Message boards are not yet dead

Once upon a time on the internet (~10 years ago) message boards were all the rage. In the age of Web 2.0 they were thought to have gone to the place in the ether where old websites go.

Unfortunately for SophosLabs employees, this morning message boards are not yet dead. I say unfortunately because the most invidious part of our job, whether analyzing spam or malware, is exposure to Child Pornography. All the sites involved had URLs conforming to:

/(?:www\.)?[a-z0-9-]{4,20}\.[a-z]{2,3}(?:[\.a-z]{2,3})?\/(?:bbs|wwwboard|forum|webboard)\/messages\/\d{1,6}\.html/i

While analyzing detections of malicious websites, a colleague pointed out five separate websites containing 60 instances of posts enticing readers to various child-porn-related sites. The posts all have a subject referencing ‘lolitas’ and contain other words that would feasibly be on an offensive words list.

The posts contain obfuscated JavaScript that redirects readers to another website.

This attack raises several questions:

  1. Why are the message boards not scanning for offensive posts?
  2. Why do the message boards allow JavaScript?
  3. Why do the message boards allow anyone to post?

SophosLabs have been in contact with the IWF and reported these sites.

Webmasters should ensure that for areas of their websites where public posting is allowed, the user input is screened.
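
One way to screen submissions along these lines, as an added example rather than SophosLabs code: posts carrying script-capable markup or a listed term are held for moderation, and everything is HTML-escaped before storage so it can only render as text. The function name, the reason labels, the sample posts and the placeholder blocklist are assumptions made for illustration.

```python
import html
import re

# Markup that runs script or loads active content when a post is rendered.
ACTIVE_CONTENT = [
    ("script tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("frame, object or meta tag", re.compile(r"<\s*(?:iframe|object|embed|meta)\b", re.I)),
    ("inline event handler", re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)),
    ("script URL scheme", re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)),
]


def screen_post(subject, body, blocked_terms=()):
    """Return (decision, reasons, safe_subject, safe_body) for one submission."""
    # Decode character references first so "&#60;script&#62;" is judged as "<script>".
    text = html.unescape(subject + "\n" + body)
    reasons = [label for label, pattern in ACTIVE_CONTENT if pattern.search(text)]
    # Whole-word match against the site's own word list (case-insensitive).
    words = set(re.findall(r"[a-z0-9']+", text.lower()))
    reasons += ["blocked term: " + t for t in blocked_terms if t.lower() in words]
    decision = "hold" if reasons else "publish"
    # Escape regardless of the decision: stored text must render as text, never markup.
    return decision, reasons, html.escape(subject), html.escape(body)


# Constructed sample submissions (not taken from the reported sites).
SAMPLES = [
    ("Meeting on Friday", "See you at 7 <3"),
    ("Hello", '<script>document.location="http://redirect.example/"</script>'),
    ("Hello", "&#60;ScRiPt src=http://redirect.example/x.js&#62;"),
    ("Hello", '<a href="http://example.test/" onmouseover="go()">pics</a>'),
    ("BlockedTerm1 inside", "plain text"),
]
BLOCKLIST = ("blockedterm1",)  # hypothetical placeholder; the real list is site policy

if __name__ == "__main__":
    for subject, body in SAMPLES:
        decision, reasons, _, safe_body = screen_post(subject, body, BLOCKLIST)
        print(f"{decision:8} {reasons} -> {safe_body}")
```

Pattern matching like this only decides what a moderator sees first; the escaping on output is what stops a redirect script from running in a reader's browser.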