Spam being sent from my domain - is it DragonFly?
-> Security

#1: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Wed Dec 23, 2009 9:10 pm
    ----
I am suddenly receiving 50-60 emails bounced back to me per hour from my domain where I have DragonFly hosted. My host support (Site5) is telling me it is a script on my index.html page that has a security hole. They think it is the 'send to a friend' link being used.

Here is the reply from my host:

Quote::
X-PHP-Script: www.chantillyexpat.com/index.php for 200.177.228.4

I have checked this site and it looks like you have "send to a friend" links on your articles. It appears that this is being abused to send out a large amount of messages. Are all of the bouncebacks trying to be sent to marketingexpert @ krim.ws or are they to random email addresses? Thanks. Here are the logs of the message being sent from the server:

2009-12-23 13:45:44 1NNX9O-00086Z-NN <= chantill @ milton.site5.com U=chantill P=local S=1064 id=0aebd4e2c99732724736ca7e14443728@www.chantillyexpat.com
2009-12-23 13:45:46 1NNX9O-00086Z-NN ** marketingexpert @ krim.ws R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<marketingexpert@krim.ws>: host mx1.hqhost.net
[88.214.192.192]: 550 5.1.1 <marketingexpert@krim.ws>... User unknown
2009-12-23 13:45:46 1NNX9W-000888-Eo <= <> R=1NNX9O-00086Z-NN U=mailnull P=local S=2052
2009-12-23 13:45:47 1NNX9O-00086Z-NN Completed

He also said:

Quote::
The spam is definitely originating from the script running on your site at index.php. It is possible that there is a security hole in the application that is allowing remote users to send spam. I would suggest updating the script and any plug-ins/modules to the latest versions.

Any ideas?
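
Added example (not part of the original thread or the host's reply): Exim log lines like the ones quoted above can be summarised per local account, because `P=local` with `U=<user>` marks mail handed to Exim by a local process such as a PHP script, not mail received over SMTP. The log lines and addresses below are constructed in the same format, and `local_submitters` is a name chosen here.

```python
import re
from collections import defaultdict

# timestamp (two tokens), message id, flag, first address, remainder
LINE = re.compile(r"^\S+ \S+ (\S+) (<=|\*\*) (\S+)(.*)$")

def local_submitters(log_lines):
    """Map local user -> mail queued via P=local and its hard-failed recipients."""
    owner = {}                                     # message id -> local user
    stats = defaultdict(lambda: {"queued": 0, "failed": []})
    for line in log_lines:
        m = LINE.match(line)
        if not m:                                  # wrapped or unrelated line
            continue
        msgid, flag, addr, rest = m.groups()
        if flag == "<=":
            fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
            # "<>" is the null sender: a bounce Exim generated itself
            if addr != "<>" and fields.get("P") == "local":
                owner[msgid] = fields.get("U", "?")
                stats[owner[msgid]]["queued"] += 1
        elif msgid in owner:                       # "**" = permanent failure
            stats[owner[msgid]]["failed"].append(addr)
    return dict(stats)

# Constructed sample: two script-submitted messages (one rejected), the bounce
# Exim generated for it, and one authenticated SMTP submission for contrast.
LOG = """\
2009-12-23 13:45:44 1AAAAA-000001-AA <= siteuser@host.example U=siteuser P=local S=1064 id=abc@www.example.org
2009-12-23 13:45:46 1AAAAA-000001-AA ** nobody@example.net R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<nobody@example.net>: host mx.example.net
[192.0.2.25]: 550 5.1.1 <nobody@example.net>... User unknown
2009-12-23 13:45:46 1AAAAB-000002-AA <= <> R=1AAAAA-000001-AA U=mailnull P=local S=2052
2009-12-23 13:45:47 1AAAAA-000001-AA Completed
2009-12-23 13:45:50 1AAAAD-000004-AA <= siteuser@host.example U=siteuser P=local S=1070 id=def@www.example.org
2009-12-23 13:45:52 1AAAAD-000004-AA => someone@example.com R=lookuphost T=remote_smtp
2009-12-23 13:46:10 1AAAAC-000003-AA <= alice@example.org H=client.example [198.51.100.4] P=esmtpa A=login:alice S=900
"""

def demo():
    return local_submitters(LOG.splitlines())

if __name__ == "__main__":
    print(demo())
```

A local account with a high queued count and many failed recipients is the one whose scripts are worth inspecting first.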

#2: Re: Spam being sent from my domain - is it DragonFly? Author: Dizfunkshunal Posted: Wed Dec 23, 2009 9:27 pm
    ----
Can you send me a copy of your index.php? PM it, do not post it in the forums.


And I can see all your debug info, which should only be seen by admin!!!
Error in template.

#3: Re: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Wed Dec 23, 2009 9:31 pm
    ----
done

#4: Re: Spam being sent from my domain - is it DragonFly? Author: Dizfunkshunal Posted: Wed Dec 23, 2009 9:45 pm
    ----
Disable the Tell a friend module until you can put captcha in it or set it to registered users only. index.php is fine, at least I didn't see anything out of sorts.

Send to a friend in news too

#5: Re: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Wed Dec 23, 2009 9:47 pm
    ----
My Tell a Friend has captcha already. I presume I need to remove the link to 'send to a friend' from the articles?

My host has blocked the IP address that was sending these emails and I've done the same in DF. Is there anything else I can do?

#6: Re: Spam being sent from my domain - is it DragonFly? Author: Dizfunkshunal Posted: Wed Dec 23, 2009 9:48 pm
    ----
Send to a friend in the news

They're not stupid spammers, I mean they use proxy or zombies.

#7: Re: Spam being sent from my domain - is it DragonFly? Author: Dizfunkshunal Posted: Wed Dec 23, 2009 9:51 pm
    ----
Send me your_theme/templates/footer.html too so I can fix the bottom.

#8: Re: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Wed Dec 23, 2009 9:51 pm
    ----
So I need to edit some file to stop the send to a friend link?

#9: Re: Spam being sent from my domain - is it DragonFly? Author: Dizfunkshunal Posted: Wed Dec 23, 2009 9:52 pm
    ----
Or add captcha to it. I'm not sure how to add the captcha, but you could comment out the send a friend links.

What theme are you using?

#10: Re: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Wed Dec 23, 2009 10:08 pm
    ----
I've removed the link from the template file for now. No idea how to add a captcha to it. This seems a pretty serious hole!

#11: Re: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Wed Dec 23, 2009 10:10 pm
    ----
I've pm'd you my footer too. What's up with that??

#12: Re: Spam being sent from my domain - is it DragonFly? Author: Dizfunkshunal Posted: Wed Dec 23, 2009 10:57 pm
    ----
All the debug info at the bottom should only be seen by admin, not everyone.
Fixed and sent back.
I think there is a thread running around here that shows how to add captcha.

#13: Re: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Thu Dec 24, 2009 9:49 am
    ----
Thanks Diz.. I've removed the link to send a friend and renamed the friend.php file but I am still getting bounced back messages - 150 overnight so I dread to think how many got through...

What else can I do?

#14: Re: Spam being sent from my domain - is it DragonFly? Author: Dizfunkshunal Posted: Thu Dec 24, 2009 3:37 pm
    ----
You removed the ability to tell a friend. All you really can do now is figure out how to add captcha. This thread might help you: dragonflycms.org/Forum...t=captcha/

#15: Re: Spam being sent from my domain - is it DragonFly? Author: NanoCaiordo Location: Melbourne, AU Posted: Sat Dec 26, 2009 5:43 am
    ----
The PHP installed on your server is already patched with PHP mail headers, but it's not picking up the correct file.
Quote::
X-PHP-Script: www.chantillyexpat.com/index.php for 200.177.228.4

Try to use the attached includes/classes/phpmailer.php; at least you will know which file is actually being abused.

This file will be included in 9.2 and 10.

#16: Re: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Sat Dec 26, 2009 10:40 am
    ----
Thanks Nano, nothing attached - can I use the file from CVS? Will those close the 'hole' my host was referring to?

#17: Re: Spam being sent from my domain - is it DragonFly? Author: NanoCaiordo Location: Melbourne, AU Posted: Sun Dec 27, 2009 2:54 am
    ----
You should now be able to download the file.

No, it won't get rid of the problem.
It will include a custom header in all outgoing emails
"X-DF-MailerSRC: FileUsedToSendMail for IpAddress"

When you receive a bounced email, check for this header in the mail message source and you will know which file is abused.
No need to guess anymore. Straight to the source of the issue.

At this stage you will know what you need to disable/change.
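
Added example (not from the thread and not DragonFly code): one way to run the check described above over a folder of bounces, reading each bounce's source and counting which file and client IP the `X-PHP-Script` / `X-DF-MailerSRC` headers name. The bounce samples, paths and addresses are constructed, and it assumes the header value has the "file for IP" form quoted above.

```python
import re
from collections import Counter
from email import message_from_string

# Value form "<file> for <client IP>", as quoted in the thread.
TRACE = re.compile(r"^(X-PHP-Script|X-DF-MailerSRC):[ \t]*(.+?)[ \t]+for[ \t]+(\S+)",
                   re.MULTILINE | re.IGNORECASE)

def embedded_texts(msg):
    """Yield each chunk of a bounce that can carry the original headers."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and part.is_multipart():
            for inner in part.get_payload():     # original attached whole
                yield "\n".join(f"{k}: {v}" for k, v in inner.items())
        elif ctype.startswith("text/"):          # inline copy or rfc822-headers
            data = part.get_payload(decode=True) or b""
            yield data.decode("utf-8", "replace")

def trace_bounces(sources):
    """Count (file, client IP) pairs over raw bounce sources, one vote each."""
    hits = Counter()
    for raw in sources:
        found = {}
        for text in embedded_texts(message_from_string(raw)):
            for name, script, ip in TRACE.findall(text):
                # prefer X-DF-MailerSRC: it names the file, not just index.php
                if name.lower() == "x-df-mailersrc" or ip not in found:
                    found[ip] = script
        hits.update((script, ip) for ip, script in found.items())
    return hits

# Constructed samples: an Exim-style bounce with the message copied inline and
# a multipart/report bounce that carries only the original headers.
INLINE = ("Subject: Mail delivery failed\n\n"
          "------ This is a copy of the message, including all the headers. ------\n\n"
          "X-PHP-Script: www.example.org/index.php for 203.0.113.7\n"
          "X-DF-MailerSRC: /home/user/public_html/modules/Example/friend.inc"
          " for 203.0.113.7\n\nbody\n")
REPORT = ('Content-Type: multipart/report; boundary="b1"\n\n'
          "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
          "--b1\nContent-Type: text/rfc822-headers\n\n"
          "X-PHP-Script: www.example.org/index.php for 198.51.100.9\n--b1--\n")

def demo():
    return trace_bounces([INLINE, REPORT, INLINE])

if __name__ == "__main__":
    print(demo().most_common())
```

Bounces that only carry `X-PHP-Script` still point at the front controller (index.php), which is why the extra header is needed to find the module actually sending the mail.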

#18: Re: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Sun Dec 27, 2009 8:51 am
    ----
Thanks Nano - I'll keep an eye. My host banned the IP that 'appeared' to be sending the emails (and the email addresses got all the way to az**@*.*) and they appear to have stopped for now.

#19: Re: Spam being sent from my domain - is it DragonFly? Author: Dizfunkshunal Posted: Sun Dec 27, 2009 3:48 pm
    ----
They have stopped, lol, because you removed the Tell a friend option.

#20: Re: Spam being sent from my domain - is it DragonFly? Author: NanoCaiordo Location: Melbourne, AU Posted: Mon Dec 28, 2009 2:29 am
    ----
They have stopped because you removed the Tell a Friend module and/or the IP was banned, but the patch will still help you in case some other module uses a similar function.

#21: Re: Spam being sent from my domain - is it DragonFly? Author: macavity Posted: Sat Jan 23, 2010 10:10 pm
    ----
rosbif,

Just came across this thread. I encountered exactly the same problem on the 17th of December (disabled the module to deal with it at that time). Interestingly the site in question was very much along the same lines as yours as far as subject matter is concerned - just a coincidence I guess!

#22: Re: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Tue Jan 26, 2010 8:26 am
    ----
Could be - seemed like a determined attack to me at the time!

#23: Re: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Sun May 09, 2010 1:15 pm
    ----
I've started getting attacked again - having added the line to my phpmailer page, the offending page that is being targeted is /home/chantill/public_html/modules/Downloads/include/friend.inc

I'm going to try and add a captcha to that page or change it to registered users only to try and shore it up. To be honest I think every link like this should be plugged or selectable in config..

#24: Re: Spam being sent from my domain - is it DragonFly? Author: macavity Posted: Sun May 09, 2010 1:20 pm
    ----
Sorry to hear that. If/when I bring ours back online I think it definitely has to be for registered users only - hope that works for you.

#25: Re: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Sun May 09, 2010 1:54 pm
    ----
I've added the following lines to the preview and submit functions in friend.inc

Code::
   if (!is_user()) { $error = 'Sorry, this function is for registered users only'; }

and I've changed the form at the bottom to this:

Code::
       <input type="hidden" name="id" value="'.$friend_id.'" />';

       // Show the preview/submit buttons to logged-in users only
       if (is_user()) {
           echo '<input type="submit" name="preview_message" value="'._PREVIEW.'" /> <input type="submit" name="send_message" value="'._SUBMIT.'" />';
       } else {
           echo 'Please log in to use this feature';
       }

       echo '</form>';

Think that should be sufficient. I should really make it multilingual and/or not display the tell a friend link if not logged in but I can't find where to add that bit!

#26: Re: Spam being sent from my domain - is it DragonFly? Author: rosbif Location: Paris, France Posted: Sun May 09, 2010 1:58 pm
    ----
The IP address showing up is 112.202.212.250 so I am going to block that too.

#27: Re: Spam being sent from my domain - is it DragonFly? Author: macavity Posted: Sun May 09, 2010 2:32 pm
    ----
Thanks for sharing that info - I'll make a note.



All times are GMT