Monday, October 10, 2005

web: Earthlink bites the hand that feedbacks

SPage's law: the part of every Web site with the most problems is the feedback form for reporting problems.

I get a phishing e-mail from "Processing Support <procsupport@earthlink-encryption.com>" titled "EarthLink Network user data confirmation." It invites me to fully verify my identity at a secure form which is actually a link to http://customers.earthlink-encryption.com:4443/?signature=V3pPcOZpKgxLaYBMV...

I visit Earthlink support and quickly find their Fraud & Abuse Submission form, http://securitycenterkb.earthlink.net/fraudmi.asp?route=email.
The form tells you to copy and paste the source of the e-mail message into a text area, and even gives you instructions on how to view the message source. All good so far.

But when you submit, you get a useless generic error page, http://securitycenterkb.earthlink.net/error/errorMessage500.asp
So I couldn't report fraud using Earthlink's fraud reporting form!

I guessed that there's a bug in the form processing such that it can't handle large amounts of text in this text area. But many phishing scams use big complicated HTML to hide their contents from spam detectors; in this case the text is in table cells separated by rows of white-on-white garbage text.
<table cellpadding="0" cellspacing="0" border="0"><tr><td><span >Dear</span></td></tr>
<tr><td><span style="font-size:78%;color:#FFFFFF;">Pb</span></td></tr></table>
<table cellpadding="0" cellspacing="0" border="0"><tr><td><span > Ear</span></td></tr>
<tr><td><span style="font-size:78%;color:#FFFFFF;">yP</span></td></tr></table>
... etc.
Does the textarea have a reasonable size limit, does the form warn you it has a size limit, does it have a character counter, does it stop accepting text when you exceed that limit, does it warn before submission, and does the server-side script check? No, no, no, no, no, and no.
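An added example, not from the original post, that shows the defender's side of the white-on-white trick quoted above: it splits the text a reader would actually see from the filler that is invisible on a white background, so a filter can score the displayed message rather than the tag-stripped one. The sample HTML is constructed in the style of the quoted fragment, and the white page background is an assumption.

```python
# Added example (not from the post): separate the text a reader sees from
# white-on-white filler. Assumes a white background, so color:#FFFFFF is hidden.
import re
from html.parser import HTMLParser

WHITE_RE = re.compile(r"color\s*:\s*#?(fff|ffffff|white)\b", re.IGNORECASE)


class HiddenTextSplitter(HTMLParser):
    """Routes character data into 'visible' or 'hidden' buckets."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._hidden_depth = 0  # >0 while inside a white-on-white span

    def handle_starttag(self, tag, attrs):
        if tag != "span":
            return
        style = dict(attrs).get("style") or ""
        # spans nested inside a hidden span stay hidden; track the depth
        if self._hidden_depth or WHITE_RE.search(style):
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag == "span" and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if data.strip():  # skip the newlines between table fragments
            (self.hidden if self._hidden_depth else self.visible).append(data)


def split_hidden_text(html):
    """Return (visible_text, hidden_text), whitespace normalised."""
    parser = HiddenTextSplitter()
    parser.feed(html)
    parser.close()
    visible = re.sub(r"\s+", " ", "".join(parser.visible)).strip()
    return visible, "".join(parser.hidden).strip()


def hidden_fraction(html):
    """Share of characters the reader never sees; a cheap scoring signal."""
    visible, hidden = split_hidden_text(html)
    total = len(visible) + len(hidden)
    return len(hidden) / total if total else 0.0


# Constructed sample in the style of the fragment quoted in the post.
SAMPLE = """<table cellpadding="0" cellspacing="0" border="0"><tr><td><span >Dear</span></td></tr>
<tr><td><span style="font-size:78%;color:#FFFFFF;">Pb</span></td></tr></table>
<table cellpadding="0" cellspacing="0" border="0"><tr><td><span > Ear</span></td></tr>
<tr><td><span style="font-size:78%;color:#FFFFFF;">yP</span></td></tr></table>
<table cellpadding="0" cellspacing="0" border="0"><tr><td><span >thLink user,</span></td></tr>
<tr><td><span style="font-size:78%;color:#FFFFFF;">qZ</span></td></tr></table>"""
```

Running split_hidden_text(SAMPLE) gives the greeting the reader sees and the filler string separately; hidden_fraction(SAMPLE) is about 0.23 for this sample.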
