1
banned
#OOPS#, i become a spammer..
  • 2006/2/7 23:28

  • banned

  • Not too shy to talk

  • Posts: 159

  • Since: 2004/5/16


Hi.
Today I noticed that a spambot has broken my 2.0.x default contact module in some way.
The website is running an old version of XOOPS, from before the security token was implemented - I've done various core code hacking on that website..

So, here the details.
Early, this morning, I've found these things of email in my box (I'll post only one, the last one. But I got other 4 similar mails, if someone is interested).
Quote:
foot7230@mydomain.ext ha inviato le seguenti informazioni:
Indrizzo email foot7230@mydomain.ext
Sito web foot7230@mydomain.ext
ICQ foot7230@mydomain.ext
Società from
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: an climbed to him an
bcc: charleses3229@aol.com

95cf9b1983d2ca6f1b4d0a9a72bbc1bd
.

Località foot7230@mydomain.ext
Commenti

foot7230@mydomain.ext





And later, this evening (21.00 on GMT+1), the spam has started.
I don't know if this spam arrived only to me, the guy who gets the mails from the contact module, or if other people on the net got this spam too - I don't have access to the mail server.
I don't post any of those spam mails 'cause they are very long.. if someone is interested I can post one later.

I've looked in the Apache server logs, and I've found that several IPs have simply done a POST request masking the referer with my domain name -> there is not a GET request from those IPs (and I think this method can break the security token too).

Right now I've disabled the contact form.

Any ideas, someone?

banned,
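
The log pattern described in the post above (a POST to the form with a plausible referer but no earlier GET from the same address) can be checked mechanically. This is an added example, not part of the original post and not XOOPS code; the form path, the documentation-range IPs and the log lines are constructed placeholders.

```python
import re

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

FORM_PATH = "/contact/index.php"  # placeholder path, not taken from the thread


def blind_posters(lines, form_path=FORM_PATH):
    """Return IPs that POSTed to the form without first fetching it with GET."""
    fetched = set()   # IPs that loaded the form page at least once
    flagged = []      # IPs that posted blind, in first-seen order
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != form_path:
            continue  # unparsable line or a request for another URL
        ip = m["ip"]
        if m["method"] == "GET":
            fetched.add(ip)
        elif m["method"] == "POST" and ip not in fetched and ip not in flagged:
            # The referer is client-supplied, so it is deliberately ignored here.
            flagged.append(ip)
    return flagged


# Constructed sample log lines: one normal visitor, two blind POSTs
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Feb/2006:20:58:01 +0100] "GET /contact/index.php HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Feb/2006:20:59:12 +0100] "POST /contact/index.php HTTP/1.1" 200 2210 "http://example.org/contact/index.php" "Mozilla/5.0"',
    '203.0.113.21 - - [07/Feb/2006:21:00:03 +0100] "POST /contact/index.php HTTP/1.0" 200 2210 "http://example.org/contact/index.php" "-"',
    '203.0.113.45 - - [07/Feb/2006:21:00:09 +0100] "POST /contact/index.php HTTP/1.0" 200 2210 "http://example.org/contact/index.php" "-"',
]

if __name__ == "__main__":
    for ip in blind_posters(SAMPLE_LOG):
        print("POST without prior GET:", ip)
```

A visitor whose GET fell outside the log window examined will also be flagged, so the result is a list to review rather than a block list.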

2
m0nty
Re: #OOPS#, i become a spammer..
  • 2006/2/7 23:33

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


not sure m8.. seems strange tho cos i didn't think the xoopsmailer handled bcc addresses and the content type is usually 8bit from xoops.. so i think something's wrong somewhere..

it's a b*tch aint it when u have many hacks and can't update easily.. i'm presuming you have XOOPS protector installed? you could block those IP addresses out.. but i'm not sure if protector protects against spambots in that way..

3
banned
Re: #OOPS#, i become a spammer..
  • 2006/2/8 0:25

  • banned

  • Not too shy to talk

  • Posts: 159

  • Since: 2004/5/16


Hi, monty

>i'm presuming you have XOOPS protector installed?
I've something like a 'lite' version of protector

>you could block those IP addresses out..
Heh.. I can't. This spammer uses various proxies for his job. I can't ban an entire list of anon proxies.

banned,

4
mattmca
Re: #OOPS#, i become a spammer..
  • 2006/2/8 0:45

  • mattmca

  • Just popping in

  • Posts: 4

  • Since: 2004/7/6 1


Is this the same problem as here?

https://xoops.org/modules/newbb/viewtopic.php?topic_id=30517&forum=3&post_id=197157#forumpost197157

5
banned
Re: #OOPS#, i become a spammer..
  • 2006/2/8 1:02

  • banned

  • Not too shy to talk

  • Posts: 159

  • Since: 2004/5/16


I'm not sure,
from what I can see they used my contact us form to spam not only me but other people too.
In that post, instead, it seems that the spam is only directed to the website webmaster.

Another point is: I think that the mail header from the contact us form has been injected. It doesn't display the 'Xoops Site Name' as the subject and there isn't a 'submitter email' field - website, icq, society, location and comments are still here.. but nearly unused.

banned,
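
The header injection suspected in the post above relies on CR/LF characters inside form fields that should be a single line, as in the "Società" field of the mail quoted in the first post. The following added example (not part of the original posts and not the XOOPS contact module's code) shows a server-side check that rejects such a submission before any mail is built; the field names, addresses and sample submissions are constructed, and the header-name match is a heuristic.

```python
import re
from email.message import EmailMessage

# Fields that must be a single line; only "comments" may contain newlines.
SINGLE_LINE_FIELDS = ("email", "website", "icq", "company", "location")
# Heuristic: a line that starts like a mail header inside user input.
HEADER_LIKE = re.compile(
    r"^\s*(bcc|cc|to|from|subject|content-type|mime-version)\s*:", re.I | re.M)


def find_injection(form):
    """Return {field: reason} for every field that looks like a header-injection attempt."""
    problems = {}
    for name, value in form.items():
        if name in SINGLE_LINE_FIELDS and re.search(r"[\r\n]", value):
            problems[name] = "CR/LF in single-line field"
        elif HEADER_LIKE.search(value):
            problems[name] = "header-like line in field"
    return problems


def build_mail(form, site_name, to_addr):
    """Build the notification mail, refusing suspicious submissions."""
    problems = find_injection(form)
    if problems:
        raise ValueError(f"rejected submission: {problems}")
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = f"[{site_name}] contact form"
    # User input goes into the body only, never into a header.
    msg.set_content("\n".join(f"{k}: {v}" for k, v in form.items()))
    return msg


# Constructed submission modelled on the mail quoted in the first post
PROBE = {
    "email": "foot7230@example.org",
    "website": "foot7230@example.org",
    "icq": "foot7230@example.org",
    "company": "from\nContent-Type: text/plain; charset=\"us-ascii\"\nMIME-Version: 1.0\n"
               "Subject: sample\nbcc: someone@example.net\n\nmarker\n.\n",
    "location": "foot7230@example.org",
    "comments": "foot7230@example.org",
}
CLEAN = {"email": "a@example.org", "website": "", "icq": "", "company": "ACME",
         "location": "Rome", "comments": "Hello,\nplease call me back."}

if __name__ == "__main__":
    print(find_injection(PROBE))
```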

6
m0nty
Re: #OOPS#, i become a spammer..
  • 2006/2/8 1:37

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


you are more than likely right there banned, i think short of upgrading, but i know u have many hacks installed so it'd be a daunting task..

have u thought of the possibility of using liaise module for your contact form? i used it on my sites instead of contact module.. it may offer you better security and better customisation too.. it isn't hard to setup either. but you could try a later version of XOOPS protector too. sorry can't be anymore helpful..

7
seventhseal
Re: #OOPS#, i become a spammer..

If I may be so bold - this is an easy tact and is used quite often with any CMS - worst offenders are Joomla and Limbo (Mambo) - but basically here's how it works, I run a form loader and drive the form "blindly" - that's it.

Now, that is specifically why I wrote this new and improved contact us module for XOOPS. Since installing, my form driven SPAM has gone to 0 (zero!). Reason - security code for any entered contact form...simple!

Try it out, it will work! Hackers are TOO LAZY to mess with trying to figure those out.
John Horne - a.k.a. - VelocityWebDev, Seventhseal, CreepingDeath
**********************************
VelocityWebDev Tech BLOG
VelocityWebHost Hosting and Design
