Hey guys. I've been running 2.0 for a while, and at some point I started receiving strange emails, which I later determined are sent from the forum, possibly by some fake accounts. The forum is for a small gaming community, so suspicious accounts are immediately visible. Other users have reported the same type of messages in their inbox.
The emails were of the following form:
From: <random fake address> forum@ourwebsite
Subject: random characters
Some compliments with typos
where forum@ourwebsite is our legitimate forum do-not-reply address (at some point I changed it to forum to check if they're using the forum settings to send spam, and sure enough, they were). That meant they were using some script in the code. I have replaced our website's address with ourwebsite in the following pastes:
To: [email protected]
Subject: FgMBhtqoPqhdSeTh
From: "[email protected]" <forum@ourwebsite>
Reply-To: <[email protected]>
Date: Sun, 24 Apr 2011 14:10:34 -0000
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-f35955c1b47d312d682523c41251c0e6"
Content-Transfer-Encoding: 7bit
Message-Id: <[email protected]>
That's the best aswner of all time! JMHO
--SMF-f35955c1b47d312d682523c41251c0e6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
That's the best aswner of all time! JMHO
--SMF-f35955c1b47d312d682523c41251c0e6--
So I figured I should log these emails, and I found the sendmail() file in Sources/Subs-Post.php and added some logging functionality. I later added the return false if the y_email field is set (this is my simple solution):
// Send off an email.
function sendmail($to, $subject, $message, $from = null, $message_id = null, $send_html = false, $priority = 3, $hotmail_fix = null, $is_private = false)
{
    // Append every call to a log file. The path is relative to the current working
    // directory, i.e. the forum root when sendmail() is reached through index.php.
    $f = fopen("mail-log.txt", "a");
    // fwrite instead of fprintf: subject and body are user-supplied, and a literal '%'
    // in them would otherwise be interpreted as a format specifier.
    fwrite($f, "sendmail -> to=$to, subject=$subject, message=$message, from=$from, message_id=$message_id, priority=$priority, hotmail_fix=$hotmail_fix, is_private=$is_private\n");
    fwrite($f, '$_SERVER='.var_export($_SERVER, true)."\n");
    fwrite($f, '$_POST='.var_export($_POST, true)."\n");
    fwrite($f, '$_SESSION='.var_export($_SESSION, true)."\n");
    fwrite($f, "backtrace=".var_export(debug_backtrace(), true)."\n");
    // y_email is only posted by the "E-mail a member" form, so refusing to send whenever
    // it is set blocks every submission of that form (the simple fix described above).
    if (isset($_POST['y_email'])) {
        fwrite($f, "Caught spammer!\n");
        fclose($f);
        return false;
    }
    fclose($f);
    ... rest of code
Here is what that logged for the example email above:
sendmail -> [email protected], subject=FgMBhtqoPqhdSeTh, message=That's the best aswner of all time! JMHO, from=n[email protected], message_id=, priority=1, hotmail_fix=, is_private=1
$_SERVER=array (
'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01',
'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'HTTP_HOST' => 'ourwebsite',
'HTTP_REFERER' => 'http://ourwebsite/forum/index.php?PHPSESSID=049518482f96814dc01dd8fef1df4fd1&action=emailuser;sa=email;msg=1490',
'CONTENT_LENGTH' => '190',
'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
'HTTP_COOKIE' => 'PHPSESSID=049518482f96814dc01dd8fef1df4fd1',
'HTTP_VIA' => '1.1 www.blucomputadores.com.br:3128 (squid/2.6.STABLE21)',
'HTTP_CACHE_CONTROL' => 'max-age=259200',
'HTTP_CONNECTION' => 'keep-alive',
'PATH' => '/usr/local/bin:/usr/bin:/bin',
'SERVER_SIGNATURE' => '<address>Apache/2.2.16 (Debian) Server at ourwebsite Port 80</address>
',
'SERVER_SOFTWARE' => 'Apache/2.2.16 (Debian)',
'SERVER_NAME' => 'ourwebsite',
'SERVER_ADDR' => '192.168.2.120',
'SERVER_PORT' => '80',
'REMOTE_ADDR' => '187.112.244.124',
'DOCUMENT_ROOT' => '/var/www/ourwebsite',
'SERVER_ADMIN' => 'webmaster@localhost',
'SCRIPT_FILENAME' => '/var/www/ourwebsite/forum/index.php',
'REMOTE_PORT' => '41108',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'SERVER_PROTOCOL' => 'HTTP/1.0',
'REQUEST_METHOD' => 'POST',
'QUERY_STRING' => 'action=emailuser;sa=email',
'REQUEST_URI' => '/forum/index.php?action=emailuser;sa=email',
'SCRIPT_NAME' => '/forum/index.php',
'PHP_SELF' => '/forum/index.php',
'REQUEST_TIME' => 1303654234,
'argv' =>
array (
0 => 'action=emailuser;sa=email',
),
'argc' => 1,
'BAN_CHECK_IP' => '187.112.244.124',
'REQUEST_URL' => 'http://ourwebsite/forum/index.php?action=emailuser;sa=email',
)
$_POST=array (
'y_name' => 'Leatrix',
'y_email' => '[email protected]',
'email_subject' => 'FgMBhtqoPqhdSeTh',
'email_body' => 'That\'s the best aswner of all time! JMHO',
'send' => 'Send',
'msg' => '1490',
'a59c5d5d9' => 'dba94240db290d46ce7ce0b2052163f6',
)
$_SESSION=array (
'session_value' => 'dba94240db290d46ce7ce0b2052163f6',
'session_var' => 'a59c5d5d9',
'mc' =>
array (
'time' => 1303654195,
'id' => 0,
'gq' => '0=1',
'bq' => '0=1',
'ap' =>
array (
),
'mb' =>
array (
),
'mq' => '0=1',
),
'ban' =>
array (
'last_checked' => 1303654195,
'id_member' => 0,
'ip' => '187.112.244.124',
'ip2' => '187.112.244.124',
'email' => '',
),
'log_time' => 1303654233,
'timeOnlineUpdated' => 1303654196,
'last_read_topic' => 278,
'old_url' => 'http://ourwebsite/forum/index.php?PHPSESSID=049518482f96814dc01dd8fef1df4fd1&action=emailuser;sa=email;msg=1490',
'USER_AGENT' => 'Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01',
'register_vv' =>
array (
'count' => 1,
'errors' => 0,
'did_pass' => false,
'q' =>
array (
),
'code' => 'CXWTTR',
),
)
backtrace=array (
0 =>
array (
'file' => '/var/www/ourwebsite/forum/Sources/SendTopic.php',
'line' => 287,
'function' => 'sendmail',
'args' =>
array (
0 => '[email protected]',
1 => 'FgMBhtqoPqhdSeTh',
2 => 'That\'s the best aswner of all time! JMHO',
3 => '[email protected]',
4 => NULL,
5 => false,
6 => 1,
7 => NULL,
8 => true,
),
),
1 =>
array (
'file' => '/var/www/ourwebsite/forum/Sources/SendTopic.php',
'line' => 78,
'function' => 'CustomEmail',
'args' =>
array (
),
),
2 =>
array (
'function' => 'EmailUser',
'args' =>
array (
),
),
3 =>
array (
'file' => '/var/www/ourwebsite/forum/index.php',
'line' => 162,
'function' => 'call_user_func',
'args' =>
array (
0 => 'EmailUser',
),
),
)
I haven't received any of these in a while, so I haven't been able to see if my fix works. But you guys probably know better about the y_email and y_name fields in $_POST, and what their purpose is.
So yeah that's my bug report :)
I also need to mention they weren't from the same IP.
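An added example, not from this thread or from SMF: the Python below profiles submissions of the "E-mail a member" form (POST to action=emailuser;sa=email, the request the mail log above captured) from an Apache combined-format access log, which is the same triage the var_export dump does by hand, and surfaces the pattern reported here: a burst of submissions from unrelated addresses that share one client signature. The log lines, addresses and times are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
EMAILUSER = "action=emailuser;sa=email"  # the "E-mail a member" form the OP's log shows being abused

def parse_line(line):
    # Return the fields of one combined-format line, or None if it does not match.
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def max_in_window(times, window):
    # Largest number of events that fall inside any span of length `window` (two-pointer sweep).
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def summarize(log_text, window=timedelta(minutes=10)):
    # Keep only submissions of the e-mail form (POST to the emailuser action) and profile them.
    recs = (parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    posts = [r for r in recs if r and r["method"] == "POST" and EMAILUSER in r["path"]]
    return {
        "total": len(posts),
        "per_ip": Counter(p["ip"] for p in posts),   # one address hammering the form
        "per_ua": Counter(p["ua"] for p in posts),   # one client identity behind many addresses
        "distinct_ips": len({p["ip"] for p in posts}),
        "burst": max_in_window([p["time"] for p in posts], window),  # most submissions per window
    }

# Constructed sample (addresses and times are made up); the three Opera/HTTP 1.0 submissions
# from different addresses mimic the request captured in the OP's mail log.
UA_OPERA = "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01"
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [24/Apr/2011:13:40:11 +0000] "GET /forum/index.php?topic=278.0 HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.6"',
    '203.0.113.10 - - [24/Apr/2011:13:41:02 +0000] "POST /forum/index.php?action=emailuser;sa=email HTTP/1.1" 200 1802 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.6"',
    f'198.51.100.7 - - [24/Apr/2011:14:10:34 +0000] "POST /forum/index.php?action=emailuser;sa=email HTTP/1.0" 200 1802 "http://ourwebsite/forum/index.php?action=emailuser;sa=email;msg=1490" "{UA_OPERA}"',
    f'198.51.100.8 - - [24/Apr/2011:14:11:40 +0000] "POST /forum/index.php?action=emailuser;sa=email HTTP/1.0" 200 1802 "-" "{UA_OPERA}"',
    f'198.51.100.9 - - [24/Apr/2011:14:12:05 +0000] "POST /forum/index.php?action=emailuser;sa=email HTTP/1.0" 200 1802 "-" "{UA_OPERA}"',
])
```

Running summarize(SAMPLE_LOG) reports four form submissions from four addresses, three of them within one ten-minute window and all three carrying the same user agent, which is the shape the posters above describe as not coming from the same IP.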
Probably you have the "Send topics to friends" permission enabled for guests, and then guests (and spammers too I can assume) can send emails to everybody.
Sorry, I misunderstood your point here, of course it's a potential source of spam.
I submitted a mod to introduce the visual verification, if you would like to test it feel free to send me a PM. :)
The actual "E-mail a member" function of SMF 2.0 would sound like the cause -
The url "http://ourwebsite/forum/index.php?action=emailuser;sa=email" is exactly for that function.
( The envelope image below people's profiles in topic view that leads to an e-mail form ;) )
The form can be used to send e-mail directly to a user, using the forum's e-mail address, and masking it as your own (the one in your profile).
So, check your permissions - thoroughly!
You can also turn off email addresses visible to guests in the admin panel:
Admin -> Security and Moderation: uncheck "Allow viewable email addresses" and check "Do not reveal contact details of members to guests".
Is this still an issue?
Quote from: Aleksi "Lex" Kilpinen on May 25, 2011, 05:59:37 AM
The actual "E-mail a member" function of SMF 2.0 would sound like the cause -
The url "http://ourwebsite/forum/index.php?action=emailuser;sa=email" is exactly for that function.
You are indeed right!
But maybe we should put a captcha there too...for guests of course.
That would be logical, if it can be allowed for guests, then at least make sure guests need some verification.
Or even for members if under a certain post count?
I would just tie it to the same setting with post verification. That would let the admin set the post count limits and all.
Added a permission for emailing users yesterday, so this should be fixed.