Recently I started getting spam emails from my own web site’s enquiry page; a regular delivery of emails from a variety of email addresses. I decided to look into the best way of stopping them.
The emails looked like:
Subject: [Suspected Junk Email]Software Pragmatism: I just wanted to say Hello! (Or some other greeting)
Body Text:
This is an enquiry email via: https://www.softwarepragmatism.com/ from <unrelated email address>
I’m looking for / I want to show you / Would you like to see my <insert dubious thing here > < link to something that you almost certainly don't want to be clicking on >
The first thing I did was to search online to see whether someone had hacked my site, and it seemed that they hadn’t. Actually it was even worse, it seemed that my site was helping people send these emails without having to even log in.
First Steps – The Easy Part
The first thing that most sites mentioned was that Joomla has a “Contact Me” facility so that your visitors can send you messages, ideally full of praise for your site but then who knows? Anyway, one of the fields on this page is this one:
To be honest, this is something of a security vulnerability in Joomla: there’s no guarantee that the address anyone puts into the “Email” field is actually theirs. Visitors can use this form to spam you and, by adding another email to the form, they can spam the real owner of the email too.
This field is an obvious candidate for removal, whether or not anyone is actually using it to send span at the moment. Looking through Joomla, at least in my installation, there are TWO places where this check box is enabled or disabled: in the Menus -> Main Menu section, as the “Contact Me” item:
and in the Components -> Contacts -> Contacts section. Both of these are shown below, and you should change both of them so that “Send Copy to Submitter” is set to “None”. Save and close both of these, and then clear the cache.
This will stop people from using your contact form to send spam, assuming that’s where it’s coming from.
Going Further
Obviously, as changing the contact form was a simple thing to do, it wasn’t overly effective. I looked further into the changes I could make, but they quickly descended into “Add This Extension and it will fix everything”. I don’t have anything against Joomla extensions, but every time you add one it’s another dependency, and another person you’re relying on to keep the extension up to date.
The main theme behind most of these is that the “Contact Me” messages are handled by the com_contact module, and you need to restrict access to this because it can be accessed without actually going to a page on your site. All anyone has to do is send the appropriate HTTP request to the following relative URL on your site:
/index.php?option=com_contact&view=contact&id=1
They don’t even need to authenticate any credentials. There’s a bug report with more details here:
https://github.com/joomla/joomla-cms/issues/20865 - Spam is sent using com_contact
It’s worth noting here that the id=1 parameter on the URL is the initial administrator on the site. If you have multiple registered users on the site, they’ll probably all be receiving spam. The spammers do this by simply changing the id parameter and re-issuing the HTTP calls to trigger another email.
The most straightforward way to stop people sending spam using this URL is to block their IP address from accessing your site. You can do this with the .htaccess
file or, if you have access to cPanel, just do the following:
- In the Metrics / Visitors section, select the log view for the domain you’re getting spam from.
- Search for com_contact in the log and make a note of the IP addresses that made the request. Ignore any that sent you messages that you actually wanted.
- Search for an IP lookup service (use the search terms: ip whois) and use this to work out whether the IP address is a single one, or part of a range owned by an ISP.
- From the Security / IP Blocker section, add each of the IP addresses you got from the logs, or the IP range containing them.
This is a more involved method than just disabling a checkbox, but it does end up being quite effective. It also blocks the IP address from accessing any other sites you have on the same server. You’ll need to keep the blocked IP addresses up to date whenever you start getting spam again, but eventually it should slow down to an acceptable level.
As for the spam emails, remember:
- The email address in the spam email is almost certainly either fictional or belongs to someone who has no idea it’s being use for spam. Alternatively it could belong to the spammers themselves. In any case, never reply to it.
- You don’t know what the URL at the bottom of the email links to, so don’t click on it. Whatever it is, it’s not going to improve your day.
Getting spam is just a cost of having a site where people can contact you. Treat it like you would if it came through any other medium – don’t click on anything, delete the original spam, block the source and move on.