Spam emails

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Post Reply
floppy900
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Thu Oct 21, 2010 4:42 pm

Spam emails

Post by floppy900 » Tue Nov 12, 2019 2:56 pm

Hi people can anyone tell me how to stop someone sending spam emails from the website.
The only people that have access are committee members of the fishing club and most are old farts like me who can just about use a computer for emails and stuff.
Many thanks.
Floppy900 (Terry)

waarnemer
Joomla! Hero
Joomla! Hero
Posts: 2778
Joined: Sun May 04, 2008 12:37 pm

Re: Spam emails

Post by waarnemer » Tue Nov 12, 2019 3:28 pm

you do have a contact form on your site? You probably do.
make sure to set a captcha of any kind.
the core captchas need a google api key
but there also is a very good non intrusive one by michael richey: hashcash.
https://extensions.joomla.org/extension/hashcash/

floppy900
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Thu Oct 21, 2010 4:42 pm

Re: Spam emails

Post by floppy900 » Tue Nov 12, 2019 3:47 pm

Thanks for the reply, I will try it out.
Thanks.
floppy900 (Terry)

floppy900
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Thu Oct 21, 2010 4:42 pm

Re: Spam emails

Post by floppy900 » Tue Nov 12, 2019 4:51 pm

Hi, it looks like the forum is sending out spam, I have set up the hashcash to see if that will stop it, I also went through all the members and deleted any that logged in today, to see if they will re register.
Thanks.
floppy900 (Terry)

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 12770
Joined: Thu Feb 15, 2007 5:48 am
Location: Zagreb, Croatia

Re: Spam emails

Post by toivo » Wed Nov 13, 2019 12:29 am

floppy900 wrote:it looks like the forum is sending out spam
It would help the experts here to assist you if we knew more about your website, for example its URL, but at least the version of Joomla and the forum extension.

You should also post the results from the Forum Post Assistant (FPA) by following the instructions at https://forumpostassistant.github.io/docs/.
Toivo Talikka, Global Moderator

floppy900
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Thu Oct 21, 2010 4:42 pm

Re: Spam emails

Post by floppy900 » Wed Nov 13, 2019 1:50 pm

Sorry, here is the info.
It looks like the forum is sending out spam and I have no idea on how to stop it.
https://www.exeteranglingassociation.co.uk/
Kunena v:5.0.7
and the Joomla is up to date with the latest installed.
Thanks.
Floppy900 (Terry)

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 12770
Joined: Thu Feb 15, 2007 5:48 am
Location: Zagreb, Croatia

Re: Spam emails

Post by toivo » Wed Nov 13, 2019 2:30 pm

Your version of Kunena is out of date and misses several security fixes. The latest version is 5.1.15. At this stage, in the absence of the requested FPA results, your best bet is to update Kunena.
Toivo Talikka, Global Moderator

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 9692
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Spam emails

Post by sozzled » Wed Nov 13, 2019 7:51 pm

Thank you for your question, @floppy990.

floppy900 wrote:
Tue Nov 12, 2019 2:56 pm
Can anyone tell me how to stop someone sending spam emails from the website?
Anyone who has a publicly-accessible contact form on a website is sending an open invitation to anyone to use it for whatever purpose they desire—honestly or dishonestly, for good or bad, for making a genuine request or for making a disingenuous request. That's what happens.

CAPTCHA (or some other "anti-spam" mechanism) is usually ineffective.

So the first point to make is simple: why have a contact form if it's likely to be abused? If you can answer that question, if there's the likelihood that a contact form will be abused is low, then go ahead and make such a mechanism available.

I'm not a believer in contact forms myself—certainly not ones that are publicly-accessible—and the risks of their misuse outweighs any advantages. To minimise this risk, don't make these things publicly-accessible; confine their use to only registered users. In other words, require that people need to register an account and login before they can use the contact form. And what if you think that people may need to contact you before they create an account? Well, if they're genuine (and if you've publicised the advantages to people of the benefits of joining your organisation even if only to ask a few questions) then have some faith that people will create an account.

The second opportunity for spammers is your forum. No, it is of little importance that your forum software is not the most-current version (even if it makes good sense to keep the software up-to-date) or that the forum is not [initially] "open" to the public but the fact that you have a forum, and the only obstacle in the path of would-be spammers is that they need to create an account and login to use it, is not a reason to be complacent.

It doesn't matter what forum software you're using. For example, this forum (at forum.joomla.org) is bombarded with junk many times a day. So if it can happen here, it can happen anywhere.

