isLogged() inside mail.php
Posted: Wed Sep 30, 2020 4:51 pm
by za miksica
Hello
I'm using OC 1.5.6.4 and trying to disable use of mail.php if the user is not logged in, because I'm receiving a lot of spam where, in the email header, I see that mail.php is used to send emails. If I use "isLogged" inside mail.php, I think mail will not be sent (if the user is not logged in).
There could also be another option (instead of isLogged) - the important thing is just that mail.php cannot be used to send email without logging in.
Thank you.
Re: isLogged() inside mail.php
Posted: Thu Oct 01, 2020 1:21 pm
by rjcalifornia
za miksica wrote: ↑Wed Sep 30, 2020 4:51 pm
Hello
I'm using OC 1.5.6.4 and trying to disable use of mail.php if the user is not logged in, because I'm receiving a lot of spam where, in the email header, I see that mail.php is used to send emails. If I use "isLogged" inside mail.php, I think mail will not be sent (if the user is not logged in).
There could also be another option (instead of isLogged) - the important thing is just that mail.php cannot be used to send email without logging in.
Thank you.
Are those spam emails being sent through the contact form?
Re: isLogged() inside mail.php
Posted: Thu Oct 01, 2020 2:14 pm
by za miksica
I don't know.
I just see this in the email header:
X-PHP-Originating-Script: 0:mail.php
To me, it looks like spammers use "mail.php" to send email, and I want to try to disable use of "mail.php" for unregistered customers.
Any idea how to do that?
Thank you.
Re: isLogged() inside mail.php
Posted: Thu Oct 01, 2020 6:11 pm
by ADD Creative
The problem you will have is that the mail class is also used by the admin side, so you won't be able to use the customer isLogged.
It would probably be easier to work out what part on the customer side is sending and add the isLogged check there. You should be able to work that out from the email subject.
Re: isLogged() inside mail.php
Posted: Thu Oct 01, 2020 8:50 pm
by za miksica
Hello
Do you have an example of how to edit mail.php to find out where mail.php is being used from?
Thank you in advance.
Re: isLogged() inside mail.php
Posted: Thu Oct 01, 2020 10:58 pm
by straightlight
That methodology won't prevent SPAM. It will only prevent non-logged-in users from sending emails; it won't prevent logged-in users from sending SPAM, and scripted sends from automated logged-in users via CSRF attacks are not prevented.
Re: isLogged() inside mail.php
Posted: Fri Oct 02, 2020 1:53 am
by za miksica
Hello
Spam emails contain this in the email header:
X-PHP-Originating-Script: 0:mail.php
The question is - how to prevent sending spam emails using mail.php?
Obviously, spammers found a way to send emails using mail.php.
Actually, here is one spam email:
Code:
Received: from mail ([127.0.0.1]) by mydomain.com with
MailEnable ESMTP; Tue, 29 Sep 2020 22:03:10 +0200
Subject: =?UTF-8?B?RG90YXogUnViZW4=?=
To: email@mydomain.com
X-PHP-Originating-Script: 0:mail.php
MIME-Version: 1.0
Date: Tue, 29 Sep 2020 20:03:10 +0000
From: =?UTF-8?B?UnViZW4=?= <info@mydomain.com>
Reply-To: =?UTF-8?B?UnViZW4=?= <info@mydomain.com>
Return-Path: <info@mydomain.com>
X-Mailer: PHP/7.0.33
Content-Type: multipart/related; boundary="----=_NextPart_edb971570eb340da2a06bbae29c69d5a"
------=_NextPart_edb971570eb340da2a06bbae29c69d5a
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Hey there
Defrost frozen foods in minutes safely and naturally with our THAW KING™.
50% OFF for the next 24 Hours ONLY + FREE Worldwide Shipping for a LIMITED time
Buy now: thawking.online
------=_NextPart_edb971570eb340da2a06bbae29c69d5a--
Thank you.
Re: isLogged() inside mail.php
Posted: Fri Oct 02, 2020 2:55 am
by ADD Creative
If you can't work out what is sending the email from the subject, then probably the quickest way is to temporarily add:
Code:
trigger_error('Mail route: ' . $_GET['route']);
To system/library/mail.php just after.
Then make sure display errors is off and log errors is on, and every time the mail function is used you will see an entry in your error log telling you which controller called send.
Code:
PHP Notice: Mail route: information/contact in system/library/mail.php on line 50
If $_GET['route'] does not show anything then try $_SERVER['REQUEST_URI'].
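An added example, not part of the thread or of OpenCart's own code: a hardened variant of the temporary logging line suggested above. The helper name describe_mail_caller is hypothetical; it falls back to REQUEST_URI when no usable route is present, records the client address, and neutralises control characters because request data is attacker-controlled. The sample requests are constructed.

```php
<?php
// Hypothetical helper (not OpenCart code): describe the request that
// triggered a mail send as one safe log line. Written without newer PHP
// syntax so it also runs on the old PHP versions OC 1.5.x is deployed on.
function describe_mail_caller(array $get, array $server) {
    // Prefer the OpenCart route. is_string() guards against route[]=x,
    // which would otherwise produce "Array to string conversion".
    if (isset($get['route']) && is_string($get['route']) && $get['route'] !== '') {
        $source = 'route=' . $get['route'];
    } elseif (isset($server['REQUEST_URI'])) {
        $source = 'uri=' . $server['REQUEST_URI'];
    } else {
        $source = 'no route or URI';
    }
    $method = isset($server['REQUEST_METHOD']) ? $server['REQUEST_METHOD'] : '-';
    $ip     = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '-';

    $line = $method . ' ' . $source . ' from ' . $ip;
    // Replace control characters (CR, LF, NUL, ...) so a crafted parameter
    // cannot forge extra entries in the error log, then cap the length.
    $line = preg_replace('/[\x00-\x1F\x7F]/', '?', $line);
    return substr($line, 0, 300);
}

// In system/library/mail.php the temporary line would then become:
//   trigger_error('Mail route: ' . describe_mail_caller($_GET, $_SERVER));

// Constructed sample requests (documentation IP range), to show the format.
$samples = array(
    // Normal contact-form submission.
    array(array('route' => 'information/contact'),
          array('REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '203.0.113.7')),
    // Route parameter carrying a newline meant to fake a second log entry.
    array(array('route' => "information/contact\nPHP Notice: Mail route: fake"),
          array('REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '203.0.113.8')),
    // Route sent as an array: fall back to the request URI.
    array(array('route' => array('x')),
          array('REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '203.0.113.9',
                'REQUEST_URI' => '/index.php?route[]=x')),
);
foreach ($samples as $s) {
    echo 'Mail route: ', describe_mail_caller($s[0], $s[1]), PHP_EOL;
}
```

Logging the request method and client address alongside the route makes it possible to match each mail send against the web server's access log.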
Re: isLogged() inside mail.php
Posted: Fri Oct 02, 2020 1:25 pm
by za miksica
OK thank you so much, will try that!