Full Disclosure mailing list archives
Re: Automated mass abuse of form mailers
From: n3td3v <xploitable () gmail com>
Date: Mon, 12 Sep 2005 15:21:39 +0100
A worm/virus code is in the underground, where the malicious code searches for:

http://groups.google.com/group/n3td3v/browse_thread/thread/74395c44ef94c107/729603543ed1379e?q=vxer+vectors&rnum=1#729603543ed1379e

And then sends whatever the service is, invite/article or web link, depending on what the form's function is. This will bring carriers to a crawl, because of the mass amount of mail being sent.

This is nothing new, and the most high profile offender was Yahoo Inc, as reported by me on F-D a while back. Yahoo now have (unconfirmed) patched their mailers and forms for invites to Yahoo services.

I have been researching the potential of VXers using the mass amount of vulnerable webforms on the web for a long time. The most common offenders are online media news outlets, offering you to send an article link to a friend. The VXer wouldn't worry what the content of the mail being sent is, whether it be a random invite to a service or a link/news story. To the VXer, all he cares about is the data being sent, to slow down networks/internet.

Funnily though, many web forms for invites and news stories allow the user to add their own message, so this can be filled with garbage data, or include executable exploit code for a particular software flaw.

Regardless of this, it's the fact that these web forms are accessible, with no word verification, to stop bots/zombies/worm/virii code from exploiting these mailers.

CNET News is the _only_ media outlet or site generally that has bothered to protect its send this article web form and functionality. The rest, from my observations, are wide open, millions of them across the web. That's a lot of data that could be sent across the web. To me it's a ticking time bomb.

The Yahoo thingy I just mentioned had an added twist that the invites sent bypassed Yahoo Mail's spam technology, sending all mail straight to the inbox of the user, instead of the bulk folder. This was because the mailers were trusted by Yahoo's anti-spam, thinking the invites were coming from a trusted corporate source, but they weren't.

http://seclists.org/lists/fulldisclosure/2004/Oct/0151.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032128.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-September/026967.html
http://readlist.com/lists/lists.netsys.com/full-disclosure/1/8435.html

And so on. Way back in 2004 was when I realised the threat to the wider web and not just Yahoo's network.

You're talking about spammers using mailers to advertise a product they're connected with, however the threat of infected computers sending wanted invites, web links, news articles from websites to consumer and corporate networks is just as great, if not greater.

That's all for now.

Thanks...

On 9/12/05, Michael Holzt <kju-fd () fqdn org> wrote:
Automated mass abuse of form mailers
--
http://www.geocities.com/n3td3v
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
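Added example, not part of the original post or of any site it names: a server-side guard for a "send this article to a friend" form of the kind the message above describes as open to automated submission. It does not implement word verification; it shows the complementary controls of a signed form token, a bounded single-line note, and per-source and per-recipient rate limits. All names, limits and the secret are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"  # assumption: a per-deployment secret
MIN_FILL_SECONDS = 3     # a person needs a few seconds to fill in the form
TOKEN_TTL = 900          # a rendered form stays valid for 15 minutes
WINDOW = 3600            # rate-limit window in seconds
MAX_PER_SOURCE = 5       # mails one client address may trigger per window
MAX_PER_RECIPIENT = 3    # mails one mailbox may receive per window
MAX_NOTE_LEN = 200       # cap on the optional personal message

def issue_token(now):
    """Token embedded in the rendered form: issue time plus its HMAC."""
    ts = str(int(now))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"

def token_age(token, now):
    """Age of a genuine token in seconds, or None if it was not issued by us."""
    ts, _, mac = token.partition(".")
    good = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return None
    return now - int(ts)

class FormMailerGuard:
    def __init__(self):
        self.by_source = defaultdict(deque)     # client address -> send times
        self.by_recipient = defaultdict(deque)  # mailbox -> send times

    def _over(self, bucket, key, limit, now):
        q = bucket[key]
        while q and now - q[0] >= WINDOW:       # drop sends outside the window
            q.popleft()
        return len(q) >= limit

    def check(self, source_ip, recipient, note, token, now=None):
        now = time.time() if now is None else now
        age = token_age(token, now)
        if age is None or not (MIN_FILL_SECONDS <= age <= TOKEN_TTL):
            return "reject: bad or stale form token"
        if len(note) > MAX_NOTE_LEN or "\r" in note or "\n" in note:
            return "reject: note too long or multi-line"
        rcpt = recipient.strip().lower()
        if self._over(self.by_source, source_ip, MAX_PER_SOURCE, now):
            return "reject: source rate limit"
        if self._over(self.by_recipient, rcpt, MAX_PER_RECIPIENT, now):
            return "reject: recipient rate limit"
        self.by_source[source_ip].append(now)
        self.by_recipient[rcpt].append(now)
        return "accept"
```

The per-recipient limit matters as much as the per-source one: submissions spread across many infected hosts each stay under a per-address cap, but still converge on the same mailboxes.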