If you want to stop spam then you need to stop it at the source. You need to put in place mechanisms, other requirements, that require people to comply with additional conditions before they can register themselves. You might also do some research into how to prevent forum spam by looking here: https://google.com/search?q=%22How+to+stop+fo ... ena%22&s=g

floppy900 wrote:
Tue Nov 12, 2019 4:51 pm
I ... went through all the members and deleted any that logged in today, to see if they will re register.
This is the third area you should look at. Your website allows anyone to self-register and the only "obstacle" in their way (it would appear) is to deal with the CAPTCHA challenge. So, basically, anyone can enter any name, email address (real or not) and meet the CAPTCHA challenge and, hey-presto, they're in! Once they're in, they can use your forum or any other facilities offered by your website to post spam or send junk mail.

floppy900 wrote:
Tue Nov 12, 2019 2:56 pm
The only people that have access are committee members of the fishing club ...
OK, if that's what you want then enforce it. If you only want committee members of your organisation to access your site, then don't offer a means of self-registration. Require that all new members of your site need to be vetted before they're allowed to login. I can't decide what's best for you; you have to figure out what you want your website to be for yourself.'

Just for the record:
  1. I am not affiliated with the Kunena project.
  2. I manage several websites, my own and with other people, using different (including outdated) versions of Kunena
  3. Spam is not confined to Joomla or Kunena
  4. I see dozens of attempted assaults on my websites every day but none of these are successful (touch wood that will continue)
In summary, there's no one-size-fits-all solution. CAPTCHA challenges are, in my opinion, a waste of time; they're a minor "inconvenience", perhaps, to would-be spammers w.r.t. preventing some spam but they're not a cure; CAPTCHA challenges are easily overcome. There is no evidence that K 5.0.7 is any less secure than K 5.1.15 (but it doesn't hurt to update it).

I hope this helps. 8)
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

waarnemer
Joomla! Hero
Joomla! Hero
Posts: 2778
Joined: Sun May 04, 2008 12:37 pm

Re: Spam emails

Post by waarnemer » Wed Nov 13, 2019 9:21 pm

sozzled wrote:
Wed Nov 13, 2019 7:51 pm
CAPTCHA (or some other "anti-spam" mechanism) is usually ineffective.
This needs some explanation....

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 9692
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Spam emails

Post by sozzled » Wed Nov 13, 2019 9:37 pm

@waarnemer: I'm not going to get into a "panel discussion" about what other people may think about CAPTCHA, honeypots, or other so-called spam prevention mechanisms. Everyone has different opinions (and I respect those opinions) just as I hope people will also respect that I'm entitled to my own opinion, too.

I have not once found a CAPTCHA or spam preventative mechanism that is reliable, that's a one-size-fits-all solution, that's totally effective or that is abuse-proof. If that were the case then why isn't the Joomla! forum (forum.joomla.org) using it? ??? ??? Perhaps you might be able to give some explanation about why there's so much spam here at forum.joomla.org (because this forum also uses CAPTCHA together with other mechanisms)?
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

waarnemer
Joomla! Hero
Joomla! Hero
Posts: 2778
Joined: Sun May 04, 2008 12:37 pm

Re: Spam emails

Post by waarnemer » Wed Nov 13, 2019 9:46 pm

@sozzled
well for this forum it counts as follows...once in, no captcha... off you go...
think; it is the google captcha that doesn't ask always for you to solve the riddle, it sometimes just accepts you are human by just check the box.....so you can have two types of spammers here... the real human selling his services to get your page ranked as high as possible... (no way he can!) and the ones that use a bot to sell me the ideal medicine for my lovelife.... the ones that break through the google captchas....

for the usual bot it is hard work to solve a javascript riddle... that is why I advise the hashcash method... bit indeed, the hascash cannot beat the manual spammer... it can beat the bots though...

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 9692
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Spam emails

Post by sozzled » Wed Nov 13, 2019 9:59 pm

Again, while this side-bar "panel discussion" may be entertaining, in my opinion, this is not the best place to be having it and it's hijacking the OP's topic.

The original question was simple:
floppy900 wrote:
Tue Nov 12, 2019 2:56 pm
Can anyone tell me how to stop someone sending spam emails from the website?
There are solutions. CAPTCHA helps a little ... but it's ineffective at stopping the spread of spam. If people want to stop spam then one has to look beyond CAPTCHA, beyond guessable problem-solving challenges, beyond automated technological means and look closer to home.

@floppy990: I'm sorry about the unfortunate foregoing panel discussion at your expense. Please look at my earlier response (a few messages ago) and decide for yourself.
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

waarnemer
Joomla! Hero
Joomla! Hero
Posts: 2778
Joined: Sun May 04, 2008 12:37 pm

Re: Spam emails

Post by waarnemer » Wed Nov 13, 2019 10:14 pm

@sozzled is right... to avoid hijacking... but I'm curious..

viewtopic.php?f=48&t=975730#p3586145


Post Reply

Return to “Security in Joomla! 3.x”