We're not part of the solution

A Brief Lesson in Email Spam

I received an urgent support ticket yesterday from a client’s hosting provider. It said that email spam was originating from our client’s website. It was the typical email that most people refer to as a “Nigerian email scam” or a “419 scam.” Here’s the email:

Dear Friend,

Greetings in the name of God,Please let this not sound strange to you
for my only surviving lawyer who would have done this died early this
year.

I prayed and got your email id from your country guestbook.I am Mrs Rose
Holtsbery from London,I am 58 years old,i am suffering from a long time
cancer of the lungs which also affected my brain, From all indication my
conditions is really deteriorating and it is quite obvious that,
according to my doctors they have advised me that i may not live for the
next two months,this is because the cancer stage has gotten to a very
bad stage.

I was brought up from a motherless babies home was married to my late
husband for twenty years without a child,my husband died in a fatal
motor accident Before his death we were true believers.Since his death I
decided not to re-marry,I sold all my inherited belongings and deposited
all the sum of 10million dollars with a Bank.

Presently, this money is still with the bank and the management just
wrote me to come forward and claim my money because they have kept it
for so long or rather issue a letter of authorization to somebody to
receive it on my behalf since I can not come over because of my illness,
or they get it confiscated.

Presently, I'm with my laptop in a hospital here in Switzerland where I
have been undergoing treatment for cancer of the lungs. My doctors have
told me that I have only a few months to live.It is my last wish to see
that this money is invested to any organization of your choice and
distributed each year among the charity organization,the poor and the
motherless babies home.

I want you as God fearing person, to also use this money to fund
church,mosque, orphanages and widows,I took this decision before i rest
in peace because my time will soon be up.

As soon as I receive your reply I shall give you the contact of my
Doctor Legal practioner(lawyer) who will issue you a letter of Authority
that will prove you as the new beneficiary of my fund.

Provide me with your information so i can send it to the bank as the new
beneficiary and issue you a letter of authorization.

Below is the information needed from you:

FULL NAMES:__________SEX: _____ AGE: ______MARITAL
STATUS:_______________COUNTRY: ______
CONTACT ADDRESS: ________________________PHONE NO#___________FAX
NO#_________________OCCUPATION:______________

Please assure me that you will act accordingly as I stated herein.Hoping
to hear from you soon.

Mrs Rose Holtsbery

I had no idea where to begin solving this issue, so I called Rackspace, the hosting company. The support folks confirmed that the email was originating from the server and ran some diagnostics to locate the source. We quickly found the problem and I got an education in spamming…

On the client’s website, there is a folder cleverly named “uploads,” which stores all images and documents uploaded through the content management system. Some lazy web developer (me) had set the permissions on the folder to 777. What 777 means is that every account on the server, the web server process included, can read, write and execute files in this folder. Scammers use bots (automated scripts) to crawl the web looking for open folders like this. When they find one, they attempt to write a simple PHP script into the folder. This script is the spam mailer, but it uses your server to do the dirty work. We found a script named “isunn.php” in the uploads folder. If you navigated to the file in your browser, it looked like this:

[Screenshot: spam-GUI, the mailer’s web form]

Pretty slick. It’s basically an email spam GUI. You simply enter the details, including the number of people you want to email and hit the SEND button. Easy peasy.

Anyway, I thought it was interesting to get a brief education in the mechanics of spamming. And the lesson is: don’t ever set folder permissions to 777 on your web server.
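The check and the fix the post describes, as an added shell example that is not code from the post or from the client’s site: it lists world-writable directories and server-side script files under an uploads tree, then drops the write bit for everyone but the owner and, for Apache 2.4, adds an .htaccess so nothing in that tree is ever executed. The uploads path, the file names and the Apache setup are assumptions.

```shell
#!/bin/sh
# Audit a web upload directory for the two conditions that let a dropped
# PHP mailer run: world-writable directories and script files where only
# images and documents belong. Then harden it. Assumed layout: DOCROOT/uploads.

# Print one finding per line; empty output means nothing was found.
audit_upload_dir() {
    dir="$1"
    # Directories whose "other" write bit is set (chmod 777 and friends).
    find "$dir" -type d -perm -0002 -print 2>/dev/null | sed 's/^/world-writable dir: /'
    # Server-side scripts are never legitimate content in an uploads tree.
    find "$dir" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \
        -o -name '*.php[0-9]' \) -print 2>/dev/null | sed 's/^/script in uploads: /'
}

# Number of findings, for a cron job or monitoring check to act on.
audit_upload_dir_count() {
    audit_upload_dir "$1" | wc -l | tr -d ' '
}

# Remove world-writability and tell Apache never to execute files here.
# Suspicious scripts are left in place (and still reported by the audit)
# so they can be preserved for incident handling rather than silently deleted.
# Note: the .htaccess only takes effect if AllowOverride permits it; on nginx
# or php-fpm setups an equivalent location block is needed instead.
harden_upload_dir() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    cat > "$dir/.htaccess" <<'EOF'
# Serve uploads as static files only; never hand them to a script engine.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}
```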


1 Comment

  1. Dennys

    Hi folks!

    There is another important thing: always filter uploaded files by MIME type to accept only the necessary types, like images (png, jpg, etc.) and documents (pdf, docx, etc.).

    []’s
    Dennys Fredericci
