Request for technical assistance

I suspect that the comments portion of this weblog may have been used to send spam, and I need to find out if this was what happened, and if it was, what I have to do to prevent it from happening again.

Details, including problem headers

I could use the professional opinion of folks who have sendmail expertise. Greymatter (the blogging software I use) sends me copies of each comment posted in this weblog. These always arrive with the same [Greymatter] Notice: Comment Posted header, and most of the time I just dump them because I read the comments on the site. They serve more to let me know I have comments I need to check out than anything. Not sure why I read the first of the two problem ones this morning, but I did, and now I’m worried.

Though both problem e-mails this morning had the same outside header, and had been sent to me by the Greymatter program, neither was anything that had been posted in response to an entry. Usual Greymatter mail tells me which post (title and number) received the comment, and these didn’t have that. One was, instead, a couple of articles on gay rights protesters at Harvard, and it looks like it might have been spammed either to me through the program, or worse, sent using some flaw in the program to a lot of other people. The other one was a blank message.

Can one of you folks take a look at the headers included in the extended entry and tell me whether this is something that would require me shutting down comments, or turning off all HTML in comments (I’ve already dropped it from ‘pretty much anything goes’ to ‘bold, underline, link only’ this morning), or whether this looks like it was something that was incoming and only affected me?

I don’t want to have to shut down comments, which are the most likely exploitable part of the program but also a part of this weblog that I value. So I would be grateful for any help figuring out what this was and how to prevent it from happening again.

Thanks in advance.

From: Greymatter
Date: Fri Jun 27, 2003 6:14:12 PM US/Eastern
To: my email address
Subject: [Greymatter] Notice: Comment Posted

Received: from smtp.sff.net (smtp.sff.net [127.0.0.1])
by smtp.sff.net (Greyware Mailman 1.1.b.20030625R)
via FILE ;
Fri, 27 Jun 2003 13:34:54 -0500
Received: from mail.webbox.com (mail.webbox.com [207.231.76.69])
by smtp.sff.net (Greyware Mailman 1.1.b.20030625R)
with ESMTP ID ;
Fri, 27 Jun 2003 13:34:47 -0500
Received: from mauve [207.231.76.117] by mail.webbox.com
(SMTPD32-6.00) id AE461F550078; Fri, 27 Jun 2003 11:34:46 -0700
To: "watchdog@militia-watchdog.org"
From: "Margaret Marten"
Subject: MA: Phelps Clan Protests At Harvard
Message-Id: <270603178.41687@webbox.com>
Mime-Version: 1.0
Content-Type: text/plain
content-length: 4180
Date: Fri, 27 Jun 2003 11:34:47 -0700
X-Exempt-Data: No
X-Exempt-IP: No
X-Envelope-From: mmarten@netwalk.com
Precedence: bulk
Mailing-List: watchdog@militia-watchdog.org; moderator mark.pitcavage@worldnet.att.net
Return-Path: watchdog@militia-watchdog.org
Reply-To: watchdog@militia-watchdog.org
List-Unsubscribe: watchdog-unsubscribe@militia-watchdog.org
Sender: "Margaret Marten"

Errors-To: watchdog-bounce@militia-watchdog.org
X-Renamed-Executables: No
X-Disabled-Scripts: No
X-List-Recipient: [removed]

http://www.thecrimson.com/article.aspx?ref=348472

Originally published on Friday, June 27, 2003 in the News section
of The Harvard Crimson.

Anti-Gay Rights Group Protests At Commencement
By J. HALE RUSSELL
Crimson Staff Writer

Graduates marching toward banner-filled Tercentenary Theatre
were faced with placards of another sort Commencement day, as

[snipped by me, then more headers]

Received: from smtp.sff.net (smtp.sff.net [127.0.0.1])
by smtp.sff.net (Greyware Mailman 1.1.b.20030625R)
via FILE ;
Fri, 27 Jun 2003 13:34:54 -0500
Received: from mail.webbox.com (mail.webbox.com [207.231.76.69])
by smtp.sff.net (Greyware Mailman 1.1.b.20030625R)
with ESMTP ID ;
Fri, 27 Jun 2003 13:34:47 -0500
Received: from mauve [207.231.76.117] by mail.webbox.com
(SMTPD32-6.00) id AE461F550078; Fri, 27 Jun 2003 11:34:46 -0700
To: "watchdog@militia-watchdog.org"
From: "Margaret Marten"
Subject: MA: Phelps Clan Protests At Harvard
Message-Id: <270603178.41687@webbox.com>
Mime-Version: 1.0
Content-Type: text/plain
content-length: 4180
Date: Fri, 27 Jun 2003 11:34:47 -0700
X-Exempt-Data: No
X-Exempt-IP: No
X-Envelope-From: mmarten@netwalk.com
Precedence: bulk
Mailing-List: watchdog@militia-watchdog.org; moderator mark.pitcavage@worldnet.att.net
Return-Path: watchdog@militia-watchdog.org
Reply-To: watchdog@militia-watchdog.org
List-Unsubscribe: watchdog-unsubscribe@militia-watchdog.org
Sender: "Margaret Marten"

Errors-To: watchdog-bounce@militia-watchdog.org
X-Renamed-Executables: No
X-Disabled-Scripts: No
X-List-Recipient: [removed]

http://www.thecrimson.com/article.aspx?ref=348472

Originally published on Friday, June 27, 2003 in the News section
of The Harvard Crimson.

Anti-Gay Rights Group Protests At Commencement
By J. HALE RUSSELL
Crimson Staff Writer

Graduates marching toward banner-filled Tercentenary Theatre

And a second e-mail, blank except for this.

From: Greymatter
Date: Fri Jun 27, 2003 11:17:23 PM US/Eastern
To: my email
Subject: [Greymatter] Notice: Comment Posted

Received: from smtp.sff.net (smtp.sff.net [127.0.0.1])
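To read a chain like the one above, here is an added example (not Greymatter’s code and not from the original post) that unfolds the Received headers, lists the hops oldest-first and checks whether the first hop was received by one of your own machines. The sample headers are constructed from the first problem e-mail above; the own-host set {"smtp.sff.net"} is an assumption.

```python
import re
# Constructed sample: the Received lines of the first problem e-mail above, with the
# continuation lines indented the way header folding (RFC 2822) requires.
SAMPLE_HEADERS = """\
Received: from smtp.sff.net (smtp.sff.net [127.0.0.1])
 by smtp.sff.net (Greyware Mailman 1.1.b.20030625R)
 via FILE ;
 Fri, 27 Jun 2003 13:34:54 -0500
Received: from mail.webbox.com (mail.webbox.com [207.231.76.69])
 by smtp.sff.net (Greyware Mailman 1.1.b.20030625R)
 with ESMTP ID ;
 Fri, 27 Jun 2003 13:34:47 -0500
Received: from mauve [207.231.76.117] by mail.webbox.com
 (SMTPD32-6.00) id AE461F550078; Fri, 27 Jun 2003 11:34:46 -0700
"""

def unfold(raw):
    # Join folded continuation lines (leading whitespace) back onto their header.
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(value):
    # Pull 'from' host, bracketed IP, 'by' host and timestamp out of one Received value.
    m = re.match(r"from\s+(\S+)(.*?)\bby\s+(\S+)", value, re.S)
    if not m:
        return None
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(2))
    return {"from": m.group(1), "by": m.group(3),
            "ip": ip.group(1) if ip else None,
            "date": value.rsplit(";", 1)[1].strip() if ";" in value else ""}

def relay_chain(raw_headers):
    # Each relay prepends its own Received line, so the bottom-most one is the first hop.
    hops = []
    for line in unfold(raw_headers):
        if line.lower().startswith("received:"):
            hop = parse_received(line.split(":", 1)[1].strip())
            if hop:
                hops.append(hop)
    return list(reversed(hops))

def origin_is_external(raw_headers, own_hosts):
    # True when the oldest hop was received by a machine outside own_hosts (assumed set).
    chain = relay_chain(raw_headers)
    return bool(chain) and chain[0]["by"] not in own_hosts
```

Received lines can be forged by whoever injects the message, so only the hops added by servers you trust are reliable evidence.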


3 comments
  • Katherine Jun 28, 2003 @ 10:28

    The interesting thing is that the Harvard mail appears to be legitimate. That is, it appears to have come from a real organization with a real address, and real humans who would hopefully be appalled to find that they were associated with such sleazy tactics. Sending an explanation of the problem and a copy of the headers to abuse@militia-watchdog.org might have useful results.

  • Holly Jun 28, 2003 @ 9:34

    Thanks, Jim. For the time being, I’ve put us on a ‘Names Only’ basis.

    I apologize to everyone for removing reciprocal e-mail/homepage links, but until I clear this up, let’s keep you as far off the Spam Gods’ radar as we can.

  • Jim Jun 28, 2003 @ 9:05

    Holly,

    I’ve noted reference on other websites to harvesting programs which can pick up E-mail addresses in plain text (and I suspect that they read the text embedding @, not an HTML tag) from web sites such as blog comments and message boards.

    Rootsweb (www.rootsweb.com) is a good example.

    They handle it by adding a conversion program to posts which parses the text string @ and replaces the characters with a graphic rendering on a character-by-character basis. That eliminates the trojan’s ability to parse the text.

    You MIGHT have to (at least temporarily) shut down the E-mail and Homepage options in the comment section (or ask posters to voluntarily "doctor" their addresses by adding spaces or, better, underscores between letters), and the generation of a hyperlink based on those entries. Note that this only solves half of the problem; it assures that your posters won’t receive any spam as a result of having their addresses harvested from your site, but the spammers could still use the addresses as fake addresses to send mail. (NOT, of course, that they don’t have their own ways of generating fake addresses by the carload; at least, most of the spam I’ve seen lately is probably attributed back to one-use-only randomly generated character sets.)

    Hope this helps or at least gives you a place to look. To paraphrase Bones McCoy, I’m a physicist, not a hacker.
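One way to implement what Jim describes (keeping a harvester that scans plain text for @ from reading poster addresses) and the ‘Names Only’ setting Holly switched to, as an added example that is not Greymatter’s code or anything from the thread; it uses HTML numeric entities instead of Rootsweb’s per-character graphics, treats the comment body as plain text, and the function names are assumptions.

```python
import html
import re

# Matches the ordinary shape of an address inside plain comment text.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def entity_encode(text):
    # Every character becomes a numeric entity: browsers display it normally, but the
    # literal '@' and the readable address never appear in the page source.
    return "".join(f"&#{ord(c)};" for c in text)

def mask_addresses(comment_text):
    # HTML-escape the comment first (so posted markup is inert), then entity-encode
    # any address a harvester scanning for '@' would otherwise pick up.
    return ADDRESS_RE.sub(lambda m: entity_encode(m.group(0)), html.escape(comment_text))

def render_poster(name, email=None, homepage=None, names_only=False):
    # names_only is the 'Names Only' setting: no mailto or homepage link at all.
    # Otherwise link the name, with any mailto address entity-encoded.
    if names_only or not (email or homepage):
        return html.escape(name)
    if email:
        return f'<a href="mailto:{entity_encode(email)}">{html.escape(name)}</a>'
    return f'<a href="{html.escape(homepage)}">{html.escape(name)}</a>'
```

Entity encoding only defeats harvesters that read the raw page text for @; one that decodes entities first still recovers the address, which is why dropping the link entirely is the stronger option.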
