samverdyck Posted July 4, 2016

Hi

On a PrestaShop 1.6.0.14 configuration we had an issue with the Send to a friend module on one particular product. We got an endless stream of mails sent from the module to *user*@qq.com mail addresses, see screenshot. We are using a SendGrid account to send the email; we noticed this problem because SendGrid blocked the account when we reached the 12 000 mails per month limit. I checked the Send to a friend module in the backend and it had to be updated. I did that and now the triggers for the spam have stopped. Has anyone had experience with this before? Can it be prevented in the future? Or was it a bug in an older version of the Send to a friend module? Thanks!
levviking Posted July 4, 2016

I have the same problem. I use PrestaShop 1.5.6.2.
eleazar Posted July 5, 2016

Like every module for 1.5, it is no longer officially supported by PrestaShop.

PrestaShop 1.6.x
Everyone who uses PrestaShop 1.6 should update the module automatically or download this version: sendtoafriend-190.zip

PrestaShop 1.5.x
And for those who still prefer PrestaShop 1.5, I applied the fix to Send-to-a-friend release 1.2: sendtoafriend_15_sec_patch.zip
eleazar Posted July 5, 2016

Because I tried to copy attachments from my topic in the German forum, which is not allowed. And on the other hand you have no access to your media on Android tablets or iPads, because both don't support a Java rich text editor. Anyway, done!
levviking Posted July 5, 2016

Thanks, it works for me.
exadra37 Posted July 21, 2016

I am the author of the responsible disclosure about this security issue in the PrestaShop Send to a Friend module and also made the pull request to fix it. This pull request originated version 1.9.0, and from now on the module will not be very useful to spammers, since it no longer allows them to post their messages with links, and emails must be valid. A CAPTCHA would be a good improvement and I may implement it in the future, depending on my clients' requests.
Tanatus Posted August 12, 2016

I have the same sendtoafriend spam issue. My version is 1.9.0 but I still receive dozens of qq.com emails. I've used a method offered in a similar thread. Change in /modules/sendtoafriend/sendtoafriend_ajax.php

if (!$friendName || !$friendMail || !$id_product)

to

if (!$friendName || !$friendMail || !$id_product || !$module->context->cookie->customer_firstname)

I will wait to see the result.
Nick Lappage Posted August 23, 2016

I am having the same problem too. PS 1.6.1.4 with Send to a Friend 1.9. Looking forward to a solution.
TomskySupport Posted September 8, 2016

(Quoting Tanatus' post above, which adds !$module->context->cookie->customer_firstname to the check in /modules/sendtoafriend/sendtoafriend_ajax.php.)

With this code, you have blocked guests from sending notifications.
creasolstore Posted September 8, 2016

Hi all. I've found another solution, for Linux users, for this problem: a very nice tool to prevent attacks is fail2ban, a system that reads log files to find brute-force attacks and other kinds of problems. I've written a very simple filter to read the apache2 access.log file and ban the IP address of whoever is trying to send more than 5 messages to a friend. Just install fail2ban, then add the following lines into /etc/fail2ban/filter.d/prestashop.conf:

# Fail2Ban configuration file
#
# Regexp to catch sendtoafriend requests on the apache2 log file
[Definition]
failregex = ^<HOST> -.*POST /modules/sendtoafriend/sendtoafriend_ajax.php
ignoreregex =
# Author: Paolo Subiaco

and then I've added the following lines to /etc/fail2ban/jail.local (or jail.conf):

[prestashop]
enabled = true
port = http,https
logpath = /var/log/apache2/access.log
bantime = 172800
maxretry = 5

then restart the fail2ban server. After a couple of minutes, I see in the fail2ban log file:

2016-09-08 22:17:26,047 fail2ban.filter [8063]: INFO [prestashop] Found 49.150.29.138
2016-09-08 22:18:03,761 fail2ban.filter [8063]: INFO [prestashop] Found 49.150.29.138
2016-09-08 22:18:03,761 fail2ban.filter [8063]: INFO [prestashop] Found 49.150.29.138
2016-09-08 22:18:37,926 fail2ban.filter [8063]: INFO [prestashop] Found 49.150.29.138
2016-09-08 22:18:45,869 fail2ban.filter [8063]: INFO [prestashop] Found 49.150.29.138
2016-09-08 22:18:47,372 fail2ban.actions [8063]: NOTICE [prestashop] Ban 49.150.29.138

IP address 49.150.29.138 was blocked for 2 days, because it tried to send 5 messages to a friend.

Regards,
Paolo
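To see what the filter and jail above would actually do before enabling them, here is an added example that replays the same failregex over a constructed access.log and applies maxretry inside fail2ban's findtime window. It is written for this thread and is neither part of creasolstore's post nor fail2ban code; the sample lines (TEST-NET addresses), the IPv4-only stand-in for <HOST> and the function names are assumptions. Stand-alone PHP 7.4+, no PrestaShop or fail2ban installation needed.

```php
<?php
/* Added example (not from the post above, not fail2ban code): replay of the prestashop.conf
 * failregex over a constructed Apache access.log with the jail's maxretry and fail2ban's
 * default findtime. Sample data, the <HOST> stand-in and function names are assumptions. */
declare(strict_types=1);

// fail2ban expands <HOST> to a host/IP pattern; an IPv4-only stand-in is used here.
const FAIL_REGEX = '#^(?<host>\d{1,3}(?:\.\d{1,3}){3}) -.*POST /modules/sendtoafriend/sendtoafriend_ajax\.php#';
const MAX_RETRY  = 5;      // from the [prestashop] jail above
const FIND_TIME  = 600;    // seconds; the jail sets no findtime, so fail2ban's default of 10 minutes applies
const BAN_TIME   = 172800; // from the jail above (2 days)

/* Returns ['host' => ..., 'time' => unix timestamp] for a matching combined-log line, null otherwise. */
function matchLine(string $line): ?array
{
    if (!preg_match(FAIL_REGEX, $line, $m)) {
        return null;
    }
    if (!preg_match('#\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]#', $line, $t)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $t[1]);
    return $ts === false ? null : ['host' => $m['host'], 'time' => $ts->getTimestamp()];
}

/* Sliding-window count per host: a host is banned once MAX_RETRY matches fall inside FIND_TIME.
 * Returns host => ['banned_at' => ts, 'until' => ts]. Every POST counts, whatever the status code. */
function findBans(array $lines): array
{
    $recent = [];
    $bans   = [];
    foreach ($lines as $line) {
        $hit = matchLine($line);
        if ($hit === null || isset($bans[$hit['host']])) {
            continue;
        }
        $h = $hit['host'];
        $recent[$h][] = $hit['time'];
        // keep only the matches inside the window that ends at this hit
        $recent[$h] = array_values(array_filter(
            $recent[$h],
            fn (int $t): bool => $t > $hit['time'] - FIND_TIME
        ));
        if (count($recent[$h]) >= MAX_RETRY) {
            $bans[$h] = ['banned_at' => $hit['time'], 'until' => $hit['time'] + BAN_TIME];
        }
    }
    return $bans;
}

/* Constructed sample log in Apache "combined" format (TEST-NET addresses, not real traffic). */
function sampleLog(): array
{
    $lines = [];
    // 203.0.113.7: five POSTs spread over 50 minutes, never five inside one 10-minute window
    foreach (['21:30:00', '21:42:00', '21:55:00', '22:08:00', '22:20:00'] as $t) {
        $lines[] = "203.0.113.7 - - [08/Sep/2016:$t +0200] \"POST /modules/sendtoafriend/sendtoafriend_ajax.php HTTP/1.1\" 200 1 \"-\" \"Mozilla/5.0\"";
    }
    // 198.51.100.23: five POSTs in 80 seconds, banned on the fifth
    foreach (['22:17:26', '22:18:03', '22:18:05', '22:18:37', '22:18:45'] as $t) {
        $lines[] = "198.51.100.23 - - [08/Sep/2016:$t +0200] \"POST /modules/sendtoafriend/sendtoafriend_ajax.php HTTP/1.1\" 200 1 \"-\" \"Mozilla/5.0\"";
    }
    // a GET of the product page is not a POST to the ajax script and is ignored by the regex
    $lines[] = "203.0.113.7 - - [08/Sep/2016:22:21:00 +0200] \"GET /index.php?id_product=42 HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\"";
    return $lines;
}

foreach (findBans(sampleLog()) as $host => $ban) {
    printf("%s banned at %s until %s\n", $host, date('c', $ban['banned_at']), date('c', $ban['until']));
}
```

Only 198.51.100.23 is banned. Against the real log, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/prestashop.conf` reports how many lines the filter matches. Two caveats follow from the regex itself: it counts every POST, accepted or rejected, so a customer who shares five products in ten minutes gets the same two-day ban as the bot; and behind a reverse proxy or CDN the logged <HOST> is the proxy's address, so a ban would block every visitor unless Apache logs the real client address (mod_remoteip) first.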
Tanatus Posted September 9, 2016

(Quoting creasolstore's fail2ban post above.)

But this is only for a server? What if you only have hosting, without access to the server?
Tanatus Posted September 9, 2016

Quoting TomskySupport: "With this code, you have blocked guests from sending notifications."

Agreed, but my guests do not send my products so often, compared to registered users. So it is just an individual case. In my case, spam protection is much more important. Do you have any other solutions? Without additional modules?
Tanatus Posted September 9, 2016

(Quoting my own post above with the customer_firstname check in /modules/sendtoafriend/sendtoafriend_ajax.php.)

The result is that all spam is stopped. So it works, but obviously with some negative aspects as well.
Fishka Posted September 11, 2016

Hi
To fix the problem with spam from the sendtoafriend module's form, a small modification of the source code in the file /modules/sendtoafriend/sendtoafriend_ajax.php is needed. All spam generated from this module is stopped. (In the original post the original code was shown in blue and the added code in green; here the added code is the part between the COPY AND PASTE markers.) Complete source code:

<?php
/**
 * 2007-2014 PrestaShop
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Academic Free License (AFL 3.0)
 * that is bundled with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
 * http://opensource.org/licenses/afl-3.0.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to [email protected] so we can send you a copy immediately.
 *
 * DISCLAIMER
 *
 * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
 * versions in the future. If you wish to customize PrestaShop for your
 * needs please refer to http://www.prestashop.com for more information.
 *
 * @author PrestaShop SA <[email protected]>
 * @copyright 2007-2014 PrestaShop SA
 * @license http://opensource.org/licenses/afl-3.0.php Academic Free License (AFL 3.0)
 * International Registered Trademark & Property of PrestaShop SA
 *
 * =============================================================================
 * ==== Antispam modification 2016-09-10 Wojciech Ryszkieiwcz (free for all)
 * ==== Death to Chinese spammers
 * =============================================================================
 */

require_once(dirname(__FILE__).'/../../config/config.inc.php');
require_once(dirname(__FILE__).'/../../init.php');
include_once(dirname(__FILE__).'/sendtoafriend.php');
include_once(dirname(__FILE__).'/../../classes/Product.php');

$module = new SendToAFriend();

if (Tools::getValue('action') == 'sendToMyFriend' && Tools::getValue('secure_key') == $module->secure_key)
{
    $friendName = Tools::getValue('name');
    $friendMail = Tools::getValue('email');
    $id_product = Tools::getValue('id_product');

    if (!$friendName || !$friendMail || !$id_product)
        die('0');

    /* Email generation */
    $product = new Product((int)$id_product, false, $module->context->language->id);
    $productLink = $module->context->link->getProductLink($product);
    $customer = $module->context->cookie->customer_firstname
        ? $module->context->cookie->customer_firstname.' '.$module->context->cookie->customer_lastname
        : $module->l('A friend', 'sendtoafriend_ajax');
    $templateVars = array(
        '{product}' => $product->name,
        '{product_link}' => $productLink,
        '{customer}' => $customer,
        '{name}' => Tools::safeOutput($friendName)
    );

    // << COPY AND PASTE FROM THIS LINE ==================================
    /* Names of 25 characters or more are never sent: this block closes after die('1')
     * below, so the script falls through to the final die('0'). */
    if (strlen($friendName) < 25)
    {
        /* Sender IP, appended to the mail subject so the source of a spam run can be seen.
         * The X-Forwarded-* / Client-IP headers are supplied by the client and can be forged;
         * only REMOTE_ADDR comes from the TCP connection. */
        $ip = getenv('HTTP_CLIENT_IP') ?: getenv('HTTP_X_FORWARDED_FOR') ?: getenv('HTTP_X_FORWARDED')
            ?: getenv('HTTP_FORWARDED_FOR') ?: getenv('HTTP_FORWARDED') ?: getenv('REMOTE_ADDR');
        $customer = $customer.' (IP of customer is:'.$ip.')';

        /* Any Chinese (Han) character in the name */
        preg_match('/\p{Han}/u', $friendName, $matches);

        /* If the name contains a dot, " com", a semicolon or any Chinese character,
         * the recipient address is blanked so no mail is sent. Otherwise (no Chinese
         * characters, at most 24 characters, no ".", " com" or ";") the mail is sent
         * with the sender's IP address in the subject. */
        if (strstr($friendName, '.') !== false
            || strstr($friendName, ' com') !== false
            || strstr($friendName, ';') !== false
            || count($matches) > 0)
        {
            /* For testing, put your own address here to see who is sending the spam
             * (IP in the subject), e.g. $friendMail = "[email protected]";
             * in production leave it empty: $friendMail = ""; */
            $friendMail = '';
        }
    // << COPY AND PASTE TO THIS LINE ====================================

        /* Email sending */
        if (!Mail::Send(
            (int)$module->context->cookie->id_lang,
            'send_to_a_friend',
            sprintf(Mail::l('%1$s sent you a link to %2$s', (int)$module->context->cookie->id_lang), $customer, $product->name),
            $templateVars,
            $friendMail,
            null,
            ($module->context->cookie->email ? $module->context->cookie->email : null),
            ($module->context->cookie->customer_firstname ? $module->context->cookie->customer_firstname.' '.$module->context->cookie->customer_lastname : null),
            null,
            null,
            dirname(__FILE__).'/mails/'))
            die('0');
        die('1');
    } // << THIS LINE COPY AND PASTE TOO ================================
}
die('0');
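The post above blocks spam with a list of bad substrings (".", " com", ";") and a check for Chinese characters, which also rejects every customer with a Chinese name and leaves the name field open to any payload not on the list. exadra37's 1.9.0 fix is described earlier in the thread as "no links, and the e-mail must be valid". The following added example, written for this thread and not taken from the sendtoafriend module (any version) or from any poster here, shows that approach as an allow-list: the name may only contain letters of any script, spaces, hyphens and apostrophes, the e-mail must pass PHP's validator, the product id must be a positive integer, and a recipient-domain blocklist covers the qq.com addresses reported throughout the thread. The function names, the length limit and the blocklist are assumptions; it is stand-alone PHP 7.4+ and uses no PrestaShop classes, so it runs with plain `php`.

```php
<?php
/* Added example (not module code, not from any post in this thread): allow-list validation
 * of the three fields sendtoafriend_ajax.php reads (name, email, id_product). Function
 * names, NAME_MAX_LEN and BLOCKED_DOMAINS are assumptions for illustration. */
declare(strict_types=1);

const NAME_MAX_LEN    = 32;         // assumed limit
const BLOCKED_DOMAINS = ['qq.com']; // assumed blocklist; qq.com is the domain reported in this thread

/* Allow-list for the name: letters of any script, combining marks, spaces, hyphens and
 * apostrophes. URLs, digits, ".", "@", ";" and "com" payloads are rejected by construction,
 * so there is no list of bad substrings to maintain. Trade-off: initials such as "J. Smith"
 * are rejected too. Returns null when acceptable, otherwise a short reason. */
function validateFriendName(string $name): ?string
{
    $name = trim($name);
    if ($name === '') {
        return 'empty name';
    }
    if (mb_strlen($name, 'UTF-8') > NAME_MAX_LEN) {
        return 'name too long';
    }
    if (!preg_match('/^[\p{L}\p{M}\' -]+$/u', $name)) {
        return 'name contains characters outside the allow-list';
    }
    return null;
}

/* Syntax check with PHP's validator, then the recipient-domain blocklist. */
function validateFriendMail(string $mail): ?string
{
    $mail = trim($mail);
    if (strlen($mail) > 254 || filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid e-mail address';
    }
    $domain = strtolower(substr($mail, strrpos($mail, '@') + 1));
    if (in_array($domain, BLOCKED_DOMAINS, true)) {
        return 'recipient domain '.$domain.' is blocked';
    }
    return null;
}

/* Tools::getValue() hands back a string; accept only a positive decimal integer instead of
 * relying on the (int) cast in the module to turn junk into product 0. */
function validateProductId(string $id): ?string
{
    return preg_match('/^[1-9][0-9]{0,9}$/', $id) ? null : 'product id is not a positive integer';
}

/* Validates one request (the POST array). Returns the list of reasons; empty means it may be sent. */
function validateSendToFriend(array $post): array
{
    $checks  = ['name' => 'validateFriendName', 'email' => 'validateFriendMail', 'id_product' => 'validateProductId'];
    $reasons = [];
    foreach ($checks as $field => $check) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $reasons[] = 'missing '.$field;
            continue;
        }
        $reason = $check($post[$field]);
        if ($reason !== null) {
            $reasons[] = $reason;
        }
    }
    return $reasons;
}

/* Constructed sample requests (not real traffic): one legitimate, three spam-shaped. */
$samples = [
    ['name' => 'Anna Kowalska',                'email' => 'anna@example.org', 'id_product' => '42'],
    ['name' => 'see http://example.com/offer', 'email' => 'x@example.net',    'id_product' => '42'],
    ['name' => '小李',                          'email' => '12345678@qq.com',  'id_product' => '42'],
    ['name' => 'Bob',                          'email' => 'not-an-address',   'id_product' => 'abc'],
];
foreach ($samples as $i => $sample) {
    $reasons = validateSendToFriend($sample);
    printf("sample %d: %s\n", $i, $reasons ? 'REJECT ('.implode('; ', $reasons).')' : 'accept');
}
```

Sample 0 is accepted; sample 1 fails on the name, sample 2 on the recipient domain (the Chinese name itself passes), sample 3 on both the address and the product id. Two points to keep in mind when wiring this into the real script: the secure_key compared at the top of sendtoafriend_ajax.php is rendered into the product page, so any scripted client can read and replay it, and validation does not replace a rate limit; it only stops the module from being a free relay for arbitrary recipients and arbitrary text.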
patrmich Posted October 18, 2016

Hi Fishka,

Thank you for the amendment you suggested. I made this amendment to /modules/sendtoafriend/sendtoafriend_ajax.php. I am using the Send to a Friend module v1.4 with PrestaShop 1.5.6.2. But after I made the amendment, I am facing the following problem: when I click on the Send button, nothing happens. It seems that the JavaScript no longer works. Would you know how to fix the problem? Thank you in advance for any reply.

Patrick
patrmich Posted November 16, 2016

Hi Fishka,

Sorry for my previous post. The amendment you suggested does work. My error was to forget one } when pasting the code.

Kind regards,
Patrick
Fishka Posted November 22, 2016

I'm glad it's working. I'm sorry that I did not answer your email earlier, but I had a vacation from my computer. I hope this modification also came in handy for others. In my store it is working properly, and for more than a month my store has not sent any spam.

Regards,
Fishka (Wojtek)
neugon Posted January 18, 2017

The Send to a friend feature is obsolete on many commerce sites. Just check your traffic or put in some Google Analytics; if your visitors are not using it, I would recommend simply disabling the module. That certainly works.
jordipalet Posted March 7, 2017

$customer = $customer." (IP of customer is:".$ip.")";

You should not use that line, because it is against privacy laws. IP addresses are considered personal data in Europe, so if you forward that to the "friend" you are breaking the law. Is it really necessary to include the IP address in the subject?
doekia Posted May 13, 2017

First purge the mail queue: postsuper -d ALL

Check that sendtoafriend is still the culprit (no backdoor has been installed since the first attack).

Ensure you did not keep a "backup" of sendtoafriend as _sendtoafriend, 1sentoafriend, 0sendtoafriend, ...; they are regularly scanned by hackers.

Blacklist the most common bad domains (qq.com, ...).
Derres Posted June 7, 2017

Is there any solution to let only registered users send an email, and to put a timer on it so that at most x mails can be sent every x seconds? For example, allow 1 email every 10 minutes at most? Thanks