tips and tricks for movable type

"mail this entry" used for spam
November 23, 2003

SEE UPDATE BELOW

If you are using Movable Type's "Mail This Entry" feature on your blog, you are advised to rename your mt-send-entry.cgi file, or remove the feature entirely.

If you are not using the feature on your blog, you still need to either rename the script, disable it by changing the permissions, or remove it from your server altogether.

Spammers have discovered a means of using this script to send messages that will appear to be coming from your server.

Renaming the script won't prevent them from finding it if you continue to use the feature on your site, but it will slow them down a little if everyone chooses a unique name for the script.

Also, if you're using other versions of this feature such as Pop-Up Mail This Entry or MT-Mail-Entry, you may want to take a similar approach to those as well.

If there are any developers out there interested in working on a fix for this vulnerability, please leave a comment and I will contact you with the details of the method being used (if you need them).

Update: Ben posted a fix in the previously-mentioned forum thread:

Before line 40 in mt-send-entry.cgi, add these lines:

# reject a carriage return or line feed in either address: a line break in the value
# would let extra mail headers be injected into the message the script sends
die "Invalid from or to value"
    if $to =~ /[\r\n]/ || $from =~ /[\r\n]/;

Save mt-send-entry.cgi, upload to your server in ASCII mode, and CHMOD permissions to 755 again (if necessary).
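The check from the update, as an added example that is not part of this post or of Movable Type's own mt-send-entry.cgi: the CR/LF test is wrapped in a reusable validator, the length cap suggested in the comments below is added on top, and the header block is only built from values that pass. The function names (validate_address, build_headers), the 254-character cap, the loose user@host pattern and the sample inputs are all this example's own assumptions, not anything from the script.

```perl
#!/usr/bin/perl
# Added example, not Movable Type's code: validate the from/to values a
# "mail this entry" form receives before they go anywhere near a mail header.
use strict;
use warnings;

# Assumed cap on an address field (the comment thread suggests a short limit;
# 254 is the usual upper bound for a single address).
my $MAX_ADDR_LEN = 254;

# Returns 1 if $addr is safe to place on a single header line, 0 otherwise.
sub validate_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length $addr;
    # The check from the fix: a CR or LF would start a new header line.
    return 0 if $addr =~ /[\r\n]/;
    # Other control characters have no place in an address either.
    return 0 if $addr =~ /[\x00-\x1f\x7f]/;
    # Length cap, so the field cannot carry a large payload.
    return 0 if length($addr) > $MAX_ADDR_LEN;
    # Loose single-address shape (assumption: not a full RFC address parser).
    return 0 unless $addr =~ /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
    return 1;
}

# Builds the header block from validated values only; dies like the fix does.
sub build_headers {
    my ($from, $to, $subject) = @_;
    die "Invalid from or to value\n"
        unless validate_address($from) && validate_address($to);
    $subject =~ s/[\r\n]+/ /g;    # fold any line breaks in the subject as well
    return "From: $from\nTo: $to\nSubject: $subject\n";
}

# Constructed inputs for demonstration.
my @cases = (
    'friend@example.com',                          # ordinary address
    "friend\@example.com\r\nX-Injected: header",   # CR/LF, the abuse described above
    ('a' x 300) . '@example.com',                  # over-long value
    'not an address',                              # wrong shape
);

for my $addr (@cases) {
    (my $shown = $addr) =~ s/[\r\n]/?/g;    # make line breaks visible when printing
    printf "%-48.48s %s\n", $shown,
        validate_address($addr) ? 'accepted' : 'rejected';
}

print build_headers('friend@example.com', 'reader@example.org', 'Worth a read');
```

Only the first sample passes; the other three are rejected before build_headers is ever called, which is the same outcome the two-line fix produces, just with the length and shape checks from the comment thread folded in.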

(Cross-posted at Virtual Venus)

Comments

It shouldn't be too hard to limit the string length in the script - say to 30-50 characters. That alone may make it unattractive to spammers as they would then need to call the script many times instead of just once, assuming they could get everything they wanted in there. This also might be a good time to hack in some visual safeguards (such as a digital number/letter sequence) that cannot be read by machines for confirmation.

by Woody | 11.23.03 12:23 PM

mt-send-entry.cgi isn't the thing that mails comments to the author, is it? I just wanted to clarify. thanks :)

by ruthie | 11.26.03 12:38 AM

No ruthie, it's like a "Mail to a friend" feature.

by Frank | 11.26.03 09:28 AM

Sorry, my bad, yes it is. I also have a mt-mail-entry.cgi which is what I was talking about above. Confusion! :)

by Frank | 11.26.03 09:42 AM

is that line meant to replace

die "Missing required parameters\n";

or add to it? ..and shouldn't it have { } etc..?

by demonsurfer | 11.27.03 01:18 PM

new mt-send-entry.cgi file released by MT:

link

by demonsurfer | 11.27.03 04:10 PM

Woody, visual anti-robot tests are not a good solution as it prevents people with poor or no vision from using the service. If a robot is doing it, there are a couple solutions requiring no interaction from the user. Validating against possible referrers, although that would eventually be circumvented, is one. I like your first solution a lot more.

Personally, I can't see the need for giving away what amounts to free anonymous email access.

by jose | 11.29.03 10:32 AM

TrackBack: 24
(URL: http://www.thegirliematters.com/sf/mt-track.cgi/162)

» "Mail This Entry" Used For Spam
Excerpt: If you are using Movable Type's "Mail This Entry" feature on your blog, you are advised to rename your mt-send-entry.cgi file, or remove the feature...
Weblog: Virtual Venus
Tracked: 11.23.03 09:58 AM

» New security flaw found in MT
Excerpt: "mt-send-entry.cgi is a big whopping security risk"
Weblog: existentialmoo
Tracked: 11.23.03 12:22 PM

» "Mail This Entry" Used For Spam
Excerpt: SEE UPDATE BELOW If you are using Movable Type's "Mail This Entry" feature on your blog, you are advised to rename your mt-send-entry.cgi file, or...
Weblog: Virtual Venus
Tracked: 11.23.03 08:28 PM

» Don't Be a Spammer!
Excerpt: Last weekend, I had to deal with almost 4,000 bounce messages that were sent "from" my domain. I blamed it on someone using my domain for the reply to address, but now I wonder if it wasn't a new version...
Weblog: scriptygoddess.com
Tracked: 11.25.03 08:06 PM

» Getting Scripty!
Excerpt: I wish I had the time to implement all of the things I want to do on this blog, but...
Weblog: Big Pink Cookie
Tracked: 11.25.03 08:13 PM

» Don't be a Spammer !
Excerpt: Huge news about a new problem w/ MT and spam. It now deals with spam being sent from your server. YUCK. Read. Act. NOW!...
Weblog: Daily Dictum
Tracked: 11.25.03 09:52 PM

» Why Comment Spam Sucks
Excerpt: Why comment spam sucks; Porn spammers have come up with yet another tactic...
Weblog: CeeJayOz.com
Tracked: 11.25.03 11:41 PM

» Die, Spammers, Die: Part 72
Excerpt: It's not bad enough that they use your comments to spam you and your readers, now the little weasels have...
Weblog: Solonor's Ink Well
Tracked: 11.26.03 06:01 AM

» One more "honey-do" for MT
Excerpt: If you're running MovableType, here's another little programming "honey-do" in order to make the world a more spam-free place. Kudos to Girlie who learned of this problem the hard way to make us all aware that it's a big world...
Weblog: KevinDonahue.com
Tracked: 11.26.03 06:56 AM

» Don't Become An Unknowing Source Of Spam
Excerpt: Girlie is out with an urgent fix Movable Type users should make today!If you are using Movable Type's "Mail This Entry" feature on your blog, you are advised to rename your mt-send-entry.cgi file, or remove the feature entirely. If you...
Weblog: Wizbang
Tracked: 11.26.03 08:33 AM

» Bloggy stuff
Excerpt: New (to me) resource of blog hacks and patches and fixes and tweaks: The Girlie Matters. Things I've learned so...
Weblog: ***Dave Does the Blog
Tracked: 11.26.03 09:05 AM

» Mail This Entry Spam
Excerpt: [the girlie matters] tips and tricks: "mail this entry" used for spam Here I've been using MT for all of a few days and I've had to turn off a feature. Thanks to all who wrote about this so I...
Weblog: My Harmless Hobbies
Tracked: 11.26.03 04:43 PM

» Greetings!
Excerpt: Hey, Everyone. :) How are you? How's life treatin' ya'? :) First of all, I want to thank all of you who were kind enough to leave such thoughtful comments...
Weblog: Thoughtprints
Tracked: 11.26.03 05:11 PM

» Spamming via MT
Excerpt: Again, this is only marginally related to MT-Blacklist or comment spam, but I figured that this was as good a place as any to get the word out. Spammers have discovered a way to use mt-send_entry.cgi to send spam through...
Weblog: MT-Blacklist/Comment Spam Clearinghouse
Tracked: 11.26.03 08:07 PM

» Another way to spam using Movable Type
Excerpt: From the no-good-deeds go unpunished dept. I was reading Mike McBride's blog this evening when I saw his link to...
Weblog: Confessions of a G33k
Tracked: 11.27.03 09:49 PM

» Movable type can send spam
Excerpt: So fix it!. Thanks to Jay Allen for bringing it to my attention....
Weblog: randyrathbun.org
Tracked: 12.01.03 11:09 AM
