Getting bombarded with spam emails via Joomla
-
- Joomla! Enthusiast
- Posts: 126
- Joined: Sun Apr 09, 2006 6:42 am
- Location: Bruny Island, Tasmania
Getting bombarded with spam emails via Joomla
Hello, my client is receiving hundreds of spam emails with the subject, Undelivered Mail Returned to Sender
The message itself is
Subject: Copy of: ПОПОЛНЕНИЕ ВАШЕГО ЛИЧНОГО СЧЕТА #2672896
From: "Aussie Princess" <[email protected]>
Date: 3/16/2018 2:45 AM
To: <[email protected]>
This is a copy of the following message you sent to Aussie Princess via Aussie Princess Luxury Boat Charters
This is an enquiry email via http://aussieprincess.com.au/ from:
Леночка Козлова <[email protected]>
hxxps://api[.]monosnap[.]com/rpc/file/download?id=HQc7moTAL23OboieIfi5VcNLPWVGCA
Is this happening as a result of the site (Joomla 3.8.6) being hacked? What can I do to stop this torrent of emails?
Any advice would be appreciated.
Thanks, JR
Last edited by fcoulter on Fri Sep 28, 2018 10:15 am, edited 1 time in total.
Reason: edited link to prevent automatic link creation
- creativesights
- Joomla! Guru
- Posts: 642
- Joined: Tue Jan 13, 2009 11:50 pm
- Location: San Diego, California, USA
- Contact:
Re: Getting bombarded with spam emails via Joomla
You could turn off email sending in the global configuration. It's aggressive, but your website won't be able to send any email. Additionally it will help confirm whether or not the email is actually coming from the site.
We use Admin Tools Pro on a lot of sites; if you can identify the IP that's on the site, you can block it. Your hosting company can often be a good resource with blocking traffic like that also.
Andrew Crossan
CreativeSights
Professional Custom Website Design & Development in San Diego
https://www.creativesights.com
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Getting bombarded with spam emails via Joomla
There are many topics on this forum that discuss spam and spam emails. I suggest that you use the Joomla forum search (search.php).
This question is not unique to any specific version of Joomla.
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Getting bombarded with spam emails via Joomla
To be clear about this, it does not mean that your site has been hacked.
It looks as if the spammer is trying to abuse the function that allows the user to send a copy to themselves of a message sent through the contact form.
You can actually turn off the display of the checkbox on the contact form that allows this in the contacts component options. I am not sure though if that stops the email itself from being sent, I guess you would have to try it to see.
Otherwise you can try enabling re-captcha on the contact form, that is usually quite effective. You just need to enable the recaptcha plugin, get some keys (see https://www.google.com/recaptcha/intro/android.html), and set this as the default captcha for your site.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
-
- Joomla! Fledgling
- Posts: 4
- Joined: Sat Jun 19, 2010 7:14 am
Re: Getting bombarded with spam emails via Joomla
Hello, I got same issue with 3.7.3 standard contacts plugin. The message that automatically arrives to my admin mail is "Delivery Status Notification (Failure)"... with some specific strange email in Cyrillic or Chinese from xxxxxxxx.ru
Did you fix it or not?
Is it only sent to administrator? It's the only user as far now.
Thanks
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Getting bombarded with spam emails via Joomla
giovannino wrote: "Hello, I got same issue with 3.7.3"
then you are using an out of date vulnerable version of joomla.
giovannino wrote: "Did you fix it or not?"
there is nothing for the developers of joomla to fix, the fix is with the administrators of the website that uses joomla.
giovannino wrote: "Is it only sent to administrator? It's the only user as far now. Thanks"
well i think you will find it's actually sent to the email address listed for the administrator or the reply to address for the website.
see the answers and suggestions above for how to get you to sort your site out.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Intern
- Posts: 62
- Joined: Mon Dec 25, 2006 3:23 am
Re: Getting bombarded with spam emails via Joomla
I was getting the same email spam. I contacted my host who gave the reply below. Thought it might be helpful to share:
Note that one of the sites does not have a contact form, but is still, apparently, vulnerable.
------------------------
Hello,
Thank you for all the information and for including the bounceback. According to the bounceback this email originated from your Joomla installation (/home/xxxxxxxxxxxxx/public_html/index.php).
This specific email is very familiar, as it states the following:
"This is an enquiry email via http:// xxxxxxxxx .com/ from:"
This is typically due to the contact form on your Joomla site being abused. I do see that your contact form uses a form of a captcha. The spammer could potentially be getting through this captcha, or there could be another form (even if it's hidden from the website) that the spammer is taking advantage of. Joomla has built in functionality of 'Send a copy to form submission address' that will email a copy of the email to the person submitting the form.
I don't see the checkbox for this on the site like it usually is, but I'm guessing the spammer is sending the POST request with the send copy attribute included in the POST data. It looks like there is a work around by renaming the component (components/com_mailto/) to something different (like components/com_mailto_DISABLED/).. but this could break some email functionality for the website potentially.
I'd recommend that you contact Joomla for their best recommendation.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Fri Mar 29, 2019 6:52 pm
Re: Getting bombarded with spam emails via Joomla
Technically the error is not within Joomla, checking com_contact/controllers/contact.php revealed no flaws. However the ability to directly access a component apart from the menu structure carries serious caveats.
Any publicly available contact can be called directly using:
/index.php?option=com_contact&view=contact&id=123
The main issue here is paying close attention to the configuration of the contacts component. If neither within global configuration, nor within the contact settings the mail form has been disabled, it will be displayed.
Say you'd want to make a single contact publicly available by adding a menu item using "Single Contact", it is not enough to hide the contact form within that menu item's settings - using the above link in combination with that contact's id will show the contact form.
A short hint to this circumstance within the description of the menu item's configuration would be appreciated.
Recommendation: If your site does not require sending mails, disable it within global configuration and ideally within php.ini by adding disable_functions = mail. If your server allows further unrequired functions by default (e.g. exec), consider to disable these as well.
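Added example, not part of the original posts or of Joomla's code: a check over web server access logs for requests to the direct com_contact URL described above, which also yields the client IP that an earlier reply suggests blocking. It assumes a combined-format access log and non-SEF URLs of the form shown in the post; the function names, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: client IP, identity, user, [timestamp], "request line", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} '
)

def contact_hits(lines):
    """Yield (ip, method, contact_id) for requests that address com_contact directly."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        query = parse_qs(urlsplit(m["target"]).query)
        if "com_contact" in query.get("option", []):
            yield m["ip"], m["method"], query.get("id", ["?"])[0]

def suspicious_senders(lines, threshold=3):
    """Map client IP -> POST count for IPs with at least `threshold` form submissions."""
    posts = Counter(ip for ip, method, _ in contact_hits(lines) if method == "POST")
    return {ip: n for ip, n in posts.items() if n >= threshold}

def exposed_contact_ids(lines):
    """Contact ids reached by direct URL, whether or not a menu item shows their form."""
    return sorted({cid for _, _, cid in contact_hits(lines)})

# Constructed sample lines (documentation-range IPs), not from a real server.
BASE = "/index.php?option=com_contact&view=contact&id="

def make_line(ip, method, target, status):
    return f'{ip} - - [16/Mar/2018:02:45:00 +0000] "{method} {target} HTTP/1.1" {status} 512 "-" "-"'

SAMPLE_LOG = [
    make_line("203.0.113.7", "GET", BASE + "123", 200),
    make_line("203.0.113.7", "POST", BASE + "123", 303),
    make_line("203.0.113.7", "POST", BASE + "123", 303),
    make_line("203.0.113.7", "POST", BASE + "123", 303),
    make_line("203.0.113.7", "POST", BASE + "1", 303),
    make_line("198.51.100.20", "POST", BASE + "123", 303),
    make_line("198.51.100.20", "GET", "/index.php?option=com_content&view=article&id=5", 200),
]

if __name__ == "__main__":
    print("IPs to review:", suspicious_senders(SAMPLE_LOG))
    print("Contact ids reached directly:", exposed_contact_ids(SAMPLE_LOG))
```

Any contact id this reports that is not meant to accept mail is a candidate for disabling the mail form in that contact's own settings, as the post above recommends.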
- Slackervaara
- Joomla! Ace
- Posts: 1115
- Joined: Sat Aug 13, 2011 6:27 am
Re: Getting bombarded with spam emails via Joomla
Joomla's master htaccess has a spam filter for words. It works only from mails sent from the site, but you have to change to a unique word in your spam mails:
########## Begin - Basic antispam Filter, by SigSiu.net
## I removed some common words, tweak to your liking
## This code uses PCRE and works only with Apache 2.x.
## This code will NOT work with Apache 1.x servers.
RewriteCond %{QUERY_STRING} \b([* spam *]|blue\spill|[* spam *]|[* spam *]|ejaculation|[* spam *])\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(erections|[* spam *]|huronriveracres|impotence|levitra|libido)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR]
## Note: The final RewriteCond must NOT use the [OR] flag.
RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|[* spam *]|vicodin|xanax|ypxaieo)\b [NC]
RewriteRule .* - [F]
## Note: The previous lines are a "compressed" version
## of the filters. You can add your own filters as:
## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR]
## where "badword" is the word you want to exclude
########## End - Basic antispam Filter, by SigSiu.net
https://github.com/nikosdion/master-hta ... access.txt
-
- Joomla! Intern
- Posts: 62
- Joined: Mon Dec 25, 2006 3:23 am
Re: Getting bombarded with spam emails via Joomla
stereosurround wrote (Fri Mar 29, 2019 7:11 pm): "Recommendation: If your site does not require sending mails, disable it within global configuration and ideally within php.ini by adding disable_functions = mail. If your server allows further unrequired functions by default (e.g. exec), consider to disable these as well."
... and if it does require sending emails?
-
- Joomla! Apprentice
- Posts: 40
- Joined: Wed Mar 16, 2016 12:49 pm
Re: Getting bombarded with spam emails via Joomla
Gotta say, some of the defenses here of "Joomla" are a little overboard. If you don't have something helpful to contribute... why?
This is clearly a problem. I have experienced it for a while on two different sites, and I am just trying to find a way to stop it.
I have switched forms, I have secured my mail requiring authentication, I have added captcha, I have removed the contact form from the one contact available.
Nothing has stopped it. We need some help, not people saying it's our fault.
- Slackervaara
- Joomla! Ace
- Posts: 1115
- Joined: Sat Aug 13, 2011 6:27 am
Re: Getting bombarded with spam emails via Joomla
Against spam this plugin is better than Captcha. It is a mathematical problem:
https://extensions.joomla.org/extension ... heck-plus/
- paulala
- Joomla! Explorer
- Posts: 303
- Joined: Sat Oct 30, 2010 12:32 pm
- Location: Scotland
- Contact:
Re: Getting bombarded with spam emails via Joomla
@evilded Do you still have this problem? Could you share details if so?
Warm Regards,
Paula Livingstone, Skydiving Instructor and Network Security Consultant
https://paulalivingstone.com
http://rustyice.co.uk