Autarchy of the Private Cave

Tiny bits of bioinformatics, [web-]programming etc

    ExpressionEngine contact form (email module) spam vulnerability

    26th January 2009

    Yesterday I had a look at mod.email.php – the Email module of ExpressionEngine CMS.

    It appears that it is very easy to use ExpressionEngine’s contact form (which uses Email module) to send emails to arbitrary addresses – simply put, send spam using someone’s EE.

    And here’s why:

    • the recipients hidden field is sent to the client; it is encrypted, but since the encryption routine is in the publicly available mod.email.php, it takes only a few minutes to write your own email-encoding function that produces a completely valid recipients field
    • there is also an XID field, which seems to be unique for each page load

    The spamming algorithm is clear, so I won’t elaborate. (I could have missed some session variables, though; I didn’t check them.)

    This information is valid as of ExpressionEngine 1.6.6, but nothing in the changelogs indicates that this mechanism was modified in newer versions of EE.

    Update: I’ve tested, and this vulnerability does exist. The simplest prevention measure is to enable Captcha for the contact form.

    I’ve notified the developers.
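    The root cause above is that the form tells the client who the mail goes to, and protects that choice with an obfuscation anyone holding the source can reproduce. The handler below is an added example, not ExpressionEngine’s code: it keeps recipient lists on the server keyed by an opaque form id, binds each page load to a one-time token that is stored in the session and consumed on use (the role XID plays, but verified server-side), and signs the pair with a server-only secret. The names (FORM_RECIPIENTS, SIGNING_KEY, issue_form_fields, resolve_recipients) and the sample addresses are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Recipient lists live only on the server, keyed by an opaque form id.
// The client never sees or chooses e-mail addresses. (Constructed sample data.)
const FORM_RECIPIENTS = [
    'site_contact' => ['webmaster@example.com'],
    'sales'        => ['sales@example.com'],
];

// Server-side secret. In a real deployment load it from configuration;
// it must never be derivable from the source code or the rendered page.
const SIGNING_KEY = 'replace-with-a-random-32-byte-secret';

/**
 * Issue the hidden fields for one page load of a form.
 * Returns form_id, a one-time token and an HMAC over both.
 */
function issue_form_fields(string $formId, array &$session): array
{
    if (!isset(FORM_RECIPIENTS[$formId])) {
        throw new InvalidArgumentException('unknown form id');
    }
    // Fresh per-page-load token, remembered in the session so it can be
    // checked and consumed exactly once.
    $token = bin2hex(random_bytes(16));
    $session['contact_tokens'][$token] = ['form_id' => $formId, 'issued' => time()];
    // Even with full access to this source, a client cannot produce a valid
    // signature for a different form id without SIGNING_KEY.
    $sig = hash_hmac('sha256', $formId . '|' . $token, SIGNING_KEY);
    return ['form_id' => $formId, 'token' => $token, 'sig' => $sig];
}

/** Render the issued fields as HTML hidden inputs. */
function render_hidden_inputs(array $fields): string
{
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= sprintf('<input type="hidden" name="%s" value="%s">',
            htmlspecialchars($name, ENT_QUOTES), htmlspecialchars($value, ENT_QUOTES));
    }
    return $html;
}

/**
 * Validate a submission and return the recipient list to send to, or null
 * if the request must be rejected. Any client-supplied "recipients" field
 * is simply never consulted.
 */
function resolve_recipients(array $post, array &$session, int $maxAge = 3600): ?array
{
    $formId = (string)($post['form_id'] ?? '');
    $token  = (string)($post['token'] ?? '');
    $sig    = (string)($post['sig'] ?? '');

    if (!isset(FORM_RECIPIENTS[$formId])) {
        return null;                               // unknown form
    }
    $expected = hash_hmac('sha256', $formId . '|' . $token, SIGNING_KEY);
    if (!hash_equals($expected, $sig)) {
        return null;                               // tampered or forged fields
    }
    $entry = $session['contact_tokens'][$token] ?? null;
    if ($entry === null
        || $entry['form_id'] !== $formId
        || time() - $entry['issued'] > $maxAge) {
        return null;                               // replayed, expired or cross-form token
    }
    unset($session['contact_tokens'][$token]);     // consume: one submission per page load
    return FORM_RECIPIENTS[$formId];
}

// Demonstration with an in-memory session array.
$session = [];
$fields  = issue_form_fields('site_contact', $session);
echo render_hidden_inputs($fields), PHP_EOL;

// Honest submission: accepted, recipients come from the server-side map.
$post = $fields + ['recipients' => 'victim@example.net', 'message' => 'hi'];
var_dump(resolve_recipients($post, $session));     // ['webmaster@example.com']

// Replay of the same token: rejected.
var_dump(resolve_recipients($post, $session));     // NULL

// Signed fields re-pointed at another form: signature no longer matches.
$fields2 = issue_form_fields('site_contact', $session);
$tampered = ['form_id' => 'sales'] + $fields2;
var_dump(resolve_recipients($tampered, $session)); // NULL
```

The design choice worth noting is that none of the three checks depends on the attacker not reading the code: the recipient list is not in the request at all, the signature needs a key that is not in the repository, and the token is a server-side record rather than a value the client can mint. Captcha, as the post recommends, still helps against volume, but it does not by itself stop a forged recipients field.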


    Posted in CMS, PHP, Programming, Software, Web | 1 Comment »

    Spam Karma 2 (SK2) is a life saver plugin

    9th April 2008

    As an update to WordPress anti-spam plugins, I highly recommend Spam Karma 2. For the time being, it seems to be the ultimate protection. I turned off all the other anti-spam plugins (including Akismet), and everything’s just perfect! SK2 catches up to a thousand spam comments/trackbacks during a single week on this blog, and I have never had a complaint from blog visitors about being unable to add a comment (though some did have to fill in a captcha to post a comment with links).

    And SK2 still works under WP 2.5! (SK 2.3 was released to support WP 2.1)

    Kudos to Dave!

    It would be a pity if this excellent plugin is abandoned and stops functioning in one of the upcoming WP releases.

    Update: SpamKarma is now GPL (at google code).


    Posted in CMS, Software, Web, WP PlugIns | No Comments »

    WordPress [Anti-]Spam plugins

    22nd January 2007

    You may discover that, as your blog gets more visitors and pageviews, you are getting more spam in the comments on your posts. It arrives as actual comments, pings, and trackbacks.


    Posted in Web, WP PlugIns | 1 Comment »