email "sent from the forum" hacked & upgrade (General)

by Homie, Sunday, December 11, 2016, 15:56 (2664 days ago)

We've been using MLF for quite some time and we like it a lot.

The other day I got a bounced email that was sent from the forum. It was spam, a message full of links.
What bothers me is that the sender was spoofed. Also, since the signature line "This e-mail has been sent via the forum on {link here}" was present, it looks like the spammer somehow used the forum to send his spam.
When digging through my mail delivery reports on the server I only found this one email. The sender was the default email address for the forum.

I temporarily took the forum online because I don't want to get my mail server blacklisted. BTDT (bad user) and getting the server removed from blacklists is a major pain.

When I checked the forum version I found out I'm running a really old version, 2.33.

My questions:

1. Is this a known issue in version 2.33?
2. If yes, will update to the latest 2.37 (beta2?) fix this security hole
3. If the update will fix the problem how do I update?

Assuming updating will solve my problem, do I have to update to 2.34, 2.35, 2.36 before I update to 2.37 or can it be done in one update?
Or is it easier to do a fresh install and use the present database so I will retain users and messages?

Thanks in advance!
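The check described in the post above (digging through the server's mail delivery reports for mail sent under the forum's default address), written out as an added example; this is not code from the original post or from my little forum. The log lines are constructed in Postfix syslog style, and the forum address and member list are assumptions.

```php
<?php
// Added example (not my little forum's own code): correlate a Postfix-style
// mail log by queue ID, keep the messages whose envelope sender is the forum's
// default address, and report bounces and recipients that are not members.
declare(strict_types=1);

const FORUM_SENDER = 'forum@example.org';   // assumed forum default address

// Constructed sample log for a stand-alone run (Postfix syslog layout).
$sampleLog = <<<'LOG'
Dec 11 14:02:33 vps postfix/qmgr[2101]: 3A1B2C3D4E: from=<forum@example.org>, size=2310, nrcpt=1 (queue active)
Dec 11 14:02:34 vps postfix/smtp[2102]: 3A1B2C3D4E: to=<member@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.8, dsn=5.7.1, status=bounced (host mx.example.net said: 550 5.7.1 Message rejected as spam)
Dec 11 15:10:01 vps postfix/qmgr[2101]: 4B2C3D4E5F: from=<forum@example.org>, size=1802, nrcpt=1 (queue active)
Dec 11 15:10:02 vps postfix/smtp[2102]: 4B2C3D4E5F: to=<admin@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.1, dsn=2.0.0, status=sent (250 OK)
Dec 11 15:30:12 vps postfix/qmgr[2101]: 5C3D4E5F60: from=<root@vps.example.org>, size=512, nrcpt=1 (queue active)
Dec 11 15:30:12 vps postfix/smtp[2102]: 5C3D4E5F60: to=<admin@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.1, dsn=2.0.0, status=sent (250 OK)
Dec 11 16:05:40 vps postfix/qmgr[2101]: 6D4E5F6071: from=<forum@example.org>, size=2290, nrcpt=1 (queue active)
Dec 11 16:05:41 vps postfix/smtp[2102]: 6D4E5F6071: to=<stranger@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=0.6, dsn=2.0.0, status=sent (250 OK)
LOG;

/**
 * Pair each "from=<...>" queue-manager line with the "to=<...>" delivery
 * lines of the same queue ID and return one record per delivery attempt
 * whose envelope sender is the forum address.
 */
function forumDeliveries(string $log, string $forumSender): array
{
    $fromByQueueId = [];
    $deliveries = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match('/ ([0-9A-F]+): from=<([^>]*)>/', $line, $m)) {
            $fromByQueueId[$m[1]] = strtolower($m[2]);
            continue;
        }
        if (preg_match('/ ([0-9A-F]+): to=<([^>]*)>.* dsn=([0-9.]+), status=(\w+)/', $line, $m)) {
            if (($fromByQueueId[$m[1]] ?? null) !== strtolower($forumSender)) {
                continue;   // not sent by the forum: ignore
            }
            $deliveries[] = ['queue_id' => $m[1], 'to' => strtolower($m[2]), 'dsn' => $m[3], 'status' => $m[4]];
        }
    }
    return $deliveries;
}

/** Summarise forum deliveries: volume per recipient, bounces, non-member recipients. */
function reviewDeliveries(array $deliveries, array $knownMembers): array
{
    $known = array_map('strtolower', $knownMembers);
    $report = ['per_recipient' => [], 'bounced' => [], 'not_a_member' => []];
    foreach ($deliveries as $d) {
        $report['per_recipient'][$d['to']] = ($report['per_recipient'][$d['to']] ?? 0) + 1;
        if ($d['status'] === 'bounced') {
            $report['bounced'][] = $d;
        }
        if (!in_array($d['to'], $known, true)) {
            $report['not_a_member'][] = $d['to'];
        }
    }
    return $report;
}

$knownMembers = ['admin@example.org', 'member@example.net'];   // constructed member list
$report = reviewDeliveries(forumDeliveries($sampleLog, FORUM_SENDER), $knownMembers);

printf("%d message(s) sent by %s\n", array_sum($report['per_recipient']), FORUM_SENDER);
foreach ($report['bounced'] as $b) {
    printf("bounced: %s -> %s (dsn %s)\n", $b['queue_id'], $b['to'], $b['dsn']);
}
foreach (array_unique($report['not_a_member']) as $addr) {
    echo "forum mail to a non-member address: $addr\n";
}
```

Run against the real log (`/var/log/mail.log` on most Debian-style systems) with the forum's actual sender address, the two things worth watching are a bounce with a spam-related DSN, as in the post, and forum-originated mail to addresses that are not registered members; either is a sign that the "send e-mail via the board" function is being driven by someone other than members.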

email "sent from the forum" hacked & upgrade

by Micha ⌂, Sunday, December 11, 2016, 16:31 (2664 days ago) @ Homie

Hi Homie,

what kind of mail was it? Maybe it was an answer to a thread/posting you have subscribed to.

1. Is this a known issue in version 2.33?

As far as I know, no. You are the first one I know of who reports this issue.

2. If yes, will update to the latest 2.37 (beta2?) fix this security hole

I'm not sure, but it will fix some other security issues.

Assuming updating will solve my problem, do I have to update to 2.34, 2.35, 2.36 before I update to 2.37 or can it be done in one update?

Because of your old software version, I think it is better to do it step by step.

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

email "sent from the forum" hacked & upgrade

by Homie, Sunday, December 11, 2016, 17:19 (2664 days ago) @ Micha

what kind of mail was it? Maybe it was an answer to a thread/posting you have subscribed to.

It clearly was spam. The email body consists of links only and the "from" was spoofed. I can send it to you if you want to see it - just give me an email address.

I only saw this mail because it bounced, the receiver's ISP refused the email.
Now, the good news is that when digging through the mail delivery reports on my server this was the only one in the last three days. Nevertheless I think that the spammer will be back trying to send out a ton of spam via my server.

I'm by no means a PHP programmer, but from what I found out when searching, this sure looks like email injection.

Assuming updating will solve my problem, do I have to update to 2.34, 2.35, 2.36 before I update to 2.37 or can it be done in one update?


Because of your old software version, I think it is better to do it step by step.

O.K. I'll try that.

Have there been security improvements to prevent email injection since 2.3.3?

Thanks!

email "sent from the forum" hacked & upgrade

by Micha ⌂, Sunday, December 11, 2016, 18:57 (2664 days ago) @ Homie

Hi,

It clearly was spam.

Okay, but that was not my question. If a spam robot inserts a new posting into the forum and you have subscribed to this thread, too, you get an email from the forum software. This notification message/mail contains the content of the (spam) posting. Again: Do you subscribe to threads of the forum?

Has there been security improvements to prevent email injection since 2.3.3?

Take a look at the change log.


/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

email "sent from the forum" hacked & upgrade

by Homie, Sunday, December 11, 2016, 20:17 (2664 days ago) @ Micha

It clearly was spam.

Okay, but that was not my question. If a spam robot inserts a new posting into the forum and you have subscribed to this thread, too, you get an email from the forum software. This notification message/mail contains the content of the (spam) posting. Again: Do you subscribe to threads of the forum?

No, I don't subscribe to threads on the forum.
Plus, the email wasn't sent to me but to another email address.

Like I wrote before, I only saw the email because it wasn't accepted by the ISP of the recipient and because of that bounced to the forum admin email address.

email "sent from the forum" hacked & upgrade

by Micha ⌂, Monday, December 12, 2016, 13:01 (2663 days ago) @ Homie

Hi,

Like I wrote before, I only saw the email because it wasn't accepted by the ISP of the recipient and because of that bounced to the forum admin email address.

Okay, has the original addressee subscribed to threads of the forum?

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

email "sent from the forum" hacked & upgrade

by Homie, Monday, December 12, 2016, 23:30 (2663 days ago) @ Micha

Okay, has the original addressee subscribed to threads of the forum?

I don't know but I guess I could find out. Still the email didn't look like an automatic email informing a user about a post. It looks to me like some spammer somehow was able to use the "send email via the board" option, spoofed the sender and got the email out. If that could happen once it can happen again.
My main concern here is that the mail server from this VPS gets blacklisted, something I absolutely don't want to happen.

So, for now I put an empty file with the name contact.inc.php in the includes directory, removing the option to send emails via the board. That should effectively stop anybody who wants to send spam via the forum.
I know this also makes the 'Contact' link dysfunctional, so be it. I might get a secure PHP contact form and use that for the contact option.

Until I know that the "send email via the board" option is 100% safe I will leave it like this.

email "sent from the forum" hacked & upgrade

by Homie, Monday, December 12, 2016, 23:46 (2663 days ago) @ Homie

FWIW I just tested the notification emails and the structure of those email is completely different.

The spam email had this tagline:

This e-mail has been sent via the forum on http://www.url_of_the_forum

That tagline only appears under emails sent via the forum, right?

email "sent from the forum" hacked & upgrade

by Micha ⌂, Tuesday, December 13, 2016, 08:20 (2662 days ago) @ Homie

Hi,

This e-mail has been sent via the forum on http://www.url_of_the_forum

That tagline only appears under emails sent via the forum, right?

The original addressee is a member of your forum? Did this member enable the option "E-mail address contactable"?

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

email "sent from the forum" hacked & upgrade

by Homie, Tuesday, December 13, 2016, 15:50 (2662 days ago) @ Micha

The original addressee is a member of your forum? Did this member enable the option "E-mail address contactable"?

Yes and yes.

email "sent from the forum" hacked & upgrade

by Micha ⌂, Tuesday, December 13, 2016, 19:02 (2662 days ago) @ Homie

Hi,

Yes and yes.

Okay, in this case, it is not a bug. The user enabled the option and allows for every type of email. It is recommended to restrict this option to avoid spam messages.

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

email "sent from the forum" hacked & upgrade

by Homie, Wednesday, December 14, 2016, 01:59 (2662 days ago) @ Micha

No bug? So anybody can send emails to users who allow to be contacted by email? That should be a "registered users only" feature I would say. Also the admin should have the option to disable this feature completely.

Well, good thing I could disable this "feature" by replacing the contact.inc.php with an empty file.

Anyway, thanks for your time.
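An added example, not my little forum's own contact.inc.php and not code posted by anyone in this thread: a hardened form of the "send e-mail via the board" step that addresses the two points raised in the thread, the suspicion of email injection and the suggestion that the feature should be "registered users only". The forum address, the URL placeholder (taken from the thread), the session layout, the user table shape and the function names are assumptions for this example.

```php
<?php
// Added example (not my little forum's own code): build a member-to-member
// contact mail only when the request passes every check, and never let form
// input reach a mail header unchecked.
declare(strict_types=1);

const FORUM_FROM = 'forum@example.org';            // assumed forum default address
const FORUM_URL  = 'http://www.url_of_the_forum';  // placeholder as used in the thread

/** Reject any header value containing CR, LF or NUL (email header injection). */
function assertSingleLineHeader(string $value, string $field): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("$field: line break in header value rejected");
    }
    return trim($value);
}

/**
 * Assemble the mail or throw if it must not be sent.
 * $input   submitted form fields: subject, message
 * $session the logged-in user (['user_id' => int]) or null for an anonymous visitor
 * $users   user id => ['email' => string, 'contactable' => bool]  (assumed table shape)
 */
function buildContactMail(array $input, ?array $session, array $users, int $recipientId): array
{
    // 1. Only logged-in members may use the form; anonymous robots stop here.
    if ($session === null || empty($session['user_id'])) {
        throw new RuntimeException('login required');
    }
    // 2. The recipient must exist and have opted in ("E-mail address contactable").
    $recipient = $users[$recipientId] ?? null;
    if ($recipient === null || empty($recipient['contactable'])) {
        throw new RuntimeException('recipient is not contactable');
    }
    // 3. The sender address is taken from the account, never from the form, so it
    //    cannot be spoofed; it goes into Reply-To while From stays the forum's own.
    $replyTo = $users[$session['user_id']]['email'] ?? '';
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException('sender account has no valid address');
    }
    // 4. Every value that lands in a header is checked for injected line breaks.
    $subject = assertSingleLineHeader((string)($input['subject'] ?? ''), 'Subject');
    if ($subject === '' || mb_strlen($subject) > 200) {
        throw new InvalidArgumentException('subject missing or too long');
    }
    $to = assertSingleLineHeader($recipient['email'], 'To');
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException('recipient address invalid');
    }
    // 5. Plain-text body: drop control characters other than newline and tab,
    //    then append the forum tagline quoted in the thread.
    $message = preg_replace('/[^\P{C}\n\t]/u', '', (string)($input['message'] ?? '')) ?? '';
    $body = $message . "\n\n-- \nThis e-mail has been sent via the forum on " . FORUM_URL . "\n";

    $headers = ['From: ' . FORUM_FROM, 'Reply-To: ' . $replyTo, 'Content-Type: text/plain; charset=UTF-8'];
    return [
        'to'      => $to,
        'subject' => mb_encode_mimeheader($subject, 'UTF-8'),
        'body'    => $body,
        'headers' => implode("\r\n", $headers),
    ];
}

// Constructed data for a stand-alone run.
$users = [
    1 => ['email' => 'admin@example.org',  'contactable' => true],
    2 => ['email' => 'member@example.net', 'contactable' => true],
    3 => ['email' => 'quiet@example.com',  'contactable' => false],
];
$loggedIn = ['user_id' => 1];

$ok = buildContactMail(['subject' => 'Hello', 'message' => 'Hi there'], $loggedIn, $users, 2);
echo "accepted: to={$ok['to']}\n";
// To really send it: mail($ok['to'], $ok['subject'], $ok['body'], $ok['headers']);

$rejected = [
    'anonymous visitor'  => fn() => buildContactMail(['subject' => 'x', 'message' => 'y'], null, $users, 2),
    'recipient opted out' => fn() => buildContactMail(['subject' => 'x', 'message' => 'y'], $loggedIn, $users, 3),
    'line break in subject' => fn() => buildContactMail(['subject' => "x\r\nX-Injected: 1", 'message' => 'y'], $loggedIn, $users, 2),
];
foreach ($rejected as $case => $attempt) {
    try {
        $attempt();
        echo "$case: sent (unexpected)\n";
    } catch (Throwable $e) {
        echo "$case: rejected ({$e->getMessage()})\n";
    }
}
```

The design choice worth noting is that the only header the visitor influences is Subject, and that one is rejected outright if it contains a line break; From is a constant, so a bounce or complaint always points at the forum's own address and the server's reputation is not tied to whatever a form submitter typed. The "contactable" check mirrors the per-user option Micha refers to, and the login check is the "registered users only" restriction from the post above.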

email "sent from the forum" hacked & upgrade

by Micha ⌂, Wednesday, December 14, 2016, 07:55 (2661 days ago) @ Homie

Hi,

No bug?

Yes. A deprecated behaviour is if the forum sends mails to anyone, i.e. people who are *not* members of your forum. In your case, the *user enabled* the option "everyone can mail me", and "everyone" means "everyone", in particular non-desired mails. Akismet is used to check for SPAM, but this will never detect 100 % of SPAM.

So anybody can send emails to users who allow to be contacted by email?

If the user enabled this option, yes. The user can disable this feature to stop the receiving of SPAM-mails (as well as normal ones).

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

@Homie, I think, we need more info

by Auge ⌂, Wednesday, December 14, 2016, 09:59 (2661 days ago) @ Micha

Hello

@Milo: I append my entry onto yours, because it's matching at best.

No bug?

Yes. A deprecated behaviour is if the forum sends mails to anyone, i.e. people who are *not* members of your forum.

The forum does send emails to anyone (deprecated or not)? I am a bit confused, because until this point of the thread I can't identify the problem.

There are a few cases I know of in which one can send emails via the forum software.

1. The contact link; the forum is the sender (From), the admin (normally user #1) is the receiver (To).
2. The contact link of a user; the forum is the sender (From), the user is the receiver (To).
3. The entry-notification; the forum is the sender (From), the user is the receiver (To).

Did I miss a case? Are the descriptions in all cases correct?

My thoughts from bottom to top.

Number 3 is a pure automatism. It should not be possible to send spam via this function unless it's part of the message, but that would be another problem.

Number 2 requires the user to activate the setting to be contacted via email (as Milo said). But there is a second issue. The setting that activates the user area and restricts its access to registered users (or not) decides who can send emails via the forum script to the users' email addresses. This is the admin's decision and task.

Number 1 is a problem regarding email spam. In many countries the operator of a website (and of a forum on a website) must be reachable. So the function must be accessible to anyone (including the unavoidable spammers :-().

Until this point I didn't find any information about the receiver, the email headers or the content of the email in this thread. I found only a few fragments about the sender ("the forum") and the general structure of the subject, which led me nearly nowhere.

To identify the function and to be able to say whether it works as intended, whether it is or maybe was a bug, or whether it's a matter of settings, we need IMHO more information.

Bye, Auge

--
Never separate trash, because it has only one syllable!

@Homie, I think, we need more info

by Micha ⌂, Wednesday, December 14, 2016, 10:25 (2661 days ago) @ Auge

Hi,

@Milo: I append my entry onto yours, because it's matching at best.

No bug?

Yes. A deprecated behaviour is if the forum sends mails to anyone, i.e. people who are *not* members of your forum.


The forum does send emails to anyone (deprecated or not)?

To every reg. user in the forum depending on the option. The forum does not send emails to everyone else.

I am a bit confused, because until this point of the thread I can't identify the problem.

The Problem is: A reg. user enabled the option to get mails via the contact form. This user gets normal/desired mails. But the user also gets SPAM-mails because the contact form can be filled in by a robot. Homie wants to restrict the mails to the desired ones.


/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

@Homie, I think, we need more info

by Auge ⌂, Wednesday, December 14, 2016, 10:58 (2661 days ago) @ Micha

Hello

The forum does send emails to anyone (deprecated or not)?

To every reg. user in the forum depending on the option. The forum does not send emails to everyone else.

Ok, that's what I expected.

I am a bit confused, because until this point of the thread I can't identify the problem.

The Problem is: A reg. user enabled the option to get mails via the contact form. This user gets normal/desired mails. But the user also gets SPAM-mails because the contact form can be filled in by a robot. Homie wants to restrict the mails to the desired ones.

Ok, if Homie as the forum's admin restricts the access to the user area to registered users, this way should be blocked. The IMHO last case is the link to the contact form beside the user's name in the metadata of the entries.

If the user wants to be contactable via the forum and the admin says the user area is restricted to registered users, the email link in an entry is nevertheless accessible to anyone, or isn't it? Maybe the contact link in an entry should be subject to the same restrictions as the user area. But what to do with email addresses in entries of unregistered visitors? Should they also be restricted to registered users in my scenario?

There is no general solution except to hide the email address. If one wants to contact me, one can do this in the forum. If it should be a private conversation, we can arrange the use of another channel (maybe with temporary content of a forum entry).

Bye, Auge

--
Never separate trash, because it has only one syllable!

@Homie, I think, we need more info

by Micha ⌂, Wednesday, December 14, 2016, 11:32 (2661 days ago) @ Auge

Hi,

Ok, that's what I expected.

Yes, and that's why I summarized: It is not a bug.

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences