US Dems fill inboxes with 419 scams Scammers pumping out emails that try to trick recipients into parting with large sums of cash are getting a helping hand from the Democratic National Committee. According to a researcher with anti-spam company Cloudmark, 419 fraudsters have been relaying a "significant" amount of messages through the democrats.org domain name …
I don't often comment, however this article got to me. Was it the subject matter? Was it the journalist's understanding that no email should ever be sent through another email system, even if a CAPTCHA (that is completely breakable) is used without some form of safeguard? No, it was neither of these things, it was the blatant attack on PHP that I found offensive.
How did the journalist come to the conclusion that the form in question causing the problem was PHP and this required talking about? Was it an assumption because much of the site was written in PHP? Would the article have struggled to hit the wordcount if it wasn't PHP?
From my cursory glance at the website this seems to be a badly put together front end* where every link that points to a definite PHP element refers to it with the extension .php. As the form doesn't reference a script with this attribute then we can't assume that the script in question is PHP, it may have been something the site designer inherited in a different language, does this make it excusable? No.
If the site designer chose to add this 'feature' to the site then please with all journalistic endeavour illustrate this as the issue, don't blame the language that the developer used for this site embellishment as the issue.
There is the possibility that the form used on the website is referencing something in the backend written in C, Perl or even ASP, no matter how unlikely, and ultimately that the fault lies not with the programming language but with the BAD THOUGHT PROCESS BEHIND THE FORM. No matter what language, or the addition of a CAPTCHA , are going to stop miscreants from misusing such a system, to think so is naïve! Quite frankly, this sort of form is a bad idea, it should not be allowed on a public site.
To compound my point, HTML is inherently accessible, most user-agents can understand the DTD and alongside the educated use of elements and attributes that the W3C and WCAG have created guidelines for, that they should be almost automatic for most developers. In the case of this site, the accessibility levels fail quite dramatically, yet you wouldn't catch me writing an article saying that a site, written in HTML has caused a failure in accessibility, no its a problem with the developer writing the site NOT the choice of language.
I'm definitely not excusing the lacklustre creation of the website, the skipping of basic security methodology and especially not the front end coding which is, quite frankly, dreadful, however I do take offence when a journalist takes a thinly veiled swipe at a programming/scripting language because someone has done something stupid, just to fuel their own personal dislike or to start a flame war.
* If any website should comply with accessibility guidelines (and that's all of them by the way) it is that of a major government party and it should never, never use table for layout purposes, let alone not associate labels with form controls. There is also the issue of the page not working correctly with JavaScript disabled, an advertisement for unobtrusive JavaScript if there ever has been one, I could go on...
Got to love how spammers are able to spell Somalian name!
U in English normally essential after a q. It was added to the name of Nunavut’s capital, changing it from Iqaluit to Iqualuit, in a press release by Prime Minister’s staff.
As any Canadian would know by now that name of Nunavut’s capital, Iqaluit, means many fish in Inuktitut. However, when that extra u is tacked on after the q, the meaning suddenly changes to “people with unwiped bums,”. Just google "unwiped" in the news section!
I suggest that Canadian politicians hire these spammers, and so they wouldn’t have worry about offending our northern brothers, and with a single stroke they can solve the world leading spam crisis.
For what it's worth, my observation of my friends and acquaintances[*] leads me to believe that Democrats don't put much emphasis on either security or preventing crime in general, nor on punishing criminals afterwards (the modern American "catch-and-release" revolving-door judicial system). One could speculate for years on exactly why that's the case, but I won't do that here :)
I read something the other day (can't remember where it was), where some British person had got the two main American political parties mixed up - he said:
"Tell me again, which party is the evil one, and which party is the stupid one?"
That seems to sum it up pretty good ;)
(For those who don't know, it's the Republicans that are evil ;) and the Democrats that are stupid ;) )
All of 'em can be extremely annoying and hard to reason with, at times.
* The aforementioned friends and acquaintances consist of a fairly even mix of Democrats, Republicans, Libertarians, Independents, etc.
Not many could be fooled by these scams. There aren't perhaps but 4 people, rational ones anyway, who would actually open any message from or routed through the domain of any political party. If I could be on a "do not call" list that included political parties, I'd do it in a heartbeat. Come election season, the political pushers become bigger pests than cockroaches in Miami, pity you can't treat them the same way.
The only appropriate icon for the two party political cartel. "O Lord, bless this thy hand grenade, that with it thou mayst blow thine enemies to tiny bits, in thy mercy."
I was rather impressed with this post. I must admit that I thought the article was about bad design, not a criticism of PHP but clearly given the length of g's post I must have been wrong.
Can we have a bucket of water icon to douse the flames? The only alternative seems to be a waste of good beer.
Sent myself a quick test mail from the page in question. From the headers:
Received: from web1.dnc.org (web1.dnc.org [192.168.10.71]) by mailservices.democrats.org (Postfix) with ESMTP id 6EAB912E47B for <me>; Mon, 31 Aug 2009 11:17:11 -0400 (EDT)
Received: by web1.dnc.org (Postfix, from userid 30) id 4F7C1482BD; Mon, 31 Aug
2009 11:17:11 -0400 (EDT)
Received: from phpmailer ([192.168.10.24]) by www.democrats.org with HTTP
(PHPMailer); Mon, 31 Aug 2009 11:17:11 -0400
Sorry, but it does indeed look like the venerable and frewuently-exploited PHPMailer is at work here. I know that the exploitable nature of the page itself isn't helping, but few (if any) security problems have been improved by the addition of PHP.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
