Here’s another spammer-scammer that came this morning from fahad at clickingz dot org:

Dear Caspar Green How are you? I am Fahad Hassen, a php developer from Clearwater working with website security. I am writing to ask whether you are aware that your domain configuration has serious security issues which lets anyone use your email address without your authorization? Just to prove this to you, I can send an email to you from "your email address itself". Do you want me to send an email to you from your mailbox itself, so you can see the problem? I found your website while researching the websites using the wp-e-commerce plugin, as part of a security research to strengthen the plugin's security. I also found that your website's wordpress files are not protected, which means by right clicking and checking the source code of the website, almost anybody can figure out the framework you are using (wordpress), its version, the themes and plugins you are using etc. A competitor or anybody interested in your site can easily duplicate your site since the whole structure of your site is exposed. Further, since wordpress is very prone to hacking and hackers target the open URLs of the system such as wp-admin and wp-login and other common files, your site is always under the risk of attack. To overcome this, you will need to takeaway all the traces of a standard wordpress site, so no attacks/hacking will work on your site. For anybody viewing the "source", all they will see is nice and clean HTML and no traces of wordpress. I am sure you understand the concerns I have raised, and I can fix these for you for a very modest fee if you wish. Please let me know. Thank You and Regards, Fahad Hassen Senior PHP Developer +1 727 474 1044 Clickingz Security Research Lab, Clearwater FL. 33760

So I go to clickingz.org to see what this Fahad’s site looks like. Here it is:

Screenshot of clickingz dot org

Nice!

I don’t guess I’ll actually send this back, but for anyone else whose thinking of taking him up on his offer, I offer the following response:

Dear Mr Hassen:

Thanks for your offer to fix the security issues on my site. Your own site looks real good, by the way, and I particularly like the way you have all the directories on your server root exposed. Free tip for you – if you’re using an Apache server, you can just add a line to the .htaccess file in your root directory that says:  Options -Indexes and that’ll take care of your security issue. It’s a simple one-liner and for a security expert, like yourself, it really would be good to make sure you have this basic measure in place on your own site.

I’m also particularly interested in your offer to harden the security of my exposed wp-e-commerce plugin, since it isn’t installed on my site. And yes, I’m aware that my site exposes that I’m using WordPress. In fact, I wrote a blog post about it just a couple weeks ago that you may be interested in. WordPress is a fairly secure platform. Of course, like any software, it has it’s problems. If you’ve found a specific security issue, however, I’d love to know, and you really should submit a ticket to the folks at WordPress so we can all sleep better at night, knowing it’ll be taken care of in the next patch.

As for your ability to send email that appears to come from my own account, I am aware that it’s pretty easy to spoof an email’s “From:” header. In fact, I’ve spoofed this email’s header so it will appear to come from fahad at clickingz dot org. Can you please tell me more specifically, how you intend to prevent anyone from sending mail using “my email address itself?” Will you also spoof my IP, or will you be bouncing it off a few proxies? I’d just like to know before I commit any money, though I’m sure your fees are, as you say, very modest.

Thanks again for your kind offer. I’ll look forward to hearing from you again soon.

Sincerely,

Caspar