Checklist for contact page hack using form maker lite

Posted: Mon Jul 08, 2019 8:51 am
by JohnSmithers
My contact email address is being spammed with false automated "contact us" messages. I am using form-maker lite.

I am using captcha but the contact emails seem to bypass this.

Not only do I receive a contact but immediately I receive a standard "mail undelivered" message from my mail server.

When I change the contact recipient I fix the challenge temporarily.

MY QUESTION/REQUEST IS: What are the standard checks I should do to resolve this?

Re: Checklist for contact page hack

Posted: Mon Jul 08, 2019 9:01 am
by sozzled
JohnSmithers wrote:
Mon Jul 08, 2019 8:51 am
My contact email address is being spammed with false automated "contact us" messages. I am using form-maker lite.
That's fairly usual. If you have a publicly accessible contact form then you're sending an open invitation to anyone to abuse it.

JohnSmithers wrote:
Mon Jul 08, 2019 8:51 am
I am using captcha but the contact emails seem to bypass this.
This is also fairly usual. Where did you read that CAPTCHA is a guaranteed protection from automated scripts? CAPTCHA may slow things down (a bit) but it's next-to-useless.

JohnSmithers wrote:
Mon Jul 08, 2019 8:51 am
Not only do I receive a contact but immediately I receive a standard "mail undelivered" message from my mail server.
This is also quite normal. The automated script transmits a fake (or disposable) email address. What else would you expect?

JohnSmithers wrote:
Mon Jul 08, 2019 8:51 am
[My question is] what are the standard checks I should do to resolve this?
I don't use contact forms. That's my approach (and it works). For the most part, contact forms are a waste of time. However, if you really cannot live without a contact form on your website then the secret is to put a barrier between the public and the form. The easiest way to do that is to only allow registered users access to the contact form.

But, if you don't want to go to the trouble of restricting access to the contact form to registered users then you'll just have to live with the fact that there's no guaranteed way of preventing these forms as a source of spam. Best of luck. :)

Re: Checklist for contact page hack

Posted: Mon Jul 08, 2019 9:11 am
by JohnSmithers
Thanks for that. I am noticing that my first email address is still being spammed, so changing the recipient did not work.

Are there any links - or any advice - for why these automated scripts are getting through?

Re: Checklist for contact page hack

Posted: Mon Jul 08, 2019 9:19 am
by sozzled
JohnSmithers wrote:
Mon Jul 08, 2019 9:11 am
Are there any links - or any advice - for why these automated scripts are getting through?
Well of course there are. All the information is available on (cue suspenseful mysterious music) ... the DARK WEB! *shudder*

To be totally honest with you (and, as I've written more times on this forum than I care to remember) most contact forms are a total and complete waste of time. I cannot remember anyone writing to me saying that they're generating income from their website through the use of public-facing contact forms. For those websites where there are contact forms, the information is often manually intercepted by staff members whose job is to pass-through the "legitimate" requests and trash the rubbish ones.

In conclusion, if you want to prevent the spam then you need to put up other barriers, such as requiring people to register as members of the website before they can use the contact form feature. That will reduce (but not eliminate) the spam. Or you can invest in sophisticated heuristic counter-spam mechanisms if you have the dough and the patience to learn them. It's your site, it's your business. Best of luck. :)

Re: Checklist for contact page hack using form maker lite

Posted: Wed Aug 07, 2019 9:42 am
by JohnSmithers
hmm. thanks for the response.

Got to be honest, as a small business I do get a lot of work through the contact form; maintaining the simplest call to action I can. I know I'm put off dealing with a company when I first have to give email addresses etc. to get a quote. Thinking on this I always thought they wanted my details, but I guess it is more to do with spam protection (!)

Would be very useful for me to have some security links recognising what's going on, but again I guess once I know that, the solutions you offer - such as the expensive heuristic option - are where I'd end up.

In short, thanks! :-)

Re: Checklist for contact page hack using form maker lite

Posted: Fri Aug 16, 2019 6:28 am
by PaulGee
Hi JohnSmithers,

Similar to sozzled, I also do not use contact forms on the majority of websites.
There is too much spam going around, too many spammers and it's too easy to spam generic contact forms.

I have a large number of web related email addresses and on a daily basis I receive emails similar to or in the same vein of the following:

From: ContactForm

Email: "redacted"
Phone: "redacted"

Subject: Mailing via the feedback form.

Message Body:
Good day!

We suggest
Sending your business proposition through the Contact us form which can be found on the sites in the contact section. Feedback forms are filled in by our software and the captcha is solved. The advantage of this method is that messages sent through feedback forms are whitelisted. This technique raise the probability that your message will be read.

Our database contains more than 25 million sites around the world to which we can send your message.

The cost of one million messages 49 USD

FREE TEST mailing of 50,000 messages to any country of your choice.

This message is automatically generated to use our contacts for communication.
Contact us.


As you can see, these spammers are canvassing for business and you can see one of the intents / methods of monetization of spam mail.
Notice how they claim that they use automated processes (software) to fill and send the forms and that they "solve" the captcha and also how many emails they can actually send.

People with little basic security knowledge would think that the above is a great deal.
Needless to say, if you responded to the above email you would end up on another of the spammers' "active" lists :)

Re: Checklist for contact page hack using form maker lite

Posted: Fri Aug 16, 2019 6:31 am
by sozzled
@PaulGee: Yep! 8)

Re: Checklist for contact page hack using form maker lite

Posted: Fri Aug 16, 2019 6:49 am
by PaulGee
Hi JohnSmithers,

There is a possibility that the spam emails may not actually be generated via "form-maker lite".

There has been a long standing issue with respect to the com_contact component being abused to send spam.
Please refer to this old topic...SPAM attack targeted to contact component... viewtopic.php?f=714&t=958667

If you are still having spam issues and if they are related to the abuse of the com_contact component, the temporary solution is in the above mentioned topic's thread.

Before instigating the temporary solution mentioned above, please be aware that the Joomla 3.9.11 release update contains a security fix: "Low Priority - Core - Hardening com_contact contact form (affecting Joomla 1.6.2 through 3.9.10)".

I have personally not updated to Joomla 3.9.11 as yet and do not know if the fix in this version of Joomla has resolved the issue. If you are still having spam issues (related to the abuse of the com_contact component), update to Joomla 3.9.11 first and see if that resolves the issue.


The above is worth a try, in the event that the spammers are not CURRENTLY spamming via "form-maker lite".
If they are, you would need to look at other form builders that better sanitize inputs etc. and, as sozzled has mentioned, utilize sophisticated heuristic counter-spam mechanisms.

Re: Checklist for contact page hack using form maker lite

Posted: Fri Aug 16, 2019 7:07 am
by sozzled
PaulGee wrote:
Fri Aug 16, 2019 6:49 am
I have personally not updated to Joomla 3.9.11 as yet and do not know if the fix in this version of Joomla has resolved the issue. If you are still having spam issues (related to the abuse of the com_contact component), update to Joomla 3.9.11 first and see if that resolves the issue.
Yes, I've seen you make that observation a few times today and I can't actually confirm the situation because the problem of spam generated from contact forms is not on my radar screen.

However, I've also seen several discussion topics on the forum recently where people have complained about nuisance/nonsense/spam emails they've received when they've used the Contacts component and each situation seems to be different from one another. For example, see viewtopic.php?f=714&t=958667 or viewtopic.php?f=714&t=972221.

As far as the changes made to J! 3.9.11 are concerned, see https://developer.joomla.org/security-c ... -form.html that discusses "incorrect access control" in disabled forms. So, no, it's not a cure-all for everything; it's a minor improvement that may affect a relatively small number of websites.

Next, I invite you to update to J! 3.9.11; it takes a few minutes to do this.

If we were to compile a "checklist" of what's involved with using contact forms, these would be the top five items on mine:
  1. Why?
  2. Who [by/for]?
  3. What [for]?
  4. Can it be done another way?
  5. Projected cost containment

Re: Checklist for contact page hack using form maker lite

Posted: Fri Aug 16, 2019 10:12 am
by PaulGee
@sozzled ... thank you for your thread

I will update all the Joomla sites from 3.9.10 to 3.9.11 in the next few days.
After a new Joomla update release, I usually wait up to a week before updating in the event that there are bugs/glitches in the update. There have been occasions where a secondary update fixing the bugs/glitches was released a few days later. Additionally, a Joomla update is usually followed (within a few days) by extension updates such as JCE. Waiting up to a week saves time and effort.

Looking in the forum at many of the spam issues, they seem to point at the abuse of the com_contact component in different forms/fashions as the common denominator, even though the OPs seem to be reporting different scenarios.

If you look back at my original two threads on viewtopic.php?f=714&t=958667 you will see that I mention that the spam occurred regardless of whether forms were enabled or disabled and regardless of other contact type settings. The only thing that stopped the spam was the disabling of the Component "Contacts" via: Joomla Control Panel >> Extensions >> Manage >> Manage >> "search for Contacts" >> "disable Contacts (type Component)".

The spammers have become familiar with the ability to abuse the com_contact component to easily send spam mail.
As an aside, I have even checked in the "redirect" component (on sites where the com_contact component has been disabled) and noticed 404 entries from spammers still trying to access via the com_contact component.

I take on-board your comment "As far as the changes made to J! 3.9.11 are concerned, see https://developer.joomla.org/security-c ... -form.html that discusses "incorrect access control" in disabled forms. So, no, it's not a cure-all for everything; it's a minor improvement that may affect a relatively small number of websites."
I will try, if time permits, to have an in-depth look at the changes, as to whether the com_contact component can still be abused to send mail with the forms disabled (as has currently been the case).

In my original threads in April 2018 & September 2018, I advised of the above ability and also advised that many OPs would not be aware that the com_contact component could be abused to send mail even when the "disabled" forms were not being used or displayed.
The same would apply, even when using another form builder in lieu of the Joomla "contact form" such as the op above using "form-maker lite", with the com_contact component enabled.

In my original threads I actually recommended that thought be given to disabling the com_contact component "by default" with warnings on activation.

It would make sense that anyone having significant spam issues should look at and eliminate the above as a possible cause for that spam first. It would take only a few minutes to disable the com_contact component and then see if the spam stops shortly thereafter.

I am like-minded with you as to the non-necessity of using contact forms on websites.
I generally avoid using them wherever I can and actively try to discourage others from using them as well.
I will only use them when a client strenuously insists, but only after warning them of the consequences of "mass spam mail". In these cases I also insist on a totally separate server and IP address for that Joomla website installation, so that any penalties remain confined to that IP and server.
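As an added example (not part of this thread, and not code from Joomla or from any poster), the following Python script implements the kind of log check PaulGee describes above: it scans web-server access-log lines for requests addressed to the com_contact component and flags sources that POST to it repeatedly, or that keep hitting it after the component has been disabled (404 responses). The log lines, timestamps and IP addresses are constructed samples, and the Apache combined-log layout is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Aug/2019:06:40:01 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Aug/2019:06:40:02 +0000] "POST /index.php?option=com_contact&view=contact&id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Aug/2019:06:41:10 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Aug/2019:06:41:30 +0000] "POST /index.php?option=com_contact&view=contact&id=3 HTTP/1.1" 404 1024 "-" "Mozilla/5.0"
192.0.2.55 - - [16/Aug/2019:06:42:00 +0000] "GET /contact-us HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Client IP, request method, request path and response status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def com_contact_requests(log_text):
    """Map each client IP to a Counter of (method, status) for requests that name com_contact."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if "option=com_contact" not in m.group("path"):
            continue  # only the contact component is of interest here
        hits[m.group("ip")][(m.group("method"), int(m.group("status")))] += 1
    return hits


def suspicious_ips(hits, min_posts=2):
    """Flag IPs that POST to com_contact at least min_posts times (likely automated
    form submissions) or that still request it after it returns 404 (component disabled)."""
    flagged = {}
    for ip, counter in hits.items():
        posts = sum(n for (method, _), n in counter.items() if method == "POST")
        not_found = sum(n for (_, status), n in counter.items() if status == 404)
        if posts >= min_posts or not_found:
            flagged[ip] = {"posts": posts, "404s": not_found}
    return flagged


if __name__ == "__main__":
    for ip, info in suspicious_ips(com_contact_requests(SAMPLE_LOG)).items():
        print(f"{ip}: {info['posts']} POSTs to com_contact, {info['404s']} x 404")
```

Run it against a real access log by reading the file contents into `com_contact_requests` instead of `SAMPLE_LOG`; a source that appears here with many POSTs and 404s is a candidate for blocking at the firewall or web server.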

Re: Checklist for contact page hack using form maker lite

Posted: Wed Aug 21, 2019 3:59 pm
by jeffhoneyager
Another way to disable it is via phpMyAdmin.

- view the extensions table
- edit com_contact
- change enabled to "0", change access to "0" and Protected to "0"
[attached screenshot: com_contact-phpmyadmin-change.png]