Checklist for contact page hack using form maker lite

This forum is for general questions about extensions for Joomla! 3.x.

JohnSmithers
Joomla! Enthusiast

Checklist for contact page hack using form maker lite

Post by JohnSmithers » Mon Jul 08, 2019 8:51 am

My contact email address is being spammed with false automated "contact us" messages. I am using form-maker lite.

I am using captcha but the contact emails seem to bypass this.

Not only do I receive a contact but immediately I receive a standard "mail undelivered" message from my mail server.

When I change the contact recipient I fix the challenge temporarily.

MY QUESTION/REQUEST IS: What are the standard checks I should do to resolve this?
Last edited by toivo on Mon Jul 08, 2019 12:06 pm, edited 1 time in total.
Reason: mod note: retitled, moved to 3.x Extensions

sozzled
Joomla! Exemplar

Re: Checklist for contact page hack

Post by sozzled » Mon Jul 08, 2019 9:01 am

JohnSmithers wrote:
Mon Jul 08, 2019 8:51 am
My contact email address is being spammed with false automated "contact us" messages. I am using form-maker lite.
That's fairly usual. If you have a publicly accessible contact form then you're sending an open invitation to anyone to abuse it.

JohnSmithers wrote:
Mon Jul 08, 2019 8:51 am
I am using captcha but the contact emails seem to bypass this.
This is also fairly usual. Where did you read that CAPTCHA is a guaranteed protection from automated scripts? CAPTCHA may slow things down (a bit) but it's next-to-useless.

JohnSmithers wrote:
Mon Jul 08, 2019 8:51 am
Not only do I receive a contact but immediately I receive a standard "mail undelivered" message from my mail server.
This is also quite normal. The automated script transmits a fake (or disposable) email address. What else would you expect?

JohnSmithers wrote:
Mon Jul 08, 2019 8:51 am
[My question is] what are the standard checks I should do to resolve this?
I don't use contact forms. That's my approach (and it works). For the most part, contact forms are a waste of time. However, if you really cannot live without a contact form on your website then the secret is to put a barrier between the public and the form. The easiest way to do that is to only allow registered users access to the contact form.

But, if you don't want to go to the trouble of restricting access to the contact form to registered users then you'll just have to live with the fact that there's no guaranteed way of preventing these forms as a source of spam. Best of luck. :)
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

JohnSmithers
Joomla! Enthusiast

Re: Checklist for contact page hack

Post by JohnSmithers » Mon Jul 08, 2019 9:11 am

Thanks for that. I am noticing that my first email address is still being spammed, so changing the recipient did not work.

Are there any links - or any advice - for why these automated scripts are getting through?

sozzled
Joomla! Exemplar

Re: Checklist for contact page hack

Post by sozzled » Mon Jul 08, 2019 9:19 am

JohnSmithers wrote:
Mon Jul 08, 2019 9:11 am
Are there any links - or any advice - for why these automated scripts are getting through?
Well of course there are. All the information is available on (cue suspenseful mysterious music) ... the DARK WEB! *shudder*

To be totally honest with you (and, as I've written more times on this forum than I care to remember) most contact forms are a total and complete waste of time. I cannot remember anyone writing to me saying that they're generating income from their website through the use of public-facing contact forms. For those websites where there are contact forms, the information is often manually intercepted by staff members whose job is to pass-through the "legitimate" requests and trash the rubbish ones.

In conclusion, if you want to prevent the spam then you need to put up other barriers, such as requiring people to register as members of the website before they can use the contact form feature. That will reduce (but not eliminate) the spam. Or you can invest in sophisticated heuristic counter-spam mechanisms if you have the dough and the patience to learn them. It's your site, it's your business. Best of luck. :)

JohnSmithers
Joomla! Enthusiast

Re: Checklist for contact page hack using form maker lite

Post by JohnSmithers » Wed Aug 07, 2019 9:42 am

Hmm, thanks for the response.

Got to be honest, as a small business I do get a lot of work through the contact form; maintaining the simplest call to action I can. I know I'm put off dealing with a company when I first have to give email addresses etc. to get a quote. Thinking on this, I always thought they wanted my details, but I guess it is more to do with spam protection (!)

It would be very useful for me to have some security links recognising what's going on, but again I guess once I know that, the solutions you offer - such as the expensive heuristic option - are where I'd end up.

In short, thanks! :-)

PaulGee
Joomla! Apprentice

Re: Checklist for contact page hack using form maker lite

Post by PaulGee » Fri Aug 16, 2019 6:28 am

Hi JohnSmithers,

Similar to sozzled, I also do not use contact forms on the majority of websites.
There is too much spam going around, too many spammers and it's too easy to spam generic contact forms.

I have a large number of web related email addresses and on a daily basis I receive emails similar to or in the same vein of the following:

From: ContactForm

Email: "redacted"
Phone: "redacted"

Subject: Mailing via the feedback form.

Message Body:
Good day!

We suggest
Sending your business proposition through the Contact us form which can be found on the sites in the contact section. Feedback forms are filled in by our software and the captcha is solved. The advantage of this method is that messages sent through feedback forms are whitelisted. This technique raise the probability that your message will be read.

Our database contains more than 25 million sites around the world to which we can send your message.

The cost of one million messages 49 USD

FREE TEST mailing of 50,000 messages to any country of your choice.

This message is automatically generated to use our contacts for communication.
Contact us.


As you can see, these spammers are canvassing for business and you can see one of the intents / methods of monetization of spam mail.
Notice how they claim that they use automated processes (software) to fill and send the forms and that they "solve" the captcha and also how many emails they can actually send.

People with little basic security knowledge would think that the above is a great deal.
Needless to say, if you responded to the above email you would end up on another of the spammers' "active" lists :)

sozzled
Joomla! Exemplar

Re: Checklist for contact page hack using form maker lite

Post by sozzled » Fri Aug 16, 2019 6:31 am

@PaulGee: Yep! 8)

PaulGee
Joomla! Apprentice

Re: Checklist for contact page hack using form maker lite

Post by PaulGee » Fri Aug 16, 2019 6:49 am

Hi JohnSmithers,

There is a possibility that the spam emails may not be actually being generated via "form-maker lite".

There has been a long standing issue with respect to the com_contact component being abused to send spam.
Please refer to this old topic...SPAM attack targeted to contact component... viewtopic.php?f=714&t=958667

If you are still having spam issues and if they are related to the abuse of the com_contact component, the temporary solution is in the above mentioned topic's thread.

Before instigating the temporary solution mentioned above, please be aware that the Joomla 3.9.11 release update includes a security fix: "Low Priority - Core - Hardening com_contact contact form (affecting Joomla 1.6.2 through 3.9.10)".

I have personally not updated to Joomla 3.9.11 as yet and do not know if the fix in this version of Joomla has resolved the issue. If you are still having spam issues (related to the abuse of the com_contact component), update to Joomla 3.9.11 first and see if that resolves the issue.


The above is worth a try, in the event that the spammers are not CURRENTLY spamming via "form-maker lite".
If they are, you would need to look at other form builders that better sanitize inputs etc and as sozzled has mentioned utilize sophisticated heuristic counter-spam mechanisms.

sozzled
Joomla! Exemplar

Re: Checklist for contact page hack using form maker lite

Post by sozzled » Fri Aug 16, 2019 7:07 am

PaulGee wrote:
Fri Aug 16, 2019 6:49 am
I have personally not updated to Joomla 3.9.11 as yet and do not know if the fix in this version of Joomla has resolved the issue. If you are still having spam issues (related to the abuse of the com_contact component), update to Joomla 3.9.11 first and see if that resolves the issue.
Yes, I've seen you make that observation a few times today and I can't actually confirm the situation because the problem of spam generated from contact forms is not on my radar screen.

However, I've also seen several discussion topics on the forum recently where people have complained about nuisance/nonsense/spam emails they've received when they've used the Contacts component and each situation seems to be different from one another. For example, see viewtopic.php?f=714&t=958667 or viewtopic.php?f=714&t=972221.

As far as the changes made to J! 3.9.11 are concerned, see https://developer.joomla.org/security-c ... -form.html that discusses "incorrect access control" in disabled forms. So, no, it's not a cure-all for everything; it's a minor improvement that may affect a relatively small number of websites.

Next, I invite you to update to J! 3.9.11; it takes a few minutes to do this.

If we were to compile a "checklist" of what's involved with using contact forms, these would be the top five items on mine:
  1. Why?
  2. Who [by/for]?
  3. What [for]?
  4. Can it be done another way?
  5. Projected cost containment

PaulGee
Joomla! Apprentice

Re: Checklist for contact page hack using form maker lite

Post by PaulGee » Fri Aug 16, 2019 10:12 am

@sozzled ... thank you for your thread

I will update all the Joomla sites from 3.9.10 to 3.9.11 in the next few days.
After a new Joomla update release, I usually wait up to a week before updating in the event that there are bugs/glitches in the update. There have been occasions where a secondary update fixing the bugs/glitches was released a few days later. Additionally, a Joomla update is usually followed (within a few days) by extension updates such as JCE. Waiting up to a week saves time and effort.

Looking in the forum at many of the spam issues, they seem to point at the abuse of the com_contact component in different forms/fashions as the common denominator, even though the OPs seem to be reporting different scenarios.

If you look back at my original 2 threads on viewtopic.php?f=714&t=958667 you will see that I mention that the spam occurred regardless of whether forms were enabled or disabled and regardless of other contact type settings. The only thing that stopped the spam was the disabling of the Component "Contacts" via: Joomla Control Panel >> Extensions >> Manage >> Manage >> "search for Contacts" >> "disable Contacts (type Component)".

The spammers have become familiar with the ability to abuse the com_contact component to easily send spam mail.
As an aside, I have even checked in the "redirect" component (on sites where the com_contact component has been disabled) and noticed 404 entries from spammers still trying to access via the com_contact component.

I take on-board your comment "As far as the changes made to J! 3.9.11 are concerned, see https://developer.joomla.org/security-c ... -form.html that discusses "incorrect access control" in disabled forms. So, no, it's not a cure-all for everything; it's a minor improvement that may affect a relatively small number of websites."
I will try, if time permits, to have an in-depth look at the changes, as to whether the com_contact component can still be abused to send mail with the forms disabled (as has currently been the case).

In my original threads in April 2018 & September 2018, I advised of the above ability and also advised that many ops would not be aware that the com_contact component could be abused to send mail even when the "disabled" forms were not being used or displayed.
The same would apply, even when using another form builder in lieu of the Joomla "contact form" such as the op above using "form-maker lite", with the com_contact component enabled.

In my original threads I actually recommended that thought be given to disabling the com_contact component "by default" with warnings on activation.

It would make sense that anyone having significant spam issues should look at and eliminate the above as a possible cause for that spam first. It would take only a few minutes to disable the com_contact component and then see if the spam stops shortly thereafter.

I am like-minded with you as to the non-necessity of using contact forms on websites.
I generally avoid using them wherever I can and actively try to discourage others from using them as well.
I will only use them when a client strenuously insists, but only after warning them of the consequences of "mass spam mail". In these cases I also insist on a totally separate server and IP address for that Joomla website installation, so that any penalties remain confined to that IP and server.
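
Since the open question in this thread is whether the spam is arriving through the com_contact component or through the form builder, here is an added example (not from the thread, from Form Maker, or from Joomla itself) that tallies form submissions per Joomla component in an Apache access log, so the two sources can be told apart and 404s against a disabled com_contact can be counted. The log lines are constructed, and the `com_formmaker` option name and the `task=contact.submit` value are assumptions used for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Apache "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines, not from any real server. "com_formmaker" is an
# assumed option name standing in for whatever form builder is installed.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Aug/2019:06:49:01 +0000] "POST /index.php?option=com_contact&view=contact&id=1&task=contact.submit HTTP/1.1" 303 - "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2019:06:49:03 +0000] "POST /index.php?option=com_contact&view=contact&id=1&task=contact.submit HTTP/1.1" 303 - "-" "Mozilla/5.0"
198.51.100.4 - - [16/Aug/2019:06:50:11 +0000] "POST /index.php?option=com_formmaker&task=submit HTTP/1.1" 200 512 "https://example.test/contact" "Mozilla/5.0"
192.0.2.9 - - [16/Aug/2019:06:51:30 +0000] "GET /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 404 221 "-" "python-requests/2.22"
"""

def parse_line(line):
    """Return (ip, method, option, task, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    query = parse_qs(urlparse(target).query)
    return (ip, method, query.get("option", [""])[0],
            query.get("task", [""])[0], int(status))

def summarize(log_text):
    """Tally requests by (component, method), POSTs to com_contact by IP,
    and com_contact requests answered 404 (what a disabled component returns)."""
    by_component, contact_posters, blocked = Counter(), Counter(), 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not parsed[2]:
            continue  # skip unparseable lines and requests with no option= parameter
        ip, method, option, _task, status = parsed
        by_component[(option, method)] += 1
        if option == "com_contact" and method == "POST":
            contact_posters[ip] += 1
        if option == "com_contact" and status == 404:
            blocked += 1
    return by_component, contact_posters, blocked

if __name__ == "__main__":
    comp, posters, blocked = summarize(SAMPLE_LOG)
    for (option, method), n in sorted(comp.items()):
        print(f"{option:14} {method:5} {n}")
    print("com_contact POSTs by IP:", dict(posters))
    print("com_contact requests answered 404:", blocked)
```

Run it against the real access log (for example by reading the file into `summarize`) before and after disabling Contacts: if the spam stops while com_contact POSTs turn into 404s, the component was the source; if submissions keep arriving under the form builder's option name, the form builder is.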

jeffhoneyager
Joomla! Intern

Re: Checklist for contact page hack using form maker lite

Post by jeffhoneyager » Wed Aug 21, 2019 3:59 pm

Another way to disable it is via phpMyAdmin.

- view the extensions table
- edit com_contact
- change enabled to "0", change access to "0" and Protected to "0"
com_contact-phpmyadmin-change.png
Peace & Joy, Jeff Honeyager
http://ExpertWebProfessionals.com
http://Jeff.honeyager.com
"Test Everything, Hold On To The Good."

