Hi,
    a bot is sending me mails through Contact Form 7 on my site that look like this:
    *******
    From: 58fecca08a199 <[email protected]> 91.229.76.21 https://insenglische.de/ [_post_url]

    Message Body:

    This e-mail was sent from a contact form on InsEnglische
    *******
    Note the email is a valid address, and these people are also getting sent a notification that their contact submission was sent. This bot is sending out messages with blank subjects and message content despite minimum and maximum lengths being defined for those fields, so there is some hack/vulnerability going on here.
    Other security measures in place include:
    1. Honeypot installed
    2. Flamingo to monitor
    3. Wordfence (free version)
    4. Google ReCaptcha
    5. Field min and max defined
    6. Postman SMTP set up
    I’m curious what the point of all these bot submissions could be. All I can imagine is that this is some sort of email injection attack, but I have no way to see the payload. If anyone can help (including the developer!) I’d appreciate it. I had the same issue with both PHP Mail and Postman SMTP, so this is not a PHP Mail vulnerability, but rather a problem with Contact Form 7 itself. When I deactivate Contact Form 7, it stops.
    Thanks,
    Matt

Viewing 15 replies - 1 through 15 (of 15 total)
Same issue – 5 different clients – different servers etc.

    Thread Starter mabst54

    (@mabst54)

    Also, almost all of the IP addresses the submissions are coming from are TOR end nodes. Each email is from a different address. If anyone knows a way to simply block all TOR traffic, that might actually solve my problem.

    I’ve got several clients with this issue as well. I enabled Akismet and Honeypot with no luck. Going to throw in ReCaptcha to see if that stems the flow until a response/fix comes through from plugin dev on this issue.

    We’re seeing the same issue as well. Was going to try the honeypot, but will probably skip that now and use ReCaptcha too. Would love to not need to use that, though.

    Google Recaptcha didn’t work for me. Been having this issue for about a week now. Never had issues with CF7. Guess hackers finally breached the matrix.

    Thread Starter mabst54

    (@mabst54)

    As I mentioned, ReCaptcha, Honeypot, field lengths, Wordfence, none of this helps so long as your form is still exposed. The only two viable workarounds I’ve found so far are:

    1. Disable Contact Form 7
    2. Install VigilanTor plugin and disable all TOR end node access to your sites (installed last night, 17 blocked attempts from TOR end nodes, not a single 58xxxxxxxx bot spam received today)

    Is it unusual to have a zero day out in the wild and the dev says nothing? I mean, ok if he/she hasn’t figured out a solution yet that’s fine, but just let us know how harmful the payload is or what’s going on. If my domain is sending out thousands of spam emails and getting me listed as a spammer on blacklists I’d want to know that ASAP. I guess we should assume the worst if there is radio silence here?

    Matt

    Update on this – I blocked all entries containing 58f via the WordPress settings and the spam continued with a new number (which I have now blocked again)

    Thread Starter mabst54

    (@mabst54)

    Interesting. So… There is a human behind these???

    no just a robot that adjusts

    Thread Starter mabst54

    (@mabst54)

    Ok stuff is starting to come in that is not from a TOR end node now so my TOR blocker doesn’t work. Dev still hasn’t replied, I’m done with Contact 7, will have to figure out a different solution. Bummer, really like the plugin. Good luck to everyone else.

    I’m with you mab – I had too many sites with this plugin and now it’s compromised. Only saw one response from the developer, and it wasn’t much at all, asking what the mail tab looked like. Still no response thereafter.

    I’m with the rest of you, no response on this issue has forced me to rethink our contact solution.

    Have signed up just to add “me 2”.

    The spamming started late April, and is still ongoing. Plugin developer has not commented at all yet on this issue, which is concerning.

    Have got a fail2ban rule perm-banning IPs that use the exploit. 328 bans in the last few days. Has slowed it down somewhat, but not eliminated it completely.

    The exploit seems to be some strange method of breaking the POST request into two TCP packets right where a variable is about to start. Don’t really understand it, but I guess it’s fooling the code somehow.
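The fail2ban approach described in the post above can be reproduced in a few lines of detection logic. The following is an added example, not code from the thread, from Contact Form 7 or from fail2ban: it reads a hypothetical, constructed submission log (the line format, IPs and timestamps are all made up for illustration), flags entries that carry the symptoms reported in this thread (a 13-hex-digit sender name like the `58fecca08a199` in the first post, or a subject/body below the server-side minimum length), and applies fail2ban-style `maxretry`/`findtime` counting per IP to decide which addresses would be banned. The minimum lengths are assumptions, not values from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format; not produced by Contact Form 7).
# One line per form submission: timestamp, source IP, sender name, subject, body.
SAMPLE_LOG = """\
2017-04-28T10:00:01Z ip=198.51.100.7 name=58fecca08a199 subject="" body=""
2017-04-28T10:00:05Z ip=198.51.100.7 name=58fecca2b1c44 subject="" body=""
2017-04-28T10:00:09Z ip=198.51.100.7 name=58fecca3e77d1 subject="" body=""
2017-04-28T10:02:00Z ip=203.0.113.9 name="Jane Doe" subject="Quote request" body="Hello, I would like a quote for ..."
2017-04-28T10:03:30Z ip=192.0.2.44 name=58feccb0a0f02 subject="" body=""
2017-04-28T10:45:00Z ip=192.0.2.44 name=58fecd00ff001 subject="" body=""
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) name=(?P<name>"[^"]*"|\S+) '
    r'subject="(?P<subject>[^"]*)" body="(?P<body>[^"]*)"$'
)
# The bot names seen in the thread are 13 lowercase hex digits.
HEX_TOKEN_RE = re.compile(r"^[0-9a-f]{13}$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["name"] = entry["name"].strip('"')
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return entry


def is_suspicious(entry, min_subject=3, min_body=10):
    """True if the entry shows the symptoms described in the thread:
    a hex-token sender name, or content that violates the (assumed)
    server-side minimum lengths for subject and body."""
    return bool(
        HEX_TOKEN_RE.match(entry["name"])
        or len(entry["subject"]) < min_subject
        or len(entry["body"]) < min_body
    )


def ban_candidates(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style decision: an IP is banned once it has produced
    `maxretry` suspicious submissions within any `findtime` window.
    Returns the IPs to ban, in the order they crossed the threshold."""
    windows = defaultdict(deque)  # ip -> timestamps of recent suspicious hits
    banned = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_suspicious(entry):
            continue
        ip, ts = entry["ip"], entry["ts"]
        hits = windows[ip]
        hits.append(ts)
        # Drop hits that fell out of the sliding window.
        while hits and ts - hits[0] > findtime:
            hits.popleft()
        if len(hits) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    for ip in ban_candidates(SAMPLE_LOG.splitlines()):
        print("ban", ip)
```

In the constructed sample, 198.51.100.7 sends three hex-named, empty submissions within seconds and is banned; 192.0.2.44 sends two such submissions 42 minutes apart, so the second falls outside the window and it is not banned; the legitimate submission from 203.0.113.9 is never counted. Note that, as the thread later reports, per-IP banning alone does not stop a bot that rotates exit nodes, so the content heuristics matter more than the counter.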

    Same here…
    Thousands of spam mails since a week.
    I guess the best is to replace CF7

    Thread Starter mabst54

    (@mabst54)

    Are they injecting a payload? Are our IPs being used to send out massive amounts of spam?

The topic ‘Bot submitting from 58fecca08a199 etc.’ is closed to new replies.