I have discovered the hard way that there are two modules that, if not configured properly, can turn your CMS Made Simple sites into an effective SPAM bot.
1. Formbuilder Email & Send Copy
In Formbuilder, if you configure a form to send a copy of the email to the person filling out the form (either always, or if the user checks the box), this allows a spambot to post your form with the victim's email address in the "My Email" field and the spam message in the message field.
If you use a contact form like this without CAPTCHA you will probably find your mailserver becomes blacklisted for sending spam. This will affect all of the sites using this mail server.
Solution: either use the CAPTCHA module with this form, or another form of spam checking, OR set the "send copy" value to "NEVER".
2. CGFeedback Module
This module allows the person submitting a comment to check a box that says "notify me of additional comments on this thread". This is potentially much worse than the Formbuilder SPAM trick, because the spammer can use a different email address for each comment, and a different spam message for each comment. This effectively turns the comments into a mailing list, so each new comment is sent to all the email addresses in the comment list above it.
Unfortunately, we don't currently have "Unsubscribe" ability for CGFeedback comments after the person has checked "notify me of new comments".
Again, use CAPTCHA and/or AKISMET or another SPAM filter module or else you'll find your server blacklisted.
There are probably other modules with similar vulnerabilities. Just be aware that anytime you offer the user the option to receive additional content or feedback, you are also potentially enabling spammers to send them content.
Avoid Letting Your CMSMS Site be used to send spam
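The two abuse patterns from the post above, modelled as a small stand-alone script so the difference between the risky and the hardened configuration can be seen in the mail that would leave the server. This is an added illustration, not CMS Made Simple, Formbuilder or CGFeedback code: the `send_copy` values, the `captcha_gate` stub (standing in for CAPTCHA or Akismet), the `echo_message` switch, and every address and message are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SITE_OWNER = "owner@example.com"  # constructed address of the site operator


@dataclass
class Mail:
    to: str
    subject: str
    body: str


class Outbox:
    """Stand-in for the site's mail transport; records what would leave the server."""

    def __init__(self) -> None:
        self.sent: List[Mail] = []

    def send(self, mail: Mail) -> None:
        self.sent.append(mail)


# A spam check returns True when the submission passes (CAPTCHA solved / Akismet says ham).
SpamCheck = Callable[[Dict], bool]


def captcha_gate(sub: Dict) -> bool:
    """Stub for a CAPTCHA/Akismet check: the submission carries a flag saying whether it passed."""
    return bool(sub.get("captcha_ok", False))


def handle_contact_form(outbox: Outbox, sub: Dict, send_copy: str = "never",
                        spam_check: Optional[SpamCheck] = None,
                        echo_message: bool = True) -> str:
    """Pattern 1: a contact form with a 'send copy to submitter' option.

    send_copy mirrors the setting described in the post: 'always', 'user'
    (only if the submitter ticked the box) or 'never'.  echo_message=True
    reproduces the risky behaviour where the copy carries the submitter-supplied
    text, so anyone who can fill in the form can mail arbitrary text to any
    address through this server.
    """
    if spam_check is not None and not spam_check(sub):
        return "rejected"
    outbox.send(Mail(SITE_OWNER, "Contact form submission", sub["message"]))
    wants_copy = send_copy == "always" or (send_copy == "user" and sub.get("copy_me", False))
    if wants_copy:
        # Hardened variant (an assumption of this example): acknowledge with fixed text only.
        body = sub["message"] if echo_message else "We received your message and will reply shortly."
        outbox.send(Mail(sub["email"], "Copy of your message", body))
    return "sent"


class CommentThread:
    """Pattern 2: a comment thread with 'notify me of additional comments'.

    Every accepted comment is mailed to everyone who subscribed earlier, and the
    commenter can subscribe a new address each time, so without a spam gate the
    thread becomes an open mailing list with ungated fan-out.
    """

    def __init__(self, outbox: Outbox, spam_check: Optional[SpamCheck] = None) -> None:
        self.outbox = outbox
        self.spam_check = spam_check
        self.subscribers: List[str] = []

    def post(self, comment: Dict) -> str:
        if self.spam_check is not None and not self.spam_check(comment):
            return "rejected"
        for addr in self.subscribers:
            self.outbox.send(Mail(addr, "New comment on thread", comment["text"]))
        if comment.get("notify", False) and comment["email"] not in self.subscribers:
            self.subscribers.append(comment["email"])
        return "posted"


def demo() -> Dict:
    """Run both patterns with constructed spam submissions and report what was mailed."""
    spam = {"email": "victim@example.net", "message": "BUY NOW http://spam.example", "copy_me": True}

    risky = Outbox()                      # copy always sent, no spam gate
    handle_contact_form(risky, spam, send_copy="always")
    hardened = Outbox()                   # copy disabled and CAPTCHA gate in front
    handle_contact_form(hardened, spam, send_copy="never", spam_check=captcha_gate)

    ungated = Outbox()                    # five comments, each subscribing a new address
    thread = CommentThread(ungated)
    gated = Outbox()
    gated_thread = CommentThread(gated, spam_check=captcha_gate)
    for i in range(5):
        comment = {"email": f"victim{i}@example.net", "text": f"spam {i}", "notify": True}
        thread.post(comment)
        gated_thread.post(comment)

    return {
        "risky_recipients": [m.to for m in risky.sent],   # owner plus the victim
        "hardened_sent": len(hardened.sent),              # nothing leaves the server
        "ungated_fanout": len(ungated.sent),              # 0+1+2+3+4 notification mails
        "gated_fanout": len(gated.sent),
    }


if __name__ == "__main__":
    print(demo())
```

The fan-out count in the comment model grows with the square of the number of accepted comments, which is why the post rates the second pattern as worse: the spammer supplies both the recipient list and the message body, one comment at a time.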
Re: Avoid Letting Your CMSMS Site be used to send spam
Thank you for letting us know. People should be aware. Unfortunately, this will apparently continue. (My suggestion to work on this apparently was not effective)
Last edited by replytomk3 on Sat Aug 14, 2010 3:33 am, edited 1 time in total.
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
Re: Avoid Letting Your CMSMS Site be used to send spam
replytomk3 wrote: Very good! Do file this as bug reports for both modules.

These are not bugs... in fact they're all user requested features with very valid uses.
With great power comes great responsibility.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: Avoid Letting Your CMSMS Site be used to send spam
If I'm not mistaken, Captcha is not installed by default in core, and modules are not setup by default to use it (or complain lack thereof).
Re: Avoid Letting Your CMSMS Site be used to send spam
It still isn't a bug. It's just a "make sure you know what you're doing" kind of thing.
CMS Made Simple isn't for people who want to live in a padded room where they cannot possibly hurt themselves. It's a tool for developers who prefer to have the option to do it the way they want to.