Zuncan (author), posted September 5, 2005:

Hi! Saw this morning that someone is using my site to send spam emails. I also noticed that I'm not alone. But it seems like there are many different solutions to fix this. Can someone please tell me how to fix this the proper way? Maybe a proper contribution for this issue? The spam mail I got looks like this:

    [email protected]
    Content-Type: multipart/mixed; boundary="===============0302808415=="
    MIME-Version: 1.0
    Subject: fc78ab94
    To: [email protected]
    bcc: [email protected]
    From: [email protected]

    This is a multi-part message in MIME format.
    --===============0302808415==
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    egbmzocuww
    --===============0302808415==--

So what?! Who cares in a hundred years anyway?
Guest, posted September 5, 2005:

Could be your version of PHP, your site security, etc. How do you know they are actually using your site to do this?
Zuncan (author), posted September 5, 2005:

I don't know, actually. My admin is password and SSL protected. I guess there is some kind of harvesting hacker program in action here, since there are more than me that have exactly the same problem. bcc: [email protected] has been seen from others with an osC site as well.
Zuncan (author), posted September 5, 2005:

They are maybe using some kind of way to send mails from my domain, but not straight from my site. I'm kind of a noobie with PHP and so on, so a proper contribution for this issue would be more than appreciated.
Guest, posted September 5, 2005:

See if this could possibly be it: http://www.oscommerce.com/community/bugs,2...arch,contact+us
Zuncan (author), posted September 5, 2005:

Yeah, that seems to be what I'm after, but as I said, I don't really know what it means.

"adding strip_tags in front of the stripslashes on line 222, and also adding strip_tags to line 224 just for the heck of it, the problem is solved"

What is strip_tags? What is stripslashes? Not so good with English, you see.
Wendy James, posted September 5, 2005:

Are you sure the emails are actually coming from your site? Do you have a way of tracking it? Lots of people out there know how to send emails that look like they are coming from someone else. Heck, one day I even got spam mail coming from my own personal email address. All they need to know is a domain name, really. Guesswork does the rest.

Wendy James
Creativity is allowing yourself to make mistakes. Art is knowing which ones to keep.
Darklings, posted September 5, 2005:

> Are you sure the emails are actually coming from your site? Do you have a way of tracking it? Lots of people out there know how to send emails that look like they are coming from someone else. Heck, one day I even got spam mail coming from my own personal email address. All they need to know is a domain name, really. Guesswork does the rest.

They are sent by the contact_us page - check this topic: http://www.oscommerce.com/forums/index.php?showtopic=167860

Kind regards,
Tom
Even in this dark place, yes, I am afraid of my own shadow.
Cowzor, posted September 5, 2005:

At some point on the Contact Us page, in one of the fields, the person attempting to abuse the Contact Us page will insert code into the fields which are intended to be used for the sender's email address. Instead they are inserting the code for new lines into those fields, where they can insert more recipients (the people they are spamming). The problem seems to be that osCommerce doesn't (as far as I know) check that those fields don't have any malicious code in them before it unwittingly sends out the spam emails, which in turn look like they have come from the victim's domain.
Zuncan (author), posted September 5, 2005:

It would be great with a contribution that contains all the needed updates to secure osC 2.2. A contribution that tells what code to replace with what, and so on. It seems like a needed thing, since there seem to be 30 different suggestions on how to protect myself from spam.
♥Vger, posted September 5, 2005:

I regularly get e-mails which are spam - allegedly sent either by bogus e-mail addresses on domains I manage, or else from real e-mail addresses on domains I manage. Not one of them actually is routed through any of those domains. When you get the e-mail you need to right-click, select Options, and view the Header File (Message Source Code), and in particular the IP addresses listed there. More likely than not your e-mail addresses are being spoofed, and this is made worse by stupid automated MAILER_DAEMONs set up by system administrators returning mail to addresses which never sent the mail in the first place, or which do not even exist. So, before everyone here gets their knickers in a twist, it would be a wise move to know how to read full headers from e-mails and to use the various registrars to track down IP addresses to their source.

Vger
Pipey, posted September 6, 2005:

Hi, I have applied 2 of the fixes suggested in this thread, and this morning I received yet another pair of mysterious e-mails coming from my site. I had fixed both the contact_us.php and html_output.php pages. Here is what I got this morning. Any further advice?

    [email protected]
    Content-Type: multipart/mixed; boundary="===============0026077618=="
    MIME-Version: 1.0
    Subject: eab2c571
    To: [email protected]
    bcc: [email protected]
    From: [email protected]

    This is a multi-part message in MIME format.
    --===============0026077618==
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    hubknpdod
    --===============0026077618==--

and...

    lroqhymmuv
    --===============2058851822==--" <[email protected]>
    To: <[email protected]>
    MIME-Version: 1.0
    X-Mailer: osCommerce Mailer
    Content-Type: multipart/alternative; boundary="=_2074c080490b80c3f2aec8b2bfb63e2b"

    --=_2074c080490b80c3f2aec8b2bfb63e2b
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    [email protected]
    --=_2074c080490b80c3f2aec8b2bfb63e2b
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    [email protected]
    --=_2074c080490b80c3f2aec8b2bfb63e2b--
Darklings, posted September 6, 2005:

I had it too after the fixes - but the fact that all that info is in your email (instead of in the header) points out it succeeded. If my guesses are right, I would say there are programs out there scanning sites for this error... they just keep trying (that's why I get IPs on my 'visitor stats' contrib in admin with only one click, directly to the contact_us.php page) and send a bcc to the hacker's 'fake' email (a free one set up at AOL); then he/she knows your site has a bug. As long as all of it ends up in the body, there's no 'real' problem... besides you getting spammed by automated programs trying... The only thing to prevent this is using a visual verify code contribution (search in contribs).

Kind regards,
Tom
user99999999, posted September 6, 2005:

These bots are posting every field on any form, not just the name field and not just osC. The contact_us page will get three posts trying the injection code in all three fields:

    $name          <- injection possible
    $email_address <- invalid email address
    $enquiry       <- raw injection code to site admin

The mail like this is the injection:

    [email protected]
    Content-Type: multipart/mixed; boundary="===============0026077618=="
    MIME-Version: 1.0
    Subject: eab2c571
    To: [email protected]
    bcc: [email protected]
    From: [email protected]

    This is a multi-part message in MIME format.
    --===============0026077618==
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    hubknpdod
    --===============0026077618==--

If you also receive a mail in your catch-all account [email protected], then you need to fix it, because these below were injected and sent:

    To: [email protected]
    bcc: [email protected]

The successful mail looks like this; the MIME headers were broken, but it did send the mail:

    lroqhymmuv                       <--- junk here on top instead of in the content
    --===============2058851822==--" <[email protected]>
    To: <[email protected]>
    MIME-Version: 1.0
    X-Mailer: osCommerce Mailer
    Content-Type: multipart/alternative; boundary="=_2074c080490b80c3f2aec8b2bfb63e2b"

    --=_2074c080490b80c3f2aec8b2bfb63e2b
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    [email protected]
    --=_2074c080490b80c3f2aec8b2bfb63e2b
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    [email protected]
    --=_2074c080490b80c3f2aec8b2bfb63e2b--

contact_us.php and tell_a_friend.php are the most vulnerable, but all mail sending (new accounts, orders, etc.) could be attacked.

A method to fix it. This fix doesn't send any mail with 'Content-Type:' in any field, and also removes newlines from the three header fields that can be supplied by the user.

catalog/includes/functions/general.php

    function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
      if (SEND_EMAILS != 'true') return false;

      // Don't send any injection type mails.
      // (preg_match() with the /i flag replaces the original eregi(), which was removed in PHP 7; same case-insensitive test.)
      if (preg_match('/Content-Type:/i', $to_name)) return false;
      if (preg_match('/Content-Type:/i', $email_subject)) return false;
      if (preg_match('/Content-Type:/i', $from_email_name)) return false;
      if (preg_match('/Content-Type:/i', $email_text)) return false;

      // Remove any newline and anything after it on the header fields of the mail.
      // $to_email_address and $from_email_address are checked with tep_validate_email().
      // (The original class [\n|\r] also matched a literal '|'; [\r\n] matches line breaks only.)
      $to_name = preg_replace('/[\r\n].*/', '', $to_name);
      $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
      $from_email_name = preg_replace('/[\r\n].*/', '', $from_email_name);

      // ... the remainder of the original tep_mail() body follows unchanged.

Some of the bots doing it:

    [email protected]  30,500
    [email protected]  19,400
    [email protected]   7,560
    [email protected]     264
Zuncan (author), posted September 7, 2005:

Would be nice if someone that is really into this problem could post a list of changes that need to be made to prevent this as well as possible. Like:

in contact_us.php find code: xxxx
Replace with: xxxxxxxxx

and so on... I and many others would appreciate it very much.
user99999999, posted September 7, 2005:

> Would be nice if someone that is really into this problem could post a list of changes that need to be made to prevent this as well as possible. Like:
>
> in contact_us.php find code: xxxx
> Replace with: xxxxxxxxx
>
> and so on... I and many others would appreciate it very much.

catalog/includes/functions/general.php

Find this:

    function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
      if (SEND_EMAILS != 'true') return false;

Change it to this:

    function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
      if (SEND_EMAILS != 'true') return false;

      // Don't send any injection type mails.
      // (preg_match() with the /i flag replaces the original eregi(), which was removed in PHP 7; same case-insensitive test.)
      if (preg_match('/Content-Type:/i', $to_name)) return false;
      if (preg_match('/Content-Type:/i', $email_subject)) return false;
      if (preg_match('/Content-Type:/i', $from_email_name)) return false;
      if (preg_match('/Content-Type:/i', $email_text)) return false;

      // Remove any newline and anything after it on the header fields of the mail.
      // $to_email_address and $from_email_address are checked with tep_validate_email().
      // (The original class [\n|\r] also matched a literal '|'; [\r\n] matches line breaks only.)
      $to_name = preg_replace('/[\r\n].*/', '', $to_name);
      $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
      $from_email_name = preg_replace('/[\r\n].*/', '', $from_email_name);
Zuncan (author), posted September 7, 2005:

Thanks very much! But I've also read that there are more things you can do to prevent spam. Would be even nicer with a complete list of all the good changes.
YoungBlood, posted September 7, 2005:

Added code, no problem. Thanks Dave!

> catalog/includes/functions/general.php
>
> Find this:
>
>     function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
>       if (SEND_EMAILS != 'true') return false;
>
> Change it to this:
>
>     function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
>       if (SEND_EMAILS != 'true') return false;
>
>       // Don't send any injection type mails.
>       if (preg_match('/Content-Type:/i', $to_name)) return false;
>       if (preg_match('/Content-Type:/i', $email_subject)) return false;
>       if (preg_match('/Content-Type:/i', $from_email_name)) return false;
>       if (preg_match('/Content-Type:/i', $email_text)) return false;
>
>       // Remove any newline and anything after it on the header fields of the mail.
>       // $to_email_address and $from_email_address are checked with tep_validate_email().
>       $to_name = preg_replace('/[\r\n].*/', '', $to_name);
>       $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
>       $from_email_name = preg_replace('/[\r\n].*/', '', $from_email_name);
crashwave, posted September 7, 2005:

http://www.oscommerce.com/forums/index.php?showtopic=162664&st=0
http://www.oscommerce.com/community/contributions,3509/
http://www.oscommerce.com/community/contributions,2976
Guest, posted September 10, 2005:

This is unfortunately returning an error message as follows:

    Parse error: parse error, unexpected T_IF in /home/anne001/public_html/includes/functions/general.php on line 963

My editor shows line 963 as being:

    962 //Dont send any injection type mails
    963 ? if (eregi('Content-Type:', $to_name)) return false;
    964 ? if (eregi('Content-Type:', $email_subject)) return false;
    965 ? if (eregi('Content-Type:', $from_email_name)) return false;
    966 ? if (eregi('Content-Type:', $email_text)) return false;
    967

Thanks for bearing with my ignorance.

> catalog/includes/functions/general.php
>
> Find this:
>
>     function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
>       if (SEND_EMAILS != 'true') return false;
>
> Change it to this:
>
>     function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
>       if (SEND_EMAILS != 'true') return false;
>
>       // Don't send any injection type mails.
>       if (preg_match('/Content-Type:/i', $to_name)) return false;
>       if (preg_match('/Content-Type:/i', $email_subject)) return false;
>       if (preg_match('/Content-Type:/i', $from_email_name)) return false;
>       if (preg_match('/Content-Type:/i', $email_text)) return false;
>
>       // Remove any newline and anything after it on the header fields of the mail.
>       // $to_email_address and $from_email_address are checked with tep_validate_email().
>       $to_name = preg_replace('/[\r\n].*/', '', $to_name);
>       $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
>       $from_email_name = preg_replace('/[\r\n].*/', '', $from_email_name);
sputnikinternet, posted September 12, 2005:

Won't this only stop the spammer if he uses those fields? As soon as he changes them, the fix becomes obsolete. Or am I wrong?
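The mechanism Cowzor describes (line breaks in a form field become extra mail headers such as bcc:), the three header-bound fields user99999999 lists, and the question just raised about the 'Content-Type:' keyword check are all covered by the following added example. It is not osCommerce code and not from anyone in this thread; it assumes PHP 7+, the function names and the 200-character limit are my own, and the probe values are constructed to resemble the mails quoted above. It rejects on the injection vector itself (CR, LF and other control characters) in every field that ends up in a header, so the header name the bot chooses does not matter.

```php
<?php
// Added example, not osCommerce code. Assumes PHP 7+; function names and
// the length limit are assumptions. $email_text is deliberately not checked:
// line breaks are legitimate in a body, only in headers do they add recipients.

const MAIL_HEADER_MAX_LEN = 200;   // assumed sane limit for a name or subject

// True when a value can safely be placed on one mail header line.
function mail_header_field_is_safe(string $value): bool
{
    if (strlen($value) > MAIL_HEADER_MAX_LEN) {
        return false;
    }
    // Any CR, LF or other C0/DEL control byte can end the current header and
    // start a new one (e.g. "bcc:"), whatever the bot chooses to call it.
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

// True for an address fit for a To: or From: header.
function mail_address_is_safe(string $address): bool
{
    return mail_header_field_is_safe($address)
        && filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Guard for tep_mail(): returns the names of the header-bound parameters that
// failed, so the caller can refuse to send and log the attempt with the client IP.
function tep_mail_injection_check(string $to_name, string $to_email_address,
    string $email_subject, string $from_email_name, string $from_email_address): array
{
    $bad = [];
    if (!mail_header_field_is_safe($to_name))         $bad[] = 'to_name';
    if (!mail_address_is_safe($to_email_address))     $bad[] = 'to_email_address';
    if (!mail_header_field_is_safe($email_subject))   $bad[] = 'email_subject';
    if (!mail_header_field_is_safe($from_email_name)) $bad[] = 'from_email_name';
    if (!mail_address_is_safe($from_email_address))   $bad[] = 'from_email_address';
    return $bad;
}

// Constructed probes shaped like the mails quoted in this thread: a header block
// with a bcc: pushed into a name or address field, joined with LF or CRLF.
$probes = [
    'clean'             => ['Store Owner', 'owner@example.com', 'Order question', 'Jane', 'jane@example.com'],
    'bcc_in_name'       => ["x\nbcc: drop@example.net\n\nhubknpdod", 'owner@example.com', 'eab2c571', 'Jane', 'jane@example.com'],
    'crlf_in_from_name' => ['Store Owner', 'owner@example.com', 'hi', "Jane\r\nbcc: drop@example.net", 'jane@example.com'],
    'header_in_address' => ['Store Owner', 'owner@example.com', 'hi', 'Jane', "jane@example.com\nbcc: drop@example.net"],
];
foreach ($probes as $label => $args) {
    $bad = tep_mail_injection_check(...$args);
    printf("%-18s %s\n", $label, $bad ? 'rejected: ' . implode(', ', $bad) : 'ok');
}
```

Only the 'clean' probe passes; the other three are rejected by the field that carries the line break, regardless of which header text follows it.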
gecko, posted September 12, 2005:

Thanks Dave, have given your code a go. I am getting continuous attempts at a bot using my Contact Us page. I will keep you posted.

Cheers,
Gecko
this time it'll go :-)
awisdoms, posted September 13, 2005:

The very same thing has been and still is happening to me. For the last few days it started again with that exact same bcc: [email protected]. I have now shut down my Contact Us page for a few days to stop it.

Dia
Guest, posted September 13, 2005:

Add the VVC contribution while you're fixing your mail scripts. Just add it to all pages that use the tep_mail function. It will take care of the bots.
gecko, posted October 9, 2005:

Sorry, I posted this in the wrong thread earlier, so it's a double post, but this is where it is supposed to be.

OK, after getting tons of emails sent from [email protected] with added cc & bcc via contact_us.php, I edited the code as advised here in this thread.

catalog/includes/functions/general.php

    // comment out EDIT TO STOP SPAMMERS  function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
    // comment out EDIT TO STOP SPAMMERS  if (SEND_EMAILS != 'true') return false;
    //##### ADDED FOLLOWING FROM DAVE USER9999999
    function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
      if (SEND_EMAILS != 'true') return false;

      // Don't send any injection type mails.
      if (preg_match('/Content-Type:/i', $to_name)) return false;
      if (preg_match('/Content-Type:/i', $email_subject)) return false;
      if (preg_match('/Content-Type:/i', $from_email_name)) return false;
      if (preg_match('/Content-Type:/i', $email_text)) return false;

      // Remove any newline and anything after it on the header fields of the mail.
      // $to_email_address and $from_email_address are checked with tep_validate_email().
      $to_name = preg_replace('/[\r\n].*/', '', $to_name);
      $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
      $from_email_name = preg_replace('/[\r\n].*/', '', $from_email_name);
    //###### END OF DAVES CODE TO STOP SPAMMERS

This seemed to work fine; the spammer stopped. But now I have a problem. When someone makes an order, the email is not sent to the owner of the site (owner@their domain.com); I get a copy sent to me@my other separate domain.com. Under store configuration you can set where order emails are sent to, and you can add more than one email address to send them to. It now appears that those order emails cannot be sent to the domain name that is the same as the store's. Can anyone help with this problem?

Thanks,
Gecko
This topic is now archived and is closed to further replies.