Joomla Contact Spam 1

At the moment we see spamming mails, which are sent via the contact form, on many customer servers running a current Joomla and OS.

The logs contain lines like:

117.90.137.141 - - [08/Sep/2017:20:01:37 +0200] "POST /index.php/kontakt HTTP/1.1" 302 483 "http://www.WEBSEITE.de/index.php/kontakt" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"

or

185.135.80.139 - - [08/Sep/2017:09:21:44 +0200] "POST /kontakt.html HTTP/1.1" 302 1498 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"

The URLs called first using GET and directly afterwards POST (see above) are a little bit different from website to website. In all cases, /kontakt is included.

We use the ISPProtect BanDaemon on our servers and most of all customes running this nice tool, too. So it is very easy to ban the corresponding IPs if you assume that a contact form is not filled in by a normal user several times within seconds.

Just create /opt/ispprotect_bandaemon/conf.d/200.conf:

ident = joomla-contact
log = /var/log/ispconfig/httpd/*/access.log
regex = /^\s-\s-\s\[(?P\w+\/\w+\/\d+:\d+:\d+:\d+\s.*)\]\s.POST\s.*\/kontakt.*/i
alt_regex =
if_web = true
ignore_alltime = false
ignore_previous_bans = false
scope = web
bantime_factor = 1
reduce = 1

and restart the Ban-Daemon.

A more closely regex (matching the lines above) may look like this:

regex = /^\s-\s-\s\[(?P\w+\/\w+\/\d+:\d+:\d+:\d+\s.*)\]\s.POST\s\/index\.php\/kontakt.*/i

or

regex = /^\s-\s-\s\[(?P\w+\/\w+\/\d+:\d+:\d+:\d+\s.*)\]\s.POST\s\/kontakt\.html.*/i

Leave a comment

Your email address will not be published. Required fields are marked *

One thought on “Joomla Contact Spam