Spam issues from Joomla (Topic is solved)

Discussion regarding Joomla! 5.x security issues.

Moderators: mandville, General Support Moderators

semmerket
Joomla! Intern
Posts: 68
Joined: Wed Oct 25, 2006 2:28 pm

Spam issues from Joomla

Post by semmerket » Mon Feb 03, 2025 3:23 pm

Hi, everyone!

I have a security problem with Joomla that is taking away my night's sleep.

There is a website belonging to a client of mine that is receiving frequent spam. The attacks began on January 24th.

The site was on Joomla version 4.4.10 on a Linode VPS that I configured myself with ISPConfig. The site has RSFirewall with a 100 rating in the site analysis and I have not had any warnings of intrusion.

I know the spam is coming from the site because it is being sent from Sendgrid which is the system I chose to send the site's transactional emails. I already tried switching to another email sending system (Brevo) and the spam continued.

I have already done everything to try to resolve the problem. I've already looked at the Joomla logs, disabled extensions that could be causing the problem, updated all extensions, updated Joomla. Nothing resolved.

Finally, I decided to take a radical step and redid the site completely from scratch, in Joomla 5, reinstalling all the extensions from scratch, changing all the passwords, including Sendgrid, and installing it on a new VPS updated and configured from scratch.

The emails have decreased a lot, but I received spam in the same way, this morning, which makes me think that there may be some undetected security flaw in Joomla that allows this type of attack.

Could you help me with ways on how I could find where this failure is coming from?

Thank you in advance!

Per Yngve Berg
Joomla! Master
Posts: 31667
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: Spam issues from Joomla

Post by Per Yngve Berg » Mon Feb 03, 2025 7:32 pm

Have you disabled the Contact Component?

Re: Spam issues from Joomla

Post by semmerket » Mon Feb 03, 2025 7:36 pm

Yes! I don't use the contact component on any of my sites. So it is one of the first things that I do: disable the contact component. I use RSForms Pro instead.

AMurray
Joomla! Master
Posts: 10566
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Spam issues from Joomla

Post by AMurray » Mon Feb 03, 2025 9:48 pm

Do you have a captcha plugin enabled - Google Recaptcha, Cloudflare Turnstile, HCaptcha (etc)?

I would think if it is a security flaw, everyone would be experiencing it. Just wondering if SendGrid might be contributing to it. Try using normal Sendmail, PHPMail or another SMTP Server. Have you reviewed the email logs on SendGrid? Since that is what is ultimately sending the email. How do you know "Sendgrid" is not the problem?

Could you (for sake of testing) try the standard form-email methods such as PHPMail, Sendmail or another SMTP server (which I assume is what Sendgrid is - a third-party SMTP email service?)
Regards - A Murray
Global Support Moderator

Webdongle
Joomla! Master
Posts: 44994
Joined: Sat Apr 05, 2008 9:58 pm

Re: Spam issues from Joomla

Post by Webdongle » Mon Feb 03, 2025 10:23 pm

If your form has 'send copy to sender' then a spammer can put 100+ email addresses in that field. All those email addresses will get emails from your site.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

Re: Spam issues from Joomla

Post by semmerket » Tue Feb 04, 2025 2:35 am

AMurray wrote: Mon Feb 03, 2025 9:48 pm
> Do you have a captcha plugin enabled - Google Recaptcha, Cloudflare Turnstile, HCaptcha (etc)?
>
> I would think if it is a security flaw, everyone would be experiencing it. Just wondering if SendGrid might be contributing to it. Try using normal Sendmail, PHPMail or another SMTP Server. Have you reviewed the email logs on SendGrid? Since that is what is ultimately sending the email. How do you know "Sendgrid" is not the problem?
>
> Could you (for sake of testing) try the standard form-email methods such as PHPMail, Sendmail or another SMTP server (which I assume is what Sendgrid is - a third-party SMTP email service?)

Yes! I have used Google Recaptcha v3 and changed to Turnstile, without success in both cases.

I suppose that the problem isn't Sendgrid, because when I changed to Brevo the spam simply continued as if nothing had changed at all.

But, I can test with another SMTP email service just to test.

Re: Spam issues from Joomla

Post by semmerket » Tue Feb 04, 2025 2:40 am

Webdongle wrote: Mon Feb 03, 2025 10:23 pm
> If your form has 'send copy to sender' then a spammer can put 100+ email addresses in that field. All those email addresses will get emails from your site.

It seems that it's not the case, because Sendgrid would show me that number of sent emails... And the spammer is just sending one email to the same sender email. They were sending at a 5 min interval rate. And when I changed the server that stopped, but I noticed one single email has been sent after the change. So, I assume that the flaw is still there...

Re: Spam issues from Joomla

Post by semmerket » Tue Feb 04, 2025 8:43 pm

I have found the breach used by the spammer. I have changed every subject in the forms present on the site to identify the origin of the spam, if it were being sent from one of them. Bingo!

It was caused by the WhatsApp Multi Agent module by TemplatePlazza. The module has a form that is used when the WhatsApp is offline. The version that I was using on that site was 1.6, which appears to be compromised in the form. The actual version 1.7 seems to resolve the flaw.

Quest resolved! Thanks everybody!

Re: Spam issues from Joomla

Post by AMurray » Tue Feb 04, 2025 9:12 pm

Thanks for the update and solution.

Re: Spam issues from Joomla

Post by Per Yngve Berg » Tue Feb 04, 2025 10:04 pm

It has not been reported to the VEL.

Re: Spam issues from Joomla

Post by Webdongle » Tue Feb 04, 2025 10:42 pm

Perhaps nobody noticed. Or the devs updated but didn't say it was a security fix?

mandville
Joomla! Master
Posts: 15162
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Spam issues from Joomla

Post by mandville » Tue Feb 11, 2025 10:24 pm

nothing from VEL
current topic https://templateplazza.com/forums/techn ... h-detected
changelog

Version 1.7.0 - 05-11-24
+ Added ReCaptcha v3 for anti spam option
- Fixed Repetition rule issue for J4/J5 version

Version 1.6.1 - 15-06-24
- Fixed compatibility issue for J4/J5 version

Version 1.6.0 - 04-11-23
+ A version for Joomla 5 without the Backward Compatibility Plugin is now available.
- Improved PHP 8.x support.
* jQuery dependency has been removed, so it will now work without jQuery (J3, J4, J5).
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/

Re: Spam issues from Joomla

Post by semmerket » Mon Mar 03, 2025 12:27 pm

After some tests with the plugin, I can confirm that it is a security flaw in WhatsApp Multi Agent. Even with Recaptcha 2 or 3 enabled, the spammer found out a way to send email through the offline form. Even if the form is deactivated, the attacker can send email. I will contact Template Plazza to take a look at it.

sikumbang
Joomla! Ace
Posts: 1597
Joined: Fri Aug 19, 2005 4:37 am
Location: earth

Re: Spam issues from Joomla

Post by sikumbang » Thu Mar 06, 2025 12:22 am

Hi Semmerket, I’m not sure whether the issue has been successfully resolved based on our last conversation on the TemplatePlazza forum, but I have uploaded version 1.8.0 with a token check added to the form to enhance the offline form protection. Can you give it a try?
http://www.templateplazza.com - Joomla Extensions and Templates
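
The server-side checks this thread points to (a token check as mentioned in the post above, the form's enabled setting, captcha verification, and a single-address recipient field as raised earlier about 'send copy to sender'), shown as an added example in plain PHP. It is not TemplatePlazza's or Joomla's code; the function, field and config names are hypothetical and the sample requests are constructed.

```php
<?php
declare(strict_types=1);
// Hypothetical handler checks for a module's offline e-mail form (names are assumptions).

/** Returns a rejection reason, or null when the request may send mail. */
function checkOfflineFormRequest(array $post, array $session, array $config): ?string
{
    // 1. Enforce the "form enabled" setting on the server; hiding the form
    //    in the page does not stop direct POSTs to the endpoint.
    if (empty($config['offline_form_enabled'])) {
        return 'form disabled';
    }
    // 2. Session-bound token: the POST must follow a page this site served.
    $expected = (string) ($session['form_token'] ?? '');
    $supplied = (string) ($post['token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return 'bad token';
    }
    // 3. Captcha response verified server-side before any mail is sent.
    //    The verifier is injected so this sketch runs offline.
    if (!($config['verify_captcha'])((string) ($post['captcha'] ?? ''))) {
        return 'captcha failed';
    }
    // 4. Exactly one valid address: no separators or line breaks, so a
    //    "copy to sender" field cannot carry an address list or extra headers.
    $email = (string) ($post['email'] ?? '');
    if (preg_match('/[\s,;]/', $email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'bad address';
    }
    return null;
}

// Constructed sample requests (not taken from the thread).
$session = ['form_token' => bin2hex(random_bytes(16))];
$config  = ['offline_form_enabled' => true,
            'verify_captcha' => fn(string $r): bool => $r === 'ok'];
$good = ['token' => $session['form_token'], 'captcha' => 'ok', 'email' => 'visitor@example.com'];
$cases = [
    'valid request'     => [$good, $config],
    'missing token'     => [['token' => ''] + $good, $config],
    'no captcha answer' => [['captcha' => ''] + $good, $config],
    'address list'      => [['email' => 'a@example.com,b@example.com'] + $good, $config],
    'form switched off' => [$good, ['offline_form_enabled' => false] + $config],
];
foreach ($cases as $label => [$post, $cfg]) {
    echo $label, ': ', checkOfflineFormRequest($post, $session, $cfg) ?? 'accepted', PHP_EOL;
}
```

Inside a Joomla extension the token step would normally use the framework's own form token helpers rather than a hand-rolled session key.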
