Bot submitting from 58fecca08a199 etc.

Same issue – 5 different clients – different servers etc

Also, almost all of the IP addresses the submissions are coming from are TOR end nodes. Each email is from a different address. If anyone knows a way to simply block all TOR traffic, that might actually solve my problem.

I’ve got several clients with this issue as well. I enabled Akismet and Honeypot with no luck. Going to throw in ReCaptcha to see if that stems the flow until a response/fix comes through from plugin dev on this issue.

We’re seeing the same issue as well. Was going to try the honeypot, but will probably skip that now and use ReCaptcha too. Would love to not need to use that, though.

Google Recaptcha didn’t work for me. Been having this issue for about a week now. Never had issues with CF7. Guess hackers finally breached the matrix.

As I mentioned, ReCaptcha, Honeypot, field lengths, Wordfence, none of this helps so long as your form is still exposed. The only two viable workarounds I’ve found so far are:

1. Disable Contact Form 7
2. Install VigilanTor plugin and disable all TOR end node access to your sites (installed last night, 17 blocked attempts from TOR end nodes, not a single 58xxxxxxxx bot spam received today)

Is it unusual to have a zero day out in the wild and the dev says nothing? I mean, ok if he/she hasn’t figured out a solution yet that’s fine, but just let us know how harmful the payload is or what’s going on. If my domain is sending out thousands of spam emails and getting me listed as a spammer on blacklists I’d want to know that ASAP. I guess we should assume the worst if there is radio silence here?

Matt

Update on this – I blocked all entries containing 58f via the WordPress settings and the spam continued with a new number (which I have now blocked again)

Interesting. So… There is a human behind these???

no just a robot that adjusts

Ok stuff is starting to come in that is not from a TOR end node now so my TOR blocker doesn’t work. Dev still hasn’t replied, I’m done with Contact 7, will have to figure out a different solution. Bummer, really like the plugin. Good luck to everyone else.

I’m with you mab – I had too many sites with this plugin and now it’s compromised. Only saw on response from developer, and it wasn’t much at all. Asking what the mail tab looked like? Thread Still no response thereafter.

I’m with the rest of you, no response on this issue has forced me to rethink our contact solution.

Have signed up just to add “me 2”.

The spamming started late April, and is still ongoing. Plugin developer has not commented at all yet on this issue, which is concerning.

Have got a fail2ban rule perm-banning IPs that use the exploit. 328 bans in the last days. Has slowed it down somewhat, but not eliminated it completely.

The exploit seems to be some strange method of breaking the POST request into two TCP packets right where a variable is about to start. Don’t really understand it, but I guess it’s fooling the code somehow.

Same here…
Thousands of spammails since a week.
I guess the best is to replace CF7

Are they injecting a payload? Are our IPs being used to send out massive amounts of spam?