The importance of “The Human Test”

13 January 2012 | Roy Davis | AppSec Stuff

 

This morning I was reminded why it is important to use a human test on all web forms that allow anonymous submission. My inbox was flooded with responses to inquiries made using my email address, starting at 2am this morning (while I was asleep). Am I interested in attending National American University? No. Am I interested in catering? No. Do I want my house painted? No. I have nearly 300 of these in my inbox from different companies.

So, what is going on? I began looking into some of the sites involved and found out right away. All of them have two things in common: none requires any sort of human test before accepting an anonymous form submission, and all of them send out some sort of “Thank you for your interest” email as soon as the form is submitted. That combination set these sites up for use in a new form of an old attack.

It used to be that nearly all spam was sent in the hope that if 0.01% of recipients actually bought something, the spammer would make money. But in the world of cyber-warfare, the gain is in the loss of your opponent’s time, productivity, bandwidth, computing power and digital storage space. It would be easy for an attacker to write a small application that cycles through IP address ranges looking for web servers hosting forms that accept anonymous submissions. Once a site is identified, the application enters email addresses harvested or purchased from some other source and submits the form over and over, thousands or hundreds of thousands of times. Each submission causes the target site to send a confirmation email to the address provided, creates a new record in its database, and adds a “follow up on lead” task to someone’s to-do list. Because the mail comes from hundreds of legitimate businesses rather than from one spammer, the recipient cannot filter it as a single source, and each business pays for it in bandwidth, storage and wasted sales effort.

What is the point? To waste businesses’ time, productivity, bandwidth, computing power and digital storage space. This is a real problem with a simple solution.
Make sure every web site that accepts anonymous form submissions requires a human test such as reCAPTCHA, checked on the server, before it does anything with the submission, and in particular before it sends any email. A CAPTCHA raises the cost of each submission, but it is not a complete fix on its own: pair it with a rate limit per client and per recipient address, so that a single bypassed check still cannot flood someone’s inbox.
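As an added illustration (this is example code written for this page, not code from the original post or from any of the sites mentioned), here is what “check the human test on the server before sending anything” looks like for a simple contact form. The reCAPTCHA verification uses Google’s real `siteverify` endpoint; everything else (the `FormHandler` and `RateLimiter` classes, the IP addresses, the email addresses and the stub CAPTCHA checker used in the offline demo) is constructed for the illustration.

```python
"""Hardening an anonymous "contact us" form against auto-reply abuse.

Added example, not code from the original post. Two controls sit in front of
the "thank you" email:
  1. a server-side CAPTCHA check (the client-side widget alone proves nothing;
     the token must be posted to the reCAPTCHA siteverify endpoint), and
  2. a per-IP and per-recipient rate limit, so a bypassed CAPTCHA still cannot
     flood one inbox.
Class names, addresses and the stub checker below are constructed for the demo.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import defaultdict, deque

RECAPTCHA_VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def verify_recaptcha(secret, token, remote_ip, urlopen=urllib.request.urlopen):
    """Server-side reCAPTCHA v2 check: POST secret/response/remoteip and trust
    only an explicit "success": true. Any transport or parse error fails closed."""
    if not token:
        return False
    body = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}
    ).encode()
    try:
        with urlopen(RECAPTCHA_VERIFY_URL, data=body, timeout=5) as resp:
            result = json.loads(resp.read().decode())
    except (OSError, ValueError):
        return False
    return result.get("success") is True


class RateLimiter:
    """Sliding-window limiter: at most `limit` events per `window` seconds per key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FormHandler:
    """Constructed form handler. `captcha_check(token, remote_ip)` is any callable
    returning True for a solved challenge, e.g. functools.partial(verify_recaptcha, SECRET)."""

    def __init__(self, captcha_check, ip_limit=5, email_limit=1, window=3600,
                 clock=time.monotonic):
        self.captcha_check = captcha_check
        self.by_ip = RateLimiter(ip_limit, window, clock)          # submissions per client
        self.by_email = RateLimiter(email_limit, window, clock)    # auto-replies per recipient
        self.sent = []       # stand-in for the outbound mailer
        self.rejected = 0

    def handle(self, remote_ip, email, captcha_token):
        """Cheapest check first; nothing is mailed or stored until every check passes."""
        recipient = email.strip().lower()
        if not self.by_ip.allow(remote_ip):
            self.rejected += 1
            return False
        if not self.captcha_check(captcha_token, remote_ip):
            self.rejected += 1
            return False
        if not self.by_email.allow(recipient):
            self.rejected += 1
            return False
        self.sent.append(recipient)   # only now does the "thank you" mail go out
        return True


def simulate_flood(handler, victim="victim@example.com", attempts=1000):
    """Constructed attacker: one host replays the form for one victim, alternating
    a missing token with a stale one. Returns how many mails reached the victim."""
    for i in range(attempts):
        handler.handle("203.0.113.7", victim, None if i % 2 else "replayed")
    return sum(1 for e in handler.sent if e == victim)


if __name__ == "__main__":
    # Offline demo: the stub accepts only a token a human would have obtained.
    handler = FormHandler(lambda token, ip: token == "solved-by-human")
    print("legit user mailed:", handler.handle("198.51.100.2", "alice@example.com", "solved-by-human"))
    print("victim mails during flood:", simulate_flood(handler))
    print("rejected submissions:", handler.rejected)
```

The per-recipient limit is the control that actually protects the person in the story: even a site whose CAPTCHA is being solved by a farm will send at most one auto-reply per address per hour. Rate limiting by IP before the CAPTCHA call keeps a flood from turning into a bill for verification traffic, at the cost of occasionally throttling many users behind one NAT; tune `ip_limit` and `window` to the form's real traffic.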

 
