Bootwhmcs / bootwhmcs

Template files for Bootwhmcs

Possible spam based on theme. #62

Closed JonTheWong closed 10 years ago

JonTheWong commented 10 years ago

Hello, I've recently started receiving emails from my domain to my domain.

I run WHMCS in live and dev mode on the same server in different directories, as you can see below. Both installs run bootwhmcs/bootorder. I started receiving emails 5-10 in a row and, based on the logs, I can see it's coming from my contact.php on both installs. I restricted the files as a prevention and opened a ticket with WHMCS (#PJL-512160).

The IP sending both spams is 176.31.83.170, belonging to OVH France; I've opened an abuse ticket with them (#286218).

Is anyone else having this issue using this theme or with WHMCS directly? I don't have time to completely investigate at the moment. Was just wondering if anyone else noticed this.

Kind regards,

Here are the logs:

Delivered-To: jwong@mydomain.tld
Received: by 10.194.42.198 with SMTP id q6csp30852wjl; Sat, 11 Oct 2014 21:19:43 -0700 (PDT)
X-Received: by 10.70.89.72 with SMTP id bm8mr15604844pdb.63.1413087582237; Sat, 11 Oct 2014 21:19:42 -0700 (PDT)
Return-Path: info+bncBAABBXEC5CQQKGQENSHB5CI@mydomain.tld
Received: from mail-pa0-x248.google.com (mail-pa0-x248.google.com [2607:f8b0:400e:c03::248]) by mx.google.com with ESMTPS id 9si7340827pdh.135.2014.10.11.21.19.41 for jwong@mydomain.tld (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 11 Oct 2014 21:19:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of info+bncBAABBXEC5CQQKGQENSHB5CI@mydomain.tld designates 142.4.211.221 as permitted sender) client-ip=142.4.211.221;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of info+bncBAABBXEC5CQQKGQENSHB5CI@mydomain.tld designates 142.4.211.221 as permitted sender) smtp.mail=info+bncBAABBXEC5CQQKGQENSHB5CI@mydomain.tld; dkim=pass header.i=@mydomain.tld
Received: by mail-pa0-f72.google.com with SMTP id kx10sf24959440pab.7 for jwong@mydomain.tld; Sat, 11 Oct 2014 21:19:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.tld; s=zm; h=to:subject:date:from:message-id:mime-version:sender :x-original-sender:x-original-authentication-results:precedence :mailing-list:list-id:list-help:reply-to:content-type :content-transfer-encoding; bh=I8y9nHbsIlEI9wwkHT+g/ne30L/+LmqQhc/R4fC3ATQ=; b=gqiyhiQD/Mh9XELsknxt46EguGI25h/Ec0WTGNVF0M1hlhJrRBAkQOJVGde8OFMlIs 3qWTFaOwIp7jWhvw4gGjID4h1sPQTO5EyNR8C0VFM5UXTaD27gRnljv/PGopy3UxkgYY fkQbjxJQxaNfoofXw7dMF38QtCRCHLqCd3tQo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:subject:date:from:message-id:mime-version :sender:x-original-sender:x-original-authentication-results :precedence:mailing-list:list-id:list-help:reply-to:content-type :content-transfer-encoding; bh=I8y9nHbsIlEI9wwkHT+g/ne30L/+LmqQhc/R4fC3ATQ=; b=DRXvkzSWSQZpvK6MUhXt69lPBLKN628Q4pV2obUPYqmTJrDP1KWrAkfjEyOQetVnjF UpcAOBFJHK9m7sUv0opku0ZCwUUFykSFX/vWms23fe8ixbSRz1TNRnCJNxmB83KRWtUF dhkUn1IemkDh79Ig96KLCthilDRVpJaJ7jVu6de7tydHH4j1FqwFCErjPeTSGdY1XBZl MobmOtqwpYF32crL7kUfToua/FC8x3K84gK+bx8IAUHjvp/+FUzfJQ4Pw/Ij5To8b+Lu 3mApYsxQlZZTmdVQnzN9JoIMPDrCpMAmCVxUAl7QsS/W4A3M2qACk4J/TGNH5tnoxDsm xrsA==
X-Gm-Message-State: ALoCoQmKlVQbuXgB4bmVlJ1s1n8NIk0maUZGxnvQQGvn1YyMqHlTE6KCu4x53XwA13zFRPhpVY3h
X-Received: by 10.66.171.231 with SMTP id ax7mr5508743pac.29.1413087581031; Sat, 11 Oct 2014 21:19:41 -0700 (PDT)
X-BeenThere: info@mydomain.tld
Received: by 10.140.98.34 with SMTP id n31ls659747qge.27.gmail; Sat, 11 Oct 2014 21:19:40 -0700 (PDT)
X-Received: by 10.140.93.33 with SMTP id c30mr12992930qge.8.1413087580885; Sat, 11 Oct 2014 21:19:40 -0700 (PDT)
Received: from magi.my2nddomain.tld (magi.my2nddomain.tld. [142.4.211.221]) by mx.google.com with ESMTPS id c20si18616032qax.63.2014.10.11.21.19.40 for info@mydomain.tld (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 11 Oct 2014 21:19:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of zenithm@magi.my2nddomain.tld designates 142.4.211.221 as permitted sender) client-ip=142.4.211.221;
Received: from zenithm by magi.my2nddomain.tld with local (Exim 4.82) (envelope-from zenithm@magi.my2nddomain.tld) id 1XdAd3-0001qN-JC for info@mydomain.tld; Sun, 12 Oct 2014 00:19:40 -0400
To: info@mydomain.tld
Subject: Contact Form: (DEAL) Get cheap nike shoes!
X-PHP-Script: portal.mydomain.tld/contact.php for 176.31.83.170
Date: Sun, 12 Oct 2014 00:19:33 -0400
From: "'Nike Shoes' via info" info@mydomain.tld
Message-ID: fadcc1b2d2f862bcf2b8165db9fe53c2@www.mydomain.tld
X-Priority: 3
MIME-Version: 1.0
Sender: zenithm@magi.my2nddomain.tld
X-OutGoing-Spam-Status: No, score=2.2
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - magi.my2nddomain.tld
X-AntiAbuse: Original Domain - mydomain.tld
X-AntiAbuse: Originator/Caller UID/GID - [502 500] / [47 12]
X-AntiAbuse: Sender Address Domain - magi.my2nddomain.tld
X-Get-Message-Sender-Via: magi.my2nddomain.tld: authenticated_id: zenithm/only user confirmed/virtual account not confirmed
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/zenithm/public_html/portal/contact.php
X-Source-Dir: mydomain.tld:/public_html/portal
X-From-Rewrite: rewritten was: [nicenikies4u@gmail.com], actual sender is not the same system user
X-Original-Sender: zenithm@magi.my2nddomain.tld
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of zenithm@magi.my2nddomain.tld designates 142.4.211.221 as permitted sender) smtp.mail=zenithm@magi.my2nddomain.tld; dmarc=pass (p=REJECT dis=NONE) header.from=my2nddomain.tld
Precedence: list
Mailing-list: list info@mydomain.tld; contact info+owners@mydomain.tld
List-ID:
X-Google-Group-Id: 30852331462
List-Help: http://support.google.com/a/mydomain.tld/bin/topic.py&topic=25838, mailto:info+help@mydomain.tld
X-Original-From: Nike Shoes zenithm@magi.my2nddomain.tld
Reply-To: Nike Shoes zenithm@magi.my2nddomain.tld
Content-Type: multipart/alternative; boundary="b1_fadcc1b2d2f862bcf2b8165db9fe53c2"
Content-Transfer-Encoding: base64

--b1_fadcc1b2d2f862bcf2b8165db9fe53c2
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64


--b1_fadcc1b2d2f862bcf2b8165db9fe53c2
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64


--b1_fadcc1b2d2f862bcf2b8165db9fe53c2--

Email mail log:

2014-10-12 00:17:41 SMTP connection from [127.0.0.1]:59081 (TCP/IP connection count = 1)
2014-10-12 00:17:57 SMTP connection from (localhost) [127.0.0.1]:59081 closed by QUIT
2014-10-12 00:19:33 cwd=/home/zenithm/public_html/portal 3 args: /usr/sbin/sendmail -t -i
2014-10-12 00:19:40 1XdAd3-0001qN-JC U=zenithm Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as NOT spam (2.2)"
2014-10-12 00:19:40 1XdAd3-0001qN-JC U=zenithm Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as NOT spam (2.2/800)"
2014-10-12 00:19:40 1XdAd3-0001qN-JC <= zenithm@magi.my2nddomain.tld U=zenithm P=local S=1768 id=fadcc1b2d2f862bcf2b8165db9fe53c2@www.mydomain.tld T="Contact Form: (DEAL) Get cheap nike shoes!" for info@mydomain.tld
2014-10-12 00:19:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XdAd3-0001qN-JC
2014-10-12 00:19:40 1XdAd3-0001qN-JC From: header (rewritten was: [nicenikies4u@gmail.com], actual sender is not the same system user) original=[nicenikies4u@gmail.com] actual_sender=[zenithm@magi.my2nddomain.tld]
2014-10-12 00:19:40 1XdAd3-0001qN-JC SMTP connection outbound 1413087580 1XdAd3-0001qN-JC mydomain.tld info@mydomain.tld
2014-10-12 00:19:40 1XdAd3-0001qN-JC => info@mydomain.tld R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.29.26] X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 2.0.0 OK 1413087580 c20si18616032qax.63 - gsmtp"
2014-10-12 00:19:40 1XdAd3-0001qN-JC Completed

Here is the dev log:

Delivered-To: jwong@mydomain.tld
Received: by 10.194.42.198 with SMTP id q6csp129095wjl; Sat, 11 Oct 2014 14:32:15 -0700 (PDT)
X-Received: by 10.236.165.199 with SMTP id e47mr21533247yhl.12.1413063134909; Sat, 11 Oct 2014 14:32:14 -0700 (PDT)
Return-Path: info+bncBAABBXOD42QQKGQEBBY4ZFI@mydomain.tld
Received: from mail-yh0-x248.google.com (mail-yh0-x248.google.com [2607:f8b0:4002:c01::248]) by mx.google.com with ESMTPS id k78si16115526yhq.179.2014.10.11.14.32.13 for jwong@mydomain.tld (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 11 Oct 2014 14:32:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of info+bncBAABBXOD42QQKGQEBBY4ZFI@mydomain.tld designates 142.4.211.221 as permitted sender) client-ip=142.4.211.221;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of info+bncBAABBXOD42QQKGQEBBY4ZFI@mydomain.tld designates 142.4.211.221 as permitted sender) smtp.mail=info+bncBAABBXOD42QQKGQEBBY4ZFI@mydomain.tld; dkim=pass header.i=@mydomain.tld
Received: by mail-yh0-f72.google.com with SMTP id a41sf19189243yho.11 for jwong@mydomain.tld; Sat, 11 Oct 2014 14:32:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.tld; s=zm; h=to:subject:date:from:message-id:mime-version:sender :x-original-sender:x-original-authentication-results:precedence :mailing-list:list-id:list-help:reply-to:content-type :content-transfer-encoding; bh=JVtzqxi8UtebkGUcIsmZX7Wz+q8qjKGmEol0Lgddcu4=; b=bapj2sQn0vu3LB1Dc35RocETmd4B/FT6lvO58nVW5nPInwnMTtgomjSOSEJy358qkT Jz449//3CIYLTf+iu0cyxbkOjipwVd8GqR4Lv01ZTgOhQxyJaTRRaC+FG9NpCzWuhcwa 0sygoEcjn8Wthxb4z/UIs7TXGjqIKK8bI68bo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:subject:date:from:message-id:mime-version :sender:x-original-sender:x-original-authentication-results :precedence:mailing-list:list-id:list-help:reply-to:content-type :content-transfer-encoding; bh=JVtzqxi8UtebkGUcIsmZX7Wz+q8qjKGmEol0Lgddcu4=; b=Y/gZikyx7pRtgv9fTKUTUl81LXk+U0D4KVx6fPyVPL8FEyxEXdTzfOYHyS0B7bhoU5 a7yAZXVQXeHlyrTwtVf95o6cmR/9/GI35WZPi+lvwvtyxi6+ZFYwj1vpY951/ECBcCgl abZ8CqRzHsGSGltd2bkn3+hg1/YNEM0h9pTAUYfuIQH0PzukpSvRa0aZvprx9sKYDpJa +8t5r9Q+DFGeJS3XPY09k26GYIM6jy14b6i94dTGpxDS9mEtvxk5XbqBmLhtmw4IyEde ZQyGPYebpXV5nG5BEtCDPI9XJ3lgQiymlgv8+utZzMKGAMggn7jdO2zGXrUY69eXyWHO WFug==
X-Gm-Message-State: ALoCoQk/hARHoagwduQIezNjdJCnfClN3RE1NnraeqxXYXc/EZkxQisMvm+IuAj9wxHJ5/vO6Rcw
X-Received: by 10.52.182.3 with SMTP id ea3mr4488200vdc.7.1413063133805; Sat, 11 Oct 2014 14:32:13 -0700 (PDT)
X-BeenThere: info@mydomain.tld
Received: by 10.140.91.85 with SMTP id y79ls1311468qgd.55.gmail; Sat, 11 Oct 2014 14:32:13 -0700 (PDT)
X-Received: by 10.224.76.5 with SMTP id a5mr23753932qak.72.1413063133644; Sat, 11 Oct 2014 14:32:13 -0700 (PDT)
Received: from magi.my2nddomain.tld (magi.my2nddomain.tld. [142.4.211.221]) by mx.google.com with ESMTPS id 88si17722400qgj.60.2014.10.11.14.32.13 for info@mydomain.tld (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 11 Oct 2014 14:32:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of zenithm@magi.my2nddomain.tld designates 142.4.211.221 as permitted sender) client-ip=142.4.211.221;
Received: from zenithm by magi.my2nddomain.tld with local (Exim 4.82) (envelope-from zenithm@magi.my2nddomain.tld) id 1Xd4Gi-0001hc-9d for info@mydomain.tld; Sat, 11 Oct 2014 17:32:12 -0400
To: info@mydomain.tld
Subject: Contact Form: (DEAL) Get cheap nike shoes!
X-PHP-Script: mydomain.tld/ppp/contact.php for 176.31.83.170, 176.31.83.170
Date: Sat, 11 Oct 2014 17:32:04 -0400
From: "'Nike Shoes' via info" info@mydomain.tld
Message-ID: b7bc0fbbb6549c6180720f29a9598c22@mydomain.tld
X-Priority: 3
X-Mailer: Zenith Test
MIME-Version: 1.0
Sender: zenithm@magi.my2nddomain.tld
X-OutGoing-Spam-Status: No, score=2.2
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - magi.my2nddomain.tld
X-AntiAbuse: Original Domain - mydomain.tld
X-AntiAbuse: Originator/Caller UID/GID - [502 500] / [47 12]
X-AntiAbuse: Sender Address Domain - magi.my2nddomain.tld
X-Get-Message-Sender-Via: magi.my2nddomain.tld: authenticated_id: zenithm/only user confirmed/virtual account not confirmed
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/zenithm/public_html/ppp/contact.php
X-Source-Dir: mydomain.tld:/public_html/ppp
X-From-Rewrite: rewritten was: [nicenikies4u@gmail.com], actual sender is not the same system user
X-Original-Sender: zenithm@magi.my2nddomain.tld
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of zenithm@magi.my2nddomain.tld designates 142.4.211.221 as permitted sender) smtp.mail=zenithm@magi.my2nddomain.tld; dmarc=pass (p=REJECT dis=NONE) header.from=my2nddomain.tld
Precedence: list
Mailing-list: list info@mydomain.tld; contact info+owners@mydomain.tld
List-ID:
X-Google-Group-Id: 30852331462
List-Help: http://support.google.com/a/mydomain.tld/bin/topic.py&topic=25838, mailto:info+help@mydomain.tld
X-Original-From: Nike Shoes zenithm@magi.my2nddomain.tld
Reply-To: Nike Shoes zenithm@magi.my2nddomain.tld
Content-Type: multipart/alternative; boundary="b1_b7bc0fbbb6549c6180720f29a9598c22"
Content-Transfer-Encoding: 8bit

--b1_b7bc0fbbb6549c6180720f29a9598c22
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Hello,

We offer very cheap nike shoes. Treat someone or yourself to a pair this Christmas!

All shoes are of the finest quality. Browse our store now! We have something for everyone!

http://www.sportsshoesnike.com/

--b1_b7bc0fbbb6549c6180720f29a9598c22
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

Hello,

We offer very cheap nike shoes. Treat someone or yourself to a pair this Christmas!

All shoes are of the finest quality. Browse our store now! We have something for everyone!

http://www.sportsshoesnike.com/

--b1_b7bc0fbbb6549c6180720f29a9598c22--

2014-10-11 17:31:22 SMTP connection from [127.0.0.1]:57372 (TCP/IP connection count = 1)
2014-10-11 17:31:38 SMTP connection from (localhost) [127.0.0.1]:57372 closed by QUIT
2014-10-11 17:32:04 cwd=/home/zenithm/public_html/ppp 3 args: /usr/sbin/sendmail -t -i
2014-10-11 17:32:12 1Xd4Gi-0001hc-9d U=zenithm Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as NOT spam (2.2)"
2014-10-11 17:32:12 1Xd4Gi-0001hc-9d U=zenithm Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING not smtp message as NOT spam (2.2/800)"
2014-10-11 17:32:13 1Xd4Gi-0001hc-9d <= zenithm@magi.my2nddomain.tld U=zenithm P=local S=1552 id=b7bc0fbbb6549c6180720f29a9598c22@mydomain.tld T="Contact Form: (DEAL) Get cheap nike shoes!" for info@mydomain.tld
2014-10-11 17:32:13 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xd4Gi-0001hc-9d
2014-10-11 17:32:13 1Xd4Gi-0001hc-9d From: header (rewritten was: [nicenikies4u@gmail.com], actual sender is not the same system user) original=[nicenikies4u@gmail.com] actual_sender=[zenithm@magi.my2nddomain.tld]
2014-10-11 17:32:13 1Xd4Gi-0001hc-9d SMTP connection outbound 1413063133 1Xd4Gi-0001hc-9d mydomain.tld info@mydomain.tld
2014-10-11 17:32:13 1Xd4Gi-0001hc-9d => info@mydomain.tld R=lookuphost T=remote_smtp H=aspmx.l.google.com [64.233.171.27] X=UNKNOWN:ECDHE-RSA-AES128-GCM-SHA256:128 C="250 2.0.0 OK 1413063133 88si17722400qgj.60 - gsmtp"
2014-10-11 17:32:13 1Xd4Gi-0001hc-9d Completed
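As an added example (not from this issue, the Bootwhmcs theme or WHMCS), a small Python triage for the kind of cPanel/Exim headers shown above: it treats a message as suspicious when X-From-Rewrite shows the From: was forged by a script, and reads the script path and requesting client IP out of X-PHP-Script, so one run shows which forms one client is driving across several installs. The sample messages are constructed, using example.test hosts and documentation IP addresses rather than the real ones from the report.

```python
import re
from email import message_from_string

# Constructed sample messages modelled on the cPanel/Exim headers in the report; not real mail.
SAMPLE_MESSAGES = [
    "Subject: Contact Form: (DEAL) Get cheap shoes!\n"
    "X-PHP-Script: portal.example.test/contact.php for 198.51.100.7\n"
    "X-From-Rewrite: rewritten was: [shop@example.invalid], actual sender is not the same system user\n"
    "\nbody\n",
    "Subject: Contact Form: (DEAL) Get cheap shoes!\n"
    "X-PHP-Script: example.test/ppp/contact.php for 198.51.100.7, 198.51.100.7\n"
    "X-From-Rewrite: rewritten was: [shop@example.invalid], actual sender is not the same system user\n"
    "\nbody\n",
    # A legitimate submission: same script, different client, no forged From:.
    "Subject: Contact Form: Question about hosting\n"
    "X-PHP-Script: portal.example.test/contact.php for 203.0.113.9\n"
    "\nbody\n",
]

# X-PHP-Script reads "<script> for <ip>[, <ip>...]"; the first IP is the requesting client.
SCRIPT_RE = re.compile(r"^(?P<script>\S+)\s+for\s+(?P<ips>.+)$")


def script_origin(raw_message):
    """Return (script, client_ip) parsed from X-PHP-Script, or None if absent."""
    value = message_from_string(raw_message).get("X-PHP-Script")
    m = SCRIPT_RE.match(value.strip()) if value else None
    if not m:
        return None
    return m.group("script"), m.group("ips").split(",")[0].strip()


def triage(raw_messages):
    """Group forged-From script mail by client IP: {ip: {"count": n, "scripts": {...}}}.

    X-From-Rewrite means Exim replaced a From: that did not belong to the
    system user, i.e. the web form relayed mail on someone else's behalf.
    """
    findings = {}
    for raw in raw_messages:
        if message_from_string(raw).get("X-From-Rewrite") is None:
            continue  # From: matched the system user; not a relayed forgery
        origin = script_origin(raw)
        if origin is None:
            continue  # not generated by a PHP script at all
        script, ip = origin
        entry = findings.setdefault(ip, {"count": 0, "scripts": set()})
        entry["count"] += 1
        entry["scripts"].add(script)
    return findings
```

Feeding it the raw messages from a mailbox export reproduces the report's finding in one line: a single client IP hitting contact.php in both the live and the dev install.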

ghost commented 10 years ago

Hello,

Have you enabled captcha for the contact form?

JonTheWong commented 10 years ago

I did not have it enabled; I was looking into techniques like http://nfriedly.com/techblog/2009/11/how-to-build-a-spam-free-contact-forms-without-captchas/

The only problem I have with the default captcha is that it's enforced by default in domain lookups also. I know I could disable it via the theme, but I'd love a better solution than captchas.

ghost commented 10 years ago

This is a WHMCS-specific thing and is not related to the theme. I'm sure you can add your own custom field to the form itself, but I'm not sure if you're allowed to interact with how the form is processed, and I cannot parse the fields and throw the form away if a specific field is filled out.

JonTheWong commented 10 years ago

OK, perfect, just wanted to verify that the issue is not theme related.

Cheers.