
Security issue

1 year 4 days ago #1

  • Christof
  • Posts: 54
Hi. It seems as if there is a security issue with Baforms. An outstanding amount of SPAM is currently being sent using the contact forms of my websites. Astonishingly, disabling the form has no effect and the SPAM is not stopping. I need to disable the component. Please help!

Kind regards
Chris

1 year 4 days ago #2

  • Viacheslav
  • Posts: 28858
Hello,
Thank you for contacting us!

To protect against spam, you can use a captcha or a honeypot.

Best Regards,
Vyacheslav, Balbooa Support Team

1 year 3 days ago #3

  • Christof
  • Posts: 54
All my forms have the option «honeypot» enabled. But now it seems as if someone has found a way to bypass the honeypot and send abusive mails despite this SPAM protection. It began about a week ago with the contact form of one of my client's websites. He received about 1 SPAM mail per second (!). I disabled the form in question, but we kept receiving thousands of SPAM mails all the same. There seems to be a way to automatically send Balbooa forms despite the fact that they are disabled. Only when I finally disabled the Baforms component did the spamming stop.

After a while, a second and a third and even more customers called me and reported being spammed by their own contact form. The message always contains Chinese characters.

What do you suggest? Might an enhanced version of the honeypot method resolve the issue?

Thank you and kind regards
Chris

1 year 3 days ago #4

  • Christof
  • Posts: 54
The issue is becoming worse now. I enabled both the component and the form in order to find out whether the spook is over now. It is not. The spammer is now filling the database directly. No email is being sent any more. But within an hour, the list of emails in the database has increased by more than 1000. See screenshot...

1 year 3 days ago #5

  • Christof
  • Posts: 54
The issue is once more becoming worse. I added the reCAPTCHA option, but this does not stop incoming form submissions. We are being flooded. Please help!

1 year 2 days ago #6

  • Christof
  • Posts: 54
The spammer has now extended his activities to my own website. I get my contact form every few seconds. In my server log there are thousands of entries like this:
2023-07-15 14:06:59 Error 134.122.189.60 404 POST /index.php?option=com_baforms HTTP/1.0

The reason for the 404 error is that I disabled the Baforms component.

1 year 1 day ago #7

  • Viacheslav
  • Posts: 28858
Hello,

The problem is not related to the form component, because the forms are engaged in collecting data; Joomla is directly involved in sending.

Best Regards,
Vyacheslav, Balbooa Support Team

1 year 1 day ago #8

  • Christof
  • Posts: 54
I had a very bad weekend with thousands and thousands of SPAM mails on the majority of my websites. You are claiming that this issue is not related to the form component, which (sorry to say) I cannot believe. Reason:

- Disabling Joomla's «Send mail» feature stops the sending of these mails, but does NOT stop the filling of the database table yflhs_baforms_submissions with thousands of entries.

- Disabling the contact form itself does NOT stop these SPAM mails. It seems as if the spammer is using a direct call of the component.

- Disabling the Baforms component stops both: the sending of these mails and the filling of the database.

- In the server log, we find thousands of entries like this: «POST /index.php?option=com_baforms HTTP/1.0»

- Websites with Joomla's default contact form are not affected.

- The «Honeypot» option is enabled, but the spammer seems to be able to bypass it.

- In addition to that, we tried the «ReCaptcha» option, but the spammer seems to be able to bypass it as well.

To me it seems obvious that there is a vulnerability in the component which is being exploited by the spammer.
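A defender-side check that matches the symptom described in this thread: an added example in Python, not code from the thread or from Balbooa, that parses server-log lines of the shape quoted above and reports sources that POST to option=com_baforms at flood rate within a single minute. The exact log layout, the per-minute threshold and the sample lines (documentation-range IPs) are assumptions constructed for the example.

```python
import re
from collections import Counter

# Shape of the server-log lines quoted in the thread (assumption: one entry per line):
# "<date> <time> <level> <ip> <status> <method> <path> <protocol>"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<minute>\d\d:\d\d):\d\d \S+ (?P<ip>\S+) "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<path>\S+) HTTP/\S+$")
TARGET = "option=com_baforms"

def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def flood_report(lines, threshold=20):
    """Count POSTs to the component per (ip, minute) and return those at or
    above `threshold`. Status is ignored on purpose: the 404s in the thread
    were still submission attempts, and the same flood returns 200 while the
    component is enabled."""
    per_minute = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "POST" or TARGET not in rec["path"]:
            continue
        per_minute[(rec["ip"], f"{rec['date']} {rec['minute']}")] += 1
    return {key: n for key, n in per_minute.items() if n >= threshold}

def offenders(lines, threshold=20):
    """Sorted list of source IPs that flooded in at least one minute; the
    input to whatever block list (htaccess, firewall, edge) the site uses."""
    return sorted({ip for ip, _ in flood_report(lines, threshold)})

# Constructed sample: one source fires 60 POSTs within one minute, one
# ordinary visitor submits once, one request is unrelated.
SAMPLE = [
    f"2023-07-15 14:06:{s:02d} Error 198.51.100.7 404 POST "
    f"/index.php?option=com_baforms HTTP/1.0" for s in range(60)
]
SAMPLE.append("2023-07-15 14:06:30 Info 192.0.2.10 200 POST /index.php?option=com_baforms HTTP/1.1")
SAMPLE.append("2023-07-15 14:06:31 Info 192.0.2.11 200 GET /index.php?option=com_content HTTP/1.1")

if __name__ == "__main__":
    for (ip, minute), n in sorted(flood_report(SAMPLE).items()):
        print(f"{minute}  {ip}  {n} POSTs to {TARGET}")
```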

1 year 1 day ago #9

  • Viacheslav
  • Posts: 28858
Send us a link to the page with the problem.
Send us FTP access and Joomla admin access via our contact form:
support.balbooa.com/contact-us

Regards,
Vyacheslav, Balbooa.com

1 year 1 day ago #10

  • Christof
  • Posts: 54
I have just sent you the credentials. Please keep in mind that we have blocked the IP range that was used in the .htaccess file. That is why no SPAM is being sent right now. Feel free to remove the blocked IP range from the .htaccess file temporarily and you will be able to watch one incoming mail after the other.

1 year 1 day ago #11

  • Viacheslav
  • Posts: 28858
We will inform you as soon as we find out the reason.

Best Regards,
Vyacheslav, Balbooa Support Team

11 months 4 weeks ago #12

  • Christof
  • Posts: 54
You added an improved protection on one of my websites. This seems to be successful. I have a number of other websites that are increasingly attacked. One of them had ~30'000 emails within two days. How can I apply the improved protection to other websites? Will there be an update of the component?

Thank you and kind regards
Chris

11 months 4 weeks ago #13

  • Viacheslav
  • Posts: 28858
We are currently working on improving the forms.
We made changes to the file form.php (\com_baforms\models\form.php).

You can download the file with the changes here:
drive.google.com/file/d/1NLWWf7IkOwvQVrH...YKJ/view?usp=sharing

Regards,
Vyacheslav, Balbooa.com

11 months 3 weeks ago #14

  • Christof
  • Posts: 54
Did I understand correctly that the improvement is only effective if a captcha is used?

11 months 3 weeks ago #15

  • Viacheslav
  • Posts: 28858
With the changes in this file, the improvement is only effective when using a captcha.

Best Regards,
Vyacheslav, Balbooa Support Team

11 months 2 weeks ago #16

  • Christof
  • Posts: 54
Copying the file "components/com_baforms/models/form.php" manually is a bit time-consuming if you maintain as many websites as I do. Installing a new version of Baforms would be much easier. Apart from that, a captcha has to be registered and all forms have to be adjusted manually. The effort is enormous. It would be very desirable if the Honeypot feature could be improved. When can this update be expected? By the way: the extent of the attacks is huge with us. SPAM mails come in every second, which amounts to several thousand per day.

11 months 2 weeks ago #17

  • Viacheslav
  • Posts: 28858
Most likely the update will be available within 7-10 days.

Regards,
Vyacheslav, Balbooa.com

11 months 6 days ago #18

  • Christof
  • Posts: 54
Thank you for Baforms 2.2.0 and Baforms 2.2.0.1. Unfortunately, after upgrading to Baforms 2.2.0 there are no emails being sent at all. The frontend is behaving quite normally. There is the familiar popup announcing that the form has been sent. But neither the administrator nor the customer receives it. And there is no database entry in the «submissions» section.

For a couple of days, we had the SPAM protection option reCAPTCHA enabled. But we had to disable it because Google sent us an invoice for a four-digit amount due to an overuse of the reCAPTCHA service. Maybe there is a connection between disabling Joomla's reCAPTCHA plugin and this issue?

In Joomla Configuration, sending a test email works fine. The SPAM protection options in the form are:
- reCAPTCHA = none
- Honeypot = enabled

Thank you and kind regards
Chris

11 months 4 days ago #19

  • Viacheslav
  • Posts: 28858
Because you turned off the captcha in the Joomla settings,
and in the button settings it is enabled.

You need to turn on the captcha in the Joomla settings,
then select none in the button settings,
and then turn off the captcha in the Joomla settings.

Best Regards,
Vyacheslav, Balbooa Support Team

11 months 4 days ago #20

  • Christof
  • Posts: 54
I can confirm that it works now. Following this sequence is crucial:
1. Disable reCAPTCHA in the SPAM protection option of the form
2. Disable reCAPTCHA in Joomla's Global configuration

I would not have thought of this idea because reCAPTCHA was automatically disabled in the SPAM protection option of the form after disabling it in Joomla's Global configuration.

Thank you for your help.

11 months 4 days ago #21

  • Viacheslav
  • Posts: 28858
Let us know if you need more assistance!

Best Regards,
Vyacheslav, Balbooa Support Team

11 months 2 days ago #22

  • Christof
  • Posts: 54
Hi,

This issue is becoming worse. It is a nightmare. If we do not find a suitable solution soon, I will be unable to use Baforms any more.

Baforms with option «Honeypot» enabled:
This is completely useless. We are being flooded with SPAM (1 per second).

Baforms with option «Google reCAPTCHA» enabled:
This works theoretically but is unusable in practice. After 1 week Google sent me an invoice for a four-digit amount due to an overuse of the reCAPTCHA service. I am not in a position to finance this service. That would drive me to ruin.

I think we do need an enhancement for the honeypot option. I guess that the spammer has found the honeypot fieldname and has programmed his bot to avoid filling this field. Maybe it would be a solution that the honeypot-fieldname automatically changes after each use.

Most important question for the moment:

- I disabled the contact form that is being abused by the spammer. This does NOT stop these emails.
- I deleted the contact form that is being abused by the spammer. This does NOT stop these emails.

This is absolutely weird and incomprehensible. How can a non-existent form be abused???

Thank you and kind regards
Chris

11 months 20 hours ago #23

  • Christof
  • Posts: 54
It seems obvious that both a disabled and a deleted form can be used for sending email, as long as the relevant URL is known. As soon as the form is deleted from the trashed items, spamming stops. This makes it comprehensible that it is useless to disable the article that contains [forms ID=1]. This will not stop spamming.

Several of my customers have done away with the contact form and replaced it with an ordinary email link in order to allow their clients to contact them. For any other use case, please provide a solution and make Baforms more SPAM resistant. Some of my hostings have been suspended temporarily by the hosting provider because of abuse of the mail service. It is a disaster.
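The two points raised in the last two posts, a honeypot whose field name can be learned once and then skipped by a bot, and a disabled or deleted form that still accepts POSTs as long as its URL is known, as one hardened submission check. This is an added illustration in Python, not Baforms' own code: the form registry, the server secret, the field names and the timing limits are constructed assumptions.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-server-secret"  # assumption: in production, loaded from config

# Constructed stand-in for the form table: form id -> publish state.
FORMS = {1: "published", 2: "unpublished", 3: "trashed"}

def _token(form_id, nonce, issued):
    """HMAC over form id, nonce and issue time; clients cannot forge or backdate it."""
    msg = f"{form_id}:{nonce}:{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def honeypot_name(form_id, nonce, issued):
    """Honeypot field name derived from the token, so it differs on every render."""
    return "hp_" + _token(form_id, nonce, issued)[:12]

def render_form(form_id, now):
    """Hidden-field values to embed when the form is rendered at unix time `now`."""
    nonce = secrets.token_hex(8)
    return {"form_id": form_id, "nonce": nonce, "issued": now,
            "token": _token(form_id, nonce, now),
            "honeypot": honeypot_name(form_id, nonce, now)}

def check_submission(post, now, min_seconds=3, max_age=3600):
    """Return (accepted, reason) for a POSTed dict of field name -> value."""
    form_id = post.get("form_id")
    # The state check runs server-side on every POST, so a disabled or trashed
    # form is rejected no matter how its URL was reached.
    if FORMS.get(form_id) != "published":
        return False, "form not published"
    nonce = str(post.get("nonce", ""))
    try:
        issued = int(post.get("issued", ""))
    except ValueError:
        return False, "bad timestamp"
    if not hmac.compare_digest(_token(form_id, nonce, issued), str(post.get("token", ""))):
        return False, "bad token"
    if not 0 <= now - issued <= max_age:
        return False, "token expired"
    if now - issued < min_seconds:
        return False, "submitted too fast"   # scripted posts rarely wait like a human
    hp = honeypot_name(form_id, nonce, issued)
    if hp not in post:
        return False, "honeypot field missing"  # field set copied from an old render
    if post[hp] != "":
        return False, "honeypot filled"
    return True, "ok"
```

A bot that re-fetches the form before every POST still sees the empty field with its current name, so the rotating name only defeats bots that hard-code it; that is why a captcha and rate limiting at the host or edge remain necessary alongside it.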

11 months 20 hours ago #24

  • Artem
  • Posts: 11342
Christof,

Did you test hCAPTCHA? :)
It's free.

Regards,
Artem, Balbooa.com

11 months 20 hours ago #25

  • Christof
  • Posts: 54
hCaptcha is free up to 1 million calls per month. According to my experience with Google reCAPTCHA, I would far exceed this number. I appreciate the honeypot option very much. I am not an expert, but I suppose that the honeypot could be refined?!

11 months 4 hours ago #26

  • Artem
  • Posts: 11342
Christof,

Let's be real. A honeypot can't prevent serious attacks. That's why such services as hCAPTCHA and reCAPTCHA are popular; they specialize in such things as spam protection.

Also, as a minimum, your hosting protection should prevent bot attacks on the site, as Siteground does on our website.

So, I can recommend the following:
1. Enable hCAPTCHA
2. Enable Cloudflare: www.cloudflare.com/

Regards,
Artem, Balbooa.com