Solved

Cold Fusion mail issues

Posted on 2014-09-05
Last Modified: 2014-10-13
Experts,

My CF server is sending out anonymous emails. Is there any way I can find out the issue?
I understand that this is a vague statement, but I am trying to find out what the starting point would be.

Using CF 9,0,2,282541   version.
Verified : Logs > Mailsent document and I do see those anonymous emails sent out.

Is there any security patch for this version?

Thanks in advance.
0
Question by:Tpaul_10
10 Comments
 
LVL 6

Expert Comment

by:rjohnsonjr
ID: 40306699
You could check your server access logs to see the urls that are getting hit a lot.  Usually there will be hundreds of urls.

I am also willing to bet that you could check the spool folder and the undeliverable folder to get you one of the emails that would allow you to find a piece of code in the email that you could search your server and find the offending code.  Perhaps a subject line or html inside the email  or something that would allow you to do a global search.
0
 

Author Comment

by:Tpaul_10
ID: 40307817
Will do rjohnsonjr.
Thanks for the information, but is there any specific log file (like application.log,server.log etc.,) to concentrate on more?
0
 
LVL 52

Accepted Solution

by:
_agx_ earned 2000 total points
ID: 40307876
Disclaimer, this is not my area of expertise but a few thoughts..

What do you mean by anonymous emails? When you view the emails, is the FROM/sender your email address - or the spammer's?  Where/how are you using cfmail in your application? For example, do you have any action pages that blindly send email solely based on form fields submitted? i.e.

     <cfmail from="#FORM.senderEmail#" subject="#FORM.subject#" ...> #FORM.messageContent#</cfmail>

If the app is unsecured by a login mechanism, that could allow anyone to send out emails via your server just by doing a POST.

Also, is your email server configured to block relaying?

If you haven't already, be sure to check out the CF Lock Down Guide (PDF) and http://hackmycf.com for other security tips.
0
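One way to audit for the pattern described in the answer above, as an added example (not code from the thread or from the CF Lock Down Guide): a Python scan of a web root for `cfmail` tags whose sender, recipient, subject or body interpolate `FORM`/`URL` scope values. The regexes are a heuristic, `SAMPLE` is a constructed template, and `scan_source`/`scan_tree` are names chosen here.

```python
import re
from pathlib import Path

# <cfmail ...> through </cfmail>, body included (case-insensitive, multi-line).
CFMAIL_RE = re.compile(r"<cfmail\b(?P<attrs>[^>]*)>(?P<body>.*?)</cfmail>", re.I | re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')  # name="value" pairs in the tag
# Heuristic: a #...# expression that reads the request-supplied FORM or URL scope.
TAINTED_RE = re.compile(r"#[^#]*\b(?:form|url)\.[^#]*#", re.I)
# Attributes that decide who the mail goes to and who it claims to be from.
ROUTING = {"from", "to", "cc", "bcc", "replyto", "failto", "subject"}

# Constructed sample template: one request-driven mailer, one fixed-sender mailer.
SAMPLE = """<cfif structKeyExists(FORM, "send")>
<cfmail from="#FORM.senderEmail#" to="#FORM.recipient#" subject="#FORM.subject#">
#FORM.messageContent#
</cfmail>
</cfif>
<cfmail from="noreply@example.com" to="#session.user.email#" subject="Receipt">
Thank you for your order.
</cfmail>
"""

def scan_source(text):
    """Return (line, tainted_routing_attrs, body_tainted) per risky cfmail tag."""
    findings = []
    for m in CFMAIL_RE.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group("attrs"))}
        tainted = sorted(k for k, v in attrs.items()
                         if k in ROUTING and TAINTED_RE.search(v))
        body_tainted = bool(TAINTED_RE.search(m.group("body")))
        if tainted or body_tainted:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, tainted, body_tainted))
    return findings

def scan_tree(webroot):
    """Scan every .cfm/.cfc file under webroot; return (path, line, attrs, body)."""
    results = []
    for path in sorted(Path(webroot).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".cfm", ".cfc"}:
            source = path.read_text(errors="replace")
            results += [(str(path), *hit) for hit in scan_source(source)]
    return results

if __name__ == "__main__":
    for hit in scan_source(SAMPLE):
        print(hit)
```

A hit is a candidate for manual review, not proof of abuse; a page that sits behind a login check may still be acceptable.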
 

Author Comment

by:Tpaul_10
ID: 40316899
Thanks guys and here are the details.

1. Yes, it's the spammer's, and the email is being sent using the CF mail settings; I do see that an email was sent out as per mailsent.log.
2. I have a few places/pages where email can be sent out through the website.
3. I don't have any action pages that will send out the email based on the form fields.
4. The app is secured through a login mechanism.
5. Applied all the patches and latest Java as well.

Searching now to see if I can find any part of the code from that email.
0
 
LVL 52

Expert Comment

by:_agx_
ID: 40316950
>> 5. Applied all the patches and latest Java as well.

Does that mean you reviewed the lock down guide and hackmycf.com? Abusing an existing .cfm script that sends mail is just one possibility. For example, if the spammer somehow got access to the server, they could create/upload a malicious script that sends mail, etc., completely independent of your real application code.

Again, this isn't my area of expertise, but I wouldn't rule out anything. I remember a thread about a hacked CF server a while back. The hacker somehow created a malicious .cfm script that essentially gave them full control over the server just by accessing a url on the server. No idea if that's what happened on your server, but again ... I wouldn't rule out anything.
0
 
LVL 52

Expert Comment

by:_agx_
ID: 40331144
Also, search the EE archives. Looks like something similar has come up before

Coldfusion server hijacked to send email spam!!
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Q_28448724.html
0
 

Author Comment

by:Tpaul_10
ID: 40337461
Thank you for the updates.
Is there any guide or details I can get for upgrading CF 9.0 to CF 11.0?
Appreciate your help in getting the information as I am still looking into this issue.

Thanks
0
 
LVL 52

Expert Comment

by:_agx_
ID: 40337493
Sorry, I don't know.  I haven't even tried CF11 yet.
0
 

Author Comment

by:Tpaul_10
ID: 40337509
Thanks.
I am trying to get a document that outlines the differences between CF9.0 and CF 11.0 so that I can see what code changes I need to make if I go for CF 11.0.

I can't find one online; please let me know if you find one.

Thanks
0
 

Author Closing Comment

by:Tpaul_10
ID: 40378834
Used CFLockdown guide to get it fixed. Thanks AGX.
0
