Cold Fusion mail issues

Experts,

My CF server is sending out anonymous emails and is there any way I can find out the issue.
I understand that this is a wage statement, but trying to find out what would be starting point

Using CF 9,0,2,282541   version.
Verified : Logs > Mailsent document and I do see those anonymous emails sent out.

Is there any security patch for this version?

Thanks in advance.
Tpaul_10Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rjohnsonjrCommented:
You could check your server access logs to see the urls that are getting hit a lot.  Usually there will be hundreds of urls.

I am also willing to bet that you could check the spool folder and the undeliverable folder to get you one of the emails that would allow you to find a piece of code in the email that you could search your server and find the offending code.  Perhaps a subject line or html inside the email  or something that would allow you to do a global search.
0
Tpaul_10Author Commented:
Will do rjohnsonjr.
Thanks for the information, but is there any specific log file (like application.log,server.log etc.,) to concentrate on more?
0
_agx_Commented:
Disclaimer, this is not my area of expertise but a few thoughts..

What do you mean by anonymous emails? When you view the emails, is the FROM/sender your email address - or the spammer's?  Where/how are you using cfmail in your application? For example, do you have any action pages that blindly send email solely based on form fields submitted? ie

     <cfmail from="#FORM.senderEmail#" subject="#FORM.subject#" ...> #FORM.messageContent#</cfmail>

If the app is unsecured by a login mechanism, that could allow anyone to send out emails via your server just by doing a POST.

Also, is your email server configured to block relaying?

If you haven't already, be sure to check out the CF Lock Down Guide (PDF) and http://hackmycf.com for other security tips.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

Tpaul_10Author Commented:
Thanks guys and here are the details.

1. Yes it's the spammers and sending the email using the CF mail settings and I do see that an email sent out as per mailsent.log
2. I have few places/pages where the email can be sent out through the website.
3. I don't have any action pages that will send out the email based on the form fields.
4. The app is secured through login mechanism.
5. Applied all the patches and latest Java as well.

Searching now to see if I can find any part of the code from that email.
0
_agx_Commented:
>> 5. Applied all the patches and latest Java as well.

Does that mean you reviewed the lock down guide and hackmycfm.com? Abusing an existing .cfm script that sends mail is just one possibility. For example, if the spammer somehow got access to the server, they could create/upload a malicious script that sends mail, etc.. completely independent of your real application code.

Again, this isn't my area of expertise, but I wouldn't rule out anything. I remember a thread about a hacked CF server a while back. The hacker somehow created a malicious .cfm script that essentially gave them full control over the server just by accessing a url on the server. No idea if that's what happened on your server, but again ... I wouldn't rule out anything.
0
_agx_Commented:
Also, search the EE archives. Looks like something similar has come up before

Coldfusion server hijacked to send email spam!!
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Q_28448724.html
0
Tpaul_10Author Commented:
Thank you for the updates.
Is there any guide or details where I can get for upgrading the CF 9.0 to CF 11.0?
Appreciate your help in getting the information as I am still looking into this issue.

Thanks
0
_agx_Commented:
Sorry, I don't know.  I haven't even tried CF11 yet.
0
Tpaul_10Author Commented:
Thanks.
I am trying to get a document that outlines the differences between CF9.0 and CF 11.0 so that I can see what code changes I need to make if I go for CF 11.0.

Can't get one on the online, please let me know if you find some.

Thanks
0
Tpaul_10Author Commented:
Used CFLockdown guide to get it fixed. Thanks AGX.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ColdFusion Language

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.