all over the web. We’re dealing with it through a set of solutions for your forms as well as for other forms that we have created for clients going back over many years.

1) Our first step was to eliminate the ultimate goal of the ‘bot, which was to send a customized message to a hijacked AOL account. Our estimation of the purpose of this bot is to find web-2-mail forms that can be used to reflect spam to other victims. The initial e-mails that we are seeing coming through the forms are probes being used to test for the vulnerabilities. The first steps we took eliminated the option of sending these mails out to addresses that we did not designate in the form itself.

By plugging this hole, the form will no longer be a viable reflector for spammers. This should take the form off of the testing list at some point in the future. These first steps were critical to making the form less attractive to spammers in the first place.

However, this step, as you’ve seen, did not keep the probes themselves from being passed on to ‘approved’ mail addresses.

2) Our second step was to detect the probes in a very specific manner and to cull them out from the legitimate messages that are coming through the forms. We want to be *very* careful here in order to remove *only* the mails that are illegitimate probes/reflection spams. We identified a number of potential ‘fingerprints’ that could be used and decided upon one that should only be used by nefarious ‘bots, and not by actual customers.

While we have this in place, the messages that trigger the detector will be re-routed to us for analysis. If we happen to find a legitimate mail caught with this fingerprint, we will forward it back to you and adjust the detector as appropriate.
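The two steps above, worked through as an added Python example (not the Perl code from the original forms): the recipient is resolved server-side from a fixed table keyed by a short form value so the form cannot relay to client-supplied addresses, header fields are refused if they contain line breaks, and submissions matching a fingerprint are re-routed to a reviewer inbox instead of the client. The addresses, the `dept` key, and the `looks_like_probe` fingerprint are constructed stand-ins; the real detector is not described in the post.

```python
import re
from email.message import EmailMessage

# Constructed example values: the form submits a short key such as "sales";
# the real address lives only here, never in the HTML or the request.
RECIPIENTS = {"sales": "sales@example.com", "support": "support@example.com"}
FORM_SENDER = "webform@example.com"      # fixed sender for all form mail
QUARANTINE = "formwatch@example.com"     # reviewer inbox for suspected probes
HEADER_BREAK = re.compile(r"[\r\n]")

def looks_like_probe(fields):
    """Hypothetical fingerprint standing in for the site's private detector:
    the probe stuffs the same string into every free-text field."""
    texts = {fields.get(k, "").strip() for k in ("name", "subject", "message")}
    return len(texts) == 1 and texts != {""}

def route(fields):
    """Turn a form POST (dict of field -> value) into (destination, message).
    Raises ValueError for submissions that must not be mailed at all."""
    # Step 1: the recipient is picked from the allow-list by key. Any address
    # the client supplies (e.g. a hidden "to" field) is ignored, so the form
    # cannot be used to reflect mail to third parties.
    to_addr = RECIPIENTS.get(fields.get("dept", ""))
    if to_addr is None:
        raise ValueError("unknown recipient key")
    # Header fields must be single-line; an embedded line break would let the
    # client append headers of its own. Only the body may span lines.
    for name in ("name", "email", "subject"):
        if HEADER_BREAK.search(fields.get(name, "")):
            raise ValueError(f"line break in header field {name!r}")
    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["Subject"] = fields.get("subject") or "Web form submission"
    if fields.get("email"):
        msg["Reply-To"] = fields["email"]
    msg.set_content(f"From {fields.get('name', '')}:\n\n{fields.get('message', '')}")
    # Step 2: messages matching the fingerprint go to the reviewer for
    # analysis instead of being delivered to the client.
    if looks_like_probe(fields):
        msg["To"] = QUARANTINE
        msg["X-Form-Quarantine"] = "matched-fingerprint"
        return "quarantine", msg
    msg["To"] = to_addr
    return "deliver", msg

# Constructed submissions: one legitimate enquiry and one probe-shaped post.
LEGIT = {"dept": "sales", "name": "Pat Example", "email": "pat@example.net",
         "subject": "Quote request", "message": "Please send current pricing."}
PROBE = {"dept": "sales", "name": "xyz", "email": "xyz@example.org",
         "subject": "xyz", "message": "xyz"}

if __name__ == "__main__":
    for sub in (LEGIT, PROBE):
        dest, m = route(sub)
        print(dest, m["To"])
```

A quarantined message keeps the original Reply-To, so a legitimate mail caught by the fingerprint can be forwarded on to the client unchanged.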

09.10.05

Catching up with August 2005

Posted in Apple, Career, General, Life, Media, Tech, Transport, Web at 9 am

For the first post of September, we’ll be covering August and the last few weeks with QuickNotes™…

1) I’ve got a new laptop: 15″ PowerBook. Woo Hoo! It’s teh hot! Seriously, switching from the plastic-cased iBook to the aluminium-wrapped 15″ PB has given me a new appreciation for thermodynamics. (But still the PB is FAST! So much faster than the iBook.)

2) Tiger is okay, but little to write home about. The UI inconsistencies in OS X from the system and iApps perspective are becoming more obvious. But I could be just railing against the fact that part of iChat crashes on a regular basis, just after I switched back to using it instead of Adium because iChat can now do multiple accounts including Jabber accounts.

3) General instability is the call of the day. Some things are crapping out way too easily. I’m letting Steve use my iBook while he’s out in Astoria for school, and I’ll be putting Panther on it.

4) Went and saw part of the Woodburn NEDRA electric drag races. Took some video and put together some movies for John Wayland over at Plasma Boy Racing.

5) The new iTunes interface is an unnecessary change unless it’s carried out to the rest of the iApps. The name for it seems to be “Polished Metal” as opposed to the older (and reviled) “Brushed Metal”. The iPod Nano looks cool but it took me days to find out it was solid-state flash and not hard drive-based. The ROKR iPhone is for SUKRs. Totally crippled and nothing new hardware-wise. Apple can’t build the whole widget, so the widget is a total compromise.

6) Our living room television died. Would like to replace it with a flat LCD, but they’re still more money than I want to invest in Home Entertainment. If anyone’s got a recommendation for a $200 to $300 television with *LOTS* of input and output jacks, let me know.

7) I’ve got a freelance project launching in the next couple of days. I’ll point to it once it’s got a bit of burn-in time.

8) I’ve been seeing a new testing probe-bot that’s crawling around Contact forms. It’s already hit LazerQuick where we’ve patched it and just last night it hit my feedback form on OrderSomewhereChaos. Nasty little bugger made me dive back into Perl code that I’ve not touched in 6 or 7 years. The mail is being sent to the (probably compromised) AOL account of “jrubin3456@aol.com”. They’re looking to find tons of spamming reflectors. I’m sure they’ll find *LOTS* of them.

9) Amy and I are off to see the final regular-season game for the Timbers! Mighty Mighty Timbers!