Post by sooty » Thu Sep 29, 2016 7:21 pm

We are getting bombarded with enquiries via the contact page from a eric.neilmann@take5shop(.com)

It is an automated message containing an invitation to open a list of required products supposedly on an excel spreadsheet.

We know, to the expense of a friend of ours who also received this through their opencart 1.5 shop, that the link is malicious. It takes control of your PC and then they demand $500 to release it. They have ended up scrapping a hard drive over it.

This is a warning to others not to open the link.

Anyone know a way to shut the b%^$)ard down?

We think the originator's IP address is 194.67.196.54 and have now blocked access.


Post by IP_CAM » Fri Sep 30, 2016 4:20 am

Code: Select all

inetnum: 194.67.196.0 - 194.67.199.255
netname: MAROSNET-194-67-196-0
descr: Marosnet enterprise network
country:  RU

Better deny this Network completely, I blocked those fellows on an even larger range, a long time ago!
deny from 194.24.230.0/194.88.213.255

Code: Select all

order allow,deny
allow from all
deny from 194.67.196.0/194.67.199.255

Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by Johnathan » Fri Sep 30, 2016 4:33 am

If they change their IPs and you want to block their domain in your contact form, you could make an edit like this:

Code: Select all

IN:
/catalog/controller/information/contact.php

REPLACE:
$mail->send();

WITH:
// strpos() returns false when 'take5shop' is absent. Compare with === false,
// because a match at position 0 also passes a plain !strpos() test.
if (strpos($this->request->post['email'], 'take5shop') === false) {
    $mail->send();
}

You could also use an "else" statement with that "if" statement to redirect them away, or do other things (like auto-block their IP) if you're handy with code.

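A stricter variant of the same idea, as an added example that is not Johnathan's code and not part of OpenCart: it compares the domain part of the submitted address against a blocklist instead of searching the whole string for a substring. The function name `isBlockedSender`, the `$blockedDomains` array and the sample addresses are constructed for illustration.

```php
<?php
// Added example, not from the thread or from OpenCart.
// isBlockedSender() and $blockedDomains are hypothetical names.

/**
 * True when the domain part of $email equals a blocked domain or is a
 * subdomain of one. The comparison is case-insensitive.
 */
function isBlockedSender(string $email, array $blockedDomains): bool
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return true; // no domain part at all: treat as not sendable
    }
    $domain = strtolower(rtrim(trim(substr($email, $at + 1)), '.'));

    foreach ($blockedDomains as $blocked) {
        $suffix = '.' . strtolower($blocked);
        if ($domain === substr($suffix, 1) || substr($domain, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

$blockedDomains = ['take5shop.com'];

// Constructed sample submissions.
$samples = [
    'eric.neilmann@take5shop.com',  // sender address quoted in the thread
    'Someone@MAIL.Take5Shop.com',   // subdomain, mixed case
    'take5shop@example.org',        // name appears only before the "@"
    'buyer@nottake5shop.com',       // different domain with the same ending letters
];

foreach ($samples as $email) {
    $action = isBlockedSender($email, $blockedDomains) ? 'drop' : 'send';
    printf("%-30s %s\n", $email, $action);
}

// In contact.php the guard would wrap the existing call:
//     if (!isBlockedSender($this->request->post['email'], $blockedDomains)) {
//         $mail->send();
//     }
```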


Post by debbiekipt » Fri Sep 30, 2016 11:05 pm

I am having the same issue, thanks for the suggestions!
I have also discovered something which I think may be more sinister, I do not know if they are connected:
http://forum.opencart.com/viewtopic.php?f=20&t=168452

Re the code you kindly provided Ernie, I assume it goes in our .htaccess file?
order allow,deny
allow from all
deny from 194.67.196.0/194.67.199.255


Post by IP_CAM » Fri Sep 30, 2016 11:45 pm

debbiekipt wrote: I assume it goes in our .htaccess file

Yes, this is correct!
---
And just to give you an inside look into my file, for years, I use this .htaccess file, frequently updated,
in my Site ROOT Sections. It could have been coded MUCHO more professional, I know, but this is, what
I understand to manage, and it works well, and makes very little difference in page load delay, compared,
without having an .htaccess file in place! :D
---
It also re-routes incoming http://site calls to http://www.site, so, I don't have to add such
rerouting routines to OC-2 related Shop Subdirectory placed .htaccess files any longer, to avoid
Font-Awesome ICON related problems.
---
http://www.openshop.li/downloads/ernies_htaccess.zip
---
BOTTOM Rewrite Rule Line could either be something like this:

Code: Select all

RewriteRule .* - [F]

or then something like this, re-directing such IPs directly to another Domain!

Code: Select all

RewriteRule /*$ http://www.brightfort.com/spywareblaster.html [L,R]

---
Good Luck ;)
Ernie

But don't just use it, as it comes, it may BLOCK yourself from accessing your Site,
depending on, where you come from ::) :D


Post by JNeuhoff » Sat Oct 01, 2016 5:28 am

sooty wrote:We are getting bombarded with enquiries via the contact page from a eric.neilmann@take5shop(.com)

It is an automated message containing an invitation to open a list of required products supposedly on an excel spreadsheet.

We know, to the expense of a friend of ours who also received this through their opencart 1.5 shop, that the link is malicious. It takes control of your PC and then they demand $500 to release it. They have ended up scrapping a hard drive over it.

This is a warning to others not to open the link.

Anyone know a way to shut the b%^$)ard down?

We think the originator's IP address is 194.67.196.54 and have now blocked access.

We got loads of emails from the same guy. Might be useful to add a captcha on your Contact page.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig




Post by debbiekipt » Sat Oct 01, 2016 6:32 pm

Many thanks for your post and sharing your .htaccess Ernie!
I will take a look at that and great that it could resolve the missing Font Awesome icons too - that is something else I have an issue with in multistore shops at present.

Thanks JNeuhoff for your suggestion, we have a captcha and were still getting the emails, though none today so far after adding Ernie's deny code to .htaccess yesterday :-)


Post by JNeuhoff » Tue Oct 04, 2016 5:12 am

I added Ernie's code

Code: Select all

order allow,deny
allow from all
deny from 194.67.196.0/194.67.199.255

to the .htaccess, yet we are still getting these spam mails from take5shop, submitted via our website's Contact form (verified from the access.log). I guess it needs a different mechanism to block this IP-address range!
Last edited by JNeuhoff on Tue Oct 04, 2016 6:13 am, edited 1 time in total.



Post by IP_CAM » Tue Oct 04, 2016 6:00 am

I know, it can be enduring, that's why I have some Lock-Code on IPs as well as on 'Names', related, after analyzing the source of transmissions, to sometimes find out where to 'get' 'em!
Good Luck!
Ernie


Post by JNeuhoff » Tue Oct 04, 2016 6:08 am

I think the last enquiry originated from the IP-address 92.63.109.125, which is part of the range 92.63.108.0 - 92.63.109.255, coming from JSC Cloud, Irkutsk, Russia. Should be added to the deny-list, too.



Post by Johnathan » Tue Oct 04, 2016 10:54 pm

JNeuhoff wrote:I added Ernie's code to the .htaccess, yet we are still getting these spam mails from take5shop, submitted via our website's Contact form (verified from the access.log). I guess it needs a different mechanism to block this IP-address range!

If this happens often, you might want to just use the edit I suggested above, which should block your contact form from being used by anyone from that domain.



Post by Philly » Tue Oct 11, 2016 6:37 pm

Johnathan's reply is perfect for this!

The spammers think they sent it as they get the confirmation message, but no email is sent!!

Just make sure you test it using their domain and another before considering it fixed :)

Thank you Johnathan!!!


Post by JNeuhoff » Tue Oct 11, 2016 8:18 pm

I am now trying this htaccess code:

Code: Select all

deny from 194.67.196.0/22
deny from 92.63.108.0/23

which should block this spammer's IP address ranges

194.67.196.0 to 194.67.199.255
92.63.108.0 to 92.63.109.255

This spammer is actually manually visiting the information/contact page, then copying and pasting his standard spam text, and then hitting the Submit button.

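The range-to-CIDR step in the post above, as an added example that is not code from the thread: it converts the two start/end ranges quoted here into CIDR blocks, checks the two reported sender addresses against them, and tests whether an end address is usable as a netmask (Apache reads the part after the slash as a netmask or a prefix length). The function names are hypothetical and 64-bit PHP is assumed.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.
// Assumes 64-bit PHP, where ip2long() returns non-negative integers.

/** Split an inclusive IPv4 range into the smallest list of CIDR blocks. */
function rangeToCidrs(string $first, string $last): array
{
    $start = ip2long($first);
    $end   = ip2long($last);
    if ($start === false || $end === false || $start > $end) {
        throw new InvalidArgumentException("bad range: $first - $last");
    }
    $cidrs = [];
    while ($start <= $end) {
        $bits = 32;
        // Widen the block while $start stays aligned on its boundary ...
        while ($bits > 0 && ($start & (1 << (32 - $bits))) === 0) {
            $bits--;
        }
        // ... then narrow it until it no longer runs past $end.
        while ($start + (1 << (32 - $bits)) - 1 > $end) {
            $bits++;
        }
        $cidrs[] = long2ip($start) . '/' . $bits;
        $start  += 1 << (32 - $bits);
    }
    return $cidrs;
}

/** True when $ip lies inside $cidr (for example "194.67.196.0/22"). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

/** True when $dotted is a netmask: ones followed only by zeros. */
function isNetmask(string $dotted): bool
{
    $m = ip2long($dotted);
    if ($m === false) {
        return false;
    }
    $hostBits = ~$m & 0xFFFFFFFF;
    return ($hostBits & ($hostBits + 1)) === 0;
}

// Ranges and addresses quoted in the thread.
foreach ([['194.67.196.0', '194.67.199.255'], ['92.63.108.0', '92.63.109.255']] as [$a, $b]) {
    echo "$a - $b => ", implode(', ', rangeToCidrs($a, $b)), "\n";
}
var_dump(ipInCidr('194.67.196.54', '194.67.196.0/22'));
var_dump(ipInCidr('92.63.109.125', '92.63.108.0/23'));
var_dump(isNetmask('194.67.199.255'), isNetmask('255.255.252.0'));
```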
