25 December 2003
It's Christmas! A nice relaxing day. All my co-workers are with their families, so I have the office all to myself. Should be able to get some good solid programming done. But first, a quick email check.
Receiving message 1 of 42840...
After muttering something unbecoming of a British citizen, I terminate our mail server and start sifting through the overflowing logs. Sure enough, we've got a spammer on the loose. He's found a way to hijack a web-email gateway and is in the process of carpet-bombing AOL addresses with ads for Adobe Illustrator.
The spammer's loophole was simple, but one we hadn't seen before. He'd replaced the hidden subject field with a multi-line field containing additional To: and CC: headers, followed by a 100KB email. I'd gone to great lengths to make our To: and CC: headers configurable yet secure, but he simply side-stepped all that and created his own.
There's also no way to identify the spammer, since his web connections arrived from hundreds of IP addresses all over the world. He must be controlling a network of zombies, infected by a virus or worm. When I secured our gateway, one zombie connected, failed to send, and none of the other zombies ever reconnected. He certainly keeps his minions on a tight leash.
Recently I began to wonder if I was getting a bit too paranoid about server security. It is always a balancing act between making life easier for customers vs making life difficult for attackers. Today's episode helps put that in perspective.
Update: This has become a huge exploit. We are now getting probed several times every day. Naturally we are totally immune, but I can only imagine what it's like out there for those who haven't protected themselves. It's just a matter of time before they find you...