Monday, May 01, 2006

First spamorham.org hacking attempt?

When I built the backend code for spamorham.org I was sure that some malpeople would attempt to mess up the results by voting deliberately incorrectly. And I was worried that other people might try to automate this messing with the system.

I now have the first evidence that someone (within just two days of launch) attempted to subvert the controls that I put in place. Here's part of the security log that my system generates (I've removed the IP address used, but it was in Canada):

Epoch Time    Time Since Page Served    Error
1146387238    94                        captcha wrong
1146387295    52                        captcha wrong
1146387997    42                        captcha wrong
1146392018    36                        captcha wrong
1146392675    24                        captcha wrong
1146394141    25                        captcha wrong
1146416725    9309                      hash doesn't match, captcha wrong
1146419961    205                       hash doesn't match

This person (or robot) got the CAPTCHA wrong repeatedly (which would have caused their connection to be tarpitted) and then the hash match failed. The hash match failure means that fields hidden in the page were tampered with (or that the IP address the user was using suddenly changed in the middle of a session---which is possible if their Internet connection went down and up between pages). The hidden fields are used to track the exact message that's being examined, timeout information and the random data used to generate the CAPTCHA. Any tampering is detected automatically without maintaining server-side state (I blogged about this system earlier).

So it's possible that this happened for some innocent reason, but it looks to me like someone tried to see if the controls in place were subvertable and gave up.
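The hidden-field check described above can be sketched as follows. This is an added example, not the spamorham.org code: it assumes HMAC-SHA256 with a server-only key, and the field names, the `page expired` error and the CAPTCHA stand-in are hypothetical.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server
MAX_AGE = 3600                        # assumption: seconds a served page stays valid
SIGNED = ("msg_id", "served_at", "captcha_seed")  # hypothetical hidden-field names

def _mac(fields, client_ip):
    # Cover every hidden field plus the client IP; length-prefix each value so
    # bytes cannot be shifted from one field into its neighbour.
    values = [str(fields.get(name, "")) for name in SIGNED] + [client_ip]
    data = b"".join(len(v.encode()).to_bytes(4, "big") + v.encode() for v in values)
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()

def captcha_answer(seed):
    # Stand-in for a real CAPTCHA: the expected answer is derived from the seed.
    return hmac.new(SERVER_KEY, b"captcha:" + seed.encode(), hashlib.sha256).hexdigest()[:6]

def issue_form(msg_id, captcha_seed, client_ip, now):
    """Build the hidden fields embedded in the served page."""
    fields = {"msg_id": str(msg_id), "served_at": str(int(now)), "captcha_seed": captcha_seed}
    fields["hash"] = _mac(fields, client_ip)
    return fields

def check_submission(fields, answer, client_ip, now):
    """Return the list of errors for one submission (empty list = accept)."""
    errors = []
    sent = str(fields.get("hash", "")).encode()
    if not hmac.compare_digest(_mac(fields, client_ip).encode(), sent):
        errors.append("hash doesn't match")
    elif int(now) - int(fields["served_at"]) > MAX_AGE:
        # served_at is only trusted once the hash has verified.
        errors.append("page expired")
    seed = str(fields.get("captcha_seed", ""))
    if not hmac.compare_digest(captcha_answer(seed).encode(), answer.encode()):
        errors.append("captcha wrong")
    return errors

# Constructed demo values (documentation IP ranges, not taken from the log above).
if __name__ == "__main__":
    form = issue_form(42, "seed-1", "192.0.2.10", now=1000)
    good = captcha_answer("seed-1")
    print(check_submission(form, good, "192.0.2.10", now=1060))
    print(check_submission(dict(form, msg_id="43"), good, "192.0.2.10", now=1060))
    print(check_submission(form, "zzzzzz", "198.51.100.7", now=1060))
```

Because the client IP is part of the signed data, a legitimate user whose address changes between pages produces the same error as a tampered field, which is the ambiguity noted above.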
