Spam via sendmessage.php?

  • raywjohnson
    Member
    • Apr 2007
    • 99
    • 5.3.x

    Spam via sendmessage.php?

    Not sure if this is just a clever spoof, a bug, or a security issue. But, it looks like someone is able to send spam from my install of vB (via the sendmessage.php). I have been getting one or two of the following bounced emails every day for a week or so. (I cleaned it of site, domain, and server names).

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    [email protected]
    SMTP error from remote mail server after RCPT TO:<[email protected]>:
    host bcgsa.com [206.130.110.179]: 550 5.1.1 <[email protected]>... User unknown

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <bounce@DOMAINNAME>
    Received: from SERVERNAME ([127.0.0.1] helo=localhost)
    by DOMAINNAME with esmtp (Exim 4.63)
    (envelope-from <bounce@DOMAINNAME>)
    id 1M132x-0000od-U4
    for [email protected]; Mon, 04 May 2009 13:37:55 -0500
    Date: Mon, 04 May 2009 18:37:47 +0000
    To: [email protected]
    From: "SITENAME" <webmaster@DOMAINNAME>
    Auto-Submitted: auto-generated
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: text/plain; charset="UTF-8"
    Content-Transfer-Encoding: 8bit
    X-Priority: 3
    X-Mailer: vBulletin Mail via PHP
    X-EZbouncer: http://www.DOMAINNAME/admincp/ezbounce.php?u=
    Subject: [email protected]
    X-Spam-Report: Spam detection software, running on the system "SERVERNAME.DOMAINNAME", has
    identified this incoming email as possible spam. The original message
    has been attached to this so you can view it (if it isn't spam) or label
    similar future email. If you have any questions, see
    the administrator of that system for details.
    Content preview: Della Riley, This is a message from Kayla Trujillo ( mailto:
    ) from the SITENAME ( http://www.DOMAINNAME/ ). The message is as follows:
    [...]
    Content analysis details: (-0.2 points, 5.0 required)
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
    2.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence
    -1.3 AWL AWL: From: address is in the auto white-list


    Della Riley,

    This is a message from Kayla Trujillo ( mailto: ) from the SITENAME ( http://www.DOMAINNAME/ ).

    The message is as follows:

    38jkwskkr2m1lzdb
    <a href= http://zlqhmztvas.com >tplnh mzfv</a>

    <a href= http://kmoqzgk.com >msxhfpz idyfjga</a>

    <SNIPPED>

    SITENAME takes no responsibility for messages sent through its system.

    The usernames (Della Riley and Kayla Trujillo) do not exist (in my user table), nor does the email address: [email protected].

    I notice the ( mailto: ) is blank and the userid is missing from: /admincp/ezbounce.php?u=

    Thanks for any assistance or insight.

    --RayJ
  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 74172

    #2
    Well sendmessage.php is the contact form and doesn't require a username or password to use. It appears you have a modification that sends a copy of the message to the user and that is what bounced. The original would have gone to whatever email you have set up for email contact.

    I don't know what the file ezbounce.php is. That isn't a vBulletin file.

    • raywjohnson
      Member
      • Apr 2007
      • 99
      • 5.3.x

      #3
      Originally posted by Wayne Luke
      Well sendmessage.php is the contact form and doesn't require a username or password to use.
      I know this. It is sending to an email address that I have not setup for it to send to. It should only send to one of two email addresses (I would receive the email from either).

      Originally posted by Wayne Luke
      It appears you have a modification that sends a copy of the message to the user and that is what bounced.
      I do not have a modification that does this.

      Originally posted by Wayne Luke
      The original would have went to whatever email you have set up for email contact.
      I did not receive any original. The headers of the email show: To: [email protected]

      The AdminCP -> vBulletin Options -> Site Name / URL / Contact Details -> Contact Us Options setting has only one email address. I would receive email sent to that address, as well as the default "webmaster" address. I did not receive the original. This email was somehow sent to [email protected]. That is the problem.

      Originally posted by Wayne Luke
      I don't know what the file ezbounce.php is. That isn't a vBulletin file.
      EZ Bounce is a mod. It adds that header. That way I can just click on it when I get a legit bounce for a real user. It is not the problem. However, since the userid is missing, it shows that the email is being sent from a guest/not logged in user. Again, how are they making it send to an arbitrary email address?

      --RayJ

      PS: I have not ruled out that this is a clever spoof email, designed to look like it was sent from our sendmessage.php script. But, the headers indicate that it was.


      • peterska2
        Senior Member
        • Oct 2003
        • 8869
        • 3.7.x

        #4
        AdminCP > Usergroups > Usergroup Manager > Unregistered/Not Logged in > Edit Usergroup > Can Use Email to Friend > No

        AdminCP > Usergroups > Usergroup Manager > Unregistered/Not Logged in > Edit Usergroup > Can Email Members > No


        • raywjohnson
          Member
          • Apr 2007
          • 99
          • 5.3.x

          #5
          Solved

          Thanks! That was the problem!

          --RayJ


          • raywjohnson
            Member
            • Apr 2007
            • 99
            • 5.3.x

            #6
            RATS! Maybe not solved...

            I checked the wrong user group..

            When I did check these groups:
            • (COPPA) Users Awaiting Moderation
            • Unregistered / Not Logged In
            • Users Awaiting Email Confirmation


            they all have:
            • Can Use Email to Friend
            • Can Email Members

            set to No.

            Hmmm...

            --RayJ


            • raywjohnson
              Member
              • Apr 2007
              • 99
              • 5.3.x

              #7
              I went over the permissions for the Unregistered / Not Logged In group. I changed a few and saved. Then I ran the Rebuild Bitfields tool.

              I suspect that something is amiss/corrupt with my usergroup permissions.

              I attempted to Send to Friend while not logged in, it just sent me to the login page. So it is working as expected.

              --RayJ


              • peterska2
                Senior Member
                • Oct 2003
                • 8869
                • 3.7.x

                #8
                The only other place is

                AdminCP > vBulletin Options > vBulletin Options > Site Name / URL / Contact Details >
                Allow Unregistered Users to use 'Contact Us'


                • raywjohnson
                  Member
                  • Apr 2007
                  • 99
                  • 5.3.x

                  #9
                  Thanks.

                  I need to keep that one available for various reasons. I will monitor this for now. I may work on a plugin to add the IP address, referrer, etc to the headers. Might help me track down the problem.

                  --RayJ
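Because the email log does not record these messages, the bounces are the only evidence of the abuse. The script below, an added example that is not code from vBulletin or from anyone in this thread, triages a bounce the way a practitioner would: it peels the original message out of the Exim bounce, then flags the three signals visible in post #1 (the forum's own X-Mailer, an empty user id in the EZbounce-style tracking header, and a recipient that is not one of the site's configured contact addresses). The sample bounce is constructed to mirror the quoted one with the redacted addresses replaced by example addresses; the contact allow-list, the header name `X-EZbouncer` and the consonant-run threshold are assumptions.

```python
"""Triage bounced mail for anonymous 'email a friend' relay abuse.

Added example, not code from vBulletin or from the thread's authors. The
sample bounce is constructed in the shape quoted in the thread; the
contact-address allow-list and the consonant-run threshold are assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Where the contact form is configured to deliver (assumed for this example).
CONTACT_ALLOWLIST = {"webmaster@domainname.example", "admin@domainname.example"}

# Exim puts the full original message after this fixed marker line.
EXIM_COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"

# Constructed sample bounce (addresses and hosts are example values).
SAMPLE_BOUNCE = """\
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  nobody@example.com
    SMTP error from remote mail server after RCPT TO:<nobody@example.com>:
    host mail.example.com [192.0.2.10]: 550 5.1.1 <nobody@example.com>... User unknown

------ This is a copy of the message, including all the headers. ------

Return-path: <bounce@domainname.example>
Received: from servername ([127.0.0.1] helo=localhost)
    by domainname.example with esmtp (Exim 4.63)
    (envelope-from <bounce@domainname.example>)
    for nobody@example.com; Mon, 04 May 2009 13:37:55 -0500
To: nobody@example.com
From: "SITENAME" <webmaster@domainname.example>
Auto-Submitted: auto-generated
X-Mailer: vBulletin Mail via PHP
X-EZbouncer: http://www.domainname.example/admincp/ezbounce.php?u=
Subject: nobody@example.com

Della Riley,

This is a message from Kayla Trujillo ( mailto: ) from the SITENAME ( http://www.domainname.example/ ).

The message is as follows:

38jkwskkr2m1lzdb
<a href= http://zlqhmztvas.com >tplnh mzfv</a>

<a href= http://kmoqzgk.com >msxhfpz idyfjga</a>
"""


def extract_original(bounce: str) -> Message:
    """Parse the bounced original. If the Exim marker is absent, treat the
    whole input as the original message."""
    _, _, original = bounce.partition(EXIM_COPY_MARKER)
    return message_from_string((original or bounce).lstrip("\n"))


def guest_userid_missing(msg: Message, header: str = "X-EZbouncer") -> bool:
    """True when the bounce-tracking header carries an empty u= parameter,
    i.e. the mail was generated for a visitor who was not logged in."""
    m = re.search(r"[?&]u=([^&\s]*)", msg.get(header, ""))
    return m is not None and m.group(1) == ""


CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{7,}", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def noisy_hostnames(text: str) -> list[str]:
    """Hostnames whose leftmost label is a long run of consonants, the same
    signal SpamAssassin's URI_NOVOWEL rule fires on (run length of 7 is this
    example's choice)."""
    return [h for h in URL_HOST.findall(text) if CONSONANT_RUN.search(h.split(".")[0])]


def triage(bounce: str) -> dict:
    """Classify one bounce. Relay abuse means: the forum's own mailer sent,
    on behalf of a guest, to an address the site never configured."""
    msg = extract_original(bounce)
    body = "" if msg.is_multipart() else msg.get_payload()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    findings = {
        "forum_mailer": msg.get("X-Mailer", "").strip() == "vBulletin Mail via PHP",
        "guest_sender": guest_userid_missing(msg),
        "recipient_not_ours": recipient not in CONTACT_ALLOWLIST,
        "subject_is_recipient": msg.get("Subject", "").strip().lower() == recipient,
        "noisy_hosts": noisy_hostnames(body),
    }
    findings["relay_abuse"] = (
        findings["forum_mailer"] and findings["guest_sender"] and findings["recipient_not_ours"]
    )
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BOUNCE).items():
        print(f"{key:>22}: {value}")
```

Feed it each bounce you receive (for example from a procmail or Sieve rule that files messages whose body contains the X-Mailer line) and alert on `relay_abuse`; the `subject_is_recipient` and `noisy_hosts` fields are secondary signals that help separate this pattern from a legitimate member's bounced message.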


                  • raywjohnson
                    Member
                    • Apr 2007
                    • 99
                    • 5.3.x

                    #10
                    I think I found the problem. It is not the sendmessage.php/Contact Us script/page that is the problem. It is: blog.php?do=sendtofriend that is open to abuse. I have not yet found a setting to disable that.

                    Also, I have the email log activated (and working), but it does not log the blog/sendtofriend emails.

                    --RayJ


                    • Dan Druff
                      New Member
                      • Mar 2012
                      • 12
                      • 4.1.x

                      #11
                      The above is correct. The exploit is in blog.php in the sendtofriend functionality.

                      Two ways to stop this:

                      1) You can remove the E-mail to a friend link from the blog_show_entry template. Search for "email" in the template and you will see a fairly obvious vb:if block where this is done.

                      -or-

                      2) Go into blog.php and comment out all of the functionality of the "start sendtofriend" routines (there are two of them in vB4).


                      I did both and solved the issue.
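The two fixes above rip the feature out. The policy the thread arrives at can also be stated as code: an anonymous "Contact Us" is safe only because its recipients are fixed server-side, while an anonymous "send to friend" is an open relay because the visitor chooses the recipient. The following is an added example, not vBulletin code and not what anyone in this thread posted; it models that policy as a gate in front of the mailer, with the open behaviour described in the thread beside the hardened one. The class, the per-IP limit and the link check are assumptions made for the illustration.

```python
"""Policy gate for site-generated outbound mail.

Added example, not vBulletin code. Models the thread's conclusion: contact
mail may stay open to guests because the recipient is never client-chosen;
'send to friend' needs an authenticated sender, a clean body and a rate
limit. Names, limits and checks are this example's assumptions.
"""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


class MailPolicyError(Exception):
    """Raised when a request must not produce outbound mail."""


@dataclass(frozen=True)
class MailRequest:
    kind: str                 # "contact" or "sendtofriend"
    user_id: Optional[int]    # None for a guest / not-logged-in visitor
    recipient: str            # client-supplied; trusted only for sendtofriend
    body: str
    client_ip: str


# A personal note has no business carrying links or markup (assumed rule).
URL_OR_TAG = re.compile(r"(https?://|www\.|<[a-z/!][^>]*>)", re.IGNORECASE)


def legacy_sendtofriend(req: MailRequest) -> tuple:
    """The behaviour the thread describes: any visitor names any recipient."""
    return (req.recipient,)


class OutboundMailGate:
    def __init__(self, contact_addresses, allow_guest_contact=True,
                 per_ip_per_hour=5, clock=time.monotonic):
        if not contact_addresses:
            raise ValueError("the contact form needs at least one fixed recipient")
        self.contact_addresses = tuple(contact_addresses)
        self.allow_guest_contact = allow_guest_contact
        self.per_ip_per_hour = per_ip_per_hour
        self.clock = clock                      # injectable for tests
        self._sent = defaultdict(deque)         # client_ip -> recent send times

    def _rate_limit(self, ip: str) -> None:
        """Sliding one-hour window per client address."""
        now = self.clock()
        window = self._sent[ip]
        while window and now - window[0] > 3600:
            window.popleft()
        if len(window) >= self.per_ip_per_hour:
            raise MailPolicyError(f"{ip}: more than {self.per_ip_per_hour} messages per hour")
        window.append(now)

    def authorize(self, req: MailRequest) -> tuple:
        """Return the recipients to deliver to, or raise MailPolicyError."""
        if req.kind == "contact":
            if req.user_id is None and not self.allow_guest_contact:
                raise MailPolicyError("guests may not use the contact form")
            self._rate_limit(req.client_ip)
            # The client-supplied recipient is ignored on purpose: contact mail
            # only ever goes to the addresses configured on the server.
            return self.contact_addresses
        if req.kind == "sendtofriend":
            if req.user_id is None:
                raise MailPolicyError("only logged-in members may address mail to arbitrary recipients")
            if URL_OR_TAG.search(req.body):
                raise MailPolicyError("a personal note may not carry links or markup")
            self._rate_limit(req.client_ip)
            return (req.recipient,)
        raise MailPolicyError(f"unknown mail kind {req.kind!r}")


def rejected(gate: OutboundMailGate, req: MailRequest) -> bool:
    """True when the gate refuses the request (helper for demos and tests)."""
    try:
        gate.authorize(req)
    except MailPolicyError:
        return True
    return False


if __name__ == "__main__":
    gate = OutboundMailGate(["webmaster@domainname.example"])
    spam = MailRequest("sendtofriend", None, "nobody@example.com",
                       "<a href= http://zlqhmztvas.com >tplnh mzfv</a>", "203.0.113.9")
    print("legacy would send to:", legacy_sendtofriend(spam))
    print("gate rejects guest send-to-friend:", rejected(gate, spam))
    note = MailRequest("contact", None, "nobody@example.com", "hello", "203.0.113.9")
    print("guest contact goes to:", gate.authorize(note))
```

The important line is the one that returns `self.contact_addresses` regardless of what the client sent; an endpoint that passes a client-supplied recipient through for an unauthenticated caller is the open relay this thread is about, whatever the page or script is called.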


                      • raywjohnson
                        Member
                        • Apr 2007
                        • 99
                        • 5.3.x

                        #12
                        Yep. Thanks for the reminder. I did that after not being able to find any setting permission to disable it. Thanks!

                        --RayJ


                        • alaska_av8r
                          Senior Member
                          • Dec 2009
                          • 181
                          • 3.8.x

                          #13
                          Can you guys be a bit more specific on what I need to do in Blog.php to stop this:

                          (2) Go into blog.php and comment out all of the functionality of the "start sendtofriend" routines (there are two of them in vB4 ----- what text am I specifically looking for to comment out????


                          well I tried to figure out exactly what to remove from blog_show_entry template and couldn't figure that one out either, could you point me to the specific language there as well. (sorry I am not that programming literate)



                          The spammers have been hammering my website and I need to disable this. I have all usergroup permissions to email etc turned off.

                          thank you.
                          Last edited by alaska_av8r; Sun 12 Oct '14, 4:47pm.


                          • raywjohnson
                            Member
                            • Apr 2007
                            • 99
                            • 5.3.x

                            #14
                            Greetings alaska_av8r,

                            I am traveling out of the country until after the 29th of October. I will be able to guide you after that. Sorry!

                            --RayJ


                            • alaska_av8r
                              Senior Member
                              • Dec 2009
                              • 181
                              • 3.8.x

                              #15
                              Thank you RayJ, have safe and fun travels, I will be looking forward to hearing from you since I still cannot figure it out.
