geoffhumphrey / brewcompetitiononlineentry

https://brewingcompetitions.com

2.1.19-Spammers sending mail using process_contacts.inc.php #1164

Closed cbwatkins closed 4 years ago

cbwatkins commented 4 years ago

Version: 2.1.19

Installation URL: domrascup.com

Is your installation hosted on brewcompetition.com or brewcomp.com? No

Description of Issue: Spammers are sending email using our webhost account using the process_contacts.inc.php file. This was identified in the email headers: X-PHP-Originating-Script: 49727:process_contacts.inc.php

How do we secure the installation to prohibit spammers from sending email using the BCOE&M scripts that we installed?


geoffhumphrey commented 4 years ago

Hello @cbwatkins - thanks for reporting.

I just sent an email via your installation's contact form to see what headers are being returned by the installation. It looks like you have reCAPTCHA configured - without that spammer bots can easily use the contact form on your site to flood your inbox. With reCAPTCHA, it's a deterrent, but won't stop actual spammers from utilizing the contact form.

In looking at the code for contact processing, I cannot see a way for spammers to directly access that script without being authenticated. I'm investigating further, but haven't yet found a way to exploit the file by directly accessing the script.

cbwatkins commented 4 years ago

I just turned reCAPTCHA on AFTER this event occurred. With reCAPTCHA turned off, does this explain how they would have sent spam with our script?

Regards, Chris Watkins

On Mon, Sep 7, 2020 at 11:03 AM Geoff Humphrey notifications@github.com wrote:


geoffhumphrey commented 4 years ago

Yes, that absolutely explains it. Without reCAPTCHA, automated spambots trolling the internet can use contact forms to send spam email. CAPTCHA and reCAPTCHA were developed specifically to stop them by adding a form element that has to be interacted with by a human and cannot be "duped" by an automatic script.

With reCAPTCHA enabled, you've eliminated the bots, but that won't stop a determined human from using the form to send spam if they care to take the time. These are very few and far between, however. I get a few from Russia every once in a while that are amusing.
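The gate only works if the challenge is verified on the server before anything is mailed; as an added example that is not BCOE&M's own code, a PHP contact handler that refuses to hand the submission to the mail routine unless Google's siteverify endpoint confirms the challenge was solved on this site. The `sendContactMail()` function, the `RECAPTCHA_SECRET` environment variable and the `example.org` hostname are assumptions for the illustration.

```php
<?php
// Added example (not BCOE&M code): gate the contact-form send on a server-side
// reCAPTCHA v2 verification, failing closed when the check cannot be completed.

function verifyRecaptcha(string $secret, string $token, string $remoteIp, string $expectedHost): bool
{
    if ($token === '') {
        return false; // no challenge answered: treat the request as a bot
    }
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $remoteIp,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $raw = curl_exec($ch);
    curl_close($ch);
    if ($raw === false) {
        return false; // verification service unreachable: do not send
    }
    $result = json_decode($raw, true);
    // Require a successful challenge AND that it was solved on our own hostname,
    // so a token obtained on some other page cannot be replayed against this form.
    return is_array($result)
        && ($result['success'] ?? false) === true
        && ($result['hostname'] ?? '') === $expectedHost;
}

// Handler: only a verified human submission reaches the mail routine.
$ok = verifyRecaptcha(
    getenv('RECAPTCHA_SECRET') ?: '',      // placeholder: secret loaded from config
    $_POST['g-recaptcha-response'] ?? '',  // token posted by the reCAPTCHA widget
    $_SERVER['REMOTE_ADDR'] ?? '',
    'example.org'                          // placeholder: this installation's host
);
if (!$ok) {
    http_response_code(403);
    error_log('contact form: reCAPTCHA verification failed from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    exit('Contact form submission rejected.');
}
sendContactMail($_POST); // hypothetical: the application's existing mail routine
```

The X-PHP-Originating-Script header quoted in the report is added by PHP's mail.add_x_header setting; leaving it enabled is what lets a host trace outbound spam back to the script that sent it.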