spam being sent through Email To Friend - can't stop it
I've disabled Email to Friend for all usergroups and spam is still being sent out from our server.
I am getting bounce backs on undeliverable mail, otherwise I wouldn't even know it was going on. Here's the message being sent out. Please help if you have any experience with this. Thanks!

MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Date: Wed, 10 Oct 2012 20:30:48 -0700

tricia casellini, This is a message from Sarah4443 ( mailto: ) from the Travelers411 Travel Forums - Travel Deals - Travel Radio Shows. Ask Questions Get Answers! ( http://www.travelers411.com/forums/ ). The message is as follows: I made $89.99 last week by filling out 7 surveys! They only took 12 mins each :) Check it out http://removed by doob
You might want to edit out that last link, and don't click it.
Thanks for the suggestion, I changed the spammer's link to "removed by doob".
I'm guessing that other vB boards are being hit by the same spam, since it's obviously a hole in the forum's security. I'd love to talk with other 3.8ers to see what they've done to protect against this. My guess is it's an SQL injection of some sort, as I don't think the messages are even being sent by a registered user.
There are a few places in usergroups to turn it off; make sure you get them all. Also turn off Contact Us for guests.
In AdminCP -> Usergroups -> Usergroup Manager -> Usergroup, what besides "Can Use Email to Friend" should be turned off?
Is Contact Us a likely culprit? Unlike "Email to a Friend", "Contact Us" is hardwired to only send to a specific email.
It's not possible to stop it by just turning everything off. I had this a few weeks ago and I was getting hundreds+++ of emails bounced back, just like yours.
It is a hack you have installed or a plugin, but I don't know which one, as I had lost it trying to stop them. I just took the forum down, deleted ALL the files and the database, and started again.
No products installed and only a few hand-coded plugins, none of which immediately looks like it would have anything to do with the mail system.
I don't know if it's a security hole or what, but I think the option you want to set in the usergroup manager is "Can Email Members" in the General Permissions section. "Can Use Email to Friend" has to do with the "Email this page" link, according to the help for that option.
If you still have the problem you might try looking at your web server logs. If someone's using a security hole to spam all users, it seems like it should be easy to spot.
I believe I ticked off "Can Email Members" for all groups too, but will double check in the morning.
Based on the mailer-daemon bounce backs I looked at, none of the recipients or senders were members. I only looked at a statistically valid sample though, not all of them (there were over a thousand at least). That's what made me think it was a hole in Email to a Friend. I'll have to do more research either way, but please keep the suggestions coming.
Like I said, you have a compromised file somewhere.
I tried all this: Upload all new vBulletin files and clean up the database: no effect. OK, so then I thought I would htaccess the forum dir (password protect it): nope, still loads of emails bouncing back. Right, I will htaccess the whole website: still nope, still emails. OK then, let's close the website from inside AdminCP, right? Wrong, still loads of emails. All righty then, I will remove all hacks and plugins, even delete their files. Nope! Still emails. OK, disable plugins in the config.php file. Nope, nothing worked. So then I started to think maybe it was my server, so I checked all the settings and found nothing wrong with the server, maybe a few brute force attacks but that was all. By this time his email account on his website was being filled up so much that I got server admin emails warning me that that user had sent umpteen thousand and was reaching their limit. So because it was for a friend and he was not bothered about the few posts on there, he said I could delete it and he would start afresh. WOW, no more emails. Hope it helps.
Unfortunately a re-install isn't an option.
I'm working my way through logs, but off the top I don't see anything related to sendmessage.php or other obvious vBulletin PHP. I do see a fair number of errors that look like the following, but googling suggests they are comment spam, not PHP mail spam.

forums/index.php+++++++++++++++++++++++++++++++++++++Result:+\xed\xe5+\xed\xe0\xf8\xeb\xee\xf1\xfc+\xf4\xee\xf0\xec\xfb+\xe4\xeb\xff+\xee\xf2\xef\xf0\xe0\xe2\xea\xe8;+Result:+\xed\xe5+\xed\xe0\xf8\xeb\xee\xf1\xfc+\xf4\xee\xf0\xec\xfb+\xe4\xeb\xff+\xee\xf2\xef\xf0\xe0\xe2\xea\xe8;, referer: http://URLRemovedByDoob.com/index.ph...0%E0%E2%EA%E8;
You could also try looking through your plugins to see if you notice any that you don't recognize.
I'm pretty sure it's not a plugin problem.
I just ticked off "Allow Users to Email Other Members" under AdminCP -> vBulletin Options -> Email Options. I'll have to wait and see if that has any effect. Next step is probably to disable Email Functions on that same page and switch to SMTP and see if that has any effect. I may also be forced, belatedly, to upgrade to the current patch; however, in googling around this seems to affect folks running versions well into the 4.1.x strata.
Edit: I should add that I don't have a lot of experience with hacked sites or anything, I've just seen a few posts about it on the forum.
I just ticked off "Enable Email features?" under Email Options as the next step in testing. This really isn't how I saw my day going.
Have you checked for suspect files under AdminCP > Maintenance > Diagnostics to make sure all your core files are correct?
Thanks for that suggestion. I already checked. The only discrepancies are core files I edited myself.
So no files that you don't recognise, then? Check files outside of your forum root; you may have a file or two you don't recognise. Your server logs should show which file has been sending mail or being accessed a hell of a lot.
Do you have "Use Mailqueue System" set to on? Not that that's a problem of course, but if you had lots of emails queued then the logs showing what happened could be a long way back, and also disabling the options might not immediately stop mail from going out (I don't know if turning off email features clears the queue, but there's no check for that when mail from the queue is being sent out). Also, I don't know if there's a way in vB3 to see what's in the queue from the AdminCP, but you could look at the mailqueue table directly.
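The mailqueue check suggested in the post above, as an added example that is not part of the original thread. The column names are my recollection of vBulletin 3's mailqueue table and should be treated as an assumption; the rows are constructed, and SQLite stands in for MySQL so the script runs offline, but the three statements are the ones you would type into the mysql client against the real table: count and group what is waiting, find the rows carrying the spam text, and delete them so the cron job cannot send them.

```python
import sqlite3
from collections import Counter

# Column layout of vBulletin 3's mailqueue table as I remember it
# (mailqueueid, tounit, subject, message, header). This is an assumption;
# confirm it with DESCRIBE mailqueue on your own database first.
SCHEMA = """
CREATE TABLE mailqueue (
    mailqueueid INTEGER PRIMARY KEY,
    tounit      TEXT,
    subject     TEXT,
    message     TEXT,
    header      TEXT
)
"""

# Constructed sample rows: two legitimate notifications plus three
# Email-to-Friend messages carrying the spam text quoted in the thread.
# One recipient per row; addresses use reserved example domains.
SPAM_BODY = ("This is a message from Sarah4443 from the forums. The message is "
             "as follows: I made $89.99 last week by filling out 7 surveys!")
SAMPLE_ROWS = [
    ("member1@example.com", "Reply to your thread", "Hi, someone replied to your thread.", ""),
    ("member2@example.com", "Welcome to the forum", "Thanks for registering.", ""),
    ("victim1@example.net", "Message from Sarah4443", SPAM_BODY, ""),
    ("victim2@example.net", "Message from Sarah4443", SPAM_BODY, ""),
    ("victim3@example.org", "Message from Sarah4443", SPAM_BODY, ""),
]

# Any distinctive fragment of the spam works as the marker; on a real queue the
# spammer's URL (removed from the thread) is the better choice.
SPAM_MARKER = "filling out 7 surveys"


def open_sample_queue():
    """In-memory stand-in for the forum database, loaded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO mailqueue (tounit, subject, message, header) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS)
    conn.commit()
    return conn


def queue_summary(conn):
    """Total queued mails and a per-recipient-domain breakdown.
    A queue dominated by domains none of your members use is the tell."""
    rows = conn.execute("SELECT tounit FROM mailqueue").fetchall()
    domains = Counter(addr.rsplit("@", 1)[-1].lower() for (addr,) in rows)
    return len(rows), domains


def find_spam(conn, marker=SPAM_MARKER):
    """Queue rows whose body contains the marker, oldest first."""
    return conn.execute(
        "SELECT mailqueueid, tounit FROM mailqueue WHERE message LIKE ? "
        "ORDER BY mailqueueid",
        ("%" + marker + "%",)).fetchall()


def purge_spam(conn, marker=SPAM_MARKER):
    """Delete the spam rows so the queue runner cannot send them; returns the count."""
    cur = conn.execute("DELETE FROM mailqueue WHERE message LIKE ?",
                       ("%" + marker + "%",))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_sample_queue()
    total, by_domain = queue_summary(db)
    print(f"{total} queued; by domain: {dict(by_domain)}")
    print("spam rows:", find_spam(db))
    print("purged:", purge_spam(db))
    print("remaining:", queue_summary(db)[0])
```

Take a backup of the table before running the DELETE, and keep a copy of the spam rows: the tounit list is your evidence that the recipients are not members, and the header column shows which sender address the forum was putting on the mail.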
Use Mailqueue System was set to Yes. It looks like bounce backs are coming in about 1 second after the mail is sent, based on the mailer daemon info and the header. It does seem like I'm flooded with bounce backs for a short time, and then there's a gap before the next batch buries my email. I'm still a little unclear on how this function works, but it sounds like if I set it to "no" then emails would just go out instantly rather than in some sort of batched delay.
I ticked off "Enable Email features?" and bounce-backs stopped dead. I guess I'll need to wait and see if that's a real indicator or related to the Mailqueue System. I already disabled Email to a Friend and Email to Members in the usergroups, but I like and want the other features, so I don't look forward to having to rewrite this stuff: Report Bad Post, 'Contact Us' Link, Email a Member, Email this Page to a Friend, New Post Notifications to Members.
Do you have vBSEO? If so, is it up to date?
No, vBSEO is not installed.
I'm VERY curious to see if the bounce-backs are stopped by ticking off that "Enable Email features?". I think I'm at an impasse and can only "wait and see" now.
Sneaky little buggers, them hackers. Most of mine were from China, some from Korea and a few from the US, and they don't have to be on your site to do it, not even as a guest.
If you have access to the server, look for brute force attack logs too.
ohoooo ?
My understanding was that registration emails would still be sent and that there is a potential that the email being sent could be impersonating vBulletin-based mail.
It does look like the bounce backs have completely stopped, so question 1 is: if Email to Friend and Email Members are individually disabled in all usergroups, can I trust that those functions are truly disabled? The next question is whether anyone has found specific holes in the other email functions that I should look at.
You should also consider blocking the stupid-long script at the server level. For Linux, use mod_security, and for Windows use URLScan 3. Some of those injections use common query strings that serve no legitimate purpose.

The "email to friend" function is really nothing more than an open proxy in my opinion, and I'd leave it turned off. Or at best, only enable it for users that have been members longer than "X" amount of days (as in months). That last one would probably require some if/then/else comments custom added into some files, or as a custom plugin. I use things like that to limit access to certain site features. You could even leverage htaccess/web.config or in-file PHP to block certain /8 or /16 IP ranges, to prevent use of that file. On one of my sites, we've started to block the register.php page from China subnets, because something like 0.01% was legitimate. (An alternative contact form is available for those wrongly blocked, which allows manual account creation.)

@WEBDosser: "and a few from the US" ... and those were likely Chinese users from USA-based VPS used as cheap VPN/proxy. Certain hosting subnets should also be blocked. You just have to be diligent about checking server logs, and spotting trends -- and then blocking the bad incoming traffic routes.

You can also limit mail at the mail server itself. cPanel has nice plugins from Config Server to help with this. And then you can configure the mail server. If you're on shared hosting -- and therefore have no real server access -- then this would be a good reason/excuse to migrate to a VPS. You simply need more control to block things as you see fit. Best of luck to you. :)
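The log-hunting advice given at several points in this thread (look at the web server logs, spot the script being accessed a hell of a lot, and block the stupid-long query strings at the server level), as an added example that is not part of the original thread. The parser, thresholds and log lines below are mine: the IPs come from the RFC 5737 documentation ranges and every line is constructed. The one "Result:" line reproduces the shape of the error-log entry quoted earlier in the thread; its \xNN bytes are Windows-1251 Cyrillic, decoding to "не нашлось формы для отправки" (roughly "no form found for posting"), a marker commonly attributed to the XRumer forum-spam tool, so a request carrying it is bot traffic regardless of what it hit.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format. Sample lines are constructed below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Thresholds are assumptions for the example; tune them to your own traffic.
MAX_QUERY_LEN = 200       # longer than any legitimate vBulletin query string here
MIN_HITS_PER_SCRIPT = 5   # "accessed a hell of a lot" for this tiny sample
BOT_MARKER = "Result:"    # leading text of the marker quoted in the thread


def decode_escaped(s):
    """Turn %XX (access log) and \\xXX (Apache error log) escapes into text.
    The \\xed\\xe5... bytes quoted in the thread are Windows-1251 Cyrillic."""
    raw = re.sub(r'%([0-9A-Fa-f]{2})|\\x([0-9A-Fa-f]{2})',
                 lambda m: chr(int(m.group(1) or m.group(2), 16)), s)
    return raw.encode('latin-1', errors='replace').decode('cp1251', errors='replace')


def parse_line(line):
    """One combined-format line -> dict, with the target split into path/query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['path'], _, rec['query'] = rec['target'].partition('?')
    return rec


def classify(rec):
    """Reasons a request looks like spam-bot traffic (empty list = clean)."""
    reasons = []
    q = rec['query']
    if len(q) > MAX_QUERY_LEN:
        reasons.append('long-query')
    if '++++++' in q:                       # the '+' padding seen in the thread
        reasons.append('plus-run')
    if BOT_MARKER in decode_escaped(q.replace('+', ' ')):
        reasons.append('bot-result-marker')
    return reasons


def triage(lines):
    """Hit count per script above the threshold, plus flagged (ip, path, reasons)."""
    hits = Counter()
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits[rec['path']] += 1
        reasons = classify(rec)
        if reasons:
            flagged.append((rec['ip'], rec['path'], reasons))
    busy = {p: n for p, n in hits.items() if n >= MIN_HITS_PER_SCRIPT}
    return busy, flagged


# Constructed sample: two normal visitors, one comment-spam probe carrying the
# Windows-1251 marker (percent-encoded as it would appear in an access log),
# one overlong query, and one source hammering the Email-to-Friend script.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2012:20:29:01 -0700] "GET /forums/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Oct/2012:20:29:30 -0700] "GET /forums/index.php?styleid=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2012:20:30:40 -0700] "GET /forums/index.php?+++++++++++++++Result:+%ED%E5'
    '+%ED%E0%F8%EB%EE%F1%FC+%F4%EE%F0%EC%FB+%E4%EB%FF+%EE%F2%EF%F0%E0%E2%EA%E8; HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.8 - - [10/Oct/2012:20:30:41 -0700] "GET /forums/index.php?' + 'A' * 250
    + ' HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
] + [
    f'203.0.113.5 - - [10/Oct/2012:20:30:{42 + i:02d} -0700] "POST /forums/sendmessage.php HTTP/1.1" 200 812 '
    '"http://www.travelers411.com/forums/sendmessage.php?do=sendtofriend" "Mozilla/4.0"'
    for i in range(6)
]


def run_sample():
    return triage(SAMPLE_LOG)


if __name__ == '__main__':
    busy, flagged = run_sample()
    print('busy scripts:', busy)
    for ip, path, reasons in flagged:
        print(f'{ip} {path} {reasons}')
```

Against a real log, call triage(open('access_log')): the busy-script count answers the question of which file is being hit constantly (here sendmessage.php, the script behind Email to a Friend), and the flagged list gives the source addresses to put into .htaccess or a mod_security rule. The entry quoted earlier in the thread came from the Apache error log, where the bytes are written as \xNN rather than %NN; decode_escaped handles both forms, so you can paste that string straight in.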
What exactly do you mean by "stupid long scripts". Are you talking Vbulletin default files or what?
Stupid long scripts. You may need a server admin. Good security is difficult to DIY, especially if you're not skilled in that area. |
Check your website for open relays:
http://www.mailradar.com/openrelay/
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.