dadaimc : http://www.dadaimc.org

dadaIMC Discussion List

Re: [IMC-Tech] Dadaimc sites being exploited, lack of captcha-style verification

From: Ben <westbywest-AT-riseup.net>
Date: 26 Nov 2006 21:55:28 UTC   (02:55:28 PM in author's locale)
To: Tech Imc <imc-tech-AT-lists.indymedia.org>,  dadaIMC-AT-lists.dadaimc.org
Hi,

I noticed this problem on the dadaimc at stlimc.org and have similarly
disabled the emailto.php file.

Likewise, I've discovered another avenue for spam via the "accounts"
module in dada, which is responsible for tracking user logins and
registration. In particular, the page where visitors sign up for new
accounts, i.e. .../mod/accounts/index.php?function=new, has no captcha
field, allowing bots to enter an arbitrary email address and then have the
webserver send registration confirmation messages to that address.

I find this latter exploit more problematic than the emailto feature,
since every dadaimc site out there can likely be exploited as such, and
the only way to prevent it so far is to disable new user registration.

Indeed, I wonder if these spam exploits in dada are a contributing
factor for riseup.net (which hosts several dada imcs) routinely finding
itself on email blacklists.

Since dadaimc development appears to be on hold in lieu of ongoing
discussion among imc-tech community about migrating to a new CMS, could
anyone recommend a workaround to this problem?

John Milton wrote:
> Hi folks:
>
> This may be a well understood issue here, but just in case it's not...
>
> The Indy CMS "DadaIMC" has a feature which allows users to email copies
> of stories to other readers.
>
> Spammers have produced a "bot" which exploits this feature to use the
> site as a spam distribution service by adding spam content to the text
> block of the email that is sent.
>
> If I had not installed countermeasures, the server I run, Illich, which
> hosts 7 Dada sites, would have been responsible for the distribution of
> over 100,000 spam emails during the last 36 hours.
>
> I can't find a switch in the user interface to switch this feature off,
> nor am I aware of a patch to ensure that the email to be sent is not
> spam, so the only thing I was able to come up with was to disable the
> code as follows:
>
> In the current version of Dada, 99.3X, the email function is done by a
> file called "emailto.php" which will be found in the document root
> directory of the site. Replacing that file with something like this
> (with same name and permissions) will disable the feature without
> breaking the software or flooding the error log file:
>
> ----------File follows-----------
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
> </head>
> <body>
> Due to abuse by spammers this feature is not available at this time.
> </body>
> </html>
> -----------------------------------
>
> I'd really be interested in any better solution to this issue...
>

--
Ben West
westbywest-AT-riseup.net
savetheinternet.org
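The two abuses discussed in this thread have the same shape: a form that anyone can submit causes the web server to send mail, and nothing checks that a person rather than a bot is behind the request. The following is an added example, not dadaIMC code and not from either poster, of a PHP drop-in gate that keeps both features working while raising the cost of abuse. It combines a signed, time-bound form token (a bot that posts without first fetching the form, or posts instantly, fails it), a per-IP rate limit, and a check that the free-text block of emailto.php carries no links and that the address field carries no header injection. The function names, the constants, the /tmp counter directory and the $_POST field names in the usage comment are all assumptions made for this example; it assumes PHP 5.3 or later (hash_hmac, filter_var, fopen 'c+' mode).

```php
<?php
// Added example, not dadaIMC code. Assumed: emailto.php and
// mod/accounts/index.php include this file and call abuse_gate()
// before any call to mail(). Assumes PHP >= 5.3.

// Per-site secret for signing form tokens (assumed config value).
define('FORM_TOKEN_SECRET', 'change-me-to-a-long-random-string');
// Per-IP limit: at most MAX_SENDS mails per WINDOW_SECONDS.
define('MAX_SENDS', 5);
define('WINDOW_SECONDS', 3600);
define('RATE_DIR', '/tmp/dada-ratelimit');   // assumed, must be writable

// Issue a token bound to the client IP and the time the form was rendered.
function form_token_issue($ip, $now = null) {
    $now = ($now === null) ? time() : $now;
    return $now . ':' . hash_hmac('sha256', $ip . '|' . $now, FORM_TOKEN_SECRET);
}

// Accept the token only if the HMAC matches for this IP and the form was
// rendered at least $min_age seconds ago (bots submit within milliseconds)
// but no more than $max_age seconds ago.
function form_token_check($token, $ip, $now = null, $min_age = 3, $max_age = 3600) {
    $now = ($now === null) ? time() : $now;
    $parts = explode(':', (string) $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    $issued   = (int) $parts[0];
    $expected = hash_hmac('sha256', $ip . '|' . $issued, FORM_TOKEN_SECRET);
    if (strlen($parts[1]) !== strlen($expected)) {
        return false;
    }
    // Constant-time compare; hash_equals() only exists from PHP 5.6.
    $diff = 0;
    for ($i = 0; $i < strlen($expected); $i++) {
        $diff |= ord($expected[$i]) ^ ord($parts[1][$i]);
    }
    if ($diff !== 0) {
        return false;
    }
    $age = $now - $issued;
    return ($age >= $min_age && $age <= $max_age);
}

// File-backed counter: one file per IP holding "window_start count".
function rate_limit_allow($ip, $now = null) {
    $now = ($now === null) ? time() : $now;
    if (!is_dir(RATE_DIR)) {
        mkdir(RATE_DIR, 0700, true);
    }
    $fh = fopen(RATE_DIR . '/' . md5($ip), 'c+');
    if ($fh === false) {
        return false;                         // fail closed: no mail if we cannot count
    }
    flock($fh, LOCK_EX);
    $fields = explode(' ', trim(stream_get_contents($fh)));
    $start  = (isset($fields[0]) && $fields[0] !== '') ? (int) $fields[0] : $now;
    $count  = isset($fields[1]) ? (int) $fields[1] : 0;
    if ($now - $start >= WINDOW_SECONDS) {    // window expired: start a new one
        $start = $now;
        $count = 0;
    }
    $allowed = ($count < MAX_SENDS);
    if ($allowed) {
        $count++;
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, "$start $count");
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// The emailto spam payload lives in the free-text block: refuse notes that
// carry links or are overlong, and addresses carrying CR/LF (header injection).
function message_looks_like_spam($body, $addr) {
    if (preg_match('/[\r\n]/', $addr))        return true;
    if (preg_match('#https?://|www\.#i', $body)) return true;
    if (strlen($body) > 500)                  return true;
    return false;
}

// Combined gate for both forms. Returns null if the request may proceed,
// otherwise a short reason string suitable for the log.
function abuse_gate($ip, $token, $addr, $body = '') {
    if (!form_token_check($token, $ip))              return 'bad-token';
    if (!filter_var($addr, FILTER_VALIDATE_EMAIL))   return 'bad-address';
    if (message_looks_like_spam($body, $addr))       return 'spam-like';
    if (!rate_limit_allow($ip))                      return 'rate-limited';
    return null;
}

// Usage sketch (assumed field names) in emailto.php, before mail():
//   $why = abuse_gate($_SERVER['REMOTE_ADDR'], $_POST['token'], $_POST['to'], $_POST['note']);
//   if ($why !== null) { error_log("emailto refused ($why) from {$_SERVER['REMOTE_ADDR']}"); exit; }
// and when rendering either form:
//   <input type="hidden" name="token" value="<?php echo form_token_issue($_SERVER['REMOTE_ADDR']); ?>">
// For the sign-up form call abuse_gate() with the registration address and an empty body.
```

The token and the per-IP counter are not a CAPTCHA: a bot that fetches the form, waits a few seconds, and spreads requests over many addresses still gets MAX_SENDS mails per address per hour. What they remove is the cheap, unbounded relaying this thread describes, and the link check takes the payload out of the one place (the emailto note) where a spammer can put it. For the registration form the stronger fix is to make the confirmation mail carry nothing attacker-controlled beyond the address itself, so that even a mail the bot does trigger has no spam content to deliver.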
