Ecommerce Templates emailfriend.php : spam prevention and detection
Recently a company I work for was having a huge issue with spam. Not incoming, but outgoing. Their server was being used to fire out spam emails at an alarming rate, resulting in them being temporarily blacklisted by services such as Google Mail.

After a bit of investigation, I narrowed the problem down to one of the larger websites, an online store running Ecommerce Templates, an open source e-commerce platform that the company had been using for many years.
Ecommerce Templates’ emailfriend.php
If you’re encountering this problem and have a website running Ecommerce Templates, then I suggest you take a closer look at the emailfriend.php script.
This file can be found in the root directory of Ecommerce Templates, usually in the folder ‘www’ or ‘httpdocs’ depending on your web server setup. The script can usually be reached at the address http://www.example.com/emailfriend.php.

The script allows visitors to enter their name, their friend’s email address and a comment, with no validation or spam prevention apparent (CAPTCHA codes and such; see below under ‘Prevent it’).
A script had been pointed at the file, putting a bogus title in Your Name, the recipient’s (read: victim’s) address in Your Friend’s Email and a whole host of spammy goodness in Your comments.
Detect it
Now this particular website has been around for a number of years, so it is quite possible that this oversight no longer features in more recent versions of Ecommerce Templates. However, if you are unlucky enough to be faced with this problem on your online store, let’s go through ways to detect whether your store has a problem.
Open the file /emailfriend.php.
At the bottom of the file, underneath the </HTML> tag, add the following code:
<?php
// Get the IP of the visitor
$ip = $_SERVER['REMOTE_ADDR'];
// The URL being requested, so the snippet can be reused in other files too.
// Some servers set HTTPS to "off" instead of leaving it empty, so check for that as well.
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$url = $scheme . '://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
// Prepare the information for the log, one line per request
$text = date("F j, Y, g:i a") . ' ' . $ip . ' via ' . $url . "\n";
// Open the log file in append mode. Note that a spam.txt sitting in the web root
// can be read by anyone who knows its name, so delete it once you are done.
$log = fopen("spam.txt", "a");
if ($log !== false) {
    // Write the information to the log
    fwrite($log, $text);
    // Close the file
    fclose($log);
}
?>
Now create a blank text file and name it spam.txt (you can create this using Notepad on Windows, or TextEdit on Mac).
Place this file in the same directory as your emailfriend.php file.
Make sure you set the CHMOD permissions for the file to be writeable (777). If this makes no sense, follow this link to learn how to set permissions over FTP.
What happens?
This code will log visitors’ IP addresses, the time of their visit and the file they visited (in this case emailfriend.php).
All being well, the information will be written to the spam.txt file for your review. You will be able to see any unusual activity with the script, as well as note the IP addresses of repeat visitors to the form.

On the site I was working on, this happened to be about 30 attempts a minute. This is quite a staggering amount as this had apparently been an issue for almost 3 months! As you can see in the image above, there was a lot of activity from a single IP address.
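Reading a busy spam.txt by eye gets tedious, so here is an added example (not from the original post, and not part of Ecommerce Templates) that parses the exact line format the logging snippet writes and reports any IP address that hits the form more than a chosen number of times within a single minute. The log lines below are constructed for the demonstration; on a real server you would pass the contents of spam.txt to findBursts() instead.

```php
<?php
// Added example: find IPs that burst the Send To Friend form, using the
// "F j, Y, g:i a IP via URL" line format written by the logging snippet.

// Constructed sample log lines (same format as spam.txt)
$sampleLog = <<<'LOG'
March 3, 2012, 9:14 am 203.0.113.7 via http://www.example.com/emailfriend.php
March 3, 2012, 9:14 am 203.0.113.7 via http://www.example.com/emailfriend.php
March 3, 2012, 9:14 am 198.51.100.22 via http://www.example.com/emailfriend.php
March 3, 2012, 9:14 am 203.0.113.7 via http://www.example.com/emailfriend.php
March 3, 2012, 9:15 am 203.0.113.7 via http://www.example.com/emailfriend.php
LOG;

// Parse one log line into its minute, IP and URL; null if it does not match.
function parseLine(string $line): ?array
{
    $pattern = '/^(\w+ \d{1,2}, \d{4}, \d{1,2}:\d{2} [ap]m) (\S+) via (\S+)$/';
    if (!preg_match($pattern, trim($line), $m)) {
        return null;
    }
    return ['minute' => $m[1], 'ip' => $m[2], 'url' => $m[3]];
}

// Return ['ip' => peak requests in one minute] for every IP whose requests in
// any single minute exceed $threshold, busiest first.
function findBursts(string $log, int $threshold): array
{
    $counts = [];   // "minute|ip" => number of requests
    foreach (explode("\n", $log) as $line) {
        $entry = parseLine($line);
        if ($entry === null) {
            continue;   // blank or unparsable line
        }
        $key = $entry['minute'] . '|' . $entry['ip'];
        $counts[$key] = ($counts[$key] ?? 0) + 1;
    }
    $peak = [];
    foreach ($counts as $key => $n) {
        [, $ip] = explode('|', $key, 2);
        if ($n > $threshold && $n > ($peak[$ip] ?? 0)) {
            $peak[$ip] = $n;
        }
    }
    arsort($peak);
    return $peak;
}

// Threshold of 2 suits the tiny sample; a real log wants a higher value.
foreach (findBursts($sampleLog, 2) as $ip => $n) {
    echo "$ip peaked at $n requests in one minute\n";
}
```

With the sample above only 203.0.113.7 is reported (three hits at 9:14 am), which is the kind of repeat visitor the log is meant to surface.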
Prevent it
This script is severely lacking any sort of validation or spam protection. There are many solutions out there.
- You could go ahead and blacklist the logged IP address on your web server. Speak to your hosting provider if you are unsure how. However, this would only be a temporary fix, as the spammer can simply change their IP if required.
- Services such as CAPTCHA have their own advantages and disadvantages that I won’t go into here.
- You could also try randomising the input names of your Send To Friend form, though this would require a little knowledge of PHP.
My solution was to simply disable the feature entirely. The logs showed the feature was very much underused, especially for the product range the store offered, and simply wasn’t worth the time required to be absolutely sure this wouldn’t occur again.