Solved

Cold Fusion mail issues

Posted on 2014-09-05
Last Modified: 2014-10-13
Experts,

My CF server is sending out anonymous emails; is there any way I can find out the issue?
I understand that this is a vague statement, but I am trying to find out what the starting point would be.

Using CF 9,0,2,282541 version.
Verified: Logs > Mailsent document, and I do see those anonymous emails sent out.

Is there any security patch for this version?

Thanks in advance.
Question by:Tpaul_10
LVL 6

Expert Comment

by:rjohnsonjr
ID: 40306699
You could check your server access logs to see the URLs that are getting hit a lot. Usually there will be hundreds of URLs.

I am also willing to bet that you could check the spool folder and the undeliverable folder to get one of the emails, which would allow you to find a piece of content in the email that you could search your server for and find the offending code. Perhaps a subject line or HTML inside the email, or something else that would allow you to do a global search.
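The access-log check rjohnsonjr describes, as an added example that is not part of the thread: a CFML script (the language of the server under discussion) that tallies request paths and client addresses from web-server access-log lines, so that a mail-sending page being hit hundreds of times from a few addresses stands out. The log lines are constructed for the demo; reading the real log with fileRead from a path of your own is an assumption.

```cfml
<!--- Added example, not from the thread. Tallies which URLs are requested most,
      and by which client address, from access-log lines in Apache combined
      format. A mail-sending page that shows up hundreds of times from a few
      addresses is the usual sign of the script being abused.
      The sample lines are constructed; on a real server replace sampleLog with
      fileRead("/path/to/access.log") (the path is an assumption). --->
<cfscript>
sampleLog = '10.0.0.5 - - [05/Sep/2014:10:01:12 -0500] "POST /contact/send.cfm HTTP/1.1" 200 512' & chr(10)
          & '10.0.0.5 - - [05/Sep/2014:10:01:13 -0500] "POST /contact/send.cfm HTTP/1.1" 200 512' & chr(10)
          & '10.0.0.5 - - [05/Sep/2014:10:01:14 -0500] "POST /contact/send.cfm HTTP/1.1" 200 512' & chr(10)
          & '192.0.2.9 - - [05/Sep/2014:10:02:40 -0500] "GET /index.cfm HTTP/1.1" 200 8210';

hitsByPath = structNew();     // path -> request count
hitsByIpPath = structNew();   // "ip path" -> request count

for (line in listToArray(sampleLog, chr(10))) {
    // the client address is the first token; the request line is the first
    // double-quoted field, "METHOD /path HTTP/x.y"
    clientIp = listFirst(line, " ");
    request = reMatch('"[A-Z]+ [^ "]+', line);
    if (arrayLen(request) EQ 0) continue;   // skip lines that carry no request
    reqPath = listLast(request[1], " ");    // drop the quote and the method

    hitsByPath[reqPath] = (structKeyExists(hitsByPath, reqPath) ? hitsByPath[reqPath] : 0) + 1;
    ipKey = clientIp & " " & reqPath;
    hitsByIpPath[ipKey] = (structKeyExists(hitsByIpPath, ipKey) ? hitsByIpPath[ipKey] : 0) + 1;
}

// structSort returns the keys ordered by their numeric value, highest first
writeOutput("<h3>Requests per path</h3>");
for (reqPath in structSort(hitsByPath, "numeric", "desc")) {
    writeOutput(hitsByPath[reqPath] & " x " & reqPath & "<br>");
}
writeOutput("<h3>Requests per client and path</h3>");
for (ipKey in structSort(hitsByIpPath, "numeric", "desc")) {
    writeOutput(hitsByIpPath[ipKey] & " x " & ipKey & "<br>");
}
</cfscript>
```

With the constructed input the first table lists /contact/send.cfm three times ahead of /index.cfm once, and the second attributes all three POSTs to 10.0.0.5. On a real server, compare the timestamps of the top path against the entries in mailsent.log to confirm it is the page doing the sending.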

Author Comment

by:Tpaul_10
ID: 40307817
Will do rjohnsonjr.
Thanks for the information, but is there any specific log file (like application.log, server.log, etc.) to concentrate on more?
LVL 52

Accepted Solution

by:_agx_ (earned 500 total points)
ID: 40307876
Disclaimer: this is not my area of expertise, but a few thoughts...

What do you mean by anonymous emails? When you view the emails, is the FROM/sender your email address, or the spammer's? Where/how are you using cfmail in your application? For example, do you have any action pages that blindly send email solely based on form fields submitted? i.e.

     <cfmail from="#FORM.senderEmail#" subject="#FORM.subject#" ...> #FORM.messageContent#</cfmail>

If the app is unsecured by a login mechanism, that could allow anyone to send out emails via your server just by doing a POST.

Also, is your email server configured to block relaying?

If you haven't already, be sure to check out the CF Lock Down Guide (PDF) and http://hackmycf.com for other security tips.
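The unsafe action page _agx_ sketches, beside a hardened version of the same page, as an added example that is not code from the thread or from Adobe. It assumes session management is enabled in Application.cfc and that login sets session.userId; application.contactMailbox, the noreply address and the log file name are placeholders.

```cfml
<!--- Added example, not code from the thread. First the unsafe shape, then
      a hardened version. Assumed names: session.userId (set at login),
      application.contactMailbox (the server-side recipient), noreply@example.com. --->

<!--- UNSAFE: anyone who can POST to this page can send mail from the server,
      with sender, recipient, subject and body chosen entirely by the caller. --->
<cfmail from="#FORM.senderEmail#" to="#FORM.recipient#" subject="#FORM.subject#">
#FORM.messageContent#
</cfmail>

<!--- HARDENED --->
<!--- 1. Require an authenticated session before doing anything at all --->
<cfif NOT structKeyExists(session, "userId")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 2. Accept only a POST carrying exactly the fields the form provides --->
<cfif cgi.request_method NEQ "POST"
      OR NOT structKeyExists(FORM, "senderEmail")
      OR NOT structKeyExists(FORM, "subject")
      OR NOT structKeyExists(FORM, "messageContent")>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Validate the caller-supplied address; a CR or LF in an address or
      subject has no legitimate use and would let a caller add mail headers --->
<cfif NOT isValid("email", FORM.senderEmail)
      OR reFind("[\r\n]", FORM.senderEmail & FORM.subject)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 4. Fixed sender and a fixed, server-side recipient: the caller chooses
      neither, so the page cannot be used as a relay. The user's address goes
      in replyto only, and the subject is trimmed to a sane length. --->
<cfmail from="noreply@example.com"
        to="#application.contactMailbox#"
        replyto="#FORM.senderEmail#"
        subject="[Contact form] #left(trim(FORM.subject), 120)#"
        type="text">
Sent by user #session.userId# from #cgi.remote_addr#

#FORM.messageContent#
</cfmail>

<!--- 5. Keep an application-side record so that entries in the spool and in
      mailsent.log can be matched to a user and an IP if abuse is suspected --->
<cflog file="contactform" type="information"
       text="user=#session.userId# ip=#cgi.remote_addr# replyto=#FORM.senderEmail#">
```

The two changes that matter most are the session check in step 1 and the fixed recipient in step 4: with those in place, a spammer who finds the URL can at best send a message to your own mailbox under their own reply address, and step 5 records who did it.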

Author Comment

by:Tpaul_10
ID: 40316899
Thanks guys and here are the details.

1. Yes, it's the spammers, sending the email using the CF mail settings, and I do see that an email was sent out as per mailsent.log.
2. I have a few places/pages where the email can be sent out through the website.
3. I don't have any action pages that will send out the email based on the form fields.
4. The app is secured through a login mechanism.
5. Applied all the patches and latest Java as well.

Searching now to see if I can find any part of the code from that email.
LVL 52

Expert Comment

by:_agx_
ID: 40316950
>> 5. Applied all the patches and latest Java as well.

Does that mean you reviewed the lock down guide and hackmycfm.com? Abusing an existing .cfm script that sends mail is just one possibility. For example, if the spammer somehow got access to the server, they could create/upload a malicious script that sends mail, etc., completely independent of your real application code.

Again, this isn't my area of expertise, but I wouldn't rule out anything. I remember a thread about a hacked CF server a while back. The hacker somehow created a malicious .cfm script that essentially gave them full control over the server just by accessing a url on the server. No idea if that's what happened on your server, but again ... I wouldn't rule out anything.
LVL 52

Expert Comment

by:_agx_
ID: 40331144
Also, search the EE archives. It looks like something similar has come up before:

Coldfusion server hijacked to send email spam!!
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Q_28448724.html

Author Comment

by:Tpaul_10
ID: 40337461
Thank you for the updates.
Is there any guide or details I can get on upgrading CF 9.0 to CF 11.0?
Appreciate your help in getting the information as I am still looking into this issue.

Thanks
LVL 52

Expert Comment

by:_agx_
ID: 40337493
Sorry, I don't know.  I haven't even tried CF11 yet.

Author Comment

by:Tpaul_10
ID: 40337509
Thanks.
I am trying to get a document that outlines the differences between CF 9.0 and CF 11.0 so that I can see what code changes I need to make if I go for CF 11.0.

I can't find one online; please let me know if you find one.

Thanks

Author Closing Comment

by:Tpaul_10
ID: 40378834
Used CFLockdown guide to get it fixed. Thanks AGX.