scottyh56

asked on

Where is responsibility for spam hacking?

I use WebAssist Universal email version 2.5.4, a Dreamweaver PHP extension to place email forms on a site that I have constructed for a pretty big UK charity.  However the host closed it down today because of spam being sent.

Users can fill in forms on several pages to send emails to people within the charity - the recipient emails are coded into the forms on the site. No database is connected to the forms.

The host is not being helpful at the moment - almost accusing the charity of sending the emails themselves. They say:

"It appears that this mail may have been sent through an exploit in one or more of the scripts on your system. We would ask that you review the code on your website to remove any vulnerabilities that may allow the scripts to be abused to send emails. If the scripts are from a 3rd party software we would advise you contact the vendor for security patches or updates to their code."

It seems I cannot contact WebAssist because I have no 'Support Incidents'. So no help there, and the host (Pipex - major UK listed co) have blocked access to the server so I cannot see what has happened there. Shared hosting account details are here http://www.webfusion.co.uk/hosting/ .

Pipex say before sending the site live again I must tell them what I have done to rectify the situation. If someone changed the code on the site then are the host not in some way responsible? I am really not sure how to proceed. Helpful guidance at a level appropriate to someone who is security illiterate will get rewarded with the points - you may have to help me respond to a couple more emails.

Thanks

For the record I replied to their email as follows:

"Hello

My client, a UK charity, has forwarded me this email.

There are forms on their site for submitting emails from site users only to administrative contacts at the charity. There is no script on the site that unamended could send emails to anyone outside the organisation. The recipient names are hard coded into the files that are placed on the site so this presumably means that a third party has changed the code on the site - in which case placing the original files back onto the site will rectify the situation.

I would be able to do this in 15 minutes but it seems that you have blocked access to the server. Please confirm - I am unsure how I can diagnose what is happening without accessing the server.

Alternatively a third party has placed new files onto the site, in which case my action suggested above will have no effect.

Can you confirm that this has not happened?

It would be helpful to us if you could explain more about what has happened since my client naturally assumes that their files on your servers are secure. As a well known UK charity they do not want their name associated with such activities. What is there in place to prevent this recurring after the situation is corrected?

Thank you

Scott "
SOLUTION
ppfoong
ASKER CERTIFIED SOLUTION
noci
noci

and to answer your question about responsibility:

Please read the contract, I'll bet that it shoves all responsibility to you (well, the owner of the site).

And are you sure you can't access the site anymore...?
Maybe you need to use a different tool like ssh instead of http... (unix) or rdp for windows to access that system.
Also check if sftp/scp might be needed if pure ssh is not allowed but only the file transfer method.
SOLUTION

ASKER

Hello all

Sorry I have not been able to get back but things are currently as follows:

The script I use is Universal email by WebAssist, a Dreamweaver extension provider.

I am using php / mySQL on Unix server using Mail for Linux

The host has explained that the spammers are using 'bcc spam injection'

I have an updated script from WebAssist - they say that this, together with amending the trigger to be a submit button with an unusual name (i.e. not 'submit'), will cure the problem. I assume that this however could be 'identified'.

The host is sceptical too but I have set something up and we are testing.

I suspect that I have purchased a script with holes in it....

Right now I may not need more advice but will return and allocate points to those who have provided most useful comments.

Thanks

Scott
> .. are using 'bcc spam injection'

is this a php script?
Are you on a hosting provider which shares your webspace with others, probably a name-based virtual domain?
If both are true, I'd remove all scripts and close this webspace immediately. You're prone to countless web application security vulnerabilities (your bcc spam injection is most likely just one of them).
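For readers wondering what the 'bcc spam injection' mentioned by the host and the asker actually looks like, and why an updated script fixes it, here is an added illustration. It is not WebAssist's Universal Email code and not from any poster in this thread; the field names, addresses and the two sample submissions are constructed for the example. The vulnerable function copies the visitor's email address straight into the mail headers, so a CR/LF inside that field adds extra header lines (a Bcc: list) that the mail server honours. The hardened function refuses any header value containing a line break and validates the address before it is used. Nothing is sent: the script only builds and inspects the header block, so it runs from the command line.

```php
<?php
// Added example (not WebAssist's code): how header injection in a PHP contact
// form works and the checks that stop it. No mail() call is made here.

// Constructed sample submissions. The second is what an injection attempt
// looks like: the "email" field carries CR/LF followed by an extra header.
$legitimate = [
    'email'   => 'donor@example.org',
    'subject' => 'Donation query',
    'message' => 'Hello, how do I set up a standing order?',
];
$injected = [
    'email'   => "donor@example.org\r\nBcc: a@example.net, b@example.net",
    'subject' => 'Donation query',
    'message' => 'Unsolicited advert',
];

// Vulnerable pattern: user input concatenated straight into the headers.
// Every CR/LF in $form['email'] becomes a new header line for the MTA.
function buildHeadersVulnerable(array $form): string
{
    return "From: {$form['email']}\r\nReply-To: {$form['email']}\r\n";
}

// A header value may never contain CR, LF or NUL; reject rather than strip,
// so a tampered submission is refused instead of partially "repaired".
function cleanHeaderValue(string $value): ?string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        return null;
    }
    return trim($value);
}

// Hardened pattern: validate the address, keep From: fixed to a site
// address (visitor address goes in Reply-To), and check the subject too,
// because mail()'s subject argument is also a header.
function buildHeadersHardened(array $form): ?string
{
    $email   = cleanHeaderValue($form['email'] ?? '');
    $subject = cleanHeaderValue($form['subject'] ?? '');
    if ($email === null || $subject === null
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return "From: webform@example.org\r\nReply-To: {$email}\r\n";
}

// Count the header lines that would be handed to mail(): anything beyond
// the two we wrote ourselves was injected by the submission.
function headerCount(string $headers): int
{
    return count(array_filter(explode("\r\n", $headers), 'strlen'));
}

foreach (['legitimate' => $legitimate, 'injected' => $injected] as $label => $form) {
    $vuln = buildHeadersVulnerable($form);
    $hard = buildHeadersHardened($form);
    printf("%-10s vulnerable: %d header line(s)\n", $label, headerCount($vuln));
    printf("%-10s hardened:   %s\n", $label,
        $hard === null ? 'REJECTED' : headerCount($hard) . ' header line(s)');
}
```

Run with `php inject_demo.php`: the vulnerable builder produces four header lines for the injected submission (two Bcc: lines, because the address is used twice) while the hardened builder rejects it outright. Note that renaming the submit button, as the asker's vendor suggested, only hides the form from the crudest bots; the CR/LF check on every header-bound field is what actually closes the hole, which is why the asker's doubt that an unusual name "could be identified" is well founded.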
SOLUTION
Thanks for contributions.  The script did apparently deal with the issue if the correct option was taken - unfortunately the documentation did not adequately reflect the real meaning and consequences of the various options presented.