osCommerce

Email Was Spammed


awisdoms


Yes, I am. I actually just got these two a few minutes ago. I'll post one of them. I did notice that it now shows the IP.

 

Return-path: <[email protected]>

Envelope-to: [email protected]

Delivery-date: Wed, 14 Sep 2005 12:09:37 -0400

Received: from esarnia7 by aquarius.addaction.net with local-bsmtp (Exim 4.44)

id 1EFZpJ-0007eW-7l

for [email protected]; Wed, 14 Sep 2005 12:09:37 -0400

Received: from esarnia7 by aquarius.addaction.net with local (Exim 4.44)

id 1EFZpJ-0007eS-5y

for [email protected]; Wed, 14 Sep 2005 12:09:37 -0400

To: "Ancient Wisdoms" <[email protected]>

Subject: Enquiry from Ancient Wisdoms

From: "[email protected] multipart/mixed; boundary="===============1014254678==" MIME-Version: 1.0 Subject: f9a07651 To: [email protected] bcc: [email protected] From: [email protected] This is a multi-part message in MIME format. --===============1014254678== text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit mttzcgryiu --===============1014254678==--" <[email protected]>

MIME-Version: 1.0

X-Mailer: osCommerce Mailer

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

Message-Id: <[email protected]>

Date: Wed, 14 Sep 2005 12:09:37 -0400

X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on

aquarius.addaction.net

X-Spam-Level:

X-Spam-Status: No, score=-2.3 required=5.0 tests=ALL_TRUSTED,

FROM_ENDS_IN_NUMS autolearn=ham version=3.0.4

 

 

[email protected]

 

IP: 212.219.250.34



Image security code ("Visual Verify Code") SHOULD work. I don't understand why you say it doesn't. Something must be wrong in your script.

Those really do work on all sites I've seen them on. Unless bots have figured a way around them.

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )


Image security code ("Visual Verify Code") SHOULD work. I don't understand why you say it doesn't. Something must be wrong in your script.

Those really do work on all sites I've seen them on. Unless bots have figured a way around them.

 

Who's saying it doesn't? I personally don't much like them so that would be my last choice.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


You installed the VVC contribution and you're still getting spam? I really would like to know this.

 

Yes, the VVC seems to be bypassed in some cases.

 

I've applied every fix from here (except for the "validate string" thingy), and the visual verification code bit, yet spam is still coming in.

 

On the up side, only one out of three spam attempts succeed.


By the way: $_SERVER['HTTP_REFERER'] for all spambot attacks is set to the catalog root, instead of /contact_us.php.

 

A bot entry looks like this:

HTTP_REFERER: http://(osc root)/

REQUEST_URI: /contact_us.php?action=send&osCsid=cfaff5b0cb4f98bba7225a380269f17b

 

A valid request looks like this:

HTTP_REFERER: http://(site root)/contact_us.php?osCsid=981e35b805a0e2f4c3f6222b63cb25f4

REQUEST_URI: /contact_us.php?action=send

 

A check to assert that the send request actually comes from the contact page would help, something like:

 

if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')
    && isset($_SERVER['HTTP_REFERER'])
    && preg_match('/\/contact_us\.php(\?|$)/', $_SERVER['HTTP_REFERER'])) {
  // the referer is a full URL ("http://host/contact_us.php?..."), so the
  // pattern is not anchored at the start of the string

 

(UNTESTED)

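A fuller version of that check, added here as an example and not taken from the thread or from osCommerce: it parses the referer with parse_url() so the full URL form ("http://host/contact_us.php?...") matches, compares the host, and also records the second signal the post shows, osCsid appearing in the send URI. The request arrays and the host name shop.example.com are constructed for the demo. Caveat a practitioner would want: a bot can set Referer to anything and privacy proxies strip it, so use the result to prioritise logging or to trigger the CAPTCHA, not as the only gate.

```php
<?php
// Added example, not the thread's own code and not osCommerce code:
// classify a contact_us.php "send" request from two weak signals.
// The referer is client-controlled, so this is a triage signal only.

// True only when the referer parses, names the expected host and ends in
// contact_us.php. Absent or unparsable referers count as "not vouched".
function referer_is_contact_page(array $server, $expected_host)
{
    if (empty($server['HTTP_REFERER'])) {
        return false;
    }
    $parts = parse_url($server['HTTP_REFERER']);
    if ($parts === false || !isset($parts['host'], $parts['path'])) {
        return false;
    }
    return strcasecmp($parts['host'], $expected_host) === 0
        && preg_match('#(^|/)contact_us\.php$#', $parts['path']) === 1;
}

// Returns the list of bot signals seen on a send request (empty = none).
function classify_send_request(array $server, $expected_host)
{
    $signals = array();
    if (!referer_is_contact_page($server, $expected_host)) {
        $signals[] = 'referer is not contact_us.php';
    }
    // The bot samples in the post carry osCsid in the send URI; the valid
    // browser request does not.
    if (isset($server['REQUEST_URI']) && strpos($server['REQUEST_URI'], 'osCsid=') !== false) {
        $signals[] = 'osCsid in request URI';
    }
    return $signals;
}

// Constructed requests modelled on the two samples in the post.
$bot = array(
    'HTTP_REFERER' => 'http://shop.example.com/',
    'REQUEST_URI'  => '/contact_us.php?action=send&osCsid=cfaff5b0cb4f98bba7225a380269f17b',
);
$human = array(
    'HTTP_REFERER' => 'http://shop.example.com/contact_us.php?osCsid=981e35b805a0e2f4c3f6222b63cb25f4',
    'REQUEST_URI'  => '/contact_us.php?action=send',
);

foreach (array('bot' => $bot, 'human' => $human) as $label => $req) {
    $s = classify_send_request($req, 'shop.example.com');
    printf("%-5s %s\n", $label, $s ? implode('; ', $s) : 'no bot signals');
}
```

Drop these arrays in place of $_SERVER inside contact_us.php and log the returned list next to the trace mail described later in the thread; the two signals together are a reasonable trigger for the VVC prompt or the automatic ban, but neither replaces rejecting line breaks in the header fields.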

Yes, the VVC seems to be bypassed in some cases.

 

I've applied every fix from here (except for the "validate string" thingy), and the visual verification code bit, yet spam is still coming in.

 

Scratch that.

 

I looked at the code again, and it turns out I misplaced a bit of code in contact_us.php that effectively made the patch useless (it verified the captcha after sending the mail, har har har).


I'll add a note here about blocking IP's. It is quite simple with htaccess, just use the following code, edited for the proper IP:

<Limit GET POST>
# rules inside <Limit> only apply to the listed methods, so cover a POSTed form as well as the GET the bot uses
order deny,allow
deny from 69.60.119.87
</Limit>

 

How do you know which IP to block? I have a visitor stats contrib installed that records all visitors, and a bunch of info on them, including IP, date and time, and pages visited. Reviewing the data, using the time and date from some spam samples, I found the IP in the code was often at the site around that time, visiting the contact_us.php page.

 

It's been a day so far, and so far so good, we'll see how long it lasts.

 

Jeremy


Hi Jeremy, there is another contrib that, if combined with the VVC one, updates the .htaccess automatically on detection of foul play. See my post on this thread on the first page.

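An added example of the automatic variant, not the contribution referred to above (its code is not on this page) and not part of osCommerce: a function that appends a deny rule for one validated IP to a ban file, serialised with flock() so two detections at once do not clobber each other. Assumptions: the ban file path is hypothetical, the file is either the store's .htaccess or a file your vhost Includes, and the PHP process can write it. Two caveats: a config file writable by the web server is itself an exposure, so keep it outside the document root and consider logging plus fail2ban instead; and `order`/`deny` are Apache 2.2 directives (mod_access_compat in 2.4, where the native form is `Require not ip`).

```php
<?php
// Added example, not the contribution mentioned above and not osCommerce
// code: record a ban for one offending client IP in an Apache deny block,
// the way the post above does by hand.

define('BAN_FILE', '/tmp/osc-ban.htaccess');   // hypothetical path for the demo

// Never let a crafted REMOTE_ADDR or X-Forwarded-For value become free text
// in a config file: only a syntactically valid IPv4/IPv6 literal is accepted.
function is_bannable_ip($ip)
{
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

// Returns true if the rule was added, false if the IP was invalid, already
// listed, or the file could not be locked.
function ban_ip($ip, $file = BAN_FILE)
{
    if (!is_bannable_ip($ip)) {
        return false;
    }
    $fh = fopen($file, 'c+');            // create if missing, never truncate on open
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false;
    }
    $existing = stream_get_contents($fh);
    $rule = 'deny from ' . $ip;
    if (strpos($existing, $rule . "\n") !== false) {
        flock($fh, LOCK_UN);
        fclose($fh);
        return false;
    }
    if (strpos($existing, '</Limit>') === false) {
        // No block yet: create the one the post uses, covering POST as well as GET.
        $updated = $existing . "<Limit GET POST>\norder deny,allow\n$rule\n</Limit>\n";
    } else {
        // Put the new rule inside the first existing block.
        $updated = preg_replace('#</Limit>#', "$rule\n</Limit>", $existing, 1);
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, $updated);
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return true;
}

// Constructed trigger: in the store this would run where the contact form
// detects a line break in a header-bound field.
@unlink(BAN_FILE);                                  // start the demo clean
$offender = '203.0.113.45';                         // documentation-range address
printf("ban %s: %s\n", $offender, ban_ip($offender) ? 'added' : 'skipped');
printf("ban %s again: %s\n", $offender, ban_ip($offender) ? 'added' : 'skipped');
$crafted = "203.0.113.46\ndeny from 0.0.0.0/0";     // what a spoofed header could carry
printf("ban crafted value: %s\n", ban_ip($crafted) ? 'added' : 'rejected');
echo "\n", file_get_contents(BAN_FILE);
```

The IP validation is the part that matters most: the same bot that injects newlines into a form field will happily put them in X-Forwarded-For, and an unvalidated write would let it add or remove rules of its own.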

Yes, the VVC seems to be bypassed in some cases.

 

I've applied every fix from here (except for the "validate string" thingy), and the visual verification code bit, yet spam is still coming in.

 

And what's wrong with the "validate string" thingy. :P

Works for me and others who use it.

Like I said I got it off the php.net site and it is used by other people not just for osc.

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )


And what's wrong with the "validate string" thingy?

 

Note that they can keep retrying & running scripts on your forms and eventually they will figure something else out. So better ban them the first time you detect something bad.


Didn't mean to put down anyone's work, far from it!

 

The usefulness of the "validate string" function, and the exact location of it in the code, weren't immediately evident to me at the time, so I didn't put it in. It seems to me that the checks for newlines handle the problem appropriately, but there certainly isn't any harm in preventing needless characters from being entered to get rid of the vulnerability entirely.

 

The good thing is, no spam gets through from the bot any more, which is a relief.


I have been reading this string of replies and questions. I keep receiving emails from mailer daemon@(differentdomainnames).com to (a random string of characters)@(mydomainname).com that the following emails could not be delivered. It's obvious by the failed email addresses that it is being generated by a program, from your replies I'm assuming that's called a bot. I asked the guy that "created" or built our osCommerce site about it and he just blew it off saying that anyone can send you an email from anyone. He said that it is illegal, but they can do it. He then proceeded to send me an email that was from [email protected].

 

How can I tell if it is coming from the contact_php or from just someone scanning for domain names?

 

Thanks for your help. I'm a noobie premie. (I have been brought into the world of osCommerce before I was completely developed). :'(


You can only tell from the email headers.

 

One other thing that could protect the email addresses posted on your pages (like About Us) from farming would be to have a jscript that composes the email address fields and displays them only when it runs. Therefore SEO would never see the email address, since jscript is disabled when they scan.

 

here is a simple function for it:

 

function MailSite(userName, userMail)
{
  // the address is assembled only when the script runs, so it never appears
  // whole in the page source that a harvester reads
  document.write('<a href="' + 'mailto:' + userMail + '@' + 'yourdomain' + '.' + 'com' + '">' + userName + '</a>');
}

then in the html body you call it (the function must be defined earlier in the page, e.g. in the head):

<script type="text/javascript">
  MailSite("Your shop department", "emailname");
</script>

 

of course bots can also use the whois to grab your email.


OK, I've just read through this whole topic and have a few questions: -

 

Is there a definitive answer?

 

Does the Validate Input contrib work? To allow for different languages, special characters etc., wouldn't it be better to check for disallowed characters (if I'm correct - CR's and new lines etc.), rather than a huge list of what's allowed?

 

What pages are affected? Just the contact_us.php? What about tell_a_friend.php? Any others?

 

I think this is going to be a BIG problem, I have php contact forms on other (non osC) sites and these spammers are scanning everywhere for this header injection exploit. osC contact forms are very easy to find on an un-modded installation.


OK, I've just read through this whole topic and have a few questions: -

 

Is there a definitive answer?

 

Does the Validate Input contrib work? To allow for different languages, special characters etc., wouldn't it be better to check for disallowed characters (if I'm correct - CR's and new lines etc.), rather than a huge list of what's allowed?

 

What pages are affected? Just the contact_us.php? What about tell_a_friend.php? Any others?

 

I think this is going to be a BIG problem, I have php contact forms on other (non osC) sites and these spammers are scanning everywhere for this header injection exploit. osC contact forms are very easy to find on an un-modded installation.

 

Don't know if it is definitive but since I applied the two changes suggested by user "Dave with the many 9's" I have not received a single spam anymore through my contact us page (the fix for the textarea field in post #21 and the one from post #41 for the tep_mail function).


Don't know if it is definitive but since I applied the two changes suggested by user "Dave with the many 9's" I have not received a single spam anymore through my contact us page (the fix for the textarea field in post #21 and the one from post #41 for the tep_mail function).

 

Thanks, I'll give them a go....

 

Next question - is there a test to see if it works? I realise it's not a good idea to post the method to exploit the forms....but please PM me if you know!

 

Using a stock osC installation I can't spam myself from my site, so I'm probably doing it wrong!

 

I haven't received any actual spam yet through my store, but I imagine it's just a matter of time...and better to be proactive rather than reactive, I say :)


Is there a definitive answer?

The fixes indicated at http://www.oscommerce.com/community/contributions,3534 work for me, and concerned, compassionate developers are updating them as needed. Sanitizing input and cleaning variables as explained in this file *should* do the trick.

 

What pages are affected? Just the contact_us.php? What about tell_a_friend.php? Any others?

contact_us, tell_a_friend, product_reviews_write, login, there could be more but these are the obvious ones.

 

I think this is going to be a BIG problem, I have php contact forms on other (non osC) sites and these spammers are scanning everywhere for this header injection exploit. osC contact forms are very easy to find on an un-modded installation.

It is a big, recurring, problem. The vulnerability is due to poor security code in the affected osC versions; any other code you have that fails to sanitize variables fed into a mail() call, is an open invitation to use your server as a spam relay.

 

Developers of well-maintained software packages usually take necessary steps as soon as a vulnerability is discovered, so you need to check with every software you have installed on your server to make sure you have the latest versions installed and scripts are up to par on security.

 

For the present case, the fixes indicated in this thread, and collated in the comprehensive fix, have effectively prevented the bot from operating on my server.

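To make the "variables fed into mail()" point concrete, here is an added example, not osCommerce's tep_mail() and not any poster's code: the From: header a contact form typically builds from user input, once unguarded and once with the line-break check the thread's fixes apply, run against a constructed submission shaped like the bot's. build_headers() returns the header string instead of calling mail(), so the injected To:/bcc: lines can be seen without sending anything. The address check is a deliberately simple regex, not a full RFC 5322 validator.

```php
<?php
// Added example, not osCommerce's tep_mail() and not any poster's code:
// the From: header a contact form builds from user input, unguarded and
// guarded, exercised with a constructed bot submission. Nothing is sent.

// The header-building pattern that is the actual point of exposure.
function build_headers($from_name, $from_email)
{
    return 'From: "' . $from_name . '" <' . $from_email . ">\r\n"
         . "X-Mailer: osCommerce Mailer\r\n";
}

// True if the value could end the current header line: CR, LF, NUL, or the
// URL-encoded forms in case something decodes the value a second time.
function contains_header_break($value)
{
    return preg_match('/[\r\n\0]|%0[aAdD]/', $value) === 1;
}

// Vulnerable: header-bound fields are used as received.
function contact_send_vulnerable($name, $email, $enquiry)
{
    return array('ok' => true, 'headers' => build_headers($name, $email), 'body' => $enquiry);
}

// Hardened: header-bound fields must be single-line and the address must
// look like one address. The body may still contain newlines; that is not
// where the injection happens.
function contact_send_hardened($name, $email, $enquiry)
{
    if (contains_header_break($name) || contains_header_break($email)) {
        return array('ok' => false, 'reason' => 'line break in a header field');
    }
    // Deliberately simple shape check (assumption: one bare address, no display name).
    if (!preg_match('/^[^@\s<>"]+@[^@\s<>"]+\.[^@\s<>"]+$/D', $email)) {
        return array('ok' => false, 'reason' => 'malformed address');
    }
    return array('ok' => true, 'headers' => build_headers($name, $email), 'body' => $enquiry);
}

// Constructed bot submission: the "name" field smuggles extra header lines,
// the shape the exploit URL quoted later in the thread produces.
$bot_name  = "victim@example.org\nTo: victim@example.org\nbcc: victim2@example.org\nFrom: bot@example.net\n";
$bot_email = 'bot@example.net';
$enquiry   = 'Spam...';

$v = contact_send_vulnerable($bot_name, $bot_email, $enquiry);
echo "unguarded header block, one line per header the MTA would see:\n";
foreach (preg_split("/\r?\n/", rtrim($v['headers'])) as $line) {
    echo "  $line\n";
}

$h = contact_send_hardened($bot_name, $bot_email, $enquiry);
echo "guarded: " . ($h['ok'] ? 'accepted' : 'rejected, ' . $h['reason']) . "\n";

$ok = contact_send_hardened('Jane Customer', 'jane@example.com', "Hello,\nis item 42 still in stock?");
echo "legitimate enquiry: " . ($ok['ok'] ? 'accepted' : 'rejected, ' . $ok['reason']) . "\n";
```

The unguarded output shows To:, bcc: and a second From: arriving as separate header lines, which is exactly what the MTA acts on; the guarded path refuses the same input before any header is built, while a normal multi-line enquiry still goes through. The same rule applies to every field that lands in a header on the other pages listed above (tell_a_friend, product_reviews_write), not just contact_us.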

How can I tell if it is coming from the contact_php or from just someone scanning for domain names?

Ideally, you'd need to have access to server logs and trace back messages according to the message ID.

 

In our case, the bot doesn't mask the X-Mailer header; if you look at a spam message's header and see "X-Mailer: osCommerce Mailer", then your osCommerce site is indeed the culprit and you should ask your webmaster to apply the fix ASAP.

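As an added example, not from the thread, here is a small header analyser that applies both of those tells to a raw header block: it unfolds the headers, reports whether X-Mailer names osCommerce, and flags any From:/To:/Subject: value that itself contains header tokens (To:, bcc:, MIME-Version:, a boundary=), which is what the spam in the first post shows; it also reports singleton headers that occur twice, the form the injection takes when the newlines survive. The sample header block is constructed from that post with addresses replaced by example.* domains.

```php
<?php
// Added example (not from the thread or osCommerce): spot a contact-form
// header injection from a delivered message's raw headers.

// Parse an RFC 822 header block into name => array of values. Continuation
// lines (leading space or tab) are unfolded onto the previous value.
function parse_headers($raw)
{
    $headers = array();
    $current = null;
    foreach (preg_split("/\r?\n/", $raw) as $line) {
        if ($line === '') {
            break;                       // blank line: the body starts here
        }
        if (($line[0] === ' ' || $line[0] === "\t") && $current !== null) {
            $last = count($headers[$current]) - 1;
            $headers[$current][$last] .= ' ' . trim($line);
            continue;
        }
        $pos = strpos($line, ':');
        if ($pos === false) {
            continue;                    // not a header line
        }
        $current = strtolower(substr($line, 0, $pos));
        $headers[$current][] = trim(substr($line, $pos + 1));
    }
    return $headers;
}

// Header tokens that have no business inside the value of another header.
function injected_header_tokens($value)
{
    $hits = array();
    foreach (array('to:', 'bcc:', 'from:', 'subject:', 'content-type:', 'mime-version:', 'boundary=') as $tok) {
        if (stripos($value, $tok) !== false) {
            $hits[] = $tok;
        }
    }
    return $hits;
}

function analyse_headers($raw)
{
    $h = parse_headers($raw);
    $report = array(
        'oscommerce_mailer' => isset($h['x-mailer']) && stripos($h['x-mailer'][0], 'oscommerce') !== false,
        'injected'          => array(),   // header name => tokens found in its value
        'duplicated'        => array(),   // singleton headers that occur more than once
    );
    foreach (array('from', 'to', 'subject', 'reply-to') as $name) {
        if (!isset($h[$name])) {
            continue;
        }
        if (count($h[$name]) > 1) {
            $report['duplicated'][] = $name;   // injected newlines that survived intact
        }
        foreach ($h[$name] as $value) {
            $tokens = injected_header_tokens($value);
            if ($tokens) {
                $report['injected'][$name] = $tokens;
            }
        }
    }
    return $report;
}

// Constructed sample modelled on the first post's headers (addresses changed).
$sample = "Return-path: <bot@example.net>\r\n"
        . "Received: from esarnia7 by aquarius.example.net with local (Exim 4.44)\r\n"
        . "\tid 1EFZpJ-0007eS-5y\r\n"
        . "To: \"Ancient Wisdoms\" <shop@example.com>\r\n"
        . "Subject: Enquiry from Ancient Wisdoms\r\n"
        . "From: \"bot@example.net multipart/mixed; boundary=\"===============1014254678==\" MIME-Version: 1.0 Subject: f9a07651 To: spam@example.org bcc: spam2@example.org From: bot@example.net\" <bot@example.net>\r\n"
        . "MIME-Version: 1.0\r\n"
        . "X-Mailer: osCommerce Mailer\r\n"
        . "Content-Type: text/plain; charset=\"iso-8859-1\"\r\n"
        . "\r\n"
        . "mttzcgryiu\r\n";

$r = analyse_headers($sample);
printf("sent through the osCommerce mailer: %s\n", $r['oscommerce_mailer'] ? 'yes' : 'no');
foreach ($r['injected'] as $name => $tokens) {
    printf("%s: value contains injected header tokens (%s)\n", $name, implode(', ', $tokens));
}
foreach ($r['duplicated'] as $name) {
    printf("%s: appears more than once\n", $name);
}
```

Feed it the headers of a bounce or of a copy the spam run sent to you, not the bounce's own outer headers; the Message-Id and the Received: line naming your host are what let you match the message against the trace mail or the web server log for the same second.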

Thanks Eric.

 

You seem to know a lot on the subject - fancy PMing me instruction how to test?

 

I want to test my store forms before I apply fix(es), and after.

I'm more knowledgeable than you by a mere couple of weeks, which isn't much. And I did set up my first osCommerce site this summer, which was quite a pain compared to the modular CMS I'm used to, such as Xoops and WordPress.

 

For testing purposes, what I did was send myself an informative message upon every contact request, like so:

 

  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {

   /*** send admin a trace ***/
   $trace = "IP:" . $_SERVER['REMOTE_ADDR']
     . "\nREFERER:" . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '(none)')
     . "\nURI:" . $_SERVER['REQUEST_URI'] . "\n\n\n";
   foreach ($_POST as $key => $value) {
     $trace .= "$key: $value\n\n";
   }
   foreach ($_GET as $key => $value) {
     $trace .= "$key: $value\n\n";
   }
   // user input only goes into the body; the sender, recipient and subject
   // are fixed strings, so the trace mail itself cannot be header-injected
   tep_mail('me', '[email protected]', 'spam trace', $trace, 'osC admin', '[email protected]');
   /*** end trace ***/

   // ... the rest of the original contact_us.php send block continues here

 

Whenever a contact request came in, I was notified at [email protected] with a message containing all POST and GET variables in the message body. Once the fixes were in place, I continued to be notified of spambots when they came in, but they no longer reached the contact email box.

 

Comment out the code when the spam problem is resolved.


Whenever a contact request came in, I was notified at [email protected] with a message containing all POST and GET variables in the message body. Once the fixes were in place, I continued to be notified of spambots when they came in, but they no longer reached the contact email box.

 

Comment out the code when the spam problem is resolved.

 

Thanks, but I don't actually have any spam coming in, in fact the osC store I'm working on isn't even public yet. I already get the emails sent through the contact us page, as the recipient email address is mine.

 

What I want to do is recreate what a spammer will do through my form, myself, so I can see for myself the problem, and also make sure it's resolved once I apply the fix(es).

 

So basically all I want to know is what to put in the contact_us page's "Your Name", "Your E-Mail Address" and "Message" boxes (as a visitor to the site) to recreate the problem we're trying to solve. This might be a stupid question, but as I said earlier I've tried, and failed!


Thanks, but I don't actually have any spam coming in, in fact the osC store I'm working on isn't even public yet. I already get the emails sent through the contact us page, as the recipient email address is mine.

 

What I want to do is recreate what a spammer will do through my form, myself, so I can see for myself the problem, and also make sure it's resolved once I apply the fix(es).

 

So basically all I want to know is what to put in the contact_us page's "Your Name", "Your E-Mail Address" and "Message" boxes (as a visitor to the site) to recreate the problem we're trying to solve. This might be a stupid question, but as I said earlier I've tried, and failed!

Ah well, just look up this thread to usermanynines' entries, such as this one or that one. The latter is probably what you want.


Ah well, just look up this thread to usermanynines' entries, such as this one or that one.  The latter is probably what you want.

 

Thanks! I didn't realise that this: -

 

http://demo.oscommerce.com/contact_us.php?email=******@gmail.com&enquiry=Spam...%3C/textarea%3EFull Name:%3Ctextarea name=name wrap=soft cols=50 rows=15%3E******@gmail.com%0ATo: ******@gmail.com%0Abcc: ******@gmail.com%0AFrom: ******@gmail.com%0A%3C/textarea%3E

 

Went into the address bar - interesting results! Now to close that door....:)


Hey,

 

I wasn't sure where to put this, but this is the information I received when I did an IP address search for someone using our domain name to send spam. Is there anywhere that I can send that to so they may possibly be stopped? In the returned mail to me from [email protected] that was the from IP. Actually, the whole "from" was: dsl-201-155-244-207.prod-empresarial.com.mx

 

"Search ARIN WHOIS for: 201.155.244.207

OrgName: Latin American and Caribbean IP address Regional Registry

OrgID: LACNIC

Address: Potosi 1517

City: Montevideo

StateProv:

PostalCode: 11500

Country: UY

 

ReferralServer: whois://whois.lacnic.net

 

NetRange: 201.0.0.0 - 201.255.255.255

CIDR: 201.0.0.0/8

NetName: LACNIC-201

NetHandle: NET-201-0-0-0-1

Parent:

NetType: Allocated to LACNIC

NameServer: NS.LACNIC.NET

NameServer: NS2.DNS.BR

NameServer: TINNIE.ARIN.NET

NameServer: NS-SEC.RIPE.NET

NameServer: SEC3.APNIC.NET

Comment: This IP address range is under LACNIC responsibility

Comment: for further allocations to users in LACNIC region.

Comment: Please see http://www.lacnic.net/ for further details,

Comment: or check the WHOIS server located at whois.lacnic.net

RegDate: 2003-04-03

Updated: 2004-03-18

 

OrgTechHandle: LACNIC-ARIN

OrgTechName: LACNIC Whois Info

OrgTechPhone: (+55) 11 5509-3522

OrgTechEmail: [email protected]

 

# ARIN WHOIS database, last updated 2005-09-21 19:10

# Enter ? for additional hints on searching ARIN's WHOIS database."

 

Any help is appreciated.

 

Thanks,

 

Sabra


Do a search on http://lacnic.net/en/ for the IP, and try the [email protected] address:

 

 

nic-hdl: SRU

person: SEGURIDAD DE RED UNINET

e-mail: [email protected]

address: PERIFERICO SUR, 3190, ALVARO OBREG

address: 01900 - MEXICO - DF

country: MX

phone: +52 55 52237234 []

created: 20030701

changed: 20030703

