SPAM attack targeted to contact component

sozzled
Joomla! Exemplar
Posts: 9885
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Suggestion for SPAM attack targeted to contact component

Post by sozzled » Wed Jun 24, 2020 8:32 pm

FastPat27 wrote:
Wed Jun 24, 2020 6:06 pm
Is the ["invisible CAPTCHA" plugin] still a great part of a Joomla website?
Leaving aside the debate about alternatives to CAPTCHA as a mechanism to safeguard against abuses by using the Contacts component, the answer to your question is yes. The "invisible CAPTCHA" plugin is known by its formal name, CAPTCHA - Invisible reCAPTCHA, and it is disabled by default.

The other advice I would offer is
sozzled wrote:
Thu Apr 26, 2018 7:39 am
I think that the more experienced among us are aware of the risks in running a website with a contact form that is publicly accessible. While I'm not going to debate the usefulness of contact forms—they can be useful in the right circumstances—there is a caveat: it's up to the site owner to determine if people—including 'bots—need to be properly credentialled before using (or abusing) the feature.

These unauthorised abuses of contacts are not limited to com_contact; foreign-based hackers also probe Joomla websites for the presence of com_b2jcontact and com_foxcontact (among others) for ways to exploit spam.

Where it is absolutely essential to use a contact form, I restrict access to the contact form and contact information to registered users; this approach mitigates the level of spam mail significantly. Most of the time the contact feature is a waste of time, but that's just my personal opinion.
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

FastPat27
Joomla! Apprentice
Posts: 46
Joined: Mon Oct 01, 2012 2:46 am
Location: UK

Re: SPAM attack targeted to contact component

Post by FastPat27 » Wed Jun 24, 2020 9:54 pm

Thanks Per

I'll check out the extension soon but looks good.

Do I still need to disable "Send Me a Copy" if the contact component is disabled? Not a difficult thing to do but just another tick box in the security checklist.

sozzled
Joomla! Exemplar
Posts: 9885
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: SPAM attack targeted to contact component

Post by sozzled » Wed Jun 24, 2020 9:58 pm

FastPat27 wrote:
Wed Jun 24, 2020 9:54 pm
Do I still need to disable "Send Me a Copy" if the contact component is disabled? Not a difficult thing to do but just another tick box in the security checklist.
You don't necessarily need to disable this feature but, by the same token, the feature is often used by spam merchants to flood your email with junk when they hijack the contacts component for their own purposes. ;)

Knowing that "send me a copy" is often used to send spam email, it's your choice whether you keep this feature intact or disable it. :)

brian
Joomla! Master
Posts: 11978
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: SPAM attack targeted to contact component

Post by brian » Wed Jun 24, 2020 10:33 pm

If the component is disabled then that's enough, as the "send me a copy" option is part of the component.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

FastPat27
Joomla! Apprentice
Posts: 46
Joined: Mon Oct 01, 2012 2:46 am
Location: UK

Re: SPAM attack targeted to contact component

Post by FastPat27 » Wed Jun 24, 2020 10:49 pm

brian wrote:
Wed Jun 24, 2020 10:33 pm
If the component is disabled then thats enough as the "send me a copy" option is part of the component
Thank you Brian, I was thinking that but wasn't sure.

dattard
Joomla! Ace
Posts: 1035
Joined: Tue Apr 11, 2006 7:29 pm

Re: SPAM attack targeted to contact component

Post by dattard » Sun Jul 26, 2020 12:54 pm

I'm going to have to raise this thread from the dead, in the hope that this gets more priority.

There is an open-and-closed issue about this on the Joomla GitHub here: https://github.com/joomla/joomla-cms/issues/20865

I'd like to make the point once again, that if a standard component has a way that can be abused to send SPAM (not to the owner of the site via the contact form, but to 3rd parties), then this is an exploit that needs to be closed at Joomla level.

This is irrespective of whether you enable ReCaptcha or not - by enabling ReCaptcha, I'm simply making it more difficult for bots to access the site, rather than closing this exploit.

As I understand it, if I know the URL I need to target, then the site will keep getting exploited and the only fix is to disable the Joomla contact page and install a different contact form extension.

If that isn't an exploit, I don't know what is.

EDIT: One of my Joomla sites was hit by this and I couldn't figure out why, because the site wasn't compromised, so I had to dig quite deeply to uncover this.
https://www.collectiveray.com - We make Joomla and WordPress Easy: Tutorials, Tips and Tricks, Lots of Free Modules incl. Easy Paypal, Popin Window, Random Flash, Google AdSense, Slide Menu (dropdown), 2CO / Paypal payment, [youtube] module, and more!
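The post above describes the practical problem: the site is not compromised, the contact form behaves normally, and the only trace of the abuse is in the web server access log. The script below is an added example for this thread (it is not Joomla's code or any poster's) that flags IPs which POST to com_contact in bursts. The log lines in SAMPLE_LOG are constructed, and the request path used to recognise the contact form (a POST whose query string contains `option=com_contact`) is an assumption; adjust it if the site uses SEF URLs that hide the query string.

```python
"""Spot bursts of POSTs to the Joomla contact component in an access log.
Added example for this thread, not Joomla's or any poster's code; the lines
in SAMPLE_LOG are constructed, not taken from a real site."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format; only the fields needed below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one human submission from 203.0.113.7, one junk line,
# then six submissions in six seconds from 198.51.100.9.  Note the server
# answers every submission the same way (303), so status codes tell you
# nothing; the submission rate per IP is the signal.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jul/2020:12:01:05 +0000] "GET /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jul/2020:12:01:40 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
not a log line at all
198.51.100.9 - - [26/Jul/2020:12:02:00 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "python-requests/2.24"
198.51.100.9 - - [26/Jul/2020:12:02:01 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "python-requests/2.24"
198.51.100.9 - - [26/Jul/2020:12:02:02 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "python-requests/2.24"
198.51.100.9 - - [26/Jul/2020:12:02:03 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "python-requests/2.24"
198.51.100.9 - - [26/Jul/2020:12:02:04 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "python-requests/2.24"
198.51.100.9 - - [26/Jul/2020:12:02:05 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "python-requests/2.24"
"""


def parse(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_contact_post(rec):
    # Assumption: the form posts back to a non-SEF URL carrying the option name.
    return rec["method"] == "POST" and "option=com_contact" in rec["path"]


def find_bursts(lines, window_s=60, threshold=5):
    """Return {ip: peak count of contact-form POSTs inside any window_s-second
    window} for IPs whose peak reaches threshold.  Lines are assumed to be in
    chronological order, as a rotated access log normally is."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or not is_contact_post(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the sliding window.
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} contact-form POSTs within 60s")
```

Run it against a real log with `find_bursts(open("access.log"))`; a genuine visitor rarely submits the same form more than once or twice a minute, so a threshold of five is conservative. The flagged IPs are candidates for a firewall rule, and the timestamps tell you which outbound mail to look for in the mail log.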

Per Yngve Berg
Joomla! Master
Posts: 27314
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: SPAM attack targeted to contact component

Post by Per Yngve Berg » Sun Jul 26, 2020 1:32 pm

Make sure these two options are set correctly.

Send Copy to Submitter=Off
Session Check=Yes

BobShawAU
Joomla! Fledgling
Posts: 1
Joined: Wed Sep 23, 2020 1:59 am

Re: SPAM attack targeted to contact component

Post by BobShawAU » Wed Sep 23, 2020 2:12 am

I just discovered that a registered user can create a Contact even if they are not activated. They can then use this contact to send spam. This seems like a big security hole. If you are using a contact form that has CAPTCHA then they can bypass that. I just disabled the plugin "User - Contact Creator", which creates a new contact every time a user is created.

The other thing is to ensure you are using V3 of Captcha. A robot can do V2. The old Captcha recaptcha plugin seems obsolete. I replaced it with "Captcha - Custom reCaptcha"

I have a bug in my installation that does not show Contacts in the Components menu. I am hoping to fix that in the next update. bob

sozzled
Joomla! Exemplar
Posts: 9885
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: SPAM attack targeted to contact component

Post by sozzled » Wed Sep 23, 2020 9:32 am

BobShawAU wrote:
Wed Sep 23, 2020 2:12 am
I have bug in my installation that does not show Contacts in the Components menu. I am hoping to fix that in the next update.
A little off-topic, perhaps, but see here for the solution: viewtopic.php?f=708&t=982115#p3614377