
Url To Newsletter Subscription

 
  • Magpie Don
  • Senior Member
  • Members
  • Join Date: 01-Apr 09
  • 807 posts

Posted 18 March 2017 - 05:13 AM #1

I just discovered that over the last 5 days I have been getting 50-100 newsletter subscriptions per day. I use an auto-responder for Confirmation and none of these submissions are actually confirmed.

The problem is that the Confirmation is acting like an email attack against the recipients - several of the Confirmation emails bounce and indicate that the destination mailbox is receiving mail at a rate that prevents delivery, and in two cases the bounce stated that the account was under "email attack".

 

I would just like to tell my host the URL of the newsletter submission form, but my form is built into the footer, like the default store and there is no real independent page for the form. There is no option to enable image verification for newsletter forms, and really, no room for it in the design of the form in the footer anyway.

 

Can someone tell me what URL a bot would be using to submit subscribers in v4.3.x?

 

I'm hoping I can block some IPs and stop the bot. I can't seem to find anything in my access logs (other than requests from the checkout page - which are legitimate).

 

Thanks.


CS-Cart Ultimate ver 4.3.5


 
  • krola
  • Advanced Member
  • Members
  • Join Date: 18-Jun 11
  • 68 posts

Posted 20 March 2017 - 02:26 PM #2

I have the same problem!



 
  • Magpie Don
  • Senior Member
  • Members
  • Join Date: 01-Apr 09
  • 807 posts

Posted 20 March 2017 - 04:03 PM #3

Someone has apparently decided to use CS-Cart's Newsletter Subscription forms for a DDoS attack. The forms are wide open for exploit - there is no Image Verification on the form built into the default themes.

I could turn off the Autorespond Confirmation and that would stop me from sending the unwanted email messages, but then I have NO WAY of determining legitimate subscriptions from the robot-generated requests.

This is bad. It buries the recipient with unwanted emails, and it turns me into a spammer!

 

Because the form is embedded into the home page, I don't know what to find in my access logs. Each of these subscription requests should be a POST method, but I can't find them in the logs... It seems as though they are just not written into the logs. I'm certain my server has not been compromised. It's driving me nuts.


CS-Cart Ultimate ver 4.3.5
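The post above is looking for the subscription POSTs in the access log. Below is an added example (not CS-Cart code, not from any poster in this thread) that parses combined-format access log lines, keeps only POST requests to the subscription target, and reports any client address that sent more than a handful of them in a single minute. The thread never names the form's target URL, so SUBSCRIBE_MARKER is a placeholder substring to replace with whatever identifies that request in your own logs; the log lines are constructed for the example.

```python
"""Flag bursts of newsletter-form POSTs in a web server access log.

Added example for this thread; not CS-Cart code. The substring that
identifies the subscription request (SUBSCRIBE_MARKER) is a placeholder,
because the thread does not state the form's target URL.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Placeholder (assumption): substring of the request line that marks a
# subscription submission. Adjust to match your store's actual form target.
SUBSCRIBE_MARKER = "dispatch=newsletters."

# Constructed sample log lines (not from the original poster's server):
# seven POSTs from one address inside one minute, one legitimate POST with a
# referer, one unrelated GET, and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Mar/2017:05:10:%02d +0000] "POST /index.php?dispatch=newsletters.add_subscriber HTTP/1.1" 200 512 "-" "Mozilla/5.0"' % s
    for s in range(0, 49, 7)
] + [
    '198.51.100.2 - - [18/Mar/2017:05:12:30 +0000] "POST /index.php?dispatch=newsletters.add_subscriber HTTP/1.1" 200 512 "https://shop.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Mar/2017:05:12:31 +0000] "GET /index.php?dispatch=checkout.checkout HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def subscription_posts(lines, marker=SUBSCRIBE_MARKER):
    """Yield parsed records that are POSTs to the subscription target."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and marker in rec["path"]:
            yield rec


def flag_bursts(lines, per_minute_limit=5):
    """Map client IP -> highest number of subscription POSTs seen in any one
    minute, for every IP whose peak exceeds per_minute_limit."""
    per_ip_minute = defaultdict(Counter)
    for rec in subscription_posts(lines):
        minute = rec["ts"].replace(second=0)
        per_ip_minute[rec["ip"]][minute] += 1
    return {ip: max(c.values()) for ip, c in per_ip_minute.items()
            if max(c.values()) > per_minute_limit}


if __name__ == "__main__":
    for ip, peak in flag_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} subscription POSTs in one minute")
```

If the POSTs genuinely are absent from the access log, the usual reasons are that the form submits to a different virtual host or port than the one being inspected, that a CDN or reverse proxy in front of the store is the only place the client address is recorded, or that the form's submissions are served from a cached endpoint; checking the proxy's log with the same filter is the quickest way to tell.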


 
  • Magpie Don
  • Senior Member
  • Members
  • Join Date: 01-Apr 09
  • 807 posts

Posted 21 March 2017 - 05:42 AM #4

I had to disable the Newsletter addon.

Back up the subscriber table first.

Disable all blocks with Newsletter Subscription forms.

Delete the cache from the server.

 

So, my store is no longer able to enroll subscribers to the newsletter and I can't send a newsletter.

At least I won't be flagged as a spammer!


CS-Cart Ultimate ver 4.3.5


 
  • imac
  • CTO
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 1,752 posts

Posted 23 March 2017 - 07:54 AM #5

> I had to disable the Newsletter addon.
>
> Back up the subscriber table first.
>
> Disable all blocks with Newsletter Subscription forms.
>
> Delete the cache from the server.
>
> So, my store is no longer able to enroll subscribers to the newsletter and I can't send a newsletter.
>
> At least I won't be flagged as a spammer!

 

In 4.5.2 we will fix this by using a CSRF check for subscribers.

I also will provide a fix for 4.5.1 in this thread shortly.

 

Also if you have older version you can try this solution: http://forum.cs-cart...ubscribe-block/


Ilya Makarov,
CS-Cart Architect Team

 
  • imac
  • CTO
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 1,752 posts

Posted 23 March 2017 - 02:51 PM #6

Here is the fix: https://gist.github....17bd44a781f21d5

Please note that you should enable CSRF in your config.local.php


Ilya Makarov,
CS-Cart Architect Team
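The two posts above describe the fix as a CSRF check on the subscription form. Below is an added example of what such a check looks like on the server side, together with the throttle a store operator would want next to it so that confirmation mail can no longer be aimed at a third party's mailbox in bulk. This is not CS-Cart's code, does not use its API or its config.local.php setting, and every function and field name (issue_csrf_token, SubscribeEndpoint, the csrf_token form field) is the example's own.

```python
"""Server-side checks for a public newsletter form: a session-bound CSRF token
and a cap on confirmation mails per client and per address.

Added example for this thread; not CS-Cart code. Names are the example's own.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Per-deployment secret, generated once and kept server-side (assumption:
# in a real store it would be loaded from configuration, not regenerated).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token rendered into the form as a hidden field; bound to the session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, token) -> bool:
    """Constant-time comparison against the token this session was issued."""
    return hmac.compare_digest(issue_csrf_token(session_id), token or "")


class SubscribeThrottle:
    """Sliding-window cap: at most `limit` events per key per `window` seconds."""

    def __init__(self, limit: int, window: int):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class SubscribeEndpoint:
    """Handler for the form POST; returns a short status string."""

    def __init__(self):
        self.per_ip = SubscribeThrottle(limit=5, window=600)      # per client
        self.per_email = SubscribeThrottle(limit=1, window=86400) # per address
        self.sent = []  # addresses a confirmation mail would be queued for

    def handle(self, session_id: str, form: dict, client_ip: str, now=None) -> str:
        now = time.time() if now is None else now
        # 1. The POST must carry the token issued to this session. A script
        #    that replays the POST without loading the page first fails here.
        if not csrf_token_valid(session_id, form.get("csrf_token")):
            return "rejected: bad csrf token"
        email = (form.get("email") or "").strip().lower()
        if "@" not in email:
            return "rejected: invalid address"
        # 2. Cap how often one client may trigger a confirmation mail at all.
        if not self.per_ip.allow(client_ip, now):
            return "throttled: client"
        # 3. Cap how often one address may be mailed, so the confirmation
        #    autoresponder cannot be turned against a recipient.
        if not self.per_email.allow(email, now):
            return "throttled: address"
        self.sent.append(email)
        return "ok: confirmation queued"


if __name__ == "__main__":
    ep = SubscribeEndpoint()
    tok = issue_csrf_token("sess-1")
    print(ep.handle("sess-1", {"email": "a@example.org"}, "203.0.113.7"))
    print(ep.handle("sess-1", {"email": "a@example.org", "csrf_token": tok}, "203.0.113.7"))
```

The token on its own only forces a submitter to fetch the page and keep the session cookie before posting, which raises the cost of automation but does not remove it; the two throttles are what bound the number of confirmation messages one client can cause and how often any single mailbox can be hit, which is the harm the thread describes.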