
Contact Form - Some bots can use the controller behind the form #1911

Closed
addison74 opened this issue Dec 21, 2021 · 5 comments · Fixed by #3146

Comments

@addison74
Contributor

addison74 commented Dec 21, 2021

Although I use the HoneySpam extension and the form has a hidden value (hideit) by default, there are days when I receive a burst of 5 messages. In the web server log I found the following records:

156.146.63.148 - - [21/Dec/2021:09:22:29 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:29 +0200] "GET /contacts/index/ HTTP/1.0" 200 80182 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:30 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:31 +0200] "GET /contacts/index/ HTTP/1.0" 200 80182 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:32 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:32 +0200] "GET /contacts/index/ HTTP/1.0" 200 80182 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:33 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:33 +0200] "GET /contacts/index/ HTTP/1.0" 200 80182 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:34 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"

If we look at the timing of the requests, it is obvious that it cannot be a human operator; it is a bot. It looks like a ping command using the contact form. For this IP address, located in France, only these records exist in the log. I set up a filtering rule for Fail2Ban and it is banned by now.

What is interesting is how it was able to send data with sexual content, bypassing the default Magento protection and that of the HoneySpam extension. It is not a major problem, but such a bot can saturate a mailbox that is inaccessible for a while by sending tens of thousands of messages. Most likely the controller has an issue allowing this. In the past I have shown that the one in the newsletter also has one, but a solution has been found and there is an open PR for it.
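
The burst pattern above is what a Fail2Ban filter keys on. As an added illustration (not code from the issue, from OpenMage or from Fail2Ban itself), the block below parses combined-format access log lines, matches POSTs to the contact controller the way a failregex would, and applies Fail2Ban's maxretry/findtime semantics to decide which source addresses to ban. The sample log is constructed from the lines posted above (same IP and timestamps, user agent shortened) plus one invented normal visitor at 203.0.113.7 so the threshold has something to leave alone.

```python
"""Detect contact-form POST bursts in an Apache/nginx combined access log.

Added illustration for this thread; not part of OpenMage or Fail2Ban.
The log text below is a constructed sample modelled on the issue's lines.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (combined format). The bot replays POST/GET pairs
# against the contact controller about once per second; the human at
# 203.0.113.7 loads the page and posts once.
SAMPLE_LOG = """\
156.146.63.148 - - [21/Dec/2021:09:22:29 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/" "Mozilla/5.0"
156.146.63.148 - - [21/Dec/2021:09:22:29 +0200] "GET /contacts/index/ HTTP/1.0" 200 80182 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0"
156.146.63.148 - - [21/Dec/2021:09:22:30 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0"
156.146.63.148 - - [21/Dec/2021:09:22:31 +0200] "GET /contacts/index/ HTTP/1.0" 200 80182 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0"
156.146.63.148 - - [21/Dec/2021:09:22:32 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0"
156.146.63.148 - - [21/Dec/2021:09:22:33 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0"
156.146.63.148 - - [21/Dec/2021:09:22:34 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2021:09:25:02 +0200] "GET /contacts/ HTTP/1.1" 200 80182 "https://www.mydomain.com/" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2021:09:26:40 +0200] "POST /contacts/index/post/ HTTP/1.1" 302 549 "https://www.mydomain.com/contacts/" "Mozilla/5.0"
"""

# Equivalent of a Fail2Ban failregex: one hit per POST to the contact
# controller. Anchored on the request line so other POSTs are ignored.
POST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /contacts/index/post/ HTTP/[\d.]+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def contact_posts(log_text):
    """Yield (ip, datetime) for every POST to the contact controller."""
    for line in log_text.splitlines():
        m = POST_RE.match(line)
        if m:
            yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def offenders(log_text, maxretry=3, findtime=60):
    """Return {ip: total_hits} for IPs with at least maxretry contact POSTs
    inside any findtime-second window (Fail2Ban's maxretry/findtime rule)."""
    hits = defaultdict(list)
    for ip, ts in contact_posts(log_text):
        hits[ip].append(ts)
    window = timedelta(seconds=findtime)
    result = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it fits inside findtime
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                result[ip] = len(stamps)
                break
    return result


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"ban {ip}: {n} contact-form POSTs inside the window")
```

Note that the 302 on each POST is just Magento's normal post-then-redirect, so the status code does not tell you whether the message was actually sent; only the rate distinguishes the bot from the visitor, which is why the rule counts POSTs per source address rather than looking at the response.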

@addison74 addison74 added the bug label Dec 21, 2021
@fballiano
Contributor

Well, the Mage_Captcha module is totally obsolete and I think nobody uses it... I think we should remove it and add another solution, maybe https://github.com/magento-hackathon/HoneySpam or maybe a reCAPTCHA?

@addison74
Contributor Author

I have been using HoneySpam for almost 2 years. I reported several issues and they were resolved quickly; I appreciate the development team, but it's not perfect, let's say 85%. Below are bots that go through the newsletter subscription form and the contact form without accessing the website. Basically, in the web server log I get only these requests: one for accessing the controller (GET), another for the transmission (POST) and the last one for returning to the initial page (GET). Magento has a big issue with the controllers that are behind these forms. Fortunately, with the help of Fail2Ban I managed to fish out 150 IPs every day, but about 8-10 IPs still manage to send subscription confirmations to email addresses. We talked in this project about the responsible controllers; we tried a few fixes, but it didn't work out.

We must evaluate any removal of source code so as not to create trouble for the extensions already in use. In the case of Mage_Captcha there may be extensions that use features from this module to get ready-made CAPTCHA functionality. I remember that last year someone removed the JS library responsible for picking a color, and it affected my Advance Product Options extension used in stores.

I consider that for Mage_Captcha there are already free extensions that do a better job. As for me, I never used it because I found that it annoys visitors to take extra actions, even if they are necessary and not time consuming.

@addison74
Contributor Author

This is happening because the Contact Form doesn't have CSRF validation. It is similar to this issue #1738.
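
In Magento 1 the CSRF token is the per-session form key (the hidden form_key field), and Mage_Core_Controller_Front_Action already provides _validateFormKey() for a controller to check it. As an added example (a Python model of that synchronizer-token pattern, not OpenMage's PHP controller), the block below puts a form-key check next to the honeypot check discussed in this thread and runs the three client behaviours that matter: a browser that loads the form first, the logged bot that POSTs straight at the controller with hideit left empty, and a bot that replays a key it fetched from another session. The session store, the field names other than hideit and form_key, and the scenarios are constructed for the example.

```python
"""Form-key (synchronizer token) check for a contact form, beside the
honeypot check. Added illustration for this thread; a Python model of the
pattern, not OpenMage's controller. Session store and scenarios are constructed.
"""
import hmac
import secrets

SESSIONS = {}  # session id -> dict; stand-in for the server-side session


def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def render_form(sid):
    """GET /contacts/: mint a per-session form key and embed it as a hidden
    field, the same way the honeypot field 'hideit' is embedded."""
    key = SESSIONS[sid].setdefault("form_key", secrets.token_urlsafe(16))
    return {"form_key": key, "hideit": "", "name": "", "email": "", "comment": ""}


def handle_post(sid, fields, require_form_key=True):
    """POST /contacts/index/post/: return 'sent' or a rejection reason.

    require_form_key=False models the controller as described in this
    issue: only the honeypot guards it, so a bot that leaves 'hideit'
    empty and fills the visible fields gets through."""
    if fields.get("hideit"):
        return "rejected: honeypot filled"
    if require_form_key:
        expected = SESSIONS.get(sid, {}).get("form_key")
        supplied = fields.get("form_key", "")
        # constant-time compare; a missing key in the session also fails
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "rejected: bad form key"
    for f in ("name", "email", "comment"):
        if not fields.get(f, "").strip():
            return f"rejected: {f} empty"
    return "sent"


# Scenario 1: browser loads the form, then submits it with the key it got.
def human_flow():
    sid = new_session()
    form = render_form(sid)
    form.update(name="Ana", email="ana@example.com", comment="hello")
    return handle_post(sid, form)


# Scenario 2: the bot from the log, POSTing straight at the controller with
# the visible fields filled, 'hideit' left empty and no form key at all.
BOT_FIELDS = {"name": "x", "email": "x@example.com", "comment": "spam", "hideit": ""}


def bot_without_fix():
    return handle_post(new_session(), BOT_FIELDS, require_form_key=False)


def bot_with_fix():
    return handle_post(new_session(), BOT_FIELDS)


# Scenario 3: the bot fetched a form key once and replays it from a new
# session; the key is bound to the session that minted it, so it fails.
def bot_replaying_key():
    first = new_session()
    stolen = render_form(first)["form_key"]
    return handle_post(new_session(), dict(BOT_FIELDS, form_key=stolen))


if __name__ == "__main__":
    print("human:", human_flow())
    print("bot, no form-key check:", bot_without_fix())
    print("bot, with form-key check:", bot_with_fix())
    print("bot replaying another session's key:", bot_replaying_key())
```

The form key stops exactly the fire-and-forget POSTs seen in the log, which carry no session and no token. It does not stop a bot that performs the GET first, keeps the cookie and submits the key it was served; against that class the rate limiting, a renamed honeypot field or a CAPTCHA from the rest of this thread are still needed.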

@elidrissidev
Member

Are you willing to work on it? If not I'll do it this weekend.

@addison74
Contributor Author

I have nothing against you taking care of this PR, especially since you know what you have to do based on the other implementation for the newsletter form. If you need, I can help you with ideas.

Once merged, I will propose removing the hideit field from the contact form: firstly because it is useless, as a lot of bots skip it, and secondly because I recommend the HoneySpam extension, which allows customizing the field name for bots that fill out the entire form but skip hideit.

For more details please visit these links: #1421 and #2045.
