Notice from my webhost: FormMail being used to spam [RESOLVED: NOT FORMMAIL]

[Dami]

Edited to correct: THE ERROR WAS NOT CAUSED BY FORMMAIL. An older version of Joomla! was compromised.


This is the message I've received today from my web host:

Your account "xxx.com" hosted on server xxxxxxxx.xxx.com is sending out bulk/spam mails and violated our TOS by sending more than 1000 mails per hour. Mails were sent using by the account ops@deta.kz via authentication method. Please check the following for more details.

2012-03-05 17:28:49 1S4gOf-0007pa-Gf ** gertraud-john@web.de <Gertraud-John@web.de> R=enforce_mail_permissions: Domain dragonmyth.com has exceeded the max emails per hour (1250/1000 (125%)) allowed. Message discarded.

ad nauseum

It seems like one of your script is outdated and hackers have exploited it to upload/run vulnerable scripts in the server.

We had no choice, but to disable offending script and removed all mails in queue from your account.

Please make sure that your scripts are upto date and not exploited to prevent these kind of issues from happening again.
=======================

Okay, from day one (almost from the first hour of use) this script has been hit by spammers and I get numerous script (captcha) failure notices each week. Now, I get this delightful message from my host.

How can this be fixed? How was it exploited in the first place?

TIA
Dami

[crabtree]

mmmmmmm.....

i've been lurking here for squillions of years and no one has ever reported an exploit in tectite formmail as far as i can remember

i've used it for years too and never had a problem.

so, first question: do u know for sure it was tectite formmail that was used?

if so, more questions:

• do u have other formmail scripts on ur website?
• have u altered tectite formmail outside its config section?
• tectite formmail only sends to the limited email addresses u specified (except for autorespond), so have u setup TARGET_EMAIL properly.

i know tectite offer guaranteed support, so u might want to buy some support and get it investigated. i think the guarantee means if there's a bug, u get ur money back (and the problem fixed)

[Dami]

Thanks for posting, crabtree. I'm checking now with my web host. In the initial email, they just said they'd disabled "the" script without bothering to say which one--unless they just wholesale disabled everything.


FOUND THE PROBLEM. An older version of Joomla was compromised and IT WAS NOT FORMMAIL!

Sorry for the false alarm. I am curious how people found my form so fast to spam it.

[crabtree]

thx for posting back the results.

all formmail users (and esp tectite) will be glad u confirmed this!