[ipac] Exploit of horizon email capability

Tyckoson, Mary Ellen Mary.Tyckoson at sjvls.org
Wed Dec 27 16:38:39 EST 2006


Just to follow-up.  This is definitely a scripted attack.  After turning
email function back on we received an autoreply to a single bib sent by
HIP2 to washpost at 12:05, then at 1:06 we received 44 autoreplies and
the same bib records as yesterday were used. I'm guessing that the first
was a test program, and the big batch an hour later was generated based
on the positive result of the test. I guess we are leaving the email
feature turned off until there is a way to thwart this type of abuse.   
I've created a log express entry, not that I expect much of an answer.

Heavy sigh....

Mary Ellen

-----Original Message-----
From: ipac-bounces at lists.tblc.org [mailto:ipac-bounces at lists.tblc.org]
On Behalf Of Tyckoson, Mary Ellen
Sent: Wednesday, December 27, 2006 8:10 AM
To: Dynix's Horizon Information Portal, formerly iPac (discussion)
Subject: RE: [ipac] Exploit of horizon email capability


If you think about Library Elf's ability to script logging into HIP, any
version, and scraping info on a patron's account, you can see that it
probably isn't that hard to script an attack on someone's mail server
using HIP, regardless of platform or version.

Yesterday, after over 200 automated replies from the Washington Post I
turned off the email function on both of our HIP servers, even though it
was clearly our second server being used based on the holdings info
attached to the bib.  Whoever did this seemed to be using the same 5 bib
records over and over again, which is what makes me think it was
scripted.  Between 10 am when we received the first automated replies
and 1 pm when I turned off email and rebooted the server the same few
bibs were sent in batches of 50-80 messages, roughly an hour apart.  I
may turn email back on again today to see what happens.  I enabled
Symantec AV's Email worm feature on that server which may catch it if it
starts up again. Usually I leave that disabled on HIP because the server
screen fills up with notices of all the bounced emails when people type
their email address wrong.

I would agree that the current email function on HIP could use a little
security to make it harder to use as a tool to indiscriminately send
email to any address.  We've had a case or two in the past where someone
used HIP to harass someone.  Even though all you can send is a bib
record, careful selection of those titles can result in pretty nasty
anonymous emails.  The victims weren't overly thrilled that we have no
control over who uses the feature and really no easy way to determine
who sent the messages.  Luckily neither was a library user so they were
both fine with just blocking mail from our domain after we explained the
situation.

*****************************************
Mary Ellen Tyckoson
Library Program Manager
San Joaquin Valley Library System
559-488-3462
Mary.Tyckoson at sjvls.org
"Assumption is the mother of all screw-ups" - Wetherns Law
*****************************************

-----Original Message-----
From: ipac-bounces at lists.tblc.org [mailto:ipac-bounces at lists.tblc.org]
On Behalf Of Greg Barniskis
Sent: Wednesday, December 27, 2006 6:51 AM
To: Dynix's Horizon Information Portal, formerly iPac (discussion)
Subject: Re: [ipac] Exploit of horizon email capability


ARNOLD, RANDY wrote:
> As well as the version of HIP, does the platform matter?   Is this just
> Windows Server vulnerability?

The platform should not matter because it is HIP accepting the input 
and creating the output. I don't know if HIP version matters. It may 
not even be "vulnerable" as such. The problem is that it /might/ be.

Basically, any application that lets you put in arbitrary 
destination email addresses will pique the interest of the spammer 
community and invites them to probe rather earnestly if/how it can 
be exploited to relay their own messages.

As long as HIP really only lets you send HIP content, the problem 
rates as an annoyance only, but the interface/API should still be 
fixed to be less "interesting" to the spammers. Otherwise we will 
all have to deal with the bounces and other noise generated by their 
probing, as that will never cease as long as there is a remote 
chance it can be exploited.


-- 
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
<gregb at scls.lib.wi.us>, (608) 266-6348
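The pattern the two messages above describe (an arbitrary destination address, a small probe, then the same few bib records resent in hourly batches of dozens) is what a per-destination send gate is meant to stop. The following is an added example and not HIP/Horizon code; the log line format, the address, the bib ids and the limits are all constructed assumptions.

```python
# Added example, not HIP/Horizon code: a sliding-window gate that a
# "send this record by e-mail" handler could consult before relaying,
# plus a replay of constructed log lines shaped like the burst described.
from collections import defaultdict, deque
from datetime import datetime, timedelta


class SendGate:
    """Per-destination rate limit plus a cap on re-sending the same bib.

    The limits are illustrative assumptions, not HIP settings.
    """

    def __init__(self, window=timedelta(hours=1), max_per_dest=10, max_same_bib=1):
        self.window = window
        self.max_per_dest = max_per_dest
        self.max_same_bib = max_same_bib
        self._sent = defaultdict(deque)  # dest -> deque of (timestamp, bib)

    def allow(self, ts, dest, bib):
        """Return True and record the send if it is within limits, else False."""
        q = self._sent[dest]
        while q and ts - q[0][0] > self.window:  # forget sends older than window
            q.popleft()
        if len(q) >= self.max_per_dest:  # too many messages to one address
            return False
        if sum(1 for _, b in q if b == bib) >= self.max_same_bib:  # same bib again
            return False
        q.append((ts, bib))
        return True


def replay(log_lines, gate=None):
    """Run constructed lines "<ISO time> <bib> <dest>" through a gate.

    Returns (allowed, blocked) counts.
    """
    gate = gate or SendGate()
    allowed = blocked = 0
    for line in log_lines:
        ts, bib, dest = line.split()
        if gate.allow(datetime.fromisoformat(ts), dest, bib):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


# Constructed sample: one probe at 12:05, then 44 sends an hour later
# cycling through the same five bib ids to a single outside address.
BIBS = ["b1001", "b1002", "b1003", "b1004", "b1005"]
SAMPLE_LOG = ["2006-12-27T12:05:00 b1001 user@example.com"] + [
    f"2006-12-27T13:06:{i:02d} {BIBS[i % 5]} user@example.com" for i in range(44)
]

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))  # (6, 39) with the default limits
```

With the defaults the probe and the first pass over the five bibs go through; every repeat of a bib to the same address within the hour is refused, so the batch collapses to a handful of messages and a bounce storm never starts.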
_______________________________________________
ipac mailing list
ipac at lists.tblc.org
http://lists.tblc.org/mailman/listinfo/ipac
