Page 1 of 2

SPAM attack targeted to contact component

Posted: Sat Jan 27, 2018 5:16 am
by wnedoe
Joomla 3.8.3 new setup latest all components current version.
#################################################


Since yesterday I see massive attacks of the contact component

Chinese servers are trying to post spam (without success), but I get hundreds of mail delivery errors


I have unpublished/deleted the contacts.
no improvement

I disabled the "send copy to sender" option - no improvement

Apache log still showed successful posts with status 303

Now I have unpublished the complete contact component.
Now I only see 404s


Can it be that the contact component has some kind of vulnerability?

one of hundreds of similar messages

###########################
This is a copy of the following message, which was sent to Contact Name Here via *************:

This is a mail enquiry via https://www.************.info/ from:
左隗熊 <1325756028@qq.com>

Sun City: register today and receive 28 yuan in cash: hxxp://www.xxxxxxxx.com/?
Fishing Master leaderboard, rewards every week, rebates every month, win up to 88,888 yuan; from 1 yuan upwards enjoy up to 2.0% cashback with no cap.
------------------------------------------
Hello! Because "illegal counterfeit websites" have recently been hijacking our company's web address, please make sure you use the official [Sun City Group] domain; we apologise for any inconvenience. If you would like to learn about other exciting promotions, please add the Sun City Group bonus specialist on QQ: 414996884 to enquire about an account-opening bonus.



#####################

Apache logs (thousands from different IP addresses)

Before unpublishing the contact component:

2018-01-27 04:32:35 Error 59.34.201.204 404 GET /component/contact/contact/1 HTTP/1.0 https://www.++++++++++.info/component/contact/contact/1 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2) 3.49 K Apache SSL/TLS access
2018-01-27 04:32:35 Access 59.34.201.204 303 POST /component/contact/contact/1 HTTP/1.0 https://www.+++++++++++++++++.info/component/contact/contact/1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) 665 Apache SSL/TLS access

After unpublishing the contact component

2018-01-27 04:47:54 Error 113.86.222.7 404 GET /component/contact/contact/1 HTTP/1.0 https://www.+++++++++++.info/component/contact/contact/1 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2) 3.49 K Apache SSL/TLS access
2018-01-27 04:47:54 Error 59.53.227.161 404 POST /component/contact/contact/1 HTTP/1.0 https://www.++++++++++.info/component/contact/contact/1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) 3.40 K Apache SSL/TLS access
2018-01-27 04:47:55 Error 113.86.222.7 404 POST /component/contact/contact/1 HTTP/1.0
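
As an added illustration (not code from this thread or from Joomla itself), here is a small Python script that flags com_contact submissions in access logs like the ones quoted above. It understands the hosting-panel line format quoted above and the standard Apache combined format, and it recognises both the SEF spelling `/component/contact/contact/<id>` (with or without a trailing alias such as `1abc`) and the non-SEF spelling `index.php?option=com_contact&view=contact&id=<id>`. The sample lines are constructed from the quotes in this thread, with the masked domain replaced by the placeholder `www.example.invalid`; treating a missing `view` parameter as the contact view is an assumption of the example.

```python
"""Added example: spot com_contact POST floods in web-server access logs.

Handles two URL spellings of the same contact page (SEF route and non-SEF
query string) and two log line formats (hosting-panel style and Apache
combined).  Sample lines are constructed from the thread; the domain is a
placeholder.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Hosting-panel style line (as quoted in the first post):
#   date time level ip status method path protocol referer user-agent ...
PANEL_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<level>\S+) (?P<ip>\S+) '
    r'(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<path>\S+)'
)
# Apache combined format:  ip - - [timestamp] "METHOD path HTTP/x" status ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# SEF route, optionally prefixed with /index.php; the numeric id may be
# followed by an alias (the thread notes "1*" still resolves), so only the
# leading digits matter.
SEF_RE = re.compile(r'^(?:/index\.php)?/component/contact/contact/(\d+)')


def contact_id(path):
    """Return the contact id if `path` addresses a com_contact contact page,
    otherwise None.  Both SEF and non-SEF spellings are recognised."""
    parts = urlsplit(path)
    m = SEF_RE.match(parts.path)
    if m:
        return int(m.group(1))
    qs = parse_qs(parts.query)
    # Assumption: a com_contact request without an explicit view is the
    # contact view (matches the non-SEF example given later in the thread).
    if qs.get('option') == ['com_contact'] and qs.get('view', ['contact']) == ['contact']:
        ids = qs.get('id')
        if ids and ids[0].isdigit():
            return int(ids[0])
    return None


def parse_line(line):
    """Extract ip, method, path and status from either supported format."""
    for rx in (PANEL_RE, COMBINED_RE):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return {'ip': d['ip'], 'method': d['method'],
                    'path': d['path'], 'status': int(d['status'])}
    return None


def analyse(lines):
    """Summarise com_contact traffic: POSTs per client IP, (method, status)
    counts, and how many POSTs were answered with 200/303.  A 303 is the
    redirect Joomla issues after processing a submission, so it shows the
    form was reachable; a 404 does not prove nothing was mailed."""
    posts_by_ip = Counter()
    status_by_method = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or contact_id(rec['path']) is None:
            continue  # unparseable or unrelated to com_contact
        status_by_method[(rec['method'], rec['status'])] += 1
        if rec['method'] == 'POST':
            posts_by_ip[rec['ip']] += 1
    accepted = sum(n for (m, s), n in status_by_method.items()
                   if m == 'POST' and s in (200, 303))
    return {'posts_by_ip': posts_by_ip,
            'status_by_method': status_by_method,
            'accepted_posts': accepted}


# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_LOG = [
    # before unpublishing: the GET 404s, but the POST is processed (303)
    "2018-01-27 04:32:35 Error 59.34.201.204 404 GET /component/contact/contact/1 HTTP/1.0 https://www.example.invalid/component/contact/contact/1 Mozilla/5.0 3.49 K Apache SSL/TLS access",
    "2018-01-27 04:32:35 Access 59.34.201.204 303 POST /component/contact/contact/1 HTTP/1.0 https://www.example.invalid/component/contact/contact/1 Mozilla/5.0 665 Apache SSL/TLS access",
    # after unpublishing the component: POSTs now 404
    "2018-01-27 04:47:54 Error 59.53.227.161 404 POST /component/contact/contact/1 HTTP/1.0 https://www.example.invalid/component/contact/contact/1 Mozilla/5.0 3.40 K Apache SSL/TLS access",
    # non-SEF spelling of the same page, Apache combined format
    '196.19.11.6 - - [15/Sep/2018:15:38:28 +0200] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 404 1748 "-" "Mozilla/5.0"',
    # unrelated request, must be ignored
    '203.0.113.9 - - [15/Sep/2018:15:38:29 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    summary = analyse(SAMPLE_LOG)
    print('POSTs per IP:', dict(summary['posts_by_ip']))
    print('(method, status) counts:', dict(summary['status_by_method']))
    print('POSTs answered with 200/303:', summary['accepted_posts'])
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines. The count of POSTs per IP, regardless of status, is the figure to watch alongside the mail queue: the thread later shows a POST answered with 404 that still produced mail, so status alone is not proof that a submission was dropped.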

Re: SPAM attack targeted to contact component

Posted: Sat Jan 27, 2018 10:29 am
by fcoulter
It is not a vulnerability, just spam, unfortunately something that every site has to deal with at some point.

Try enabling recaptcha, you will need to get a key from Google, put it in the joomla recaptcha plugin, and enable it. Then select recaptcha as the default for your site in the global configuration.

If you don't need the contact form then disabling it as you have done is a good idea.

If you want to block them then you can use an extension such as admin tools pro which allows for geographical blocking.

Re: SPAM attack targeted to contact component

Posted: Sat Jan 27, 2018 12:33 pm
by wnedoe
Hi fcoulter

I have (now) enabled reCAPTCHA with the site and secret keys; it is the default method. I had first unpublished and then deleted the contacts, and even before that there were no links to the orphan contacts.

The spambot just posted to .../contact/contact/1, and even though there were no existing contacts (!!) anymore, Joomla accepted the post.

Now it seems that after half a day of only 404 responses the bot gave up.
I still get old mail delivery errors.

Re: SPAM attack targeted to contact component

Posted: Sat Jan 27, 2018 12:52 pm
by fcoulter
To clarify, are you discussing the Joomla core contact component? And are you saying that the spammers were able to submit contact records to your site?

If that is the case then it sounds like an issue with your site permissions. By default guest and registered users should not be able to submit contacts. You need to check the permissions for the contact component: go to Components -> Contacts, click the Options button, then the Permissions tab. The permissions for the guest and registered groups should be set to 'Not Allowed'.

Re: SPAM attack targeted to contact component

Posted: Sat Jan 27, 2018 2:14 pm
by wnedoe
1.) Yes, I speak about the core component.
2.) No. They just post spam to the component (in order to get the "copy to myself" delivered to their recipient), which bounces back to me as admin. 2,500 mails so far.

It continued even after I deleted all the (old, existing) contacts that were on the system. They continued to POST.

Only unpublishing the component did help.

In my understanding it should not be possible to POST to contacts when there are ZERO contacts on the system.

regards
alex

Re: SPAM attack targeted to contact component

Posted: Sat Jan 27, 2018 2:30 pm
by fcoulter
If there are no contacts on the system, the component just uses the default email address for the site, as you have discovered. I think that if that were changed it would break the contact form for sites where they didn't create a contact but want to have the form; there would suddenly be a lot of complaints along the lines of 'contact form not working', so it is unlikely to change.

So yes either disable the component or use recaptcha. I think that the undelivered mail messages are likely to continue for a few days, until they fail with a permanent error.

I understand your annoyance, it is a nuisance when it happens.

Re: SPAM attack targeted to contact component

Posted: Sat Feb 03, 2018 5:20 am
by ozfiddler
I've just had a similar issue recently. I used the team at MyJoomla.com to help me sort it out as I really had no idea what was going on. I had a single contact on the site, but no contact form showing. Enabling RECAPTCHA has now stopped the emails.

I was told they'd already had five similar jobs that night, so it was obviously an attack targeting that component.

Re: SPAM attack targeted to contact component

Posted: Sat Feb 03, 2018 8:04 am
by wnedoe
It is now fixed since I deactivated the contact component, but I had 15,700 emails in the mail queue!
So my tip: don't wait until the mails stop coming, just delete the mail queue.

Re: SPAM attack targeted to contact component

Posted: Thu Apr 26, 2018 6:59 am
by PaulGee
Joomla 3.8.6 with latest up-to-date extensions
----------------------------------------------------------

For general information, I had a similar issue to wnedoe occur a few days ago over the weekend.
The mass spam attack was from Chinese servers abusing the Joomla core component com_contact.
In my instance there was NO FORM on the website. There was, however, a contact in the contacts.

I stopped the attack by disabling the com_contact component.

** Please note that my Joomla installation is intact and has not been compromised.

I was surprised by this attack as I thought at the time (I know better now) that a front facing form was required to instigate this form of attack.

I will now have to go through all my Joomla installations to disable com_contact to ensure that the other installations are not attacked in a similar manner.

As a side note, blocking IPs is not a proper solution to the issue ... it is only good for initially stopping the current attack vector.
Similarly geo-blocking is not that effective either as these spammers use geo-locations all over the world including USA, UK and Australia to instigate attacks.


It would be worthwhile for the Joomla development team to look at this issue of how these spam attacks are generated via the com_contact component without having a form present on a website to see whether anything could be done about this (as com_contact is enabled by default in Joomla installations).


What this type of attack means, is that many high profile Joomla installations are unknowingly susceptible to this form of attack.
Maybe a warning to all regarding the potential issue would be a good idea, so that individual developers can make a proper decision as to whether they should leave the com_contact component enabled or not.

Re: SPAM attack targeted to contact component

Posted: Thu Apr 26, 2018 7:39 am
by sozzled
@PaulGee: Many thanks for your story. I hope that novice readers using this forum appreciate some of the lessons of operating websites with unfettered access to any contact extension (whether it's the Joomla com_contact component or a third-party one).
PaulGee wrote:It would be worthwhile for the Joomla development team to look at this issue of how these spam attacks are generated via the com_contact component without having a form present on a website to see whether anything could be done about this (as com_contact is enabled by default in Joomla installations).
In one sense, it's true that the com_contact component is enabled by default on new Joomla installations but enablement of the component (of and by itself) is not the issue. Issues of misuse of the feature may arise when people add contacts; there's definitely more potential for misuse if the form is accessible by anyone.
PaulGee wrote:What this type of attack means, is that many high profile Joomla installations are unknowingly susceptible to this form of attack.
Hmmm ... I think that the more experienced among us are aware of the risks in running a website with a contact form that is publicly accessible. While I'm not going to debate the usefulness of contact forms—they can be useful in the right circumstances—there is a caveat: it's up to the site owner to determine if people—including 'bots—need to be properly credentialled before using (or abusing) the feature.

These unauthorised abuses of contacts are not limited to com_contact; foreign-based hackers also probe Joomla websites for the presence of com_b2jcontact and com_foxcontact (among others) for ways to exploit spam.

Where it is absolutely essential to use contact form, I restrict access to the contact form and contact information to registered users; this approach mitigates the level of spam mail significantly. Most of the time the contact feature is a waste of time but that's just my personal opinion.

Re: SPAM attack targeted to contact component

Posted: Thu Apr 26, 2018 10:13 am
by brian
(can you please stop referring to foreign-based hackers - it's discriminatory and offensive)

Re: SPAM attack targeted to contact component

Posted: Thu Apr 26, 2018 11:04 am
by sozzled
brian wrote:(can you please stop referring to foreign-based hackers - it's discriminatory and offensive)
The OP identified the source of the spam attacks as foreign-based; @PaulGee also experienced the source of spam email originating from foreign-based sources. I don't understand your outrage—real or confected—over "foreign-based hackers" as discriminatory or offensive terminology. If it's offensive to you, Brian, then take a passage from your own script (when you recently criticised my comments about J! 1.5): you can also ignore posts involving content that you find disagreeable. OK? :pop

From my own experience, less than 1% of all spam mail that I've received from the use of the contact form has originated within coo-ee of the Australian continent. If that's not "foreign-based" then I don't know how better one could describe it.

Perhaps "offshore hacking" would be more palatable to @brian?

Re: SPAM attack targeted to contact component

Posted: Sun May 20, 2018 6:07 am
by Brother Bob
Hello

I have had the same problem as the op and initially went down a similar route:

First I disabled the "send copy to sender" option which didn't work
Then I also unpublished the com_contact linked menu item, again — didn't work

Like the op, a default contact form with "send copy to sender" was still accessible via '/component/contact/contact/1*' (where * can be practically any combination of letters)

For anyone else unfortunate enough to be experiencing a similar attack, "send copy to sender" needs to be disabled in the global settings (I had, at first, only disabled this in the actual contact) and (if still required) the component disabled, not simply unpublished. I agree that blocking, by IP or even ASN, is not an ideal solution, but I noticed all my requests came with a single referrer and it is easy enough to block by this in .htaccess to save on server resources.

OK, perhaps this is not a full-on vulnerability, but it is less than intuitive for a novice that unpublishing the contact linked menu item(s) still leaves a side-door open to the contact form...

Re: SPAM attack targeted to contact component

Posted: Wed Jul 04, 2018 9:13 am
by dROb
Hello guys!

I am also experiencing the continuous flood of spam messages through "Send a copy to myself" on my website. I tried to disable this option, but it does not work; it just hides the corresponding tick box, but the function still works for spam bots.
I still seriously need com_contact for my users, so I cannot just disable it.
I thought this would be fixed in the Joomla updates, but it did not happen.

Any advice? I am thinking of digging inside the code, finding this functionality, and killing it manually. But this is not easy for me, and it would break updating.

Re: SPAM attack targeted to contact component

Posted: Wed Jul 04, 2018 9:19 am
by brian
I can not confirm that disabling the send a copy functionality simply hides the tick

Re: SPAM attack targeted to contact component

Posted: Wed Jul 04, 2018 10:29 am
by dROb
brian wrote:I can not confirm that disabling the send a copy functionality simply hides the tick
I think you're right now. I checked the code, and it will send Copy of message only if "$params [show_email_copy] " is true.

So, looks like half of my problem is solved. Spam is not going to another recipients, just to me, as the site admin.

But I still receive the spam messages. Best recommendations? Captcha?

Re: SPAM attack targeted to contact component

Posted: Wed Jul 04, 2018 11:16 am
by brian
Yes of course you should use the recaptcha that joomla ships with

Re: SPAM attack targeted to contact component

Posted: Sat Sep 15, 2018 1:44 pm
by RonaldTux
Well, Joomla 3.8.11 website.
No contact form.
One contact created (maybe by an admin)
Apache log: 196.19.11.6 - - [15/Sep/2018:15:38:28 +0200] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 404 1748 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"

And mail is sent.
A clean site. Fresh install. (To addresses of their choice and with content of their choice, according to the mail queue.)

The problem with this, regardless of how com_contact is supposed to be used, is that spam is sent from a fresh default Joomla site when a contact is created.

I have never needed contacts, nor do I know why it is a thing in a CMS... but it bothers me that it can be abused so easily. And a captcha should not be the solution. IMHO: this is a leak/bug.

So I'm not talking about a contact form. Just a plain site where an admin created a contact.

Re: SPAM attack targeted to contact component

Posted: Sun Sep 16, 2018 7:00 am
by PaulGee
@RonaldTux

Spammers have been targeting Joomla websites with the Component "Contacts" enabled.
They are able to send spam without the website having a front-facing contact form (i.e. no contact form on the website).

All that is required to instigate the attack is to have a contact in the "Contacts" component.

The spammers can also send spam mail regardless of whether "Send a copy to myself" is ticked or not ticked in the event of a contact form being present on the website.

Once targeted, unchecking the "Send a copy to myself" (if contact form is present) will not stop the spam.
Once targeted, adding reCaptcha (if contact form is present) will not stop the spam.
Once targeted, unpublishing the contact form (if present) will not stop the spam.
As stated above, the website doesn't need to have a contact form to be targeted!

Unfortunately, once you have been targeted by the spammers, disabling the "Contacts" component is the easiest and quickest way to stop the attacks.

If the attacks are from a single or a handful of IPs, blocking the IPs also works temporarily.
In the cases I have experienced the attacks are instigated from hundreds and sometimes thousands of IPs which makes it cumbersome to block.
Blocking of IPs does not resolve the issue ... rather it stops that attacker from using those IPs to launch their attacks. The same spammer can come back using alternate IPs.

If you don't require a contact form for your website, simply disable the Component "Contacts" via:
Joomla Control Panel >> Extensions >> Manage >> Manage >> "search for Contacts" >> "disable Contacts (type Component)".

If you do require a contact form for your website, I would suggest getting one from one of the "forms" extension providers on the JED and using reCaptcha with that form.


For your information with respect to the spam activity, it doesn't matter whether the site is new or old.
It is the luck of the draw, as the spammers are continuously testing/looking to exploit Joomla sites (and other CMS sites) to send spam.

Looking through the forums, spam email attacks are not isolated issues.
Many Joomla Users think that they have been hacked when faced with spam issues (which may be true in cases).
My view is that in some/possibly many cases they have been exploited rather than hacked.


There are many Joomla Users that would not be aware that their websites could be spammed simply by having Component "Contacts" enabled (this component is enabled by default) and having a contact in the "Contacts" component (without a contact form being present on the website).

I have previously suggested that an alert/message be sent to Joomla users advising of the same.
Possibly another way of dealing with the issue would be to have the "Contacts" component disabled by default (additionally appropriate warning/alert messages could be made to pop up advising of the issues mentioned when a User tries to enable the Contacts component).

Re: SPAM attack targeted to contact component

Posted: Sun Sep 16, 2018 7:55 am
by effrit
Disabling the contacts component by default looks reasonable. This component is not needed on most sites.

Re: SPAM attack targeted to contact component

Posted: Mon Sep 17, 2018 8:12 pm
by Tiabo
The issue is that disabling a component should be done by an administrator, and the login is also disabled at the backend.

Re: SPAM attack targeted to contact component

Posted: Mon Apr 01, 2019 1:54 pm
by PhilippB
Thank you very much for all your information!

I had a lot of spam replies since mid-February but could not figure out where it came from. Last weekend IONOS (1und1) locked my Joomla website. Edit: The subject always started with "Kopie von:" (German version of Joomla).

I never used the contacts and use another contact form. After deactivating all "Kontakt" things under Plugins (German version) and clearing the cache, it stopped the same minute! I noticed 2 standard contacts "Jane Q. Public" with email address email@0.0.0.0 and made them invisible.

I vote for leaving contact components deactivated by default, or maybe building in some blockage (1. Are there contacts? 2. Is the email of the contact valid? 3. Is this a default contact?)

Re: SPAM attack targeted to contact component

Posted: Fri Jun 07, 2019 4:14 pm
by GregoryOConnor
I see what the spammers are attempting here. If you have 'send message to sender' enabled on any contact component, the spammer enters someone else's email in the field where a sender is requested to 'enter your email'. The result is: some innocent recipient (whoever the spammer entered as sender) gets an email delivered from your web site with the contents the spammer wishes to promote. A captcha here will not protect against a human spammer or spam team.

Re: SPAM attack targeted to contact component

Posted: Sat Jul 06, 2019 2:05 am
by bugstomper
If the spambots are searching for sites that respond to an index.php/component/contact/contact/1 URL with a form, it seems that a simple workaround is to make the first contact (showing ID 1 on the contact list page) unpublished, and only actually use the other contact entries. I verified that if the contact with ID=1 is unpublished, the URL index.php/component/contact/contact/1 results in a 404 instead of a form. If you are really paranoid about spambots trying out numbers 2, 3, ... before giving up, add more contacts to your list and make more than just the first a fake that you don't publish. Realistically, spambots are probably searching the web for responses to specific known vulnerable URLs and have no reason to be written to check for more than that one common one. And remember to disable "send message to sender", as that is just an invitation for spammers to cause your web server to send their spam to arbitrary addresses.

Suggestion for SPAM attack targeted to contact component

Posted: Sun Jul 07, 2019 1:52 am
by bugstomper
After reading the thread 958667 in this forum, "SPAM attack targeted to contact component", it occurs to me that there could be a simple fix for this attack. The attack is based on the fact that the link index.php/component/contact/contact/1 can be used to find any Joomla site that has at least one contact in the contact list with the first contact in the list published, and use the form on the returned page to cause the server to send spam. A partial workaround for a site that requires contacts is to make the first contact in the list a dummy one and not publish it. But that would still be open to a more sophisticated attack that checks URLs using higher numbers than 1.

Since the form page is only supposed to be accessed via a Contact type menu link, wouldn't it be possible to make the contact component require that it be accessed from the menu link? I suppose that using referer would be a simple but easily hacked way to do it. My question for someone more knowledgeable of the internals of Joomla is:

Is there already a standard way to make use of something like a session key or other token to secure the contact component so that it can only work when referenced by clicking on the menu item for it?

If there is, I would like to suggest that as an easy security enhancement for an increasing problem. There seem to be increasing numbers of bots that search for the proper response to index.php/component/contact/contact/1 URL and automate the sending of spam through the servers they find.

Re: Suggestion for SPAM attack targeted to contact component

Posted: Sun Jul 07, 2019 9:20 am
by Per Yngve Berg
Have you enabled Captcha? The new Invisible Captcha plugin is great.

You can deny /components/contact in the .htaccess file.

Re: Suggestion for SPAM attack targeted to contact component

Posted: Sun Jul 07, 2019 8:45 pm
by bugstomper
Per Yngve Berg wrote:
Sun Jul 07, 2019 9:20 am
You can deny /components/contact in the .htaccess file.
Does the link in the menu item accomplish its task without having to go through the /components/contact/contact/1 URL? If that is the case then blocking in the .htaccess would be an easy workaround, but if that is so then why should index.php/components/contact/contact/1 work at all when all it can be used for is attacks by spammers?

Re: SPAM attack targeted to contact component

Posted: Sun Jul 07, 2019 9:32 pm
by Per Yngve Berg
A Menu Item will have its alias as the SEF URL. It will be translated to a non-SEF URL (index.php?option=com_contact&id=1&Itemid=6).

index.php/components/contact/contact/1 is the SEF URL without rewrite.

Re: Suggestion for SPAM attack targeted to contact component

Posted: Wed Jun 24, 2020 6:06 pm
by FastPat27
Per Yngve Berg wrote:
Sun Jul 07, 2019 9:20 am
Have you enabled Captcha? The new Invisible Captcha plugin is great.
Hi Per

Big Spam issues recently and just came across this post, amazed that it could have been this component all along. My coding skills are minimal and usually stick to defaults so I wouldn't have known to disable anything. As they attacked several sites I have created, I also thought it was maybe a server hack so had the server guys scanning for scripts etc. I deleted the one contact listed so far today and it seems to have fixed the issue on one of my sites but maybe only a temporary fix if the spammers can still abuse it even without contacts listed; I'll disable the contacts component now to be a bit more secure going forward.

Anyway, the Invisible Captcha plugin, is it still a great part of a joomla website? Is this the built in one or do you refer to the google one? Perhaps one is as good as the other? I will research the built in one next but if you or anyone has any advice or links on this it would be good to learn from.

Thanks
FP

Re: SPAM attack targeted to contact component

Posted: Wed Jun 24, 2020 6:19 pm
by Per Yngve Berg
I use this now. It does not need any keys from Google and is not visible on the site.

https://extensions.joomla.org/extension/hashcash/

You should also disable the "Send Copy to Me" option.