Apology to my Spam Victims


The first part of the problem involves some poorly written code. My web site has a comment form that has been a recurring annoyance. The form is nearly a decade old, created as part of my very first web site. The backend processor accepts the form and sends it to me via email. A few years back I did a quick conversion from shell code to perl, as part of the migration to a new server. Otherwise it's mostly sat quietly in the corner, like an unwanted stepchild.

There is a known exploit for a web form mailing script called cgiemail. Over the past week, spammers have been very active using this to generate spam through vulnerable web servers. Turns out the exploit works not only on cgiemail, but also on many poorly written form processors. Like mine.

The second part of the problem is that I had advance warning and failed to act. Last Thursday, I saw some strange emails coming from my web server. I traced them to that form, but couldn't figure out exactly what was causing them. Since there were only a few of these messages and they contained innocuous gibberish, I soon lost interest and turned my attention to other matters.

That was a very big mistake. Those messages were just initial probes, part of the spammer's search for vulnerable systems to attack. They should have been a warning sign that trouble was on the horizon.

Noontime Friday, I received a panicked call from my partner saying our server was getting slammed. "Thousands of weird entries in our maillog," he said. When I saw what was happening I panicked too. Our server was generating thousands of emails, directing a spam flood at AOL users. I hit the big red button, metaphorically speaking. I shut down all mail processing and began shoveling out the crap.

So, I apologize to AOL and everybody who may have received this spam. This incident has provided me with a refresher lesson on secure programming and diligent system administration.