As hard as it may be to believe, there are actually quite a few people out there who like spam. There's the Lonely Type, sitting at home on a dateless Saturday night just waiting to hear "You've Got Mail!" Then there's the type who just feel good inside knowing that someone hooked them up with an awesome deal on \/1@Gr@ and a H0/\/\3 M0rTgaG3. And then there's the Hormel folks, whose 2006 Annual Report stated that 33% of SPAM purchases were for "gag and joke purposes specifically related to unsolicited email." But Adam Golebiowski isn't in this crowd; like most of us, he doesn't like spam at all.
Every once in a while, a spam message will slip past Adam's greylist/SpamAssassin filter and prompt him to respond with a simple click of the Delete button. A recent message, however, piqued his interest. It was from "an old time frend from hig school," who was writing to tell him how "many riches [he] had become" after "findouting about the gratest webs," which sold a database of "all the infos to become a business success." Tempted by the potential of infinite wealth and a much needed break from a late night of studying, Adam clicked through to the website -- err, I mean -- the "webs."
It wasn't a phishing or virus-laden site, just a simple page with a few input fields that the spammer put up to sell his "ultimate business infos." Adam was a bit surprised that, despite having a university-fast Internet connection, the page took a long while to load. It probably had something to do with the fact that the "City" field was a dropdown box that apparently contained every city that ever existed:
In addition, none of the images on the page were loading, so Adam did a quick View-Source. That yielded a roughly two-megabyte HTML page with all sorts of references to images and a JavaScript file that looked like this:
<script src="ftp://jspm:aa992V@--------.com/public_html/script.js"></script>
Adam couldn't resist; he had to try it. Not only could he FTP into --------.com with the username/password of "jspm/aa992V", he could also telnet into a shell account. And on top of that, all of the spammer's files, including the web pages, the mass-mailing program, and a list of over a million email addresses, were accessible with full rights over the FTP connection. Were accessible: for some reason, that giant email list no longer exists on that server ...
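The spammer's mistake above is a general one: a URL with a userinfo component (`scheme://user:password@host/...`) embedded in served HTML or JavaScript hands the credential to every visitor who views the source. The following scanner is an added example, not code from the article; it walks an HTML document with the standard library's `HTMLParser` and `urllib.parse.urlsplit`, collects URLs from `src`/`href`-style attributes and from inline script text, and reports any URL that carries a username, without echoing the password itself. The hostnames and credentials in `SAMPLE_HTML` are constructed placeholders, not the ones from the story.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that commonly carry URLs in HTML.
URL_ATTRS = {"src", "href", "action", "data", "poster", "formaction"}

# Absolute URL with a scheme, as it would appear inside inline script/text.
URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>()]+")


class _UrlCollector(HTMLParser):
    """Collects (location, url) pairs from tag attributes and text/script bodies."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in URL_ATTRS:
                self.urls.append((f"<{tag} {name}>", value))

    def handle_data(self, data):
        # HTMLParser delivers <script> and <style> bodies here as raw text,
        # so literal URLs inside inline JavaScript are covered too.
        for match in URL_RE.finditer(data):
            self.urls.append(("inline text", match.group(0)))


def find_embedded_credentials(html):
    """Return a list of findings for URLs whose authority carries a username.

    Each finding records where the URL was found, its scheme, username and
    host, and whether a password was present. The password value itself is
    deliberately not returned, so the report can be logged safely.
    """
    parser = _UrlCollector()
    parser.feed(html)
    parser.close()

    findings = []
    seen = set()
    for location, url in parser.urls:
        parts = urlsplit(url)
        # urlsplit only parses userinfo out of the authority (netloc), so an
        # '@' inside a query string (?next=a@b) does not trigger a finding.
        if parts.username is None or url in seen:
            continue
        seen.add(url)
        findings.append({
            "location": location,
            "scheme": parts.scheme,
            "username": parts.username,
            "host": parts.hostname,
            "has_password": parts.password is not None,
        })
    return findings


def format_report(findings):
    """Render findings as one line each, never including the secret."""
    lines = []
    for f in findings:
        secret = "username AND password" if f["has_password"] else "username only"
        lines.append(f"{f['location']}: {f['scheme']}://{f['username']}@{f['host']} ({secret} exposed)")
    return "\n".join(lines)


# Constructed sample page (placeholder hosts and credentials, not from the article).
SAMPLE_HTML = """
<html><body>
<img src="/images/banner.gif">
<a href="https://example.com/page?next=someone@example.com">link</a>
<script src="ftp://uploader:S3cretPlaceholder@files.example.invalid/public_html/script.js"></script>
<script>
  var backup = "sftp://deploy@backup.example.invalid/srv/";
</script>
</body></html>
"""

if __name__ == "__main__":
    print(format_report(find_embedded_credentials(SAMPLE_HTML)))
```

Run against a published page or a template directory as a pre-deploy lint, the check flags the FTP script include (username and password exposed) and the inline SFTP reference (username only), while leaving the `mailto`-style `@` in the query string alone. Remediation is the same in every case: serve the asset from the web server's own origin and rotate the exposed credential, since anyone who fetched the page already has it.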