The "copy me" checkbox on the core drupal contact module is a bad thing, especially if you can't disable it. I've disabled it by hacking the code, but this makes updates more complicated since it's part of the core drupal distribution, easy to overwrite my changes on an upgrade.

The basic problem is that there's no way to make sure the submitted "from" email address belongs to the poster. So, an "evil spammer" could submit spam via a website with this feature enabled by putting in spam-to email addresses as their own. Then a "copy" of the spam email would be sent to somebody else, thus creating relay spam.

I would like to see an easy patch to disable this feature in the admin moved up to a high priority -- so that we don't have to comment out the code. This is an easy fix and should not affect core at all. I don't want to use the 3rd party feedback module since it's not part of core and really is no different except for this feature. The limiter of posts per hour is great in contact, but you really can't set it to zero so some relay spam could occur on drupal websites.

A huge security hole in my opinion. Let's fix it in a point release!


Comments

beginner’s picture

Version: 4.7.2 » x.y.z
Category: feature » bug

is this related to this one: http://drupal.org/node/34181 ?

chrisschaub’s picture

Status: Active » Closed (duplicate)

Yes, I'll mark a dupe and close. Thanks.

crunchywelch’s picture

Status: Closed (duplicate) » Active

This is not a dupe. You can relay spam, one at a time, using this method. It has nothing to do with header injection, it has to do with the fact that I can put in any email address in the 'Your e-mail address' field, click 'Send me a copy' and the form will send whatever you've placed in the message field to that address. Granted, it's slow and probably would be noticed by a site admin, but once you notice how can you stop it besides shutting off the module?

I've commented out this code in our version for now because it's been abused constantly over the past few days, someone has definitely built some bots to exploit this.

I would prefer a 'send me a confirmation' email that has admin configurable text to send so the user knows it was sent, but the message is not repeated as to completely remove any value in exploiting this. I'm happy to roll a patch if that sounds like a good plan.

webchick’s picture

Actually. A better plan might be to require re-validating ones' email address if they change it.

crunchywelch’s picture

The problem with that is anonymous users have no way of validating email. A possible hybrid solution would be to not allow copy sending, and only bland confirmation for anonymous users, and not allow logged in users to change their email at all.

chx’s picture

Assigned: Unassigned » chx

Battle plan.

  1. Remove "copy me" for anonymous.
  2. When you change your email address on user edit, it does not get changed; instead you get an email to the new address with a hashed link (note that we have code for such links already), and clicking that changes your email.
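
As an added illustration of step 2 (not code from chx's patch or from Drupal itself), the following plain PHP shows one way to issue and check such a hashed link: the requested address is held as "pending" on the account, the mail goes to that new address, and the link carries a timestamp plus an HMAC over the user id, the new address and the timestamp. The names email_change_token(), email_change_link(), email_change_verify(), EMAIL_CHANGE_TTL, the $site_secret value and the /user/UID/mail/TIMESTAMP/TOKEN path layout are all assumptions of this example.

```php
<?php
// Added example (not Drupal's code): confirm a pending e-mail change with a
// time-limited, HMAC-signed link before the stored address is updated.
// Assumed: a per-site secret ($site_secret) and the pending address are kept
// alongside the account until the link is clicked.

const EMAIL_CHANGE_TTL = 86400; // assumed policy: links are valid for one day

// Token for user $uid changing to $new_mail, issued at $timestamp. Binding all
// three means a link issued for one address cannot be replayed for another.
function email_change_token(int $uid, string $new_mail, int $timestamp, string $site_secret): string {
    $data = $uid . "\0" . strtolower($new_mail) . "\0" . $timestamp;
    return hash_hmac('sha256', $data, $site_secret);
}

// Link to mail to the NEW address (assumed path layout /user/UID/mail/TS/TOKEN).
function email_change_link(int $uid, string $new_mail, string $site_secret, string $base_url, int $now): string {
    $token = email_change_token($uid, $new_mail, $now, $site_secret);
    return $base_url . '/user/' . $uid . '/mail/' . $now . '/' . $token;
}

// Check a clicked link against the pending address on record. The address is
// read from storage, not from the URL, so the token only confirms what the
// account already requested.
function email_change_verify(int $uid, string $pending_mail, int $timestamp, string $token, string $site_secret, int $now): bool {
    if ($timestamp > $now || $now - $timestamp > EMAIL_CHANGE_TTL) {
        return false; // expired (or issued in the future)
    }
    $expected = email_change_token($uid, $pending_mail, $timestamp, $site_secret);
    return hash_equals($expected, $token); // constant-time comparison
}

// Constructed walk-through: issue a link, then verify it as the page callback
// would after parsing the timestamp and token out of the path.
$secret = 'constructed-site-secret-replace-me';
$link = email_change_link(42, 'new@example.com', $secret, 'https://example.com', 1700000000);
[$ts, $tok] = array_slice(explode('/', parse_url($link, PHP_URL_PATH)), -2);

$ok        = email_change_verify(42, 'new@example.com',   (int) $ts, $tok, $secret, 1700000100);
$wrongMail = email_change_verify(42, 'other@example.com', (int) $ts, $tok, $secret, 1700000100);
$expired   = email_change_verify(42, 'new@example.com',   (int) $ts, $tok, $secret, 1700000000 + 2 * EMAIL_CHANGE_TTL);
var_dump($ok, $wrongMail, $expired);
```

Sending the link to the new address rather than the old one is what turns the click into proof that the requester controls that mailbox; the timestamp in the URL bounds how long a leaked or forwarded link stays usable, and hash_equals() keeps the token comparison constant-time.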

Gerhard Killesreiter’s picture

Sounds like a good plan to me.

Dries’s picture

Sounds good to me too.

matt@antinomia’s picture

I've taken care of part one of the equation (the simple part) as part of this patch: http://drupal.org/node/58224#comment-134542.

Regarding part two, I'd be happy to take a stab at coding it. What would be an appropriate location to store the user's new email address while pending verification? Do we need another field in the users table, or can we do this in conjunction with the 'init' field?

matt@antinomia’s picture

Component: contact.module » user.module

Seems this is also now fundamentally a user.module issue.

chx’s picture

Status: Active » Needs review
FileSize
5.64 KB

I think wording will need help and the code is absolutely untested but basically, this is it.

webchick’s picture

Just a note, I tried to test this tonight but there's currently a bug in HEAD where anon users can't view user profiles, so getting to the contact form is impossible. i will have another look tomorrow when i am less tired. :P

AjK’s picture

Comment to get me subscribed.

Applied patch to test but, as webchick, can't properly test (and it's late here too! 1:36am)

chx’s picture

Title: contact module - copy me a bad thing, spam possible » Make sure the user's email is correct

I just tried to view user/1 as anon user and succeeded. What this has to do with my patch, that's a mystery. Adjusted title.

chx’s picture

Title: Make sure the user's email is correct » ontact module - copy me a bad thing, spam possible
FileSize
5.68 KB

Rolled back title (realized that I changed contact after all), rolled patch against HEAD.

chx’s picture

Title: ontact module - copy me a bad thing, spam possible » contact module - copy me a bad thing, spam possible

AjK’s picture

I just tried to view user/1 as anon user and succeeded. What this has to do with my patch, that's a mystery.

Doesn't your patch disable the checkbox for anon users?

+if ($user->uid) {
+      $form['copy'] = array('#type' => 'checkbox',
+        '#title' => t('Send yourself a copy.'),
+      );
+    }
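
Review bot: `$user` is read in the guard on the first line, but no `global $user;` appears in the quoted lines; if the enclosing function does not already declare it, the check reads an undefined variable and the checkbox disappears for authenticated users as well. Add a one-line comment above the `if` saying why anonymous users get no copy (so the copy cannot be steered to an address the sender does not own), which is the documentation drumm and Dries ask for below, and bring the first line's indentation in line with the block it guards.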

That's what this had to do with your patch. Anyway, by enabling "access user profiles" perm for anon users, I can now see user/1 so getting access denied was a config problem in the test setup. However, despite enabling "access personal contact forms" for anon user, the contact tab doesn't show up for user/1 (untested for other users). And, trying to use the direct user/1/contact url just displays the "view" page. No contact form.

So, it's a little tricky to see if the "Send yourself a copy" checkbox has disappeared if can't get the contact form up to see. So, struggling to review this patch on that score (am I missing something on the setup somewhere?)

With regard to the part that attempts to provide a hash link to change the email address, the outgoing email fails to send and PHP barks fatally as user_mail() is being used as opposed to the new drupal_mail() function. I'll look at re-rolling that section unless I'm beaten to it (again, it's 1:30am here and I'm pretty tired now).

regards,
--AjK

AjK’s picture

Status: Needs review » Needs work

AjK’s picture

Status: Needs work » Needs review
FileSize
6.85 KB

Here's a modified patch that:

  • Uses drupal_mail() to send the email
  • Sends the email to the changed-to address rather than the old address
  • Adds the timestamp to the URL

AjK’s picture

With regards to the anon user not being able to see user profiles, this issue relates to that http://drupal.org/node/84490

drumm’s picture

Status: Needs review » Needs work

I'm confused about what this actually does. Both new functions are completely undocumented. I think there are two separate patches actually in here- some sorta new menu item for "changing mails" and requiring logging in to see a copy me checkbox.

AjK’s picture

Assigned: chx » AjK
Status: Needs work » Needs review
FileSize
816 bytes

Ok, let's clean this up a bit. I'll start with the easy bit.

On site wide contact forms, there is no point showing the Send yourself a copy checkbox when the user is anon. The reason for this is, firstly, an auto-reply is sent to the email address supplied by the anon user, and that auto-reply is site configurable. This can't be set and therefore can't be abused. However, if you allow the Send yourself a copy checkbox, an anon user could enter a malicious message and enter someone else's email address. The Send yourself a copy would then anonymously send the malicious message to that unsuspecting third party. An alternative use is spam (although spamming would soon be spotted).

The attached patch fixes this by checking the global $user->uid and if the user is anon then the Send yourself a copy checkbox is suppressed.

As for the rest of what this issue is trying to address, I will start a new issue thread to address that. I will come back to this thread and cross post a link to the new issue once I have created it for those that may wish to follow on.

AjK’s picture

Title: contact module - copy me a bad thing, spam possible » contact module - "Send yourself a copy" possible abuse prevention
Component: user.module » contact.module

beginner’s picture

Status: Needs review » Reviewed & tested by the community

indeed, that's the easy bit.

AjK’s picture

to whom it may concern : http://drupal.org/node/85494

drumm’s picture

Status: Reviewed & tested by the community » Needs work

You can't even access personal contact forms if you are anonymous:

          'access' => ($user->uid && user_access('access personal contact forms')),

line 109

That will have to be fixed with this patch.

AjK’s picture

Status: Needs work » Closed (works as designed)

then this patch is not required by design

drumm’s picture

Status: Closed (works as designed) » Needs work

Unless I'm mistaken, this applies to sitewide contact forms as well. I think we /do/ want anonymous users to be able to send messages via contact module if permission is given and we do not want them sending a copy to arbitrary email addresses. Lets get this fixed up.

AjK’s picture

OK, I'm not really sure what's being asked here as I thought I had achieved this target.

The patch in #22 achieves this workflow for anonymous users

  1. Anon users cannot contact registered users via their contact form. It appears that for contacting registered users Drupal requires that the sender have a valid email address (contact.module, line 311: if (!valid_email_address($user->mail)) {), which is impossible to be sure of for the anon user.
  2. Anon users can use the site wide contact forms but the patch in #22 disables/removes the Send yourself a copy so that anon users cannot insert a fake own email address and send an arbitrary message to that address.

Is the suggestion that [1] is wrong and anon users should be able to contact registered users? If so, what's this issue's real status, is it still a critical bug or is it suggested that the contact feature change here to allow anon users to contact registered users (thus changing this issue's status)?

regards,
--AjK

dopry’s picture

Status: Needs work » Needs review
FileSize
1.32 KB

@drumm, re: line 109. I think it was Dries' original intention that anonymous users not be able to access personal contact forms, http://drupal.org/node/13040. The permission for 'access personal contact forms' is redundant, personal contact forms are opt-in by authenticated users and only accessible to authenticated users. Maybe someone meant to restrict which users can enable personal contact forms with that permission.

I've re-rolled the patch removing the 'access personal contact form' permission.

beginner’s picture

Title: contact module - "Send yourself a copy" possible abuse prevention » remove contact.module redundant permission.
Priority: Critical » Normal
Status: Needs review » Needs work

The title is no longer applicable.
The abuse is possible by
1) anonymous users -> this is a feature request at http://drupal.org/node/58224 for Drupal 6+.
Currently, anonymous users cannot access the contact form at all.
2) registered users who have changed their email address in their profile.
-> this is now handled in a separate issue: http://drupal.org/node/85494
so, what was the original object of this issue is now handled elsewhere.

the permission 'access personal contact forms' is indeed redundant (try giving anonymous users this permission: it is confusing at best because it doesn't work).

The third chunk of the latest patch is therefore not needed.

dopry’s picture

Title: remove contact.module redundant permission. » Send yourself a copy" possible abuse prevention && contact.module redundant permission.
Status: Needs work » Needs review

you missed #3 which is putting any email you want in site wide contact forms and using the 'copy me' function to send email to third parties. Which is the issue being reported here. The additional permission removal could be considered scope creep, but I feel it is related and simple enough to be a rider. The third chunk is in the site wide contact form not the user contact form.

chx’s picture

Status: Needs review » Reviewed & tested by the community

Looks good.

Dries’s picture

Status: Reviewed & tested by the community » Needs work

Please add some code comments so we don't make this mistake again and so we remember why we chose to implement it this way. Thanks.

chx’s picture

Status: Needs work » Reviewed & tested by the community
FileSize
1.26 KB

Sure.

Dries’s picture

Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks.

Anonymous’s picture

Status: Fixed » Closed (fixed)

Owen Barton’s picture

Title: Send yourself a copy" possible abuse prevention && contact.module redundant permission. » "Send yourself a copy" abuse prevention
Version: x.y.z » 4.7.x-dev
Assigned: AjK » Owen Barton
Priority: Normal » Critical
Status: Closed (fixed) » Needs review
FileSize
785 bytes

Recently we have noticed in our server logs that spammers have been utilizing compromised ('zombie') PCs to send spam through the Drupal public contact form, via the "Send yourself a copy" functionality.

It doesn't take a lot of maths to see that this is potentially a major problem: 3 messages/hour X 1000 zombies X 10,000 Drupal sites = 30,000,000 spam messages per hour. Ouch.
Also, note that these e-mails are coming from servers that are also likely to be sending legitimate e-mail, and which (unlike mail sent directly from zombies) are likely to be hurt by their IP address being banned for hosting an open spam relay.

Hence I am proposing that we backport this fix to 4.7, as a security update.
There will continue to be a huge number of sites not yet ready to upgrade to 5.0, and if we leave this vulnerability open it will damage Drupal's (currently very good) reputation with hosting companies and sysadmins.

Owen Barton’s picture

FileSize
2.15 KB

After discussions on IRC, Heine indicated that - because part two of http://drupal.org/node/69202#comment-128222 has not been implemented (which leaves authenticated users able to abuse the contact form) - it would be preferable to remove the feature altogether. Here is a 4.7 patch that does this - I can make one for 5.0 if required.

Either this, or my original patch would be acceptable to me. The important thing is that we do something about this fairly quickly, since it is actively being used for spamming!

Owen Barton’s picture

It occurred to me that a contrib module could quite easily add it back in with form_alter if someone feels strongly about it ;)

webchick’s picture

-1 for stripping out features in the middle of a stable release. I'd do a contrib module.

killes@www.drop.org’s picture

Version: 4.7.x-dev » 5.x-dev

I am not sure if we should remove it or if there is another way (maybe a setting that defaults to off?).

Anyway this needs to be fixed in D5 before D4.7

killes@www.drop.org’s picture

I've applied the patch in #38 to 4.7.

Owen Barton’s picture

Status: Needs review » Fixed

Thanks killes :)

I am closing this issue, since the first part of this issue is now fixed for 4.7, 5.0 and HEAD, whilst the second part of the issue (user e-mail address change verification) is a separate issue over at http://drupal.org/node/85494. Please help get that one fixed, and we can be done with this issue for good!

Anonymous’s picture

Status: Fixed » Closed (fixed)

hickory’s picture

Version: 5.x-dev » 6.x-dev
Priority: Critical » Normal
Status: Closed (fixed) » Active
FileSize
1.12 KB

Forgive me for re-opening this issue, but I don't think it was completely solved: at the moment an authenticated user can put any email address they want in the 'from' email field and a copy of the email will be sent to that address.

When http://drupal.org/node/85494 is fixed, a user's email address should always be verified. The attached patch thus makes the contact form use that email address for the 'from' field. Anonymous users can still enter an email address, but are not allowed to send a copy of the message to themselves.
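
As an added example (not code from hickory's patch, from AjK's #22, or from contact.module), here is the rule those two patches converge on, written as plain PHP functions: the copy checkbox exists only for authenticated users, the submit handler re-checks that regardless of what the POST contains, and a copy is only ever sent to the address stored on the account, never to the address typed into the form. The $account object, contact_form_offers_copy(), contact_copy_recipient(), contact_submit() and the send_mail() stand-in are assumptions of this example.

```php
<?php
// Added example (not contact.module's code): the "send yourself a copy" rule
// for a site-wide contact form in one place. Assumed: $account is null for
// anonymous visitors and otherwise carries ->uid and the verified ->mail;
// send_mail() is a hypothetical stand-in for the site's mailer.

// Form build: offer the checkbox to authenticated users only.
function contact_form_offers_copy(?object $account): bool {
    return $account !== null && $account->uid > 0;
}

// Form submit: where the copy goes, or null for "no copy". The submitted
// $values['mail'] is never a copy destination: anonymous senders get no copy
// even if the POST carries copy=1, and authenticated senders get it at the
// address stored on their account.
function contact_copy_recipient(?object $account, array $values): ?string {
    if (!contact_form_offers_copy($account)) {
        return null;
    }
    if (empty($values['copy'])) {
        return null;
    }
    return $account->mail;
}

// Deliver the message to the site's recipient and, when allowed, the copy.
// Returns the list of messages handed to the mailer.
function contact_submit(?object $account, array $values, string $site_recipient): array {
    // Authenticated users always send from the address on their account; only
    // anonymous visitors may type one, and it only reaches the site's own inbox.
    $from = contact_form_offers_copy($account) ? $account->mail : $values['mail'];
    $sent = [send_mail($site_recipient, $from, $values['subject'], $values['message'])];
    $copy_to = contact_copy_recipient($account, $values);
    if ($copy_to !== null) {
        $sent[] = send_mail($copy_to, $from, $values['subject'], $values['message']);
    }
    return $sent;
}

// Hypothetical mailer: records the envelope instead of sending, so the rule
// can be exercised offline.
function send_mail(string $to, string $from, string $subject, string $body): array {
    return ['to' => $to, 'from' => $from, 'subject' => $subject];
}

// Constructed inputs: a submission that names a third party as "from" and
// ticks the copy box, first anonymous, then from an authenticated account.
$request = ['mail' => 'third-party@example.net', 'copy' => 1, 'subject' => 'hello', 'message' => 'body'];
var_dump(contact_submit(null, $request, 'site@example.com'));
$member = (object) ['uid' => 7, 'mail' => 'member@example.org'];
var_dump(contact_submit($member, $request, 'site@example.com'));
```

The anonymous submission produces a single message, to the site's own recipient; the authenticated one produces two, with the copy going to member@example.org rather than to the typed third-party address. Keeping the check in the submit handler as well as in the form builder matters because hiding a checkbox is not the same as refusing its value.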

cburschka’s picture

Priority: Normal » Critical
Status: Active » Needs review

Patch looks good. Also, this closes a critical security issue where any authenticated account (which on sites with no admin approval is easy to obtain) can spam any unverified address. It's also illogical to do it the other way - the point of creating an account is to have a verified email address. Why allow entering a different email address?

I think the priority for this needs to be higher; and it also requires backporting to 5.x-dev.

The patch succeeds (with minor offset) for both 5.x and head.

ChrisKennedy’s picture

Status: Needs review » Needs work

Needs a re-roll. In cases like this it's better to open a new issue rather than piggyback on an old one - just post a link to the new issue.

chx’s picture

Status: Needs work » Closed (won't fix)

I already closed an issue which wanted to verify email addresses. Make a contrib module. New features might go into Drupal 7 if we want to.

chx’s picture

Also because of the flood control, contact is not an effective way to spam.

kwixson’s picture

I'm confused. The original issue here has nothing to do with what authenticated users can do. An anonymous user (a spam bot) can come to my site and submit a form to my site wide contact form, putting in a third party email address into the "from" field and check the "Send yourself a copy" control. The spam message goes to the third party who was entered in the "from" field.

It doesn't matter what flood control there is, it is still being used to send spam and as has been pointed out, with enough bots hitting your site from different servers your site can still send copious amounts of spam regardless. It doesn't matter that I know it's happening almost instantly if I can't do anything to stop the spam but take down site wide contact forms. I still want a contact form on my site. I just don't want spammers able to use it.

flaviovs’s picture

darumaki’s picture

how do we install this mod? the info and site do not say much and it doesn't show up in the mod list either.

flaviovs’s picture

There are step-by-step instructions about how to install the contact_nocc module on the provided URL.

Basically, create a directory, download the two files into it, and enable the module on Drupal control panel.

All basic stuff. No additional tweaking needed -- after enabling the module the checkbox goes away.

Wesley Tanaka’s picture

contact_nocc has been modified to work with Drupal 6:
http://wtanaka.com/drupal/contact_nocc

You can also get it on github:
http://github.com/wtanaka/contact_nocc
http://wtanaka.github.com/contact_nocc