Little spam using class.phpmailer.php (Topic is solved)

Discussion regarding Joomla! 3.x security issues.

danjde
Joomla! Enthusiast

Little spam using class.phpmailer.php

Post by danjde » Tue Aug 07, 2018 3:15 pm

Hi Friends,
my site, Joomla 3.8.10, sends about two emails every week from the yandex.ru domain or from Russia.
The emails originate from "/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php".

Code:

[05-Aug-2018 14:16:03 Europe/Berlin] mail() on [/var/www/mysite.net/public_html/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php:702]: To: [email protected] -- Headers: Date: Sun, 5 Aug 2018 14:16:03 +0200 From: HORSE <[email protected]> Reply-To: sommemires <[email protected]> Message-ID: <[email protected]> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
I've enabled the "PHP mail.log directive", but I can only see that the spam is sent via "class.phpmailer.php".
How could I identify the responsible script?
Or possibly block the sending by domain?


Many many thanks!

Davide
cosmogoniA
n o p r o v a r e n o f a r e o n o n f a r e n o n c e p r o v a r e
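PHP's mail.log records only the file and line that called mail(), and for every Joomla extension that is class.phpmailer.php, so the log on its own can never name the extension. What it does give is the exact second of the call and the message headers, and the web server's access log records which request was being served at that second. The script below is an added example, not code from this thread, from Joomla or from PHPMailer: it parses mail.log lines in the format quoted above, flags calls that relay mail to a third party (a contact form delivers to the site's own mailbox; a mail-to-friend style feature delivers to whatever address the visitor typed) or that involve a watched domain, and lists the access-log requests logged in the seconds before each flagged call. MAIL_LOG and ACCESS_LOG are constructed samples in the same shape as the thread's lines; the addresses, IPs, request paths and the site.example domain are invented, and the script assumes both logs are written in the server's local wall-clock time.

```python
"""Triage PHP mail.log entries and tie each one back to the HTTP request
that was being served when mail() ran.

Added example; not code from the thread, Joomla or PHPMailer. MAIL_LOG and
ACCESS_LOG are constructed samples (invented addresses, IPs and paths).
Assumption: both logs use the server's local wall-clock time, so the zone
suffix can be dropped before comparing timestamps.
"""
import re
from datetime import datetime

SITE_DOMAINS = ("site.example",)          # mailboxes that belong to the site itself (assumed)
WATCH_DOMAINS = ("yandex.ru", "mail.ru")  # domains the thread reports as spam targets

# Constructed sample of PHP's mail.log, same shape as the lines quoted in the thread.
MAIL_LOG = """\
[11-Aug-2018 07:44:37 Europe/Berlin] mail() on [/var/www/site/public_html/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php:702]: To: recipient@yandex.ru -- Headers: Date: Sat, 11 Aug 2018 07:44:37 +0200 From: "Redazione site.example" <noreply@site.example> Reply-To: JalonHoM <jalon@mail.ru> Message-ID: <abc123@site.example> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
[11-Aug-2018 09:02:10 Europe/Berlin] mail() on [/var/www/site/public_html/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php:702]: To: editor@site.example -- Headers: Date: Sat, 11 Aug 2018 09:02:10 +0200 From: "Redazione site.example" <noreply@site.example> Reply-To: Mario <mario@example.org> Message-ID: <def456@site.example> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
"""

# Constructed sample of the Apache combined access log for the same morning.
ACCESS_LOG = """\
203.0.113.7 - - [11/Aug/2018:07:44:36 +0200] "POST /index.php?option=com_mailto&task=send&tmpl=component HTTP/1.1" 303 312 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Aug/2018:07:44:37 +0200] "GET /index.php?option=com_mailto&view=sent&tmpl=component HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Aug/2018:07:51:02 +0200] "GET /index.php HTTP/1.1" 200 22310 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Aug/2018:09:02:09 +0200] "POST /index.php/contatti HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

MAIL_RE = re.compile(
    r"^\[(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})[^\]]*\] mail\(\) on "
    r"\[(?P<site>[^\]]+)\]: To: (?P<to>.*?) -- Headers: (?P<headers>.*)$"
)
# PHP joins the headers with spaces: a field starts with "Name: " and runs
# until the next "Name: " or the end of the line.
HDR_RE = re.compile(r"([A-Za-z][A-Za-z0-9-]*): (.*?)(?=\s[A-Za-z][A-Za-z0-9-]*: |$)")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_mail_log(text):
    """One dict per mail() call: timestamp, call site, To address, header map."""
    entries = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        headers = {k.lower(): v for k, v in HDR_RE.findall(m.group("headers"))}
        entries.append({
            "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
            "site": m.group("site"),
            "to": m.group("to"),
            "headers": headers,
        })
    return entries


def parse_access_log(text):
    """One dict per request line; the +0200 suffix is dropped (see assumption above)."""
    requests = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            requests.append({"ts": ts, "ip": m.group("ip"), "method": m.group("method"),
                             "path": m.group("path"), "status": m.group("status")})
    return requests


def address_domain(field):
    """Lower-cased domain of the first e-mail address in a header field, or ''."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", field)
    return m.group(1).lower() if m else ""


def in_domains(domain, domains):
    return any(domain == d or domain.endswith("." + d) for d in domains)


def spam_indicators(entry):
    """Reasons this mail() call looks like relayed spam rather than a contact-form delivery."""
    reasons = []
    to_dom = address_domain(entry["to"])
    reply_dom = address_domain(entry["headers"].get("reply-to", ""))
    if to_dom and not in_domains(to_dom, SITE_DOMAINS):
        reasons.append("delivered to third party at %s" % to_dom)
    for label, dom in (("To", to_dom), ("Reply-To", reply_dom)):
        if dom and in_domains(dom, WATCH_DOMAINS):
            reasons.append("%s address at watched domain %s" % (label, dom))
    return reasons


def candidate_requests(entry, requests, window=5):
    """Requests logged within `window` seconds before the mail() call, POSTs first."""
    hits = [r for r in requests if 0 <= (entry["ts"] - r["ts"]).total_seconds() <= window]
    return sorted(hits, key=lambda r: (r["method"] != "POST", r["ts"]))


def triage(mail_log=MAIL_LOG, access_log=ACCESS_LOG):
    """Flagged mail() calls, each with its reasons and the requests that could have caused it."""
    requests = parse_access_log(access_log)
    findings = []
    for entry in parse_mail_log(mail_log):
        reasons = spam_indicators(entry)
        if reasons:
            findings.append({"entry": entry, "reasons": reasons,
                             "requests": candidate_requests(entry, requests)})
    return findings


if __name__ == "__main__":
    for finding in triage():
        e = finding["entry"]
        print("%s  To: %s" % (e["ts"], e["to"]))
        for reason in finding["reasons"]:
            print("   -", reason)
        for r in finding["requests"]:
            print("   %s %s %s -> %s" % (r["ip"], r["method"], r["path"], r["status"]))
```

On the constructed data the 07:44:37 call is flagged on all three counts and the POST to option=com_mailto one second earlier is listed first; the 09:02:10 call, delivered to the site's own editor with a visitor's Reply-To, is the normal contact-form pattern and is left alone. On a real server, point the script at the actual mail.log and access log and widen the window if PHP's max_execution_time lets requests run long.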

toivo
Joomla! Master

Re: Little spam using class.phpmailer.php

Post by toivo » Tue Aug 07, 2018 3:23 pm

Please post the output from the Forum Post Assistant (FPA), run at your Joomla site, by following the instructions at viewtopic.php?f=714&t=793531
Toivo Talikka, Global Moderator

danjde
Joomla! Enthusiast

Re: Little spam using class.phpmailer.php

Post by danjde » Tue Aug 07, 2018 3:51 pm

Thanks @toivo, here is the output:
Forum Post Assistant (v1.4.3 (Frosty)) : 7th August 2018
Problem Description :: Little spam using class.phpmailer.php

Basic Environment ::
Joomla! Instance :: Joomla! 3.8.10-Stable (Amani) 26-June-2018
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 1 | CacheTime: 30 | CacheHandler: memcache | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 60 | Session handler: database | Shared sessions: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 1 | dbConnection Type: mysql | PHP Supports J! 3.8.10: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.16.0-4-amd64 | Technology: x86_64 | Web Server: Apache/2.4.10 (Debian) | Encoding: gzip, deflate, br | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 234.40 GiB |

PHP Configuration :: Version: 5.6.33-0+deb8u1 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 10M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 300 | Memory Limit: 128M

Database Configuration :: Version: 5.5.59-0+deb8u1-log (Client:5.5.59) | Host: --protected-- (--protected--) | Localhost: Yes | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 15.25 MiB | #of Tables: 143
Detailed Environment ::
PHP Extensions :: Core (5.6.33-0+deb8u1) | date (5.6.33-0+deb8u1) | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gettext () | SPL (0.2) | iconv () | mbstring () | session () | posix () | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | standard (5.6.33-0+deb8u1) | shmop () | SimpleXML (0.1) | soap () | sockets () | Phar (2.0.2) | exif (1.4 $Id: 1c8772f76be691b7b3f77ca31eb788a2abbcefe5 $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.12.5) | apache2handler () | PDO (1.0.4dev) | apcu (4.0.7) | curl () | gd () | intl (1.1.0) | json (1.3.6) | mcrypt () | memcache (3.0.8) | memcached (2.2.0) | mysql (1.0) | mysqli (0.1) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | pspell () | readline (5.6.33-0+deb8u1) | sqlite3 (0.7-dev) | tidy (2.0) | mhash () | apc (4.0.7) | Zend OPcache (7.0.6-devFE) | Zend Engine (2.6.0) |
Potential Missing Extensions ::
Disabled Functions :: pcntl_alarm | pcntl_fork | pcntl_waitpid | pcntl_wait | pcntl_wifexited | pcntl_wifstopped | pcntl_wifsignaled | pcntl_wexitstatus | pcntl_wtermsig | pcntl_wstopsig | pcntl_signal | pcntl_signal_dispatch | pcntl_get_last_error | pcntl_strerror | pcntl_sigprocmask | pcntl_sigwaitinfo | pcntl_sigtimedwait | pcntl_exec | pcntl_getpriority | pcntl_setpriority | |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | mod_so | mod_watchdog | http_core | mod_log_config | mod_logio | mod_version | mod_unixd | mod_access_compat | mod_alias | mod_auth_basic | mod_authn_core | mod_authn_file | mod_authz_core | mod_authz_host | mod_authz_user | mod_autoindex | mod_cache | mod_cache_disk | mod_deflate | mod_dir | mod_env | mod_expires | mod_ext_filter | mod_file_cache | mod_filter | mod_headers | mod_mime | prefork | mod_negotiation | mod_php5 | mod_proxy | mod_reqtimeout | mod_rewrite | mod_security2 | mod_setenvif | mod_socache_shmcb | mod_ssl | mod_status | mod_unique_id | Apache/2.4.10 (Debian) |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (775) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) :: libraries/f0f/ (775) | libraries/f0f/form/ (775) | libraries/f0f/form/field/ (775) | libraries/f0f/form/header/ (775) | libraries/f0f/input/ (775) | libraries/f0f/query/ (775) | libraries/f0f/toolbar/ (775) | libraries/foxcontact/ (775) | libraries/foxcontact/foxhtml/ (775) | libraries/foxcontact/loader/ (775) |
Database Information ::
Database statistics :: Uptime: 2687328 | Threads: 4 | Questions: 37044703 | Slow queries: 61 | Opens: 29795 | Flush tables: 1 | Open tables: 400 | Queries per second avg: 13.784 |

Extensions Discovered ::
Components :: SITE ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party:: WF_LINKS_JOOMLALINKS_TITLE (2.6.31) 1 | WF_LINK_SEARCH_TITLE (2.6.31) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.31) 1 | WF_AGGREGATOR_YOUTUBE_TITLE (2.6.31) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.6.31) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.31) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.31) 1 | WF_POPUPS_WINDOW_TITLE (2.6.31) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.31) 1 | WF_PRINT_TITLE (2.6.31) 1 | WF_VISUALCHARS_TITLE (2.6.31) 1 | WF_FORMATSELECT_TITLE (2.6.31) 1 | WF_LINK_TITLE (2.6.31) 1 | WF_EMOTIONS_TITLE (2.6.31) 1 | WF_MICRODATA_TITLE (1.0.10) 1 | WF_IMGMANAGER_TITLE (2.6.31) 1 | WF_MEDIA_TITLE (2.6.31) 1 | WF_FONTCOLOR_TITLE (2.6.31) 1 | WF_STYLE_TITLE (2.6.31) 1 | WF_PREVIEW_TITLE (2.6.31) 1 | WF_ARTICLE_TITLE (2.6.31) 1 | WF_FILEMANAGER_TITLE (2.1.9) 1 | WF_STYLESELECT_TITLE (2.6.31) 1 | WF_SPELLCHECKER_TITLE (2.6.31) 1 | WF_TABLE_TITLE (2.6.31) 1 | WF_SOURCE_TITLE (2.6.31) 1 | WF_FULLSCREEN_TITLE (2.6.31) 1 | WF_CONTEXTMENU_TITLE (2.6.31) 1 | WF_SEARCHREPLACE_TITLE (2.6.31) 1 | WF_IFRAME_TITLE (2.1.3) 1 | WF_FONTSELECT_TITLE (2.6.31) 1 | WF_CAPTION_TITLE (2.1.13) 1 | WF_NONBREAKING_TITLE (2.6.31) 1 | WF_MEDIAMANAGER_TITLE (2.0.16) 1 | WF_BROWSER_TITLE (2.6.31) 1 | WF_CLIPBOARD_TITLE (2.6.31) 1 | WF_ANCHOR_TITLE (2.6.31) 1 | WF_INLINEPOPUPS_TITLE (2.6.31) 1 | WF_HR_TITLE (2.6.31) 1 | WF_LISTS_TITLE (2.6.31) 1 | WF_CLEANUP_TITLE (2.6.31) 1 | WF_XHTMLXTRAS_TITLE (2.6.31) 1 | WF_CHARMAP_TITLE (2.6.31) 1 | WF_DIRECTIONALITY_TITLE (2.6.31) 1 | WF_VISUALBLOCKS_TITLE (2.6.31) 1 | WF_FONTSIZESELECT_TITLE (2.6.31) 1 | WF_AUTOSAVE_TITLE (2.6.31) 1 | WF_KITCHENSINK_TITLE (2.6.31) 1 | WF_TEXTCASE_TITLE (2.6.31) 1 | WF_IMGMANAGER_EXT_TITLE (2.0.32) 1 | WF_LAYER_TITLE (2.6.31) 1 |

Components :: ADMIN ::
Core :: com_fields (3.7.0) 1 | com_languages (3.0.0) 1 | com_content (3.0.0) 1 | com_redirect (3.0.0) 1 | com_plugins (3.0.0) 1 | com_finder (3.0.0) 1 | com_checkin (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_weblinks (3.6.0) 1 | com_config (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_banners (3.0.0) 1 | com_categories (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_installer (3.0.0) 1 | com_ajax (3.2.0) 1 | com_admin (3.0.0) 1 | com_cache (3.0.0) 1 | com_tags (3.1.0) 1 | com_cpanel (3.0.0) 1 | com_templates (3.0.0) 1 | com_messages (3.0.0) 1 | com_users (3.0.0) 1 | com_search (3.0.0) 1 | com_menus (3.0.0) 1 | com_modules (3.0.0) 1 | com_associations (3.7.0) 1 |
3rd Party:: RokGallery (2.42) 1 | COM_FOXCONTACT (3.4.2) 1 | COM_J4SCHEMA (5.3.0) 1 | J4Schema (2.1.0) 1 | ImageShow (5.0.9) 1 | ImageShow (5.0.9) 1 | RokSprocket (2.1.23) 1 | com_slideshowfx (6.09.00) 0 | COM_JCE (2.6.31) 1 | COM_GANTRY (4.1.35) 1 | COM_OSMAP (4.2.18) 1 | COM_SPAMPROTECT (1.1.0) 1 |

Modules :: SITE ::
Core :: mod_custom (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_search (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_weblinks (3.6.0) 1 | mod_languages (3.5.0) 1 | mod_finder (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_login (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_menu (3.0.0) 1 |
3rd Party:: JSN ImageShow (5.0.9) 1 | Flickrberry (1.0.0) 1 | RokMiniEvents3 (3.0.3) 1 | mod_slideshowfx (6.09.00) 0 | mod_eprivacy (2.14) 0 | mod_jbcookies (3.0.9) 1 | RokAjaxSearch (2.0.4) 1 | RokGallery Module (2.42) 1 | Insert Article (1.8) 1 | RokWeather (2.0.4) 1 | RokNavMenu (2.0.9) 1 | Brilliant Instajoom (1.0.0) 1 | RokFeatureTable (1.7) 1 | RokSprocket Module (2.1.23) 1 | MOD_FOXCONTACT (3.4.2) 1 | mod_viktripadvisorreview (2.0) 1 |

Modules :: ADMIN ::
Core :: mod_custom (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_status (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_login (3.0.0) 1 | mod_title (3.0.0) 1 | mod_version (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_menu (3.0.0) 1 |
3rd Party:: JSN ImageShow Quick Icons (5.0.9) 1 |

Plugins :: SITE ::
Core :: plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_content_emailcloak (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_fields (3.7.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_log (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_redirect (3.0.0) 0 | plg_system_updatenotification (3.5.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_languagecode (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_languagefilter (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_debug (3.0.0) 1 | plg_captcha_recaptcha (3.4.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_search_contacts (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_weblinks (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_webinstaller (1.1.1) 1 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_extension_joomla (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_weblinks (3.6.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_user (3.7.0) 1 | 
plg_fields_textarea (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 |
3rd Party:: Editor - RokPad (2.1.9) 1 | plg_editors_tinymce (4.5.8) 1 | plg_editors_codemirror (5.38.0) 1 | plg_editors_jce (2.6.31) 1 | Button - ImageShow (5.0.9) 1 | Button - RokGallery (2.42) 1 | plg_editors-xtd_sourcerer (7.2.0) 1 | PLG_USER_SPAMPROTECT (1.0.2) 1 | Content - JSN ImageShow (5.0.9) 1 | plg_sfx (6.09.03) 0 | plg_content_foxcontact (3.4.2) 1 | PLG_SIGE (3.2.4) 1 | plg_content_jce (2.6.31) 1 | Content - RokInjectModule (1.7) 1 | System - JSN ImageShow (5.0.9) 1 | System - Gantry 4 (4.1.35) 1 | PLG_SYSTEM_FMALERTCOOKIES (1.3.5) 0 | PLG_SYS_ADMINEXILE (2.3.6) 1 | PLG_SYS_HEADTAG (2.5) 0 | System - RokGallery (2.42) 1 | plg_system_sourcerer (7.2.0) 1 | System - RokNavMenu Export (2.0.1) 1 | PLG_SYS_MOOTABLE (1.1.2) 1 | System - JCE MediaBox (1.2.9) 1 | System - RokExtender (2.0.0) 1 | Abivia.net SuperTable Free Plu (2.0.5) 1 | System - RokSprocket (2.1.23) 1 | plg_system_jsnframework (2.0.2) 1 | plg_system_regularlabs (18.2.10140) 1 | plg_system_jce (2.6.31) 1 | System - RokCommon (3.2.5) 1 | CacheControl (1.1) 0 | plg_system_ossystem (1.3.0) 1 | PLG_RESPONSIVESCROLLINGTABLES (1.2.2) 0 | System - Microdata or RDFa sem (0.1.0) 1 | PLG_SYS_EPRIVACY (2.14) 0 | Theme Flow (1.1.3) 1 | Theme Slider (1.2.8) 1 | Theme Flip (1.0.2) 1 | Theme Masonry (1.0.7) 1 | Theme Grid (1.2.8) 1 | Source Joomgallery (1.0.4) 1 | Theme Pile (1.0.5) 1 | Source Picasa (1.1.8) 1 | Theme Strip (1.1.4) 1 | Theme Carousel (1.1.5) 1 | Theme Classic (1.4.1) 1 | Installer - J4Schema (1.0.0) 1 | plg_installer_jce (2.6.31) 1 | OSMap - Virtuemart Plugin (3.3.0) 0 | OSMap - WebLinks Plugin (3.3.0) 1 | OSMap - SobiPro Plugin (3.3.0) 0 | PLG_OSMAP_JOOMLA (4.2.18) 1 | OSMap - Mosets Tree Plugin (3.3.0) 0 | OSMap - Kunena Plugin (3.3.0) 0 | OSMAP_PLUGIN_K2 (3.3.0) 0 | plg_extension_jce (2.6.31) 1 | plg_fields_mediajce (2.6.31) 1 | plg_quickicon_jce (2.6.31) 1 |
Templates Discovered ::
Templates :: SITE :: rt_osmosis (1.9) 1 | protostar (1.0) 0 | beez3 (3.1.0) 0 |
Templates :: ADMIN :: isis (1.0) 1 | hathor (3.0.0) 1 |

toivo
Joomla! Master

Re: Little spam using class.phpmailer.php

Post by toivo » Tue Aug 07, 2018 4:28 pm

You should keep the third party extensions up to date, for example Fox Contact Form 3.4.2 - the current version is 3.8.1.

The list of elevated permissions has several folders with permissions 775 when they should be 755.

You could use a service to audit the site, for example myJoomla.com, where the first audit is free.

danjde
Joomla! Enthusiast

Re: Little spam using class.phpmailer.php

Post by danjde » Tue Aug 07, 2018 5:01 pm

Hi @toivo and thanks for your kind help!
I've fixed the folder permissions and will soon upgrade Fox Contact.

In relation to my original question, is there a way to detect the script that uses "class.phpmailer.php"?

Many thanks again!

Davide

toivo
Joomla! Master

Re: Little spam using class.phpmailer.php

Post by toivo » Tue Aug 07, 2018 5:22 pm

Methods in the script libraries/vendor/phpmailer/phpmailer/class.phpmailer.php like isMail(), isSMTP() and send() are used by the Joomla! core and by most extensions that utilise Joomla's Mail class, which extends the PHPMailer class.

sozzled

Re: Little spam using class.phpmailer.php

Post by sozzled » Tue Aug 07, 2018 7:13 pm

I don't know whether this may be helpful to the situation but I've observed many [unsuccessful] attempts to probe a few of the websites that I manage by seeking the existence of the Fox Contact component. It seems that this component is a popular one among would-be hackers attempting to infiltrate unprotected websites that have not been properly maintained.

I rarely use "contact forms" myself—they're usually more trouble than they're worth because of the likelihood that most of the time the emails they generated are time-wasting questions or spam. However, if I did want to use a contact form, I probably would not choose Fox Contact because it has had a checkered history of exploitation. I'm not saying that the current version of Fox Contact is unreliable—I have no idea whether it is or whether it isn't—and I don't want to cast doubt on the sincerity of its developer to rectify weaknesses that have been discovered in the past, but I would suggest that people exercise caution in two areas:

1) Contact forms are notorious sources of spam; and

2) Visits to your websites from yandex.ru are also notorious sources of spam.

It's entirely an individual choice whether to use contact forms or to allow contact forms to be used by yandex.ru email addresses. Having written that, contact forms and yandex.ru email addresses are not without problems for website owners.

danjde
Joomla! Enthusiast

Re: Little spam using class.phpmailer.php

Post by danjde » Tue Aug 07, 2018 10:09 pm

Thanks to @toivo for his tips (I've done a free audit on myJoomla.com, but it did not find anything significant)!
And thanks to @sozzled for his advice about contact forms.

I've set some Joomla options correctly (as myJoomla.com suggests):

email to friend --> OFF
text filtering settings to not allow the default Administrator user group to enter unfiltered content
block Flash files from being uploaded through Joomla
set Error Reporting in Joomla's Global Configuration to None
remove "Never Logged In" accounts
set 'display_errors' in php.ini ---> OFF
set the session.gc_probability value to 1


many thanks to all

PhilTaylor-Prazgod
Joomla! Ace

Re: Little spam using class.phpmailer.php

Post by PhilTaylor-Prazgod » Wed Aug 08, 2018 8:29 am

danjde wrote: I've done a free audit by myJoomla.com, but it did not find any significant things

Factually incorrect.

The audit actually shows a LOT wrong with your out-of-date site.

I'm not going to out you here, but I suggest you review the Snapshot and Audit results again, as there are clear actionable things that you have not fixed and which will allow spamming.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

danjde
Joomla! Enthusiast

Re: Little spam using class.phpmailer.php

Post by danjde » Thu Aug 09, 2018 5:06 pm

Maybe I didn't express myself correctly.
The audit helped me a lot with the correct configuration of the site.
What I wanted to say is that it did not show me any modified software sending spam.
Probably the problem was that the settings (of my site) were too permissive.

Now I'll keep the situation under control and then update the post.

Thanks to all!

Davide

PhilTaylor-Prazgod
Joomla! Ace

Re: Little spam using class.phpmailer.php

Post by PhilTaylor-Prazgod » Thu Aug 09, 2018 5:09 pm

But still you have left the "Mail To Friend" feature of Joomla core enabled, which allows the kind of spam you are reporting as having...

The audit CLEARLY tells you that.

danjde
Joomla! Enthusiast

Re: Little spam using class.phpmailer.php

Post by danjde » Thu Aug 09, 2018 5:15 pm

PhilTaylor-Prazgod wrote (Thu Aug 09, 2018 5:09 pm): But still you have left the "Mail To Friend"...
No, I've disabled it, as suggested.
Look here: https://www.veronalive.it/agenda/arte-e ... zione.html
or here: https://www.veronalive.it/primo-piano/t ... 34437.html

Thanks a lot! ;)

danjde
Joomla! Enthusiast

Re: Little spam using class.phpmailer.php

Post by danjde » Sat Aug 11, 2018 4:04 pm

Nothing!
I've seen today that a spam mail was sent anyway.

Code:

[11-Aug-2018 07:44:37 Europe/Berlin] mail() on [/var/www/veronalive.it/public_html/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php:702]: To: [email protected] -- Headers: Date: Sat, 11 Aug 2018 07:44:37 +0200 From: "Redazione veronalive.it" <[email protected]> Reply-To: JalonHoM <[email protected]> Message-ID: <[email protected]> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit

I had started a previous thread on Joomla Italy, where they said that this issue is caused by human intervention and so is unmanageable...

Mah!?

But is it not possible to prevent class.phpmailer.php mailing to these addresses? A sort of blacklist?

Thanks again
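A recipient blacklist of the kind asked about above can be enforced below PHPMailer rather than inside it. PHP's mail() hands every message to the program named by sendmail_path in php.ini, so a small wrapper in that position sees the To, Cc, Bcc and Reply-To headers of everything the site sends, whichever extension built the message, and can refuse a domain before the real sendmail runs. This only applies while Joomla's mailer is set to PHP Mail, which the mail() entries in the log show it is; with the SMTP mailer nothing passes through sendmail_path. The script below is an added example, not Joomla or PHPMailer code. It assumes php.ini carries sendmail_path = "/usr/local/bin/mail-gate.py -t -i" (path and name are hypothetical), that the real MTA binary is /usr/sbin/sendmail, and that the web-server user may append to /var/log/mail-gate.log; SAMPLE_SPAM and SAMPLE_CLEAN are constructed messages. A denylist of this sort only stops the domains you list and leaves the abused feature itself open, so it belongs beside, not instead of, finding and disabling the feature that relays the mail.

```python
#!/usr/bin/env python3
"""Recipient-domain gate placed in front of the real sendmail binary.

Added example; not Joomla or PHPMailer code. Hypothetical deployment:
  php.ini:  sendmail_path = "/usr/local/bin/mail-gate.py -t -i"
PHP passes the flags as arguments and the message on stdin; the gate
checks the recipient domains and either logs and drops the message or
pipes it unchanged into /usr/sbin/sendmail with the same arguments.
"""
import subprocess
import sys
from email import message_from_bytes
from email.utils import getaddresses

REAL_SENDMAIL = "/usr/sbin/sendmail"       # assumed location of the MTA binary
GATE_LOG = "/var/log/mail-gate.log"        # assumed writable by the web-server user
# Domains the thread names as the spam targets; subdomains match as well.
DENY_DOMAINS = ("yandex.ru", "mail.ru")

# Constructed messages in the shape PHPMailer hands to "sendmail -t".
SAMPLE_SPAM = (
    b"Date: Sat, 11 Aug 2018 07:44:37 +0200\r\n"
    b"To: recipient@yandex.ru\r\n"
    b'From: "Redazione site.example" <noreply@site.example>\r\n'
    b"Reply-To: JalonHoM <jalon@news.mail.ru>\r\n"
    b"Subject: Hello\r\n"
    b"\r\n"
    b"spam body\r\n"
)
SAMPLE_CLEAN = (
    b"To: editor@site.example\r\n"
    b"From: noreply@site.example\r\n"
    b"Reply-To: Mario <mario@example.org>\r\n"
    b"Subject: Domanda\r\n"
    b"\r\n"
    b"legitimate enquiry\r\n"
)


def recipient_domains(raw_message):
    """Sorted, lower-cased domains of every address in To, Cc, Bcc and Reply-To."""
    msg = message_from_bytes(raw_message)
    fields = []
    for name in ("To", "Cc", "Bcc", "Reply-To"):
        fields.extend(msg.get_all(name, []))
    return sorted({addr.rsplit("@", 1)[1].lower()
                   for _, addr in getaddresses(fields) if "@" in addr})


def denied_domains(raw_message, deny=DENY_DOMAINS):
    """Recipient domains that match the denylist exactly or as a subdomain."""
    return [d for d in recipient_domains(raw_message)
            if any(d == bad or d.endswith("." + bad) for bad in deny)]


def gate(raw_message, sendmail_args, deny=DENY_DOMAINS, log_path=GATE_LOG):
    """Log and drop a denied message, otherwise pass it to the real sendmail.

    Returns the denied domains; an empty list means the message was relayed.
    """
    bad = denied_domains(raw_message, deny)
    if bad:
        with open(log_path, "a") as log:
            log.write("dropped message addressed to %s\n" % ", ".join(bad))
        return bad
    subprocess.run([REAL_SENDMAIL] + sendmail_args, input=raw_message, check=True)
    return bad


if __name__ == "__main__":
    # Exit 0 whether the message was relayed or dropped: mail() then reports
    # success, so the script abusing the site learns nothing from the result.
    gate(sys.stdin.buffer.read(), sys.argv[1:])
    sys.exit(0)
```

Reply-To is checked as well as the recipients because on the logged messages that is where the foreign address appears. Keep the gate's log: a run of dropped messages with the same timestamps as requests in the access log is exactly the evidence needed to find the relaying feature.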

danjde
Joomla! Enthusiast

Re: Little spam using class.phpmailer.php

Post by danjde » Wed Sep 19, 2018 9:50 am

Hi Friends,
I inform you that for over a month there has been no recorded spam activity!
I followed @PhilTaylor-Prazgod's prescriptions (from the myJoomla.com audit); in particular, disabling "Mail To Friend" was, I think, decisive. I think that such a function should be disabled by default in each release.

If the spam should resume, I will report to you!


Thanks to all!

Davide

JAVesey
Joomla! Hero

Re: Little spam using class.phpmailer.php

Post by JAVesey » Wed Sep 19, 2018 7:08 pm

danjde wrote (Wed Sep 19, 2018 9:50 am): I inform you that for over a month there has been no recorded spam activity! I followed @PhilTaylor-Prazgod's prescriptions (from the myJoomla.com audit)...
Good news re: spamming (lack of) and also that you have followed expert advice after seeking it :)

Have you taken the opportunity to review/audit and update all your 3rd-party extensions to their current version? Remember that not all extensions use Joomla's built-in update notification service so you will have to manually review and update these.
John V
Cardiff, Wales, UK
Joomla 5.1.0 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.1.0 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28

dangling
Joomla! Intern

Re: Little spam using class.phpmailer.php

Post by dangling » Tue Oct 23, 2018 10:30 am

I also have this issue. Where do I disable Mail To Friend ?
Thanks

PhilTaylor-Prazgod
Joomla! Ace

Re: Little spam using class.phpmailer.php

Post by PhilTaylor-Prazgod » Tue Oct 23, 2018 6:03 pm

Watch the awesome video from BasicJoomla here:

https://www.youtube.com/watch?v=GQ1M59GdKK8

sozzled

Re: Little spam using class.phpmailer.php

Post by sozzled » Tue Oct 23, 2018 7:17 pm

@dangling (and others): see the documentation https://docs.joomla.org/J3.x:Joomla_3.8 ... _to_Friend

dangling
Joomla! Intern

Re: Little spam using class.phpmailer.php

Post by dangling » Wed Oct 24, 2018 8:31 am

OK, I had already disabled that by default; I thought it was something I didn't know about. Cheers
Paul

