OS Property support center

Spam Emails

9 years 10 months ago #63892 by Jim
Hi,
Over the last 2 days I have had lots of spam messages (and so have all my agents) through the Email a Friend and property enquiry forms.

I thought with the security code built into these that this wouldn't happen?

Any ideas? We are getting 10 per hour now and my customers (agents) are complaining :(

thanks

Jim

9 years 10 months ago #63901 by Jim
Replied by Jim on topic Spam Emails
UPDATE:
This has been such a huge issue that we took our OS Property site down, so just the 'site unavailable for maintenance' page was showing, and we were still getting lots of spam emails from the More Details forms.

I have checked the database and the pf1_osrs_properties total_request_info count is not increasing, so the emails are NOT being sent from the front end of the site.

I am using OS Property 2.8.1 and Joomla 3.4.1.

9 years 10 months ago #63902 by Mr. Dam
Replied by Mr. Dam on topic Spam Emails
Hi Jim,
You can send us your site information with a super admin account and an FTP account. We will help you check the issue.
Thanks
Dam

9 years 10 months ago #63903 by Jim
Replied by Jim on topic Spam Emails
Thanks Dam,

Information in a support ticket.

Jim

9 years 9 months ago #65712 by John
Replied by John on topic Spam Emails
Hi,

I'm getting a lot of spam emails now also. Did you find anything out from your investigation? This morning the count is at 20+.

Thanks!

9 years 9 months ago #65713 by Mr. Dam
Replied by Mr. Dam on topic Spam Emails
Hi,
Please submit a ticket and send your site information with a super admin account. I will check the issue for you. By the way, please remember to add some spam emails to the ticket so I can see the source.
Thanks
Dam

9 years 9 months ago #65850 by Marc
Replied by Marc on topic Spam Emails
Hi Dam,

I think the main problem here is that you are hardcoding the security key directly into the HTML.

A spammer simply needs to pull the MD5+Substring5 code you are embedding out of the hidden field. They can then bypass the security check, and this can be trivially scripted.
This effectively negates all benefit that having a captcha has on a form.

For example, in the PHP code-behind of agentregistration.php, you generate a key using md5 and then substring it to 5 characters.
Then you include this secret key twice in the generated page: in the hidden input (name="captcha_str") as well as in the actual img request URL (task=property_captcha&ResultStr=$ResultStr).

Google reCAPTCHA uses a private/public key pair and multiple other security enhancements to prevent automated circumvention of the captcha, which is exactly what a captcha is meant to avoid.

It would have been preferable for you to have implemented the core Joomla JPluginHelper captcha library, as detailed below, instead of implementing your own captcha routine; that way the admins can use the site-wide captcha capabilities and enrol in reCAPTCHA if required:
stackoverflow.com/questions/12840015/how...-to-my-custom-module

Also, if the captcha routine you used is from an online example, people can form custom Google search queries using the variable to find a suitable hitlist of targets to spam.

Regards,

Marc
The following user(s) said Thank You: Stephan, Colin
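
The flaw Marc describes, worked through as an added example (not OS Property's own code, and not the page's): the weak half reproduces the pattern from his post, a 5-character md5 prefix written into the hidden captcha_str field and into the task=property_captcha&ResultStr= image URL, so a bot only has to read the hidden field back. The hardened half keeps the answer and a CSRF token in the server-side session and sends the page an opaque challenge id only. The HTML layout, the SESSIONS dict, and the field names captcha_id and csrf_token are assumptions made for illustration, not names from OS Property.

```python
"""Weak embedded-answer captcha versus a server-side-bound one.

Added example, not OS Property's code. The weak half follows the pattern Marc
describes in the thread: md5(...) cut to 5 characters, placed in the hidden
"captcha_str" field and in the image URL (task=property_captcha&ResultStr=...).
The HTML layout, the SESSIONS dict and the field names captcha_id / csrf_token
are constructed for illustration and are not OS Property's own.
"""
import hashlib
import hmac
import re
import secrets

HIDDEN_RE = re.compile(r'<input type="hidden" name="([^"]+)" value="([^"]*)"')


def hidden_fields(html: str) -> dict:
    """Return every hidden input as {name: value}; the first thing a form bot does."""
    return dict(HIDDEN_RE.findall(html))


# ---- Weak scheme: the answer travels to the client in clear text ----

def weak_render_form(seed: str) -> str:
    """Server side. The answer is derived, then written into the page twice."""
    result_str = hashlib.md5(seed.encode()).hexdigest()[:5]
    return "\n".join([
        '<form method="post">',
        f'  <img src="index.php?option=com_osproperty&task=property_captcha&ResultStr={result_str}">',
        '  <input type="text" name="captcha">',
        f'  <input type="hidden" name="captcha_str" value="{result_str}">',
        '</form>',
    ])


def weak_verify(post: dict) -> bool:
    """Server side. Both operands come from the client, so the check proves nothing."""
    return post.get("captcha", "") == post.get("captcha_str", "")


def weak_bypass(html: str) -> dict:
    """Attacker side. No OCR, no session: copy the hidden value into the answer box."""
    answer = hidden_fields(html)["captcha_str"]
    return {"captcha": answer, "captcha_str": answer, "message": "spam"}


# ---- Hardened scheme: answer and CSRF token live only in the server session ----

SESSIONS: dict = {}  # stand-in for the server-side (PHP) session store


def hardened_render_form(session_id: str) -> str:
    """Server side. The page gets an opaque challenge id and a CSRF token, never the answer."""
    sess = SESSIONS.setdefault(session_id, {"csrf": secrets.token_hex(16), "captchas": {}})
    challenge_id = secrets.token_urlsafe(12)
    sess["captchas"][challenge_id] = secrets.token_hex(8)[:5]  # drawn into the image only
    return "\n".join([
        '<form method="post">',
        f'  <img src="index.php?option=com_osproperty&task=property_captcha&id={challenge_id}">',
        '  <input type="text" name="captcha">',
        f'  <input type="hidden" name="captcha_id" value="{challenge_id}">',
        f'  <input type="hidden" name="csrf_token" value="{sess["csrf"]}">',
        '</form>',
    ])


def hardened_verify(session_id: str, post: dict) -> bool:
    """Server side. CSRF check first, then a single-use, constant-time captcha compare."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return False
    if not hmac.compare_digest(sess["csrf"].encode(), post.get("csrf_token", "").encode()):
        return False
    # Pop the challenge whether or not the answer is right: one guess per image
    # fetched, so the 5-hex-char (2^20) space cannot be brute-forced on one id.
    expected = sess["captchas"].pop(post.get("captcha_id", ""), None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), post.get("captcha", "").encode())


def captcha_answer(session_id: str, challenge_id: str) -> str:
    """What the image endpoint would render; exposed here only so the demo can play the user."""
    return SESSIONS[session_id]["captchas"][challenge_id]


if __name__ == "__main__":
    weak = weak_render_form("listing-42")
    print("weak scheme, scripted bypass accepted:", weak_verify(weak_bypass(weak)))
    page = hardened_render_form("visitor-1")
    fields = hidden_fields(page)
    print("hardened form leaks captcha_str:", "captcha_str" in fields)
    good = {"captcha": captcha_answer("visitor-1", fields["captcha_id"]),
            "captcha_id": fields["captcha_id"], "csrf_token": fields["csrf_token"]}
    print("human answer accepted:", hardened_verify("visitor-1", good))
    print("same answer replayed:", hardened_verify("visitor-1", good))
```

The two properties worth checking in any replacement are visible in hardened_verify: nothing the client can read lets it compute the answer, and each challenge is consumed on first use so a bot cannot keep guessing against one image. In Joomla 3 the equivalent of this half is the core captcha plugin that Marc points to (loaded through JPluginHelper) together with JHtml::_('form.token') in the form and JSession::checkToken() on submit; those are Joomla's own APIs and are not reproduced here.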
9 years 9 months ago #65969 by Mr. Dam
Replied by Mr. Dam on topic Spam Emails
Hi Marc,
On one page we can only use one reCaptcha item; on the Property details page we have several forms, like the Request More Details, Sharing and Comment forms, so we can't put reCaptcha on all forms. That is the reason we should use the OS Property captcha for the Property details page.
Thanks
Dam

9 years 9 months ago #65979 by Colin
Replied by Colin on topic Spam Emails
Hi Dam

So if I understand your reply correctly, what you're saying is that you aren't going to do anything about this problem.
If that's the case, I strongly suggest you need to reconsider that decision.

I don't have a live site with osprop yet, but if this issue arises it will be a deal breaker for me, so please consider again how best to resolve this.

Some other points:
Aside from the valid points Marc makes about the implementation, your actual captcha itself is so weak it's very easy to break.

AFAIK version 2 of reCaptcha will work on multiple forms per page (although I don't like tying myself to Google on principle, but anyway...).

Slightly OT but connected: I don't see any CSRF token in the OSP forms.

9 years 9 months ago #65982 by Mr. Dam
Replied by Mr. Dam on topic Spam Emails
Hi Colin,
Currently, we have already moved the forms to functions in the "helper" file. In the next OS Property release, we will use new, different algorithms in the existing captcha to further minimize spam emails.
Sincerely,
Dam
