Solved

Cold Fusion mail issues

Posted on 2014-09-05
10
93 Views
Last Modified: 2014-10-13
Experts,

My CF server is sending out anonymous emails and is there any way I can find out the issue.
I understand that this is a wage statement, but trying to find out what would be starting point

Using CF 9,0,2,282541   version.
Verified : Logs > Mailsent document and I do see those anonymous emails sent out.

Is there any security patch for this version?

Thanks in advance.
0
Comment
Question by:Tpaul_10
  • 5
  • 4
10 Comments
 
LVL 6

Expert Comment

by:rjohnsonjr
ID: 40306699
You could check your server access logs to see the urls that are getting hit a lot.  Usually there will be hundreds of urls.

I am also willing to bet that you could check the spool folder and the undeliverable folder to get you one of the emails that would allow you to find a piece of code in the email that you could search your server and find the offending code.  Perhaps a subject line or html inside the email  or something that would allow you to do a global search.
0
 

Author Comment

by:Tpaul_10
ID: 40307817
Will do rjohnsonjr.
Thanks for the information, but is there any specific log file (like application.log,server.log etc.,) to concentrate on more?
0
 
LVL 52

Accepted Solution

by:
_agx_ earned 500 total points
ID: 40307876
Disclaimer, this is not my area of expertise but a few thoughts..

What do you mean by anonymous emails? When you view the emails, is the FROM/sender your email address - or the spammer's?  Where/how are you using cfmail in your application? For example, do you have any action pages that blindly send email solely based on form fields submitted? ie

     <cfmail from="#FORM.senderEmail#" subject="#FORM.subject#" ...> #FORM.messageContent#</cfmail>

If the app is unsecured by a login mechanism, that could allow anyone to send out emails via your server just by doing a POST.

Also, is your email server configured to block relaying?

If you haven't already, be sure to check out the CF Lock Down Guide (PDF) and http://hackmycf.com for other security tips.
0
 

Author Comment

by:Tpaul_10
ID: 40316899
Thanks guys and here are the details.

1. Yes it's the spammers and sending the email using the CF mail settings and I do see that an email sent out as per mailsent.log
2. I have few places/pages where the email can be sent out through the website.
3. I don't have any action pages that will send out the email based on the form fields.
4. The app is secured through login mechanism.
5. Applied all the patches and latest Java as well.

Searching now to see if I can find any part of the code from that email.
0
 
LVL 52

Expert Comment

by:_agx_
ID: 40316950
>> 5. Applied all the patches and latest Java as well.

Does that mean you reviewed the lock down guide and hackmycfm.com? Abusing an existing .cfm script that sends mail is just one possibility. For example, if the spammer somehow got access to the server, they could create/upload a malicious script that sends mail, etc.. completely independent of your real application code.

Again, this isn't my area of expertise, but I wouldn't rule out anything. I remember a thread about a hacked CF server a while back. The hacker somehow created a malicious .cfm script that essentially gave them full control over the server just by accessing a url on the server. No idea if that's what happened on your server, but again ... I wouldn't rule out anything.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 52

Expert Comment

by:_agx_
ID: 40331144
Also, search the EE archives. Looks like something similar has come up before

Coldfusion server hijacked to send email spam!!
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Q_28448724.html
0
 

Author Comment

by:Tpaul_10
ID: 40337461
Thank you for the updates.
Is there any guide or details where I can get for upgrading the CF 9.0 to CF 11.0?
Appreciate your help in getting the information as I am still looking into this issue.

Thanks
0
 
LVL 52

Expert Comment

by:_agx_
ID: 40337493
Sorry, I don't know.  I haven't even tried CF11 yet.
0
 

Author Comment

by:Tpaul_10
ID: 40337509
Thanks.
I am trying to get a document that outlines the differences between CF9.0 and CF 11.0 so that I can see what code changes I need to make if I go for CF 11.0.

Can't get one on the online, please let me know if you find some.

Thanks
0
 

Author Closing Comment

by:Tpaul_10
ID: 40378834
Used CFLockdown guide to get it fixed. Thanks AGX.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

This article  is about submitting  form through  ColdFusion.Ajax.submitForm to the action page and send a response back in JSON format which later can be decoded using ColdFusion.JSON.decode. By this way you can avoid the usual page refresh for subm…
I spent nearly three days trying to figure out how incorporate OAuth in Coldfusion for the Eventful API. Hopefully, this article will allow Coldfusion Programmers to buzz through the API when they need to. Basically, what this script does is authori…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now