The Joomla! Forum ™



PostPosted: Tue Oct 04, 2005 9:27 am 
Joomla! Apprentice

Joined: Tue Oct 04, 2005 9:02 am
Posts: 9
Hi All,

I have been concerned lately as a lot of spam has been coming through various forms (contact) on my sites. I am also worried about SQL injection.

With the latest release of Joomla are the forms safe?

Secondly, a number of sites are adding "Captcha" images to the forms to stop "bots", though I believe this will cause issues with accessibility/disabilities and hence the regulations!
Another way I have seen is by asking a simple question - such as add 16+4 (more here); the user enters the answer and sends the form. (See it in action HERE)
I wonder if there is a way to add this to our forms to secure them a little better from "bots" and the spammers! :)

Regards,
Dave ;D


Last edited by stingrey on Thu Jan 12, 2006 11:16 pm, edited 1 time in total.

PostPosted: Wed Oct 05, 2005 9:22 am 
Joomla! Apprentice

Joined: Mon Sep 19, 2005 9:06 pm
Posts: 35
Hey,

I am suffering the same - **** poker idiots generally. I have loads of these!

Can anyone suggest how to stop them! Please!
Tried "Captcha" and it does not work!

Thanx


PostPosted: Fri Oct 07, 2005 3:00 pm 
Joomla! Apprentice

Joined: Mon Sep 19, 2005 9:06 pm
Posts: 35
Quote:
I have been concerned lately as a lot of spam has been coming through various forms (contact) on my sites. I am also worried about SQL injection.

With the latest release of Joomla are the forms safe?

Does anyone have any knowledge of this?
Quote:
Another way I have seen is by asking a simple question - such as add 16+4 (more here); the user enters the answer and sends the form. (See it in action HERE)
I wonder if there is a way to add this to our forms to secure them a little better from "bots" and the spammers!

Does anyone know how to do this?
Thanks
Dave


PostPosted: Fri Oct 07, 2005 3:22 pm 
Joomla! Hero

Joined: Fri Aug 19, 2005 2:23 pm
Posts: 2230
Location: The Netherlands
deejayh wrote:
Hey,

I am suffering the same - **** poker idiots generally. I have loads of these!

Can anyone suggest how to stop them! Please!
Tried "Captcha" and it does not work!

Thanx

Captcha did work for me, well.. it excludes most of them. Sometimes something slips through, but most of it stopped.

_________________
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl


PostPosted: Sat Oct 08, 2005 6:08 pm 
Joomla! Apprentice

Joined: Mon Sep 19, 2005 9:06 pm
Posts: 35
Thanks for the reply Websmurf,

I really don't want to go down the route of "captcha" as I have a few members with disabilities, and would prefer to have a simple question.

But I also want to know if the forms are safe!
Thanks,
Dave


PostPosted: Mon Oct 10, 2005 4:44 pm 
Joomla! Champion

Joined: Fri Aug 19, 2005 3:03 pm
Posts: 6046
Location: Indiana, USA
Are you using any of Joomla!'s email cloaking capabilities?

Is there a reason that the email cloaking won't work for you?

_________________
If you're new to Joomla, Please read Anna's Joomla! Tips: viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick


PostPosted: Mon Oct 10, 2005 5:28 pm 
Joomla! Apprentice

Joined: Mon Sep 19, 2005 9:06 pm
Posts: 35
nathandiel,
Quote:
are you using any of joomla!'s email cloaking capabilities?
Yes
Quote:
Is there a reason that the email cloaking won't work for you?

I really do not think this has to do with this.
Basically it hides your email addresses from bots.

This problem lies with a Contact Form - Spoofed Form Submissions, either to hit you with spam (mainly about poker sites!) or to inject other email addresses to send thousands of spam messages through your site! This can be a dire problem as your ISP will close your site down, as it is your responsibility! :-*
Quote:
PROBLEM:
Almost every website has an HTML form for visitors to complete. But how do you know that the person who completed the form did so through your website? That is, how do you make sure that no one has 'spoofed', i.e., 'forged', a form submission?

BACKGROUND INFORMATION: SPOOFING SUBMISSIONS & FORGING REQUESTS

Another site to look at:
securephp.damonkohler.com - Email_Injection
"Captcha" has problems with accessibility!
Really want to know if Joomla forms are ok.
Regards,
Dave
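The spoofed-submission and Email_Injection problem this post points at, shown as an added example (not code from the thread, and not Joomla's com_contact, which is PHP; this is a language-neutral illustration in Python): every form field that lands in a mail header is refused if it carries a line break, raw or URL-encoded, and the header builder takes the recipient from server-side configuration rather than from the form. The field names, the two sample submissions and the owner address are constructed for the example.

```python
import re

# Form fields that end up in mail headers. A single-line header field may
# never contain a line break: a trailing "\r\nBcc: ..." in the sender address
# is exactly how a spammer turns a contact form into an open relay.
HEADER_FIELDS = ("name", "email", "subject")

# Raw or URL-encoded CR/LF (%0d / %0a sometimes reach the mailer undecoded).
CRLF_RE = re.compile(r"\r|\n|%0[aAdD]")

# Header names an injected line typically starts with; only consulted once a
# line break has been found, so it serves as the reason, not the detector.
INJECTED_HEADER_RE = re.compile(r"(?i)(to|cc|bcc|from|reply-to|content-type)\s*:")

# Deliberately strict address syntax: one plain mailbox, no spaces, no angle
# brackets, no comments. A contact form does not need RFC 5322 in full.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def find_header_injection(fields):
    """Return (field, reason) pairs for every header field the mailer must not see."""
    problems = []
    for name in HEADER_FIELDS:
        value = fields.get(name, "")
        if CRLF_RE.search(value):
            problems.append((name, "line break in single-line field"))
            if INJECTED_HEADER_RE.search(value):
                problems.append((name, "embedded mail header"))
    if not ADDRESS_RE.match(fields.get("email", "")):
        problems.append(("email", "not a single plain address"))
    return problems


def render_headers(fields, site_owner):
    """Build the header block for the outgoing mail, refusing tainted input.

    site_owner comes from server-side configuration (assumed value here);
    the form never chooses who receives the message.
    """
    problems = find_header_injection(fields)
    if problems:
        raise ValueError("refusing to send: %r" % (problems,))
    return (
        "To: %s\r\n" % site_owner
        + "From: %s <%s>\r\n" % (fields["name"], fields["email"])
        + "Subject: %s\r\n" % fields["subject"]
    )


# Constructed sample submissions (not real traffic from the thread).
LEGIT = {
    "name": "Jane Smith",
    "email": "jane@example.net",
    "subject": "Question about membership",
    "body": "Hello,\nhow do I join the user group?\n",
}
SPOOFED = {
    "name": "bill",
    "email": "bill@example.com\r\nBcc: victim1@example.org, victim2@example.org",
    "subject": "free online poker",
    "body": "free online poker informs you ...",
}

if __name__ == "__main__":
    print(render_headers(LEGIT, "owner@example.net"))
    print(find_header_injection(SPOOFED))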


PostPosted: Wed Oct 12, 2005 8:27 am 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 12:46 am
Posts: 150
Location: California
What form capabilities? There's the new user sign-up... the article submissions... Don't know how any of these can suffer from an SQL injection. Are you talking about Facile Forms? Or something like Ako Comment?

_________________
Joomla & Mambo News, Downloads...
www.primakoala.com


PostPosted: Wed Oct 12, 2005 9:21 am 
Joomla! Apprentice

Joined: Tue Oct 04, 2005 9:02 am
Posts: 9
I believe the standard "Contact Form" within **ambo and Joomla.

I know that Akocomment and Akobook had similar injection problems and have now been resolved (I think!).

Dave


PostPosted: Mon Oct 24, 2005 4:23 pm 
Joomla! Enthusiast

Joined: Mon Aug 22, 2005 9:44 pm
Posts: 159
There's got to be a way (if it doesn't already) to just check the referrer, I would hope. These poker spammers aren't sitting down and typing these or pasting them in on the site, so even the act of checking to see if it comes from the site should cut down most of that.

If that doesn't work, I was wondering if it would be possible to simply declare a variable in PHP (so hidden from the user) in the template file, and then add a conditional statement to the contact form (again in PHP, so hidden) which checks to make sure the "password" is correct.

_________________
...www.larynandjanel.com...


PostPosted: Mon Oct 24, 2005 5:42 pm 
Joomla! Apprentice

Joined: Mon Sep 19, 2005 9:06 pm
Posts: 35
Hi lpkb,

Thanks for the reply. Sounds good to me to have both of them implemented in the form, especially in the coding of Joomla.

Hopefully someone from the Joomla team can have a look at this and build it in!! :)

Cheers,
Dave


PostPosted: Sat Nov 05, 2005 7:06 am 
Joomla! Apprentice

Joined: Sun Sep 18, 2005 9:09 am
Posts: 32
Location: Australia
I'm desperate for a solution also. These Poker jerks have bombarded my sites with hundreds of these. It is always via Joomla's Contact Component.

In the admin I switched off the option to send a copy of the email hoping that would help. The problem is all these emails come in saying they are a copy of the contact email. Since I have turned off this option these are obviously being automated elsewhere.

The attacks are so bad they have brought my server down 4 times in the last fortnight. Since these attacks started I have also found hundreds of entries in blocks in my router's log files like

[Remote Managed] Src IP=64.242.88.10
[Remote Managed] Src IP=203.166.96.238
[Remote Managed] Src IP=203.166.96.239
[Remote Managed] Src IP=203.166.96.238
[Remote Managed] Src IP=203.166.96.239
[Remote Managed] Src IP=203.166.96.238
[Remote Managed] Src IP=203.166.96.239
[Remote Managed] Src IP=203.166.96.240
[Remote Managed] Src IP=203.166.96.238
[Remote Managed] Src IP=203.166.96.240

I also tried the Captcha solutions offered but couldn't get them to work with my server.

I am now receiving hundreds of returned emails sent to me by my ISP and this is causing the mail filters they run to start blocking my legitimate emails. I'm desperate.


PostPosted: Sat Nov 05, 2005 7:12 am 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 12:46 am
Posts: 150
Location: California
I haven't run into this problem (yet). If you can narrow down that it's coming from the contact component you can always uninstall it and try something like Contact XTD:

http://developer.joomla.org/sf/projects/contacts_xtd

Might hold it off for a while. My guess is the spammers have automated scripts that find sites using the contacts component. So also using a SEF program to redirect the contact component to another URL might help.

_________________
Joomla & Mambo News, Downloads...
www.primakoala.com


Last edited by Matthew Schultz on Sat Nov 05, 2005 7:14 am, edited 1 time in total.

PostPosted: Wed Nov 09, 2005 10:48 am 
Joomla! Apprentice

Joined: Sun Sep 18, 2005 9:09 am
Posts: 32
Location: Australia
Being a core component, there appears to be no way to actually uninstall the contact component other than to physically remove the folder from the server. I did however delete the menu item pointing to this component and created a new menu item pointing to contactxtd instead, which I installed. I also changed the SMTP server to use, set up some spam filters and changed the address that the contact mail goes to, as well as unticking the setting to stop the copy mail box appearing. Trouble is that it has made absolutely no difference. These spam mails replicated these changes immediately, or so damn fast I couldn't notice any quiet spell. The thing is, failed mail returned to me says this is a copy of the mail sent, yet this has been deactivated.

I don't know if this is related but I notice I can now also no longer access my mass mail function on any of my sites, so now I can't even contact my own members while I can't stop this guy contacting people. Very frustrating.  ???

Matthew Schultz wrote:
I haven't run into this problem (yet). If you can narrow down that it's coming from the contact component you can always uninstall it and try something like Contact XTD:

http://developer.joomla.org/sf/projects/contacts_xtd

Might hold it off for a while. My guess is the spammers have automated scripts that find sites using the contacts component. So also using a SEF program to redirect the contact component to another URL might help.


PostPosted: Wed Nov 09, 2005 1:41 pm 
Joomla! Apprentice

Joined: Mon Sep 19, 2005 9:06 pm
Posts: 35
ausmug
I did similar to you, though not as thorough! I changed the address the contact email goes to, to see what would happen - same!
What really bugs me is all the bounced failed messages coming back to me! I still need the failure messages to check on the users registering (it still amazes me how many cannot correctly spell their own email address! Though some could be the same idiots trying the system out!). I get on average 50 plus per day; apart from 2 or 3 the rest are spam. So each day I get around 48 spam and 48 corresponding email failures! Here are some email addresses:
bill@texas-holdem.fr
????(various)@poker.net
pokermain@[spam].fr
info@acroduke.fr
mike@acroduke.org
pokermain@freeonlinepoker.de
webmaster@freeonlinepoker.ec forex trading
I wonder if we could change the contact form to check for the name "Poker" (or for other certain words), which will refuse to send it?

I have set up a 400 error system that logs the errors and sends the email to me. Apart from normal errors there are a number of these:
  • http://www......com/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0
  • http://www......com/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0

Will have to keep at it! :)
Cheers,
Dave


PostPosted: Wed Nov 09, 2005 6:00 pm 
Joomla! Enthusiast

Joined: Mon Aug 22, 2005 9:44 pm
Posts: 159
Is there a way to use JavaScript to encode a "password" variable in the component, maybe in the same vein as how it encodes email addresses with the cloaking bot, so the crawlers can't access it?

Then it would check for the password before sending the emails - so that no one without JavaScript enabled can send?

_________________
...www.larynandjanel.com...
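The hidden-value check proposed in this post and in the earlier one about a PHP "password" variable in the template, as an added example that is not from the thread or from Joomla: the value placed in the hidden input is an HMAC over a server-side secret, the form id, the client address and the time the form was served, so it changes per request, expires, is useless when replayed from another address, and marks submissions that come back faster than a person can type. FORM_SECRET, the form id "contact", the addresses and the MIN_AGE/MAX_AGE limits are all assumed values.

```python
import hashlib
import hmac
import time

# Assumed server-side secret; generate it once and keep it out of the web
# root (hypothetical value for the example).
FORM_SECRET = b"replace-with-a-long-random-secret"

# A form submitted less than MIN_AGE seconds after it was served is treated
# as automated; one older than MAX_AGE seconds is stale.
MIN_AGE = 3
MAX_AGE = 15 * 60


def _mac(secret, form_id, client_ip, issued):
    """HMAC-SHA256 over everything the token is bound to."""
    msg = "%s|%s|%d" % (form_id, client_ip, issued)
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def issue_token(secret, form_id, client_ip, now=None):
    """Value to place in a hidden input when the form page is rendered."""
    issued = int(time.time()) if now is None else int(now)
    return "%d:%s" % (issued, _mac(secret, form_id, client_ip, issued))


def verify_token(secret, form_id, client_ip, token, now=None):
    """True only for a token this server issued for this form and client,
    submitted neither suspiciously fast nor after it expired."""
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False
    current = int(time.time()) if now is None else int(now)
    age = current - issued
    if age < MIN_AGE or age > MAX_AGE:
        return False
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(_mac(secret, form_id, client_ip, issued), mac)


if __name__ == "__main__":
    # Constructed round trip: serve the form at t=1000, submit at t=1010.
    token = issue_token(FORM_SECRET, "contact", "203.0.113.5", now=1000)
    print(token)
    print(verify_token(FORM_SECRET, "contact", "203.0.113.5", token, now=1010))
```

The timestamp rides along in clear text; the MAC is what proves the server issued it, and the age window is what makes a harvested token worthless after a quarter of an hour. Nothing is stored server-side, so the check costs one HMAC per submission.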


PostPosted: Wed Nov 09, 2005 7:24 pm 
Joomla! Enthusiast

Joined: Mon Aug 22, 2005 9:44 pm
Posts: 159
another thing to consider:

When I set my sites up, I upload Joomla! code with FTP. This (due to the way my host works) results in differing user/group identities between items created inside Joomla! (e.g. installed components, files created in MamboXplorer, etc.) and the core files.

In order to make some of these things work (e.g. contact component) I was forced to set the executable bit.

I am trying an experiment in which I renamed the com_contact folder through my FTP, then recreated it and all the files in it through MamboXplorer (creating the directory, then creating all 4 files and cutting/pasting into them).

This allows me not to have the executable bit set and still have it function on the website.

I'm hoping my contact spam will decrease because of this. Does this sound feasible or am I barking up the wrong tree?

l.

_________________
...www.larynandjanel.com...


PostPosted: Sat Nov 12, 2005 3:27 pm 
Joomla! Apprentice

Joined: Mon Sep 19, 2005 9:06 pm
Posts: 35
Right, after loads of investigation I have found the culprit.

Originally, on a ***bo 4.something version, I added a recommend component from Sakic.
About a year ago I de-installed it after numerous upgrades. But after digging through a load of spam over the last few months I found in many of the emails that were bounced back the following:
Quote:
free online poker informs you - or even tells you:
free online poker It was Talavera-plasencia-oliver, my disserui and sabec rock-crystal, and my lodgers, after the fashion of the seven-fifteen states ; for he stoop\'d only about a hundred and seventy miles from me. But
---------------------------------------------
Recommend Mambo Component (http://www.sakic.net)


I have now FTP'd in and removed it!! Stopped most (80%) of the spam straight away!

I have now been checking my site and removing by FTP any old stuff which actually does not get removed when you de-install in the backend!

Feels good already! :)
Cheers,
Dave


PostPosted: Sat Nov 12, 2005 3:35 pm 
Joomla! Apprentice

Joined: Mon Sep 19, 2005 9:06 pm
Posts: 35
Spoke a little too soon!! - Still getting loads through the contact form in joomla - same as before:
Quote:


Is there any way in the contact form to NOT process the form if certain words (such as POKER or ACRODUKE) are entered anywhere on the form?
Please help
Thanks,
Dave


PostPosted: Sat Nov 12, 2005 4:01 pm 
Joomla! Apprentice

Joined: Sun Sep 18, 2005 9:09 am
Posts: 32
Location: Australia
Since it is a core component causing this problem, I wonder if it's possible for someone from the development team or some other experienced member to chime in with some suggestions. It is exactly the same scumbag causing all of us this grief, so there's got to be some way to stop him. ???


PostPosted: Sat Nov 12, 2005 5:37 pm 
Joomla! Apprentice

Joined: Mon Sep 19, 2005 9:06 pm
Posts: 35
spot on ausmug! "scumbag".

Hopefully someone from the dev team can help us add some sort of option in the backend to exclude various words such as "POKER".

Can anyone help??

Regards,
Dave


PostPosted: Mon Nov 21, 2005 5:30 am 
Joomla! Apprentice

Joined: Sun Sep 18, 2005 9:09 am
Posts: 32
Location: Australia
I'm just bumping this issue.

I am receiving nearly a hundred email failure return notices per day from my ISP for spam emails this Poker jerk is sending through my Joomla contact form. I've been busy recommending Joomla to all the other Australian Mac User Groups for their sites, having used Mambo and then Joomla for over 2 years. However, if there is no solution for this problem I'm going to have to reconsider recommending it until this issue is addressed.


PostPosted: Mon Nov 21, 2005 7:49 am 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 12:46 am
Posts: 150
Location: California
There's no way to stop this even by using a different mailer for Joomla, is there? I mean if you tell Joomla to use sendmail or SMTP instead of the PHP mailer, I figure you can tell the server to filter the outgoing mail (say only allow the mail to go to the email address in the contact list, so at least you're the only one getting spammed). Or is the hack just making Joomla an open relay?

_________________
Joomla & Mambo News, Downloads...
www.primakoala.com


Last edited by Matthew Schultz on Mon Nov 21, 2005 7:51 am, edited 1 time in total.

PostPosted: Mon Nov 21, 2005 9:26 am 
Joomla! Apprentice

Joined: Sun Sep 18, 2005 9:09 am
Posts: 32
Location: Australia
I have Joomla set to use SMTP pointing to my local mail server's SMTP address, which authenticates that the sending IP is on my network. All mail is then passed on to my ISP's SMTP server, but all the returned copies of emails sent by the spammer say "using PHP Mailer" in the headers. I've swapped from the default contact to Contact XTD, turned off the copy mail function and even hidden the form interface, just showing a single email address that is hidden by the anti-spam bot. I've done everything possible, yet this guy uses my server with total freedom.

I've been developing sites since '93 and have been running my own servers with nearly a dozen sites since around 2000, all without any problems with spammers, yet this Joomla install seems to be totally open to abuse. I just want Joomla to stop being the weak point in my network's security.


PostPosted: Mon Nov 21, 2005 2:09 pm 
Joomla! Explorer

Joined: Mon Sep 05, 2005 3:50 pm
Posts: 251
Just looking briefly at com_contact, there are a number of issues with it. I've removed the files from my Mambo installations (I'm planning on upgrading to Joomla! in December) because I don't use it, and I can't have people sending random email from my system.

Here are the changes I'd suggest to com_contact (and if I wasn't swamped this month, I'd make them myself)

The "email myself" option needs to be checked when it's time to send email. Just relying on the value being returned correctly is dangerous (never, never trust data coming from the user). This is a nice door for spammers to send emails to whomever they want using your machine.
I think IP addresses should be logged and users not allowed to send email more than a few times every five minutes (perhaps that would be a configurable option).
We could think of implementing something like WP-Hashcash to ensure that the user is a real user (though that may be overkill).

I'm sure others would have some good ideas too.
If the spammer is coming from just a couple IP addresses, you could block them with .htaccess from your entire site. I'd suggest removing the com_contact folder if you don't need it.
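The two server-side changes this post suggests for com_contact (decide the "email myself" copy from the stored setting rather than trusting the POSTed value, and allow only a few sends per IP every five minutes), as an added example that is not Joomla's code: ContactGate keeps a sliding window of accepted sends per client address, and resolve_recipients takes the recipient from the stored contact record, with a copy to the submitter only when that record permits it. The record fields, addresses, limits and the sample burst are assumed values.

```python
from collections import defaultdict, deque


class ContactGate:
    """Server-side decisions for a contact form: who gets mail, and how often."""

    def __init__(self, max_sends=3, window_seconds=300):
        self.max_sends = max_sends
        self.window = window_seconds
        # client address -> timestamps of its recent accepted sends
        self._sends = defaultdict(deque)

    def allow(self, client_ip, now):
        """Sliding-window limit: at most max_sends per window per address."""
        recent = self._sends[client_ip]
        # Drop sends that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_sends:
            return False
        recent.append(now)
        return True


def resolve_recipients(contact_record, submission):
    """Recipients come from the stored contact record, never from the form.

    contact_record is what the site administrator configured (assumed shape:
    {"email_to": "...", "allow_copy": bool}); submission is the POSTed form.
    A copy to the submitter is only possible when the stored setting allows
    it, whatever the POST claims, because that copy goes to whichever address
    the submitter typed in.
    """
    recipients = [contact_record["email_to"]]
    if contact_record.get("allow_copy") and submission.get("copy") == "1":
        recipients.append(submission["email"])
    return recipients


if __name__ == "__main__":
    # Constructed example traffic: one address bursts, another behaves.
    gate = ContactGate()
    for t in (0, 10, 20, 30, 301):
        print("203.0.113.5 at", t, "->", gate.allow("203.0.113.5", t))
    print("198.51.100.7 at 30 ->", gate.allow("198.51.100.7", 30))
    record = {"email_to": "owner@example.net", "allow_copy": False}
    print(resolve_recipients(record, {"email": "victim@example.org", "copy": "1"}))
```

The limiter here lives in process memory; behind several PHP workers or web nodes the same window would need a shared store, and the address should be the real client address, not a proxy's.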


PostPosted: Mon Nov 21, 2005 4:22 pm 
Joomla! Apprentice

Joined: Mon Sep 19, 2005 9:06 pm
Posts: 35
Can we add something to the form that will refuse to send it if various "banned" words are used - ie: if POKER was typed in by someone the form would be refused?

Can some developer have a look at this for us please? I am hearing more and more people complaining about Joomla forms being suspect. I have had my host warn me, so I have had to take any sort of contact form down!

Help!!
Dave


PostPosted: Mon Nov 21, 2005 4:36 pm 
Joomla! Explorer

Joined: Mon Sep 05, 2005 3:50 pm
Posts: 251
That would be possible, but would probably not provide as much protection as you'd like. If you've watched the ever-changing nature of spam, you'll notice that as soon as people try to look at specific words (like Poker) you'll get people being creative (P0ker or P*o*k*e*r); the possibilities seem to be endless.


PostPosted: Wed Nov 30, 2005 12:54 pm 
Joomla! Apprentice

Joined: Wed Nov 30, 2005 12:53 pm
Posts: 7
Anybody with ideas? I need a solution fast, because my provider wants to take my site offline!


PostPosted: Wed Nov 30, 2005 1:26 pm 
Joomla! Ace

Joined: Wed Aug 17, 2005 11:03 pm
Posts: 1388
Location: San Jose, California
Going to look into this...

_________________
Joomla Platform Maintainer
A hacker does for love what others would not do for money.


PostPosted: Wed Nov 30, 2005 1:28 pm 
Joomla! Apprentice

Joined: Wed Nov 30, 2005 12:53 pm
Posts: 7
Thanks,

Hope you can come up with something good. I'm in deep sh*t.

I have to add that my problem is with the sendenquiry form from Hot Property. But maybe I can just copy/paste the Contact Form solution to the HP form...


Powered by phpBB® Forum Software © phpBB Group