Spam abusing/bypassing the {contact_form} tag

[quethiock]

Hi,

I posted the following in "The Lounge" as I thought that was the appropriate place but got no answer so am trying here now.

I have a site running with the following details:-

CMS 1.4.1
CMS Mailer 1.73.14
PHPIDS 1.4.7
Album 0.9.3
Captcha 0.3.1
VisitorStats 0.1.1

and am using the built-in tag {contact_form} in a "Contact Us" page.

That worked well, but we were getting spam through the page (looking in the logs, you could see the IP address scanning the whole Menu system, each page in turn without a referring URL, usually for less than a second per page until it got to the "Contact Us" page, then it called it again, and left the site.  The times and IP address used matched the spam exactly.

I recently added the modules "Captcha" and "PHPIDS" but the spam messages seem to be bypassing the Captcha routine but being caught by PHPIDS.  The IP Address is using the "POST" command and the advice email from PHPIDS says:

- - - - - - - - - - - - - - - - -
The following attack has been detected by PHPIDS

IP: xx.xx.xxx.xxx
Date: 2008-08-24T23:09:15+01:00
Impact: 24
Affected tags: xss csrf sqli id lfi
Affected parameters: POST.message=Extraordinarity%3A+%2C+%3Ca+href%3D%22http%3A%2F%2.....


Request URI: %2Findex.php%3Fpage%3Dcontact
- - - - - - - - - - - - - - - -

Yet if I try the "Contact Us" page and not enter the CAPTCHA text, my message gets rejected by the "Contact Us" page.  If I try again, and this time enter the CAPTCHA text, my message (the content of which was pasted from a previous rejected spam message) gets through without being rejected by PHPIDS.

So, it looks like the spammers are somehow abusing the {contact_form} tag by bypassing the CAPTCHA routine.  How?  That's my question?  I want to stop the b***ards in the first place, not block them after they have posted their message with PHPIDS (which it seems to do quite well)!

Any help/explanation would be much appreciated.  I really like CMSMS but this is getting me down.

Thanks

Quethiock

[alby]

and am using the built-in tag {contact_form} in a "Contact Us" page.

contact_form plugin is DEPRECATED
Try to use FormBuilder that have contact form for default

Alby

[quethiock]

Thanks Alby for that suggestion

I installed FormBuilder 0.5.4, re-wrote the Contact Us page submission for to suit .... and still getting these spam attempts.  6 over the last 24 hours. 

OK, not big numbers, but the number is increasing steadily.  I don't know whether their email SPAM is being successful or not (I suspect not but don't know that).  PHPIDS seems to be detecting and blocking these attempts so perhaps I just ignore the PHPIDS warnings.

What I think I will do is turn off PHPIDS and see what comes through.  I now know what to look for in the logs so will see when a spam attempt is made and if it gets through anywhere.  That will let me see if PHPIDS is blocking the attempts.  If so, I can raise the email warning threshold and try and ignore the problem.

If anybody knows how they are trying to distribute the spam message through the Contact Form, I would love to know please.

I'm using CMS 1.4.1 and CMS Mailer 1.73.14, as well as FormBuilder 0.5.4

Regards and thanks.

Quethiock

[alby]

I installed FormBuilder 0.5.4, re-wrote the Contact Us page submission for to suit .... and still getting these spam attempts.  6 over the last 24 hours. 

Very strange because I think that the fields name are differents.
PHPIDS blocking that but maybe it doesn't pass in any case

Alby