Avoid Letting Your CMSMS Site be used to send spam
Posted: Fri Aug 13, 2010 11:03 pm
I have discovered the hard way that there are two modules that, if not configured properly, can turn your CMS Made Simple sites into an effective SPAM bot.
1. Formbuilder Email & Send Copy
In Formbuilder, if you configure a form to send a copy of the email to the person filling out the form (either always, or only if the user checks the box), a spambot can post your form with the victim's email address in the "My Email" field and the spam message in the message field. Your server then delivers the spammer's text to the spammer's chosen recipient.
If you use a contact form like this without CAPTCHA you will probably find your mailserver becomes blacklisted for sending spam. This will affect all of the sites using this mail server.
Solution: either use the CAPTCHA module with this form (or another form of spam checking), OR set the "send copy" value to "NEVER".
2. CGFeedback Module
This module allows the person submitting a comment to check a box that says "notify me of additional comments on this thread". This is potentially much worse than the Formbuilder SPAM trick, because the spammer can use a different email address for each comment, and a different spam message for each comment. This effectively turns the comments into a mailing list: each new comment is sent to all the email addresses attached to the comments above it.
Unfortunately, we don't currently have an "Unsubscribe" ability for CGFeedback comments after the person has checked "notify me of new comments".
Again, use CAPTCHA and/or AKISMET or another SPAM filter module, or else you'll find your server blacklisted.
There are probably other modules with similar vulnerabilities. Just be aware that any time you offer the user the option to receive additional content or feedback by email, you are also potentially enabling spammers to send them content through your server.
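The two mail paths described above, modelled as an added example (not CMSMS, Formbuilder or CGFeedback code): the risky "send copy" behaviour beside a version that honours the "NEVER" setting and sends only a fixed acknowledgement, plus a double opt-in flow for "notify me" so that a comment author cannot subscribe someone else. Field names, the `pending`/`subscribers` stores and the `/confirm` URL are assumptions.

```python
# Added example (not CMSMS or module code): models the two mail paths from the
# post and a policy that stops them relaying attacker-chosen text.
import re
import secrets

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse syntax check only

def send_copy_vulnerable(form):
    """Risky 'send copy': echoes the submitted message to whatever address the
    submitter typed, so both recipient and payload are attacker controlled."""
    if form.get("send_copy") != "yes":
        return None
    return {"to": form["my_email"], "subject": form["subject"], "body": form["message"]}

def send_copy_hardened(form, send_copy_setting):
    """Acknowledgement that carries no user-supplied text. With the setting at
    'never' (the post's advice) nothing is sent at all."""
    if send_copy_setting == "never":
        return None
    if send_copy_setting == "if_checked" and form.get("send_copy") != "yes":
        return None
    addr = form.get("my_email", "")
    if not EMAIL_RE.match(addr):
        return None
    # Fixed template: the submitter's subject and message are deliberately omitted.
    return {"to": addr, "subject": "We received your message",
            "body": "Thanks, your message to SITE_NAME has been received."}

def request_notification(pending, addr):
    """Double opt-in for 'notify me of new comments': the address gets one fixed
    confirmation mail and nothing more until it confirms (rate-limit this too)."""
    if not EMAIL_RE.match(addr):
        return None
    token = secrets.token_urlsafe(16)
    pending[token] = addr  # hypothetical store: token -> unconfirmed address
    return {"to": addr, "subject": "Confirm comment notifications",
            "body": f"Open /confirm?token={token} to subscribe; ignore this otherwise."}

def confirm_notification(pending, subscribers, token):
    addr = pending.pop(token, None)
    if addr is None:
        return False
    subscribers.add(addr)
    return True

def notify_subscribers(subscribers, comment_author, thread):
    """Notification names the thread only; the new comment's text never rides along."""
    return [{"to": a, "subject": f"New comment on {thread}",
             "body": f"A new comment was posted on {thread}; visit the page to read it."}
            for a in sorted(subscribers) if a != comment_author]
```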