dadaIMC Discussion List
Re: [IMC-Tech] Dadaimc sites being exploited, lack of captcha-style verification
Hi Ben,
To answer the question of where this sort of exploitation has been
observed in the wild, yes, the dada site at stlimc.org can get on the
order of ~100 bounce messages daily from apache for what appear to be
user registrations for randomly generated email addresses (both user and
domain name). The number of these submissions makes clear they are
generated by bots, although I don't wish to turn on IP tracking (yet) to
determine whether these bot attacks come from a single source.
When the domain name in these submitted email addresses is bogus, then
this only results in wasted net/CPU/DNS/disk/database bandwidth of the
server hosting dada, although even this could easily be used to swamp
the host server, since it bypasses dada's caching function.
When the domain is NOT bogus, then this can also swamp mail servers
receiving such bogus registration notifications. When you consider
further that this exploit exists on every dada site out there (100s?),
you see how this could easily become a vector for a distributed DoS
attack on a specific mail server.
I'll postulate that this sort of bot attack (whether for DoS against the
site hosting data or against some 3rd-party victim mailserver) is *very
easy* to do, it does not have to be specifically tailored for the dada
codebase, and it evidently is being done now. You only need to script
the following:
1. start at dada's base URL (e.g. stlimc.org/)
2. visit every page linked within 2 levels of the base URL until you
find an HTML form with an email field, a textarea tag, and something
resembling a submit button (which can be done readily with clever regex
coding)
3. insert target email address into appropriate field, and arbitrary
content (i.e. spam) into the textarea
4. click submit
5. repeat, ad infinitum
Indeed, step #2 only needs to be performed once for each dada site,
since the script could generate a list of URLs for that site where the
exploitable HTML forms can be found, and then reuse the list on each
subsequent iteration. Step #3 could also be streamlined by caching the
HTML form data, and then repeatedly submitting with different email
addresses. (Yes, I'm reluctant to post these details, but the fact that
I've observed apparent bot attacks that exploit dada means these details
are already known.)
The "emailto" function was particularly vulnerable to this sort of bot
attack, since it provided a way to send arbitrary content to arbitrary
email addresses. The new user registration function is still vulnerable
to sending traffic to arbitrary emails. I.e. both can be exploited to
generate bogus email traffic.
A captcha field on the emailto form or the new user registration form
would presumably slow down the bot attack, since it would require the
server hosting the bot to process captcha images on (ideally) each
iteration, although I am aware this limits the accessibility of dada for
visually impaired users.
Ben Dean-Kawamura wrote:
> My understanding is the reason that emailto.php was problematic was
> that people could use it to send arbitrary message bodies. If the
> text of the message is just a generic signup message, I don't see what
> benefit could spammers get from exploiting it.
>
> Have you seen this being exploited in the wild?
>
> Ben
>
> On 11/26/06, Ben <westbywest-AT-riseup.net> wrote:
>> Hi,
>>
>> I noticed this problem on the dadaimc at stlimc.org and have similarly
>> disabled the emailto.php file.
>>
>> Likewise, I've discovered another avenue for spam via the "accounts"
>> module in dada, which is responsible for tracking user logins and
>> registration. In particular, the page where visitors sign up for new
>> accounts, i.e. .../mod/accounts/index.php?function=new has no captcha
>> field, allowing bots to enter arbitrary email address then have the
>> webserver send registration confirmation messages to that address.
>>
>> I find this latter exploit more problematic than the emailto feature,
>> since every dadaimc site out there can likely be exploited as such, and
>> the only way to prevent it so far is to disable new user registration.
>>
>> Indeed, I wonder if these spam exploits in dada are a contributing
>> factor for riseup.net (which hosts several dada imcs) routinely finding
>> itself on email blacklists.
>>
>> Since dadaimc development appears to be on hold in lieu of ongoing
>> discussion among imc-tech community about migrating to a new CMS, could
>> anyone recommend a workaround to this problem?
>>
>> John Milton wrote:
>>> Hi folks:
>>>
>>> This may be a well understood issue here, but just in case it's not...
>>>
>>> The Indy CMS "DadaIMC" has a feature which allows users to email copies
>>> of stories to other readers.
>>>
>>> Spammers have produced a "bot" which exploits this feature to use the
>>> site as a spam distribution service by adding spam content to the text
>>> block of the email that is sent.
>>>
>>> If I had not installed countermeasures the server I run, Illich, which
>>> hosts 7 Dada sites would have been responsible for the distribution of
>>> over 100,000 spam emails during the last 36 hours.
>>>
>>> I can't find a switch in the user interface to switch this feature off,
>>> nor am I aware of a patch to insure that the email to be sent is not
>>> spam, so the only thing I was able to come up with was to disable the
>>> code as follows:
>>>
>>> In the current version of Dada, 99.3X, the email function is done by a
>>> file called "emailto.php" which will be found in the document root
>>> directory of the site. Replacing that file with something like this
>>> (with same name and permissions) will disable the feature without
>>> breaking the software or flooding the error log file:
>>>
>>> ----------File follows-----------
>>> <html>
>>> <head>
>>> <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
>>> </head>
>>> <body>
>>> Due to abuse by spammers this feature is not available at this time.
>>> </body>
>>> </html>
>>> -----------------------------------
>>>
>>> I'd really be interested in any better solution to this issue...
>>>
>>
>> --
--
Ben West
westbywest-AT-riseup.net
savetheinternet.org
-------------
To unsubscribe, send blank email
to dadaIMC-off-AT-lists.dadaimc.org
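One defensive check the figures in this thread suggest, as an added example that is not code from dadaIMC or from any poster: it reads Apache's own access log (which is written whether or not dada's IP tracking is on) and flags clients that POST the new-account form at a bot-like rate. The log lines, addresses, window and threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log sample (not real stlimc.org traffic): one client hammering the signup form, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2006:10:00:01 -0600] "POST /mod/accounts/index.php?function=new HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Nov/2006:10:00:04 -0600] "POST /mod/accounts/index.php?function=new HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Nov/2006:10:00:07 -0600] "POST /mod/accounts/index.php?function=new HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Nov/2006:10:00:11 -0600] "POST /mod/accounts/index.php?function=new HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Nov/2006:10:00:15 -0600] "POST /mod/accounts/index.php?function=new HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.2 - - [27/Nov/2006:10:01:10 -0600] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.2 - - [27/Nov/2006:10:03:30 -0600] "POST /mod/accounts/index.php?function=new HTTP/1.1" 200 512 "http://stlimc.org/" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SIGNUP_PATH = "/mod/accounts/index.php"   # path from the thread; "function=new" selects the signup page

def parse_line(line):
    # Returns (ip, timestamp, method, path, status), or None for a line that is not a request record.
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def signup_posts(log_text):
    # Yields (ip, timestamp) for every POST that submits the new-account form.
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST":
            path, _, query = rec[3].partition("?")
            if path == SIGNUP_PATH and "function=new" in query.split("&"):
                yield rec[0], rec[1]

def flag_bursts(log_text, window=timedelta(minutes=5), threshold=5):
    # Maps each client IP to its largest run of signup POSTs inside one sliding window; keeps only IPs reaching the threshold.
    by_ip = defaultdict(list)
    for ip, when in signup_posts(log_text):
        by_ip[ip].append(when)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward until it spans at most `window`
            run = end - start + 1
            if run >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), run)
    return flagged
```

A human fills the form once, so a client that reaches the threshold is a candidate for blocking at the webserver or for throttling before the confirmation mail is ever sent.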