68classifieds being used to send SPAM?

Hello,

We're a webhost and one of our clients is using your software.

I am posting in behalf of him since he doesn't speak english. Anyways, we found out that there has been e-mails sent to AOL.com users from 68classifieds or so it seems.

Here it is the info:

Return-path: <[email protected]>
Received: from vendas by server.wecontrol.com with local (Exim 4.52)
id 1GidCs-0005Cm-Pp; Fri, 10 Nov 2006 14:42:34 -0600
To: [email protected]
Subject: Peticion de contacto.
Date: Fri, 10 Nov 2006 14:42:34 -0600
From: "[email protected]" <Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
X-Mailer: AOL 3.0 for Mac sub 84
Subject: Re: hi
Message-Id: <[email protected]>

If you're looking to lose weight quickly and KEEP it off, look no further..=
diet fads and chemicals can be dangerous, and almost never work as you exp=
ect them to. Hoodia, however, has the weight of scientific studies, trials =
and tests behind it, and simply WORKS, in that it has been proven to cause =
the user to eat far less on a daily basis. Its a simple fact that when you =
eat less, you lose weight, and thats the logic behind Hoodia.. over 95% of =
users eat less, and report immediate weight loss within the first week of u=
sage, and many lose between 5-10 pounds within the first two weeks (some ex=
ceptional cases have lost far more).

<A HREF=3Dhttp://www.adezzedr.com > Receive a completely free bottle, and m=
ore information </A>







d1db5020883da1cce9e41025df0eac22
.>
Message-ID: <[email protected] s>
X-Priority: 3
X-Mailer: PHPMailer [version 1.73]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="iso-8859-1"

Nombre: [email protected]
Email: Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
X-Mailer: AOL 3.0 for Mac sub 84
Subject: Re: hi
bcc: [email protected]


I don't know what version he is running, I would have found it in the .php files but they are Ioncube encoded.

Have there been any problems like this in the past with 68classifields, in previous versions maybe?

How can I tell which version he is using? (I don't have access to administrator) to the files and to view the source code of the index page generated by the website (already checked HTML headers and no info there).

Thanks
Francisco
www.NavigatorIS.net

Wooops!

I think I forgot to rename one of the customer's email address from my original post.

Can an admin please remove the original address @yahoo.com?

Thank you.

[Blair]

This has been addressed in http://www.68classifieds.com/issues/...md=view&id=131

We will be making the designer files available later today.

Thanks-

[SkGold]

Blair, you said there:

Quote:

Open the file contact.php and go to line 65 which should have:
$from = $_POST["sender"];

Below that add:
$from = urldecode($from);
if (eregi("\r",$from) || eregi("\n",$from))
{
die("Why ?? ");
}

I can�t find $from = $_POST["sender"]; in contact.php

[Chaslie]

Quote:

I can’t find $from = $_POST["sender"]; in contact.php

I can also confirm that.

[juven14]

Here is the code I'm using in includes/functions.php:

PHP Code:

//filter email headers and body
function safeMail($value)
{
    $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i", '/%0A/i', '/%0d/i', '/\n/i', '/\r/i', '/\[lb\]/i', '/x015/i', '/x012/i');
    $return = preg_replace($find, "**spam attempt removed**", $value);
    return $return;
} 


Then in contact.php:

PHP Code:

//data has been filled
$id = (int)@$_POST['ownerid'];
$vehicle = (int)@$_POST['listingid'];
$name=safeStripSlashes(trim($_POST['name']));
$from=safeStripSlashes(trim($_POST['email']));
$comments=safeStripSlashes(trim($_POST['message']));

            
$name = safeMail($name);
$from = safeMail($from);
$comments = safeMail($comments); 


Also in contactus.php:

PHP Code:

//data has been filled
$name=safeStripSlashes(trim($_POST['name']));
$email=safeStripSlashes(trim($_POST['email']));
$comments=safeStripSlashes(trim($_POST['message']));
                    
$name = safeMail($name);
$email = safeMail($email);
$comments = safeMail($comments); 


Of course this allows the email to go through but with all the spam stuff replaced. The person who gets the mail will be aware that somebody attempted to spam via the form. I like the idea of just preventing the mail, but I think it might be better to ban them on the spot or generate an email to the admin so they can take action.

[Chaslie]

Thanks John.

[Chad]

In 3.1.5a does it allow the spam to go through or does it block it? I'd rather not even let the person know someone attempted to spam them from my site.

[Lhotch]

Quote:

Originally Posted by Chad

In 3.1.5a does it allow the spam to go through or does it block it? I'd rather not even let the person know someone attempted to spam them from my site.

What happens is that people abuse mail forms by using them to send a message to the intended recipient and by appending other information they can also attempt to have it sent to additional people thereby abusing your mail server to spam other people.

There is no real way for the script to know if the mail is spam or not so unless im mistaken the mail goes through to the intended recipient, the new changes just make sure that the form isnt abused and mail wont be sent to anyone else.