Constant spam sent from our IP

Started by Stirius, July 01, 2020, 06:50:46 PM


Stirius

Hello,

do you have any idea what could be the source except some plugins of tens of thousands, hundreds of thousands (if not stopped) spam using our SMF forum? We have our own server and I know that if I disable completely the option to send emails via PHP and the default version, the spam stops. So it's somewhere inside.

Is there a tool to check the forum? Files? Plugins? What can be the source? Are there some known plugins or holes which are abused? I cannot find it anywhere.

We made several rules via Cloudflare, banned several IPs, referrals, countries and also installed recaptcha to the register page and other possible sources. Also installed Forum Firewall, deleted all the users which are not used anymore and it helped for a month or almost two. But today, it was back again and our IP is just blocked as a spammer again.

Thank you.

Kindred

1- SMF version?
2- Site URL?
3- Mods installed?
4- Have you checked for non-SMF files in your directories?
5- Have you looked at the server log to see where the mails are being triggered from?
6- What configuration have you set regarding sending emails from within SMF?

Stirius

1. 2.0.17
2. boiians.cz (outside of CZ and SK you must pass a captcha check)
3. mods:
1.   reCAPTCHA for SMF
2.   Attachments Positioning
4.   Tapatalk SMF 2.0 Plugin
5.   SMF 2.0.1 Update
6.   SMF 2.0.13 Update
7.   Google Member Map
8.   SMF 2.0.5 Update
10.   smf font post resizer
11.   SMF 2.0.4 Update
12.   Tapatalk SMF 2.0 Plugin
13.   SMF 2.0.16 Update
14.   Aeva Media
15.   SMF 2.0.2 Update
18.   New Manual Look
19.   Tapatalk SMF 2.0 Plugin
20.   SMF 2.0.5 Update
23.   SMF Search Enhancement Mod
24.   SMF 2.0.8 Update
25.   ResizeImagesToFitScreen
26.   SMF 2.0.16 Update
27.   SMF 2.0.15 Update
29.   SimplePortal
30.   SMF 2.0.3 Update
33.   SMF 2.0.14 Update
34.   SimplePortal
35.   SMF 2.0.1 Update
36.   Tapatalk SMF 2.0 Plugin
37.   SMF 2.0.1 Update
38.   Simple Audio Video Embedder
39.   BK-SMF Favicon and Custom Global HTML
40.   SimplePortal
42.   Group Color in Posts and Profile
43.   Google Analytics Code
45.   Info Center Permissions
46.   SMF 2.0.11 Update
47.   SMF 2.0.1 Update
49.   SMF 1.1.20 / 2.0.9 Update
50.   Uniform Collation & Engine
52.   InLine Attachments
55.   SearchResultsMod
56.   SMF 1.1.21 / 2.0.10 Update
58.   Member Color Link
59.   Search Focus Dropdown
60.   SMF 2.0.7 Update
61.   Highslide Image Viewer
62.   Global Headers Footers
66.   No Temp Directory Removal
67.   SMF 2.0.12 Update
68.   Forum Firewall
69.   SMF 1.1.19 / 2.0.6 Update
70.   Hide Info Center From Guests
71.   Tapatalk SMF 2.0 Plugin
72.   SMF 2.0.17 Update
73.   SMF 2.0.2 Update
74.   Remove images from quotes

4. Is there a tool to check it? I have no idea what is or what is not part of SMF.
5. Yeah, I was trying to check all accesses and everything, but I can't find it.
6. Mail queue not allowed, max number of emails per minute 5 (that is most probably not working at all), max number of emails from one page 1, SMTP server with port 25.

Is it most probably done by some mod, or is something outside of SMF hidden in some folder? I have no clue how to identify it...

Thanks  ;)
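One way to answer "what is or is not part of SMF" without reading every file by hand: hash a live web root against a clean unpacked copy of the same release and list what was added or changed. This is an added example, not SMF's own tooling; it assumes the clean copy is the matching 2.0.x release (plus the mod packages you trust) and the fixture it builds in demo() is constructed.

```python
"""Compare a live SMF web root with a clean copy of the same release.

Added example, not SMF's own tooling. Assumes the clean tree is the unpacked
matching release and the live tree is the web root; demo() builds a constructed fixture.
"""
import hashlib
import os
import tempfile

WEB_EXEC = (".php", ".phtml", ".phar", ".php5")  # files the web server would execute


def file_hashes(root):
    """Map path (relative to root) -> sha256 of contents, for every file under root."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def audit_tree(clean_dir, live_dir):
    """Classify live files as added, missing or modified relative to the clean tree."""
    clean, live = file_hashes(clean_dir), file_hashes(live_dir)
    added = sorted(p for p in live if p not in clean)
    return {
        "added": added,  # cache/ and attachments/ land here too; PHP files under them still get read
        "missing": sorted(p for p in clean if p not in live),
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),  # mods edit files
        "suspicious": [p for p in added if p.lower().endswith(WEB_EXEC)],  # read these first
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed fixture: a two-file release vs. a live copy with one mod edit and one stray script."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            _write(root, "index.php", "<?php // SMF entry point\n")
            _write(root, "Sources/Subs-Post.php", "<?php // sendmail() lives here\n")
        _write(live, "index.php", "<?php // SMF entry point, patched by a mod\n")
        _write(live, "attachments/avatar_12.jpg", "constructed, not an image\n")
        _write(live, "Themes/default/images/img.php", "<?php // present in no release\n")
        return audit_tree(clean, live)
```

Files under "modified" are expected when mods are installed; compare them against the mod package rather than dismissing them.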

Horme Gaming

The issue to me sounds more server side, but I'm far from an expert; people can use tools to spoof an IP that they are using. If they are using your files to do it, the only way would be to manually check the code for anything that looks wrong; from experience you can usually see code that shouldn't be there.

Illori

Do you have your profile or others set to show their email address? If so, anyone registered can click on the envelope and send their messages. Other than editing the templates to remove that, there is no global way I am aware of to remove that function.

Stirius

Quote from: Illori on July 02, 2020, 05:39:47 AM
Do you have your profile or others set to show their email address? If so, anyone registered can click on the envelope and send their messages. Other than editing the templates to remove that, there is no global way I am aware of to remove that function.

The email is not sent to registered users. It goes to tens of thousands of addresses, and they use another sender taken from our other website used on the server (keengamer.com), not boiians.cz. So they know what we run on our server and somehow abuse the SMF forum...

Horme Gaming

The only way would be to manually check the code for anything that looks wrong; from experience you can usually see code that shouldn't be there.

The only way they could have done it is inject code into one of the files. We can see you have patched it correctly; however, there is no way to know when it was added without going through your own server logs. But you need to go through all your files to see what has been added, if anything. If nothing has been added to your SMF files, then they could be spoofing their IP to make it look like it's coming from your server.

Stirius

Quote from: Deaks on July 02, 2020, 06:06:35 AM
The only way would be to manually check the code for anything that looks wrong; from experience you can usually see code that shouldn't be there.

The only way they could have done it is inject code into one of the files. We can see you have patched it correctly; however, there is no way to know when it was added without going through your own server logs. But you need to go through all your files to see what has been added, if anything. If nothing has been added to your SMF files, then they could be spoofing their IP to make it look like it's coming from your server.

Well, not really. If we disable the postfix mail server on the forum, the spam ends. So they are using our IP via PHP somehow... But it's like searching for a needle. In WordPress there is, for example, Wordfence, which is able to go through the site and check for invalid or injected code. But doing this manually on our own is just impossible...

Stirius

July 02, 2020, 06:50:05 AM #8 Last Edit: July 02, 2020, 07:00:15 AM by Stirius
I've got a feeling that it's maybe done by the shoutbox in SimplePortal. This access is visible there every time the spam started. And just from one IP. They had to figure out that other countries are blocked, so they got some CZ proxy. Most probably.

Stirius

Just an update. I found the IP and the user connected to it. So either he was abusing our site or somebody abused his account. Maybe. However, IF the problem is the shoutbox, then it's a HUGE error. Even though we have HTML code disabled and simply everything which could have been abused, there must be some workaround. So the mod is most probably buggy as hell. If I am right here, hard to say. But most probably I am.

vbgamer45

Depending on your PHP version, if you have a copy of one of the spammed emails, you might be able to see the originating script from the email headers. It should show the PHP script used if you have that feature turned on in PHP.
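The PHP feature referred to above is mail.add_x_header (adds an X-PHP-Originating-Script header to every message sent through mail()) together with mail.log (one line per mail() call naming the calling script and line). The following is an added example, not vbgamer45's or SMF's code, that ranks the callers in such a log and reads the header from a kept message; the log lines and message are constructed samples, and the paths in them are assumptions.

```python
"""Trace a PHP-originated spam run back to the script that called mail().

Added example. Assumes php.ini has mail.add_x_header = On and mail.log set to a file;
the log excerpt and message below are constructed samples.
"""
import re
from collections import Counter
from email import message_from_string

# Line format written by PHP's mail.log: "[date] mail() on [/path/script.php:LINE]: To: ... -- Headers: ..."
LOG_RE = re.compile(r"mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]:")

SAMPLE_LOG = """\
[02-Jul-2020 05:10:01 UTC] mail() on [/var/www/forum/Sources/Subs-Post.php:1025]: To: member@example.net -- Headers: From: forum@example.org
[02-Jul-2020 05:10:02 UTC] mail() on [/var/www/forum/Themes/default/images/img.php:2]: To: a1@example.com -- Headers: From: news@example.org
[02-Jul-2020 05:10:02 UTC] mail() on [/var/www/forum/Themes/default/images/img.php:2]: To: a2@example.com -- Headers: From: news@example.org
[02-Jul-2020 05:10:03 UTC] mail() on [/var/www/forum/Themes/default/images/img.php:2]: To: a3@example.com -- Headers: From: news@example.org
a line that is not a mail() record and is skipped
"""


def rank_callers(log_text):
    """Count mail() calls per calling script:line, most frequent first; the top entry is where to look."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[f"{m['script']}:{m['line']}"] += 1
    return counts.most_common()


SAMPLE_MESSAGE = """\
Received: from forum.example.org (forum.example.org [192.0.2.10])
X-PHP-Originating-Script: 33:img.php
From: news@example.org
To: a1@example.com
Subject: constructed sample

body
"""


def originating_script(raw_message):
    """Return (uid, script basename) from X-PHP-Originating-Script, or None if the header is absent."""
    hdr = message_from_string(raw_message).get("X-PHP-Originating-Script")
    if not hdr or ":" not in hdr:
        return None
    uid, script = hdr.split(":", 1)
    return int(uid.strip()), script.strip()
```

The header carries only the script's basename and the uid it ran as, so the log is what ties a burst of mail to a full path; a caller that is not one of SMF's own Sources files is the one to open.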

Stirius

Quote from: vbgamer45 on July 02, 2020, 09:20:45 AM
Depending on your PHP version, if you have a copy of one of the spammed emails, you might be able to see the originating script from the email headers. It should show the PHP script used if you have that feature turned on in PHP.

All of them are deleted, unfortunately. However, I made some changes and will follow what happens in a week or two. I can always change the IP we use for the emails, but that is not a fix. And, as I said, somebody from the portal mod should check their hole in the code...
