Ok, well not really. I’ve never once intentionally sent any spam emails before, and none of my websites collect emails or even send any out…. or so I thought that’s what they were doing.
Years ago (we’re talking 1999 here) I headed over to hotscripts and grabbed a generic form email script. This particular script was written by Dennis of DarkMix.net (which no longer exists anymore, so I assume Dennis had the same problem)
The problem was with the following lines of code that I just seemingly noticed:
$headers = "From: $Name <$Email> \n";
$headers .= "Reply-To: $Email\n";
$headers .= "X-Mailer: Darkmix Mail Sender\n";
$headers .= "X-Mailer-Version: 1.1";
I’m sure many of you can spot the problem. It’s very easy to add whatever I want to that header by entering a creative email address. Worse, this code didn’t use the $_POST or $_GET variables either. It relied on register globals.
Anyway, I caught this problem well over 6 months ago, and the site it was on isn’t even on the internet anymore. I was just reminded of it while perusing some old legacy code at my company and remembered that I’d forgotten to blog about this. All in all it only sent a few emails before I noticed something was funny. No harm no foul I suppose.
Let this be a lesson to those who release free code on hotscripts, as well as to those who blindly use code found from such repositories.
October 25th, 2006
It seems like the MySpace stories in the news get stranger by the day, and this one is no exception. Police in Farmington, Conn have charged a 13 year old girl with criminal impersonation for creating a MySpace profile claiming to be her teacher. The article doesn’t say what the profile said, but we can probably assume that it wasn’t nice things.
Now, I’m not denying the school should do something about this issue – they should. The consequences could be bad if a student were to send a confidential message to the teacher, or if the blog said something referencing a student. Do I think they should have charged her with criminal impersonation? Hell no.
If we look at the legal defintion of criminal impersonation then we notice some nice red text there. (note: I know this is a colorado definition. I check the Conneticut law and it’s the same. I picked this page because it highlights what I want to talk about.)
It’s hard to see how creating a fake MySpace about a teacher gives this particular 13 year old any unlawful benefits, and it clearly doesn’t subject the teacher to any legal proceedings.
Hopefully this will all be handled without lawyers or prosecutors and the girl will learn an important lesson about what you can and can’t post on the internet (although legally I think she had this right).
While we’re on the lesson train, maybe schools will take note and learn that:
a.) Matters like this are better handled with sit down talks between teachers, students, and parents.
b.) They can’t control what students do on the internet outside of the classroom.
Update: I should probably add that IANAL, so don’t go creating fake myspace profiles because I said it should be legal.
October 25th, 2006
