Post by za miksica » Wed Sep 30, 2020 4:51 pm

Hello
I'm using OC 1.5.6.4 and try to disable usage of mail.php if user is not logged, because I'm receiving lot of spam where in email header I see that mail.php is used to send emails. If I use "isLogged" inside mail.php, I think mail will be not sent (if user is not logged).
It can be also other option (instead of isLogged) - important is just that mail.php can not be used to send email without logging.
Thank you.

New member

Posts

Joined
Tue Nov 24, 2015 5:20 am

Post by rjcalifornia » Thu Oct 01, 2020 1:21 pm

za miksica wrote:
Wed Sep 30, 2020 4:51 pm
Hello
I'm using OC 1.5.6.4 and try to disable usage of mail.php if user is not logged, because I'm receiving lot of spam where in email header I see that mail.php is used to send emails. If I use "isLogged" inside mail.php, I think mail will be not sent (if user is not logged).
It can be also other option (instead of isLogged) - important is just that mail.php can not be used to send email without logging.
Thank you.
Are those spam emails being sent through the contact form?

Image


Active Member

Posts

Joined
Fri Sep 02, 2011 1:19 pm
Location - Worldwide

Post by za miksica » Thu Oct 01, 2020 2:14 pm

I don't know.
I just see this in the email header:
X-PHP-Originating-Script: 0:mail.php
To me, it looks like spammers use "mail.php" to send email and I want to try to disable using of "mail.php" for unregistered customers.
Any idea how to do that?
Thank you.

New member

Posts

Joined
Tue Nov 24, 2015 5:20 am

Post by ADD Creative » Thu Oct 01, 2020 6:11 pm

The problem you will have is the mail class is also used by the admin side so won't be able to use the customer isLogged.

It would probably be easier to work out what part on the customer side is sending and add the isLogged check there. You should be able to work that out from the email subject.

www.add-creative.co.uk


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by za miksica » Thu Oct 01, 2020 8:50 pm

Hello
do you have some example of how to edit mail.php to know from where is mail.php used?
Thank you in advance.

New member

Posts

Joined
Tue Nov 24, 2015 5:20 am

Post by straightlight » Thu Oct 01, 2020 10:58 pm

That methodology won't prevent SPAM. It will only prevent non-logged users to send emails as it won't prevent logged in users to send SPAMs and scripting are not prevented to be sent from automated logged in users with CSRF attacks.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member
Online

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by za miksica » Fri Oct 02, 2020 1:53 am

Hello
Spam emails contain this in the email header:
X-PHP-Originating-Script: 0:mail.php
Question is - how to prevent sending spam emails using mail.php?
Obviously, spammers found a way to send emails using mail.php.
Actually, here is one spam email:

Code: Select all

Received: from mail ([127.0.0.1]) by mydomain.com with
 MailEnable ESMTP; Tue, 29 Sep 2020 22:03:10 +0200
Subject: =?UTF-8?B?RG90YXogUnViZW4=?=
To: email@mydomain.com
X-PHP-Originating-Script: 0:mail.php
MIME-Version: 1.0
Date: Tue, 29 Sep 2020 20:03:10 +0000
From: =?UTF-8?B?UnViZW4=?= <info@mydomain.com>
Reply-To: =?UTF-8?B?UnViZW4=?= <info@mydomain.com>
Return-Path: <info@mydomain.com>
X-Mailer: PHP/7.0.33
Content-Type: multipart/related; boundary="----=_NextPart_edb971570eb340da2a06bbae29c69d5a"

------=_NextPart_edb971570eb340da2a06bbae29c69d5a
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hey there
Defrost frozen foods in minutes safely and naturally with our THAW KING™. 
50% OFF for the next 24 Hours ONLY + FREE Worldwide Shipping for a LIMITED time
Buy now: thawking.online
------=_NextPart_edb971570eb340da2a06bbae29c69d5a--

Thank you.

New member

Posts

Joined
Tue Nov 24, 2015 5:20 am

Post by ADD Creative » Fri Oct 02, 2020 2:55 am

If you can't work out what is sending the email from the subject, then probably the quickest way is to temporarily add.

Code: Select all

trigger_error('Mail route: ' . $_GET['route']);
To system/library/mail.php just after.

Code: Select all

public function send() {
Then make sure display errors is off and log errors is on and every time the mail function is used you will see an entry in your error log telling you which controller called send.

Code: Select all

PHP Notice:  Mail route: information/contact in system/library/mail.php on line 50
If $_GET['route'] does not show anything then try $_SERVER['REQUEST_URI'].

www.add-creative.co.uk


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by za miksica » Fri Oct 02, 2020 1:25 pm

OK thank you so much, will try that!

New member

Posts

Joined
Tue Nov 24, 2015 5:20 am
Who is online

Users browsing this forum: No registered users and 48 guests