Forged FBI spam and Formmail Exploits


Back in November, Spamhaus reported that somebody had managed to send a large batch of forged email through real FBI mail servers. Brian Krebs broke down how it happened: the portal's account-registration process emails a one-time confirmation token, but the subject line and body of that confirmation message were taken from fields in the HTML form. Anybody with even the tiniest bit of web-form and HTML knowledge could edit those fields and have the FBI's own servers send email to whomever they wanted, saying whatever they wanted.

This is where the occasional gap in the institutional knowledge of spam and abuse on the internet really hurts. For those of you old enough to remember, this is the exact same problem we all dealt with about a hundred years ago (i.e. back in the mid 1990s), thanks to the Formmail.pl script found on a website called Matt's Script Archive. Matt's still a great guy -- his scripts got a bunch of us started in web application programming, myself included -- but oh, how insecure some of those early scripts were, and Formmail in particular. It had this exact problem: the recipient address and the message content were passed as form variables in the HTML, so the script trusted the submitter to say where the email should go and what it should contain. Any spammer could use it to relay messages through your Formmail-running web server, and the spam would arrive from your server's IP address, giving the spammer a fresh source to send from even after their own mail server had been blocklisted.
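To make the pattern concrete, here is an added example (written for this page, not the original Formmail.pl code or the FBI portal's code) of a Formmail-style handler in Python. The vulnerable version reads the recipient, subject and body straight from the submitted form, which is the mistake both the 1990s script and the 2021 FBI portal made; the hardened version fixes the subject server-side, checks the recipient against a server-side allow list, and wraps the submitter's text in a template. The POST body, the allow list and the addresses are all constructed for the example; nothing is actually delivered, the functions just build the message that would be sent.

```python
from email.message import EmailMessage
from urllib.parse import parse_qs

# Constructed sample POST body, shaped the way a spammer would craft it against
# a Formmail-style handler: destination, subject and body are all attacker-chosen.
ATTACK_POST = (
    "recipient=victim%40example.net"
    "&subject=Urgent+notice"
    "&body=Click+here+to+claim+your+prize"
    "&email=spoofed%40example.org"
)

# Assumed server-side policy for the hardened handler (an assumption for this
# example, not a setting from the original script): the only mailboxes the form
# may deliver to, and a fixed subject the submitter cannot change.
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}
FIXED_SUBJECT = "Website contact form submission"


def vulnerable_formmail(post_body: str) -> EmailMessage:
    """Mirrors the Formmail.pl / FBI-portal mistake: every header and the
    body come straight from attacker-controlled form fields."""
    form = parse_qs(post_body)
    msg = EmailMessage()
    msg["To"] = form["recipient"][0]       # attacker picks the destination
    msg["From"] = form["email"][0]         # attacker picks the apparent sender
    msg["Subject"] = form["subject"][0]    # attacker picks the subject
    msg.set_content(form["body"][0])       # attacker picks the content verbatim
    return msg


def hardened_formmail(post_body: str) -> EmailMessage:
    """Same form fields, but the destination must be on the server-side allow
    list, the subject is fixed, and submitted text is quoted inside a template."""
    form = parse_qs(post_body)
    recipient = form.get("recipient", [""])[0]
    if recipient not in ALLOWED_RECIPIENTS:
        # The relay trick depends on choosing the destination; refuse anything
        # the site operator did not explicitly list.
        raise ValueError("recipient not on server-side allow list")

    reply_to = form.get("email", [""])[0]
    if "\r" in reply_to or "\n" in reply_to:
        # A CR/LF in a header-bound field would let a submitter smuggle extra
        # headers (e.g. Bcc) past a naive implementation that concatenates them.
        raise ValueError("newline in header field")

    comment = form.get("body", [""])[0]
    msg = EmailMessage()
    msg["To"] = recipient
    msg["From"] = "noreply@example.com"    # the site's own address, never the submitter's
    msg["Reply-To"] = reply_to
    msg["Subject"] = FIXED_SUBJECT
    # Quote the visitor's text so the recipient sees third-party content,
    # not a message that appears to have been written by the site itself.
    quoted = "\n".join("> " + line for line in comment.splitlines())
    msg.set_content(
        "A visitor submitted the contact form.\n\n"
        f"Reply-to address given: {reply_to}\n"
        "Message:\n" + quoted + "\n"
    )
    return msg


if __name__ == "__main__":
    print("--- vulnerable handler relays the attacker's message as-is ---")
    print(vulnerable_formmail(ATTACK_POST))
    print("--- hardened handler refuses it ---")
    try:
        hardened_formmail(ATTACK_POST)
    except ValueError as exc:
        print("rejected:", exc)
```

The important line is the allow-list check: once the destination can only be one of the operator's own mailboxes, the script is useless as a relay no matter what else the submitter controls, which is the same property the FBI portal lacked when its confirmation email's subject and body were open to edit.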

So, it's not really great to hear that in 2021 somebody managed to exploit something using a method that people figured out was bad news somewhere around twenty-five years ago. But such is life.
