I received an ominous e-mail from my server host Thursday: The DNS service(s) on your server are currently open to recursive queries from the world, leaving them vulnerable to DNS cache poisoning attacks and allowing them to be used to attack other sites. Your server was reported participating in an outbound DDoS attack through means of this vulnerability by an attacker. Please ensure that recursive lookups are DISABLED in your nameserver's configuration to prevent future abuse. If you need any assistance with this ... read more

A few weeks ago, I mistakenly believed that I had closed a PHP mail form vulnerability that let spammers use my web server to send mail. Another batch of penis enlargement and phentermine pitches was sent through my server last night, which I discovered when "rejected bulk e-mail" bounces found their way to me. A spammer exploited a mail script I had written that coded the recipient address like this: $recipient = "info@ekzemplo.com"; I thought the script was secure because users couldn't change the recipient. As ... read more

I just completed a 10-day ordeal dealing with fraudulent charges on two credit cards. On Friday Nov. 18, my card donated $1.89 to the Hong Kong chapter of the relief organization Médecins Sans Frontières. The following Monday, my wife's card spent around $190 with the Ito-Yokado retailer in Japan. These charges were discovered within 72 hours as I reviewed my MasterCard account online. I had just paid for wireless Internet access at a Disney World conference center on Nov. 20, and a day later I became ... read more

I wrote a PHP script that accepts e-mail from web site visitors using a feedback form. The script works with different sites, routing mail to the right inbox with a hidden field on the form: The who field doesn't specify an e-mail address, because that would be easy pickings for spammers. They crawl the web looking for e-mail scripts that can be configured to send e-mail to any recipient they specify. Instead, my script was written to send mail only to accounts on my server: $recipient = $_REQUEST['who']; if ... read more

I started the day with a dead name server that knocked more than 100 sites offline, including Workbench, the Drudge Retort and all of the Buzzword.Com bloggers. I've been using BIND for years and thought I had run out of interesting new ways to break it. Overnight, most name requests failed and my server log filled up with errors like this: lame server resolving 'www.cadenhead.org' (in 'cadenhead.org'?): 67.19.3.218#53 A lame server is one that's not responding to a name request it is expected to handle. Requests ... read more

Considering the sophistication of the scam e-mails that I've been receiving lately, there must be a huge black market in phishing, the practice of tricking people into revealing their passwords from ecommerce sites and banks. A phony Amazon.Com e-mail I received last night is pretty convincing: Dear Amazon member, Due to concerns we have for the safety and integrity of the Amazon community we have issued this warning. Per the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, ... read more

There's an ongoing dispute between the right-wing group ProtestWarrior and a left-wing "hacktivist" accused of breaking into their servers and accessing the credit card information of 5,000 customers of the group's online store. While that allegation is under investigation (no charges have been filed), ProtestWarrior makes an unusual admission: They discovered the possible theft of customer credit cards in February, but didn't tell any customers until July 5. The reason we haven't made this announcement earlier ... read more