SPAM attack targeted to contact component

Discussion regarding Joomla! 3.x security issues.

wnedoe
Joomla! Apprentice
Posts: 5
Joined: Mon Dec 11, 2006 9:14 am

SPAM attack targeted to contact component

Post by wnedoe » Sat Jan 27, 2018 5:16 am

Joomla 3.8.3 new setup latest all components current version.
#################################################


Since yesterday I have seen massive attacks on the contact component.

Chinese servers are trying to post spam (without success), but I get hundreds of mail delivery errors.

I have unpublished/deleted the contacts. No improvement.

I disabled the "send copy to sender" option. No improvement.

The Apache log still showed successful posts with status 303.

Now I have unpublished the complete contact component. Now I only see 404s.

Can it be that the contact component has some kind of vulnerability?

One of hundreds of similar messages:

###########################
Dieses ist eine Kopie der folgenden Nachricht, die an Contact Name Here via ************* gesendet wurde:

Dies ist eine Mailanfrage via https://www.************.info/ von:
左隗熊 <1325756028@qq.com>

太阳城今日注册领取28元现金: hxxp://www.xxxxxxxx.com/?
捕鱼达人竞技榜,周周有奖励,月月有回馈,最高获得88888元,1元起即享最高2.0%返水无上限。
------------------------------------------
你好!由于近期出现“非法假冒网站”劫持我司网址,请您认准【太阳城集团】官方域名,给您带来不便,敬请见谅!如您还打算了解其他劲爆活动,请您添加太阳城集团彩金专员QQ:414996884咨询申请开户彩金。



#####################

Apache logs (thousands from different IP addresses)

Before unpublishing the contact component:

2018-01-27 04:32:35 Error 59.34.201.204 404 GET /component/contact/contact/1 HTTP/1.0 https://www.++++++++++.info/component/contact/contact/1 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2) 3.49 K Apache SSL/TLS access
2018-01-27 04:32:35 Access 59.34.201.204 303 POST /component/contact/contact/1 HTTP/1.0 https://www.+++++++++++++++++.info/component/contact/contact/1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) 665 Apache SSL/TLS access

After unpublishing the contact component:

2018-01-27 04:47:54 Error 113.86.222.7 404 GET /component/contact/contact/1 HTTP/1.0 https://www.+++++++++++.info/component/contact/contact/1 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2) 3.49 K Apache SSL/TLS access
2018-01-27 04:47:54 Error 59.53.227.161 404 POST /component/contact/contact/1 HTTP/1.0 https://www.++++++++++.info/component/contact/contact/1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) 3.40 K Apache SSL/TLS access
2018-01-27 04:47:55 Error 113.86.222.7 404 POST /component/contact/contact/1 HTTP/1.0
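An added example, not code from this thread: a small Python script that parses the control-panel style access-log lines shown above (and the standard Apache combined-log form quoted later in the thread), counts POSTs to the core contact component per IP, and separates accepted POSTs (a non-404 status such as the 303 redirect) from those rejected with 404 once the component is unpublished. The log lines, IPs and hostname embedded in it are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the two formats quoted in this thread:
# control-panel style "date time Access|Error IP status METHOD path ..." lines
# and one standard Apache combined-log line. IPs and hostname are placeholders.
SAMPLE_LOG = """\
2018-01-27 04:32:35 Error 203.0.113.10 404 GET /component/contact/contact/1 HTTP/1.0 https://www.example.info/component/contact/contact/1 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2) 3.49 K Apache SSL/TLS access
2018-01-27 04:32:35 Access 203.0.113.10 303 POST /component/contact/contact/1 HTTP/1.0 https://www.example.info/component/contact/contact/1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) 665 Apache SSL/TLS access
2018-01-27 04:47:54 Error 198.51.100.7 404 POST /component/contact/contact/1 HTTP/1.0 https://www.example.info/component/contact/contact/1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) 3.40 K Apache SSL/TLS access
198.51.100.7 - - [15/Sep/2018:15:38:28 +0200] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 1748 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
203.0.113.10 - - [15/Sep/2018:15:38:29 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Control-panel style line: date time Access|Error ip status method path ...
PANEL_RE = re.compile(
    r"^\S+ \S+ (?:Access|Error) (?P<ip>\S+) (?P<status>\d{3}) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) "
)
# Apache combined-log line: ip - - [timestamp] "METHOD path proto" status ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) "
)
# Both URL forms of the core contact component seen in the thread:
# the SEF route and the non-SEF option=com_contact query string.
CONTACT_RE = re.compile(r"^/component/contact/|[?&]option=com_contact(?:&|$)")


def parse_line(line):
    """Return (ip, method, path, status), or None if the line fits neither format."""
    for rx in (PANEL_RE, COMBINED_RE):
        m = rx.match(line)
        if m:
            return m["ip"], m["method"], m["path"], int(m["status"])
    return None


def contact_form_posts(log_text):
    """Summarise POSTs to com_contact per source IP.

    'posts' counts every POST to the contact component; 'accepted' counts only
    those answered with a non-404 status (e.g. the 303 redirect after the mail
    was sent). A 404 means the component was unpublished or disabled.
    """
    posts = Counter()
    accepted = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec
        if method != "POST" or not CONTACT_RE.search(path):
            continue
        posts[ip] += 1
        if status != 404:
            accepted[ip] += 1
    return {"posts": dict(posts), "accepted": dict(accepted)}


if __name__ == "__main__":
    summary = contact_form_posts(SAMPLE_LOG)
    for ip, n in sorted(summary["posts"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} POST(s), {summary['accepted'].get(ip, 0)} accepted")
```

Feed a real access log to contact_form_posts() to see which sources still get non-404 answers; a large 'accepted' count means the route is still reachable despite unpublished contacts.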

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: SPAM attack targeted to contact component

Post by fcoulter » Sat Jan 27, 2018 10:29 am

It is not a vulnerability, just spam; unfortunately it is something that every site has to deal with at some point.

Try enabling reCAPTCHA: you will need to get a key from Google, put it in the Joomla reCAPTCHA plugin, and enable it. Then select reCAPTCHA as the default for your site in the Global Configuration.

If you don't need the contact form, then disabling it as you have done is a good idea.

If you want to block them, then you can use an extension such as Admin Tools Pro, which allows for geographical blocking.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

wnedoe
Joomla! Apprentice
Posts: 5
Joined: Mon Dec 11, 2006 9:14 am

Re: SPAM attack targeted to contact component

Post by wnedoe » Sat Jan 27, 2018 12:33 pm

Hi fcoulter

I have (now) enabled reCAPTCHA with the site and secret keys; it is the default method. I had first unpublished and then deleted the contacts, and even before that there were no links to the orphan contacts.

The spambot just posted to .../contact/contact/1 and, even though there were no existing contacts (!!) anymore, Joomla accepted the post.

Now it seems that after half a day of only 404 responses the bot gave up.
I still get old mail delivery errors.

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: SPAM attack targeted to contact component

Post by fcoulter » Sat Jan 27, 2018 12:52 pm

To clarify, are you discussing the Joomla core contact component? And do you mean that the spammers were able to submit contact records to your site?

If that is the case, then it sounds like an issue with your site permissions. By default, guest and registered users should not be able to submit contacts. You need to check the permissions for the contact component: go to Components -> Contacts, click the Options button, then the Permissions tab. The permissions for the Guest and Registered groups should be set to 'Not Allowed'.

wnedoe
Joomla! Apprentice
Posts: 5
Joined: Mon Dec 11, 2006 9:14 am

Re: SPAM attack targeted to contact component

Post by wnedoe » Sat Jan 27, 2018 2:14 pm

1.) Yes, I speak about the core component.
2.) No. They just post spam to the component (in order to get the "copy to myself" delivered to their recipient), which bounces back to me as admin. 2,500 mails so far.

It continued even after I deleted all (old existing) contacts that were on the system. They continued to POST.

Only unpublishing the component did help.

In my understanding it should not be possible to POST to contacts when there are ZERO contacts on the system.

regards
alex

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: SPAM attack targeted to contact component

Post by fcoulter » Sat Jan 27, 2018 2:30 pm

If there are no contacts on the system the component just uses the default email address for the site, as you have discovered. I think that if that was changed it would break the contact form for sites where they didn't create a contact but want to have the form, there would suddenly be a lot of complaints along the lines of 'contact form not working', so it is unlikely to change.

So yes either disable the component or use recaptcha. I think that the undelivered mail messages are likely to continue for a few days, until they fail with a permanent error.

I understand your annoyance, it is a nuisance when it happens.

ozfiddler
Joomla! Apprentice
Posts: 7
Joined: Sun Feb 15, 2015 8:41 pm

Re: SPAM attack targeted to contact component

Post by ozfiddler » Sat Feb 03, 2018 5:20 am

I've just had a similar issue recently. I used the team at MyJoomla.com to help me sort it out as I really had no idea what was going on. I had a single contact on the site, but no contact form showing. Enabling RECAPTCHA has now stopped the emails.

I was told they'd already had five similar jobs that night, so it was obviously an attack targeting that component.

wnedoe
Joomla! Apprentice
Posts: 5
Joined: Mon Dec 11, 2006 9:14 am

Re: SPAM attack targeted to contact component

Post by wnedoe » Sat Feb 03, 2018 8:04 am

It is now fixed since I deactivated the contact component, but I had 15,700 (!) emails in the mail queue.
So my tip: don't wait until the mails stop coming; just delete the mail queue.

PaulGee
Joomla! Fledgling
Posts: 4
Joined: Mon Mar 21, 2011 3:46 am
Location: Australia

Re: SPAM attack targeted to contact component

Post by PaulGee » Thu Apr 26, 2018 6:59 am

Joomla 3.8.6 with latest up-to-date extensions
----------------------------------------------------------

For general information, I had a similar issue to wnedoe occur a few days ago over the weekend.
The mass spam attack was from Chinese servers abusing the Joomla core component com_contact.
In my instance there was NO FORM on the website. There was, however, a contact in the contacts.

I stopped the attack by disabling the com_contact component.

** Please note that my Joomla installation is intact and has not been compromised.

I was surprised by this attack as I thought at the time (I know better now) that a front facing form was required to instigate this form of attack.

I will now have to go through all my Joomla installations to disable com_contact to ensure that the other installations are not attacked in a similar manner.

As a side note, blocking IPs is not a proper solution to the issue ... it is only good for initially stopping the current attack vector.
Similarly geo-blocking is not that effective either as these spammers use geo-locations all over the world including USA, UK and Australia to instigate attacks.


It would be worthwhile for the Joomla development team to look at this issue of how these spam attacks are generated via the com_contact component without having a form present on a website to see whether anything could be done about this (as com_contact is enabled by default in Joomla installations).


What this type of attack means is that many high profile Joomla installations are unknowingly susceptible to this form of attack.
Maybe a warning to all regarding the potential issue would be a good idea, so that individual developers can make a proper decision as to whether they should leave the com_contact component enabled or not.

sozzled
Joomla! Champion
Posts: 5824
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: SPAM attack targeted to contact component

Post by sozzled » Thu Apr 26, 2018 7:39 am

@PaulGee: Many thanks for your story. I hope that novice readers using this forum appreciate some of the lessons of operating websites with unfettered access to any contact extension (whether it's the Joomla com_contact component or a third-party one).
PaulGee wrote:It would be worthwhile for the Joomla development team to look at this issue of how these spam attacks are generated via the com_contact component without having a form present on a website to see whether anything could be done about this (as com_contact is enabled by default in Joomla installations).
In one sense, it's true that the com_contact component is enabled by default on new Joomla installations but enablement of the component (of and by itself) is not the issue. Issues of misuse of the feature may arise when people add contacts; there's definitely more potential for misuse if the form is accessible by anyone.
PaulGee wrote:What this type of attack means, is that many high profile Joomla installations are unknowingly susceptible to this form of attack.
Hmmm ... I think that the more experienced among us are aware of the risks in running a website with a contact form that is publicly accessible. While I'm not going to debate the usefulness of contact forms—they can be useful in the right circumstances—there is a caveat: it's up to the site owner to determine if people—including 'bots—need to be properly credentialled before using (or abusing) the feature.

These unauthorised abuses of contacts are not limited to com_contact; foreign-based hackers also probe Joomla websites for the presence of com_b2jcontact and com_foxcontact (among others) for ways to exploit spam.

Where it is absolutely essential to use a contact form, I restrict access to the contact form and contact information to registered users; this approach mitigates the level of spam mail significantly. Most of the time the contact feature is a waste of time, but that's just my personal opinion.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

brian
Joomla! Master
Posts: 11724
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: SPAM attack targeted to contact component

Post by brian » Thu Apr 26, 2018 10:13 am

(Can you please stop referring to foreign-based hackers; it's discriminatory and offensive.)
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

sozzled
Joomla! Champion
Posts: 5824
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: SPAM attack targeted to contact component

Post by sozzled » Thu Apr 26, 2018 11:04 am

brian wrote:(can you please stop referring to foreign-based hackers - its discriminatory and offensive)
The OP identified the source of the spam attacks as foreign-based; @PaulGee also experienced the source of spam email originating from foreign-based sources. I don't understand your outrage—real or confected—over "foreign-based hackers" as discriminatory or offensive terminology. If it's offensive to you, Brian, then take a passage from your own script (when you recently criticised my comments about J! 1.5): you can also ignore posts involving content that you find too disagreeable. OK?

From my own experience, less than 1% of all spam mail that I've received from the use of the contact form has originated within coo-ee of the Australian continent. If that's not "foreign-based" then I don't know how better one could describe it.

Perhaps "offshore hacking" would be more palatable to @brian?

Brother Bob
Joomla! Fledgling
Posts: 1
Joined: Sun May 20, 2018 6:02 am

Re: SPAM attack targeted to contact component

Post by Brother Bob » Sun May 20, 2018 6:07 am

Hello

I have had the same problem as the OP and initially went down a similar route:

First I disabled the "send copy to sender" option which didn't work
Then I also unpublished the com_contact linked menu item, again — didn't work

Like the OP, a default contact form with "send copy to sender" was still accessible via '/component/contact/contact/1*' (where * can be practically any combination of letters).

For anyone else unfortunate enough to be experiencing a similar attack, "send copy to sender" needs to be disabled in the global settings (I had, at first only disabled this in the actual contact) and (if still required) the component disabled, not simply unpublished. I agree that blocking, by IP or even ASN, is not an ideal solution but I noticed all my requests came with a single referrer and it is easy enough to block by this in htaccess to save on server resources.

OK, perhaps this is not a full-on vulnerability, but it is less than intuitive for a novice that unpublishing the contact linked menu item(s) still leaves a side-door open to the contact form...

dROb
Joomla! Fledgling
Posts: 2
Joined: Wed Jul 04, 2018 9:03 am

Re: SPAM attack targeted to contact component

Post by dROb » Wed Jul 04, 2018 9:13 am

Hello guys!

I am also experiencing the continuous flood of spam messages through "Send a copy to myself" on my website. I tried to disable this possibility, but it does not work: it just hides the corresponding tick box, but the function still works for spam bots.
I still seriously need com_contact for my users, so I cannot just disable it.
I thought this would be fixed in the Joomla updates, but it did not happen.

Any advice? I am thinking of digging inside the code, finding this functionality, and killing it manually. But this is not easy for me, and it disables the update functionality..

brian
Joomla! Master
Posts: 11724
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: SPAM attack targeted to contact component

Post by brian » Wed Jul 04, 2018 9:19 am

I can not confirm that disabling the send a copy functionality simply hides the tick

dROb
Joomla! Fledgling
Posts: 2
Joined: Wed Jul 04, 2018 9:03 am

Re: SPAM attack targeted to contact component

Post by dROb » Wed Jul 04, 2018 10:29 am

brian wrote:I can not confirm that disabling the send a copy functionality simply hides the tick
I think you're right now. I checked the code, and it will send Copy of message only if "$params [show_email_copy] " is true.

So, looks like half of my problem is solved. Spam is not going to another recipients, just to me, as the site admin.

But I still receive the spam messages. Best recommendations? Captcha?

brian
Joomla! Master
Posts: 11724
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: SPAM attack targeted to contact component

Post by brian » Wed Jul 04, 2018 11:16 am

Yes of course you should use the recaptcha that joomla ships with

RonaldTux
Joomla! Fledgling
Posts: 1
Joined: Sat Sep 15, 2018 1:35 pm

Re: SPAM attack targeted to contact component

Post by RonaldTux » Sat Sep 15, 2018 1:44 pm

Well, Joomla 3.8.11 website.
No contact form.
One contact created (maybe by an admin)
Apache log: 196.19.11.6 - - [15/Sep/2018:15:38:28 +0200] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 404 1748 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"

And mail is sent.
A clean site. Fresh install. (To addresses by choice and content by choice, according to the mail queue.)

The problem with this is, regardless how the com_contact has to be used, is that spam is sent on a fresh default joomla site when a contact is created.

I have never needed contact, nor do I know why it is a thing in a CMS... but it bothers me that it can be abused so easily. And Captcha should not be the solution. IMHO: this is a leak/bug.

So i'm not talking about a contact form. Just a plain site where an admin created a contact.

PaulGee
Joomla! Fledgling
Posts: 4
Joined: Mon Mar 21, 2011 3:46 am
Location: Australia

Re: SPAM attack targeted to contact component

Post by PaulGee » Sun Sep 16, 2018 7:00 am

@RonaldTux

Spammers have been targeting Joomla websites with the Component "Contacts" enabled.
They are able to send spam without the website having a front facing contact form (viz. no contact form on the website).

All that is required to instigate the attack is to have a contact in the "Contacts" component.

The spammers can also send spam mail regardless of whether "Send a copy to myself" is ticked or not ticked in the event of a contact form being present on the website.

Once targeted, unchecking the "Send a copy to myself" (if contact form is present) will not stop the spam.
Once targeted, adding reCaptcha (if contact form is present) will not stop the spam.
Once targeted, unpublishing the contact form (if present) will not stop the spam.
As stated above, the website doesn't need to have a contact form to be targeted!

Unfortunately, once you have been targeted by the spammers, disabling the "Contacts" component is the easiest and quickest way to stop the attacks.

If the attacks are from a single or a handful of IPs, blocking the IPs also works temporarily.
In the cases I have experienced the attacks are instigated from hundreds and sometimes thousands of IPs which makes it cumbersome to block.
Blocking of IPs does not resolve the issue ... rather it stops that attacker from using those IPs to launch their attacks. The same spammer can come back using alternate IPs.

If you don't require a contact form for your website, simply disable the Component "Contacts" via:
Joomla Control Panel >> Extensions >> Manage >> Manage >> "search for Contacts" >> "disable Contacts (type Component).

If you do require a contact form for your website, I would suggest getting one from one of the "forms" extension providers on the JED and using reCaptcha with that form.


For your information with respect to the spam activity, it doesn't matter whether the site is new or old.
It is the luck of the draw, as the spammers are continuously testing/looking to exploit Joomla sites (and other CMS sites) to send spam.

Looking through the forums spam email attacks are not isolated issues.
Many Joomla Users think that they have been hacked when faced with spam issues (which may be true in cases).
My view is that in some/possibly many cases they have been exploited rather than hacked.


There are many Joomla Users that would not be aware that their websites could be spammed simply by having Component "Contacts" enabled (this component is enabled by default) and having a contact in the "Contacts" component (without a contact form being present on the website).

I have previously suggested that an alert/message be sent to Joomla users advising of the same.
Possibly another way of dealing with the issue would be to have the "Contacts" component disabled by default (additionally appropriate warning/alert messages could be made to pop up advising of the issues mentioned when a User tries to enable the Contacts component).

effrit
Joomla! Guru
Posts: 846
Joined: Sun Nov 12, 2017 2:21 pm
Location: middle of Russia

Re: SPAM attack targeted to contact component

Post by effrit » Sun Sep 16, 2018 7:55 am

Disabling the contacts component by default looks reasonable. This component is not needed on most sites.

Tiabo
Joomla! Apprentice
Posts: 5
Joined: Fri Jul 20, 2012 9:47 pm

Re: SPAM attack targeted to contact component

Post by Tiabo » Mon Sep 17, 2018 8:12 pm

The issue is that disabling a component should be done by an administrator, and the login is also disabled at the backend.

