Of exploitable domains

Chalk up the Indian Health Service branch of the federal government as another example of exploitable government domains. In culling out comment spam yesterday, I noticed that a number of comments had links to URLs starting with “ihs.gov”. Now, say what you will about the government, but at least it doesn’t usually spam this blog, so it’s a little odd to see .gov links among the spam. A closer look, though, revealed that these links were of the following form:

 http://www.ihs.gov/PublicInfo/Publications/Kids/safety/IHS_DisclaimerKids_prod.cfm?link_out=http://spam.url.here

where I’ve replaced an actual spam URL with “http://spam.url.here”. As it turns out, the first part of the above points to a little script on the IHS website that will display any URL you like in a frame wrapped by an IHS banner (try it out by replacing the fake URL with anything you like). That, of course, lets spam URLs slip past blacklists by masquerading as something more innocuous. As, perhaps, a side benefit, it makes it look like the site is endorsed or at least condoned by a governmental agency.
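As an added example (my own, not the IHS script or anything from the original post), here is what the defender's side of this looks like in Python: an allowlist check for a `link_out`-style parameter that rejects the common ways an off-site target can be disguised, plus a scan over constructed access-log lines that counts how often the page is being used to cloak URLs. The allowlist, the `partner.example` host and the log lines are assumptions, not real IHS data.

```python
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist: hosts the disclaimer page is permitted to frame.
# "partner.example" is a constructed placeholder, not a real IHS partner.
ALLOWED_HOSTS = {"www.ihs.gov", "ihs.gov", "partner.example"}


def is_safe_link_out(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if target is an absolute http(s) URL whose host is allowlisted.

    Rejects scheme-relative "//host/..." (no scheme), non-web schemes such as
    javascript:, and userinfo tricks like "http://www.ihs.gov@evil/", where the
    real host is whatever follows the "@".
    """
    parsed = urlparse(target.strip())
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").lower()   # hostname = part after any "@"
    return host in allowed_hosts


def flag_cloaked_targets(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Count link_out targets in Common Log Format lines that fail the allowlist.

    Keyed by the target's host, so the disguises above collapse onto one host.
    """
    hits = Counter()
    for line in log_lines:
        try:
            path = line.split('"')[1].split(" ")[1]   # '"GET /path?q HTTP/1.1"'
        except IndexError:
            continue
        for target in parse_qs(urlparse(path).query).get("link_out", []):
            if not is_safe_link_out(target, allowed_hosts):
                hits[(urlparse(target).hostname or target).lower()] += 1
    return hits


# Constructed access-log lines (not real IHS traffic) hitting the disclaimer page.
PAGE = "/PublicInfo/Publications/Kids/safety/IHS_DisclaimerKids_prod.cfm"
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Jan/2008:10:00:00 +0000] "GET {PAGE}?link_out=http%3A%2F%2Fspam.example%2Fpills HTTP/1.1" 200 512',
    f'203.0.113.5 - - [01/Jan/2008:10:00:01 +0000] "GET {PAGE}?link_out=http://partner.example/kids HTTP/1.1" 200 512',
    f'203.0.113.7 - - [01/Jan/2008:10:00:02 +0000] "GET {PAGE}?link_out=//spam.example/pills HTTP/1.1" 200 512',
    f'203.0.113.9 - - [01/Jan/2008:10:00:03 +0000] "GET {PAGE}?link_out=http://www.ihs.gov@spam.example/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(flag_cloaked_targets(SAMPLE_LOG))   # Counter({'spam.example': 3})
```

Only the second log line passes; the other three are the same spam host written three different ways, which is why the count is keyed by host rather than by raw parameter value.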

It hardly even needs to be mentioned that having such a script readily available on one’s website is, at the least, highly irresponsible, and possibly actionable if someone were dumb enough to interpret the frame wrapper as an endorsement (and, as history teaches us, there’s always someone dumb enough; it also illustrates yet again why frames suck, but that’s another story). Even more so if you keep in mind that, since it’s on a government website, you’re paying for the privilege of allowing spammers to cloak their URLs. And it should be pointed out that the IHS isn’t the only example; until recently the comment spammers around here were using a virtually identical script on the state of Mississippi website.

That’s not to say that governments are the only culprits. Plenty of corporations and other private organizations have similarly exploitable websites, but (a) none, that I can recall, have made their way into my comment box and (b) if one did, I could (and would) refuse to do business with the offending organization. Not so with the government; since I have to pay them anyway, the only thing I can do is bitch about them on the Internet.

(And yes, before anyone asks, I did send an email to the IHS webmaster pointing out the vulnerability and suggesting that it makes his organization look bad to facilitate spammers like this.)
