spam being sent through Email To Friend - can't stop it

[doob]

I've disabled Email to Friend for all usergroups and spam is still being sent out from our server.

I am getting bounce backs on undeliverable mail, otherwise I wouldn't even know it was going on. Here's the message being sent out. Please help if you have any experience with this. Thanks!

MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Date: Wed, 10 Oct 2012 20:30:48 -0700

tricia casellini,

This is a message from Sarah4443 ( mailto: ) from the Travelers411 Travel Forums - Travel Deals - Travel Radio Shows. Ask Questions Get Answers! ( http://www.travelers411.com/forums/ ).

The message is as follows:

I made $89.99 last week by filling out 7 surveys!
They only took 12 mins each
Check it out http://removed by doob

[Brandon Sheley]

might want to edit out that last link, and don't click it

[doob]

Thanks for the suggestion, I changed the spammer's link to "removed by doob".

I'm guessing that other VB boards are being hit by the same spam since its obviously a whole in the forum's security.

I'd love to talk with other 3.8 ers to see what they've done to protect against this. My guess is its an sql injection of some sort as I don't think the messages are even being sent by a registered user.

[ForceHSS]

there is a few place in user groups to turn it off make sure you get them all also turn off contact us for guests

[doob]

In AdminCP -> Usergroups ->Usergroup Manager - Usergroup what besides "Can Use Email to Friend" should be turned off?

Is contact-us a likely culprit? Unlike "Email to a Friend", "Contact-Us" is hardwired to only send to a specific email.

[WEBDosser]

it's not possible by just turning everything off, i had this a few weeks ago and i was getting hundreds+++ of emails bounced back just like yours..

It is a hack you have installed or a pluggin but i don't know which one as i had lost it with trying to stop them i just took the forum down deleted ALL the files and the database and started again.

[doob]

No products installed and only a few hand coded plugins none of which immediately looks like it would have anything to do with the mail system.

[kh99]

I don't know if it's a security hole or what, but I think the option you want to set in the usergroup manager is "Can Email Members" in the General Permissions section. "Can Use Email to Friend" has to do with the "Email this page" link, according to the help for that option.

If you still have the problem you might try looking at your web server logs. If someone's using a security hole to spam all users, it seems like it should be easy to spot.

[doob]

Believe I ticked off "Can Email Members' for all groups too, but will double check in the morning.

Based on the mailer-daemon bounce backs I looked at none of the recipients or senders were members. I only looked at a statistically valid sample though, not all of them (there were over a thousand at least).

That's what made me think it was a hole in the Email to a Friend. I'll have to do more research either way, but please keep the suggestions coming.

[kh99]

Quote:

Originally Posted by doob

Based on the mailer-daemon bounce backs I looked at none of the recipients or senders were members.

Well, I guess what I mean is that if many emails are being sent out, then it should show up in the logs as many requests to a single file from the same ip, so you might be able to spot that and see which php file is being used.