hours, totalhours changed

chris — Fri, 28 Mar 2014 18:58:34 GMT

hours changed from 0.0 to 0.15
totalhours changed from 0.0 to 0.15

The Transition Culture site also appears to be sending out spam, see ticket:656, Sam installed wordfence to block it there.

I have glanced through the logs and haven't found the POST/GET's related to this spam, my guess would be that the site has been compromised, but more time is needed to track the cause of this down.

cc changed

ed — Sat, 29 Mar 2014 20:17:13 GMT

cc sam added

laura — Sun, 30 Mar 2014 10:15:09 GMT

Not sure if this is the same issue that Fi contacted me about this
weekend, (contact form spam - Fi receiving some odd messages in russian)
- so as a temp fix until back at the desk next week, have added some
askimet checks to the name/email field for the contact form (It's really
basic and may not make any difference) and the simple quiz.
There is a more secure contact form plugin which I may set up and config
this week which works well to thwart spammers (eg - works better with
askimet as contact form 7 isn't that great when spammers start using the
form, it also has a hidden but accessible for screenreaders field for
trapping bots and other elements too
https://wordpress.org/plugins/si-contact-form/), and if needed can add
Perishable Press's 5G blacklist to htaccess too.
Laura
On 29/03/2014 20:17, Transiton Technology Trac wrote:
> #709: Reconomy sites appears to be sending out spam
> -------------------------------------+-------------------------------------
>             Reporter:  chris          |                      Owner:  chris
>                 Type:  maintenance    |                     Status:  new
>             Priority:  critical       |                  Milestone:
>            Component:  Parrot server  |  Maintenance
>             Keywords:                 |                 Resolution:
> Add Hours to Ticket:  0              |  Estimated Number of Hours:  0.0
>          Total Hours:  0.15           |                  Billable?:  1
> -------------------------------------+-------------------------------------
> Changes (by ed):
>
>   * cc: sam (added)
>
>

hours, totalhours changed

chris — Mon, 31 Mar 2014 09:57:34 GMT

hours changed from 0.0 to 0.25
totalhours changed from 0.15 to 0.4

Replying to laura:

Not sure if this is the same issue that Fi contacted me about this weekend, (contact form spam - Fi receiving some odd messages in russian)

Yes I expect it will be, the messages she will have got will be the ones that got through the filters at the transitionnetwork.org mailserver - mx1.spamfiltering.com.

so as a temp fix until back at the desk next week, have added some
askimet checks to the name/email field for the contact form (It's really basic and may not make any difference) and the simple quiz.

I got three returned emails yesterday, see the end of this message.

There is a more secure contact form plugin which I may set up and config this week which works well to thwart spammers (eg - works better with askimet as contact form 7 isn't that great when spammers start using the form, it also has a hidden but accessible for screenreaders field for trapping bots and other elements too https://wordpress.org/plugins/si-contact-form/), and if needed can add Perishable Press's 5G blacklist to htaccess too.

Thanks, looking at the emails below it does look like a spam bot has signed up for an account and then used the contact form to send a email to fionaward@… and then the transitionnetwork.org mailserver at mx1.spamfiltering.com has bounced it back to the web servers root email address as the messages contain "An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com".

These are the three returned emails from yesterday:

From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
Date: Sun, 30 Mar 2014 00:51:49 +0000
To: recon@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
  fionaward@transitionnetwork.org
    SMTP error from remote mail server after end of data:
    host mx1.spamfiltering.com [212.113.130.124]:
    550 An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com. Please organise removal and retry.
------ This is a copy of the message, including all the headers. ------
Return-path: <recon@parrot.webarch.net>
Received: from recon (uid=1006)
        by parrot.webarch.net with local (Exim 4.80)
        (envelope-from <recon@parrot.webarch.net>)
        id 1WU3yO-0003lS-52
        for fionaward@transitionnetwork.org; Sun, 30 Mar 2014 00:51:40 +0000
To: fionaward@transitionnetwork.org
Subject: slots27
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Sun, 30 Mar 2014 00:51:40 +0000
From: roulette40 <mtollui@www.reconomy.org>
Message-ID: <c2f84bd0a251e665b87ed4dade5f3ded@www.reconomy.org>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
From: roulette40 <mtollui@www.reconomy.org>
Subject: slots27
Message Body:
интернет казино gambling, игровые автоматы бесплатно регистрации <a href= http://pobedim15.sleepingteensex.com/item1393.html >играть в
+игровые автоматы вулкан онлайн на деньги</a> игровые автоматы играть бесплатно www <a href= http://pobedim15.sleepingteensex.com
+>Лягушки Игровые Автоматы</a>
--
This mail is sent via contact form on REconomy http://www.reconomyproject.org

From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
Date: Sun, 30 Mar 2014 09:03:29 +0100
To: recon@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
  fionaward@transitionnetwork.org
    SMTP error from remote mail server after end of data:
    host mx1.spamfiltering.com [72.249.150.158]: 550 An address in this message (at sleepingteensex . com) is listed on
+sbl-multi.rbl.spamrl.com. Please organise removal and retry.
------ This is a copy of the message, including all the headers. ------
Return-path: <recon@parrot.webarch.net>
Received: from recon (uid=1006)
        by parrot.webarch.net with local (Exim 4.80)
        (envelope-from <recon@parrot.webarch.net>)
        id 1WUAiD-0004qV-3r
        for fionaward@transitionnetwork.org; Sun, 30 Mar 2014 09:03:25 +0100
To: fionaward@transitionnetwork.org
Subject: poker3
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Sun, 30 Mar 2014 08:03:25 +0000
From: slot7 <lxabaf@www.reconomy.org>
Message-ID: <bd0b74beb416f4aec759cfbde93516d1@www.reconomy.org>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
From: slot7 <lxabaf@www.reconomy.org>
Subject: poker3
Message Body:
игровой автомат одноглазый джо <a href= http://pobedim16.sleepingteensex.com/entry1056.html >игровые автоматы на деньги для андроид</a>
+азартные игры игровые автоматы играть бесплатно онлайн <a href= http://pobedim16.sleepingteensex.com/entry1352.html >игры онлайн нарды
+длинные на деньги</a>
--
This mail is sent via contact form on REconomy http://www.reconomyproject.org

From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
Date: Sun, 30 Mar 2014 09:27:34 +0100
To: recon@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
  fionaward@transitionnetwork.org
    SMTP error from remote mail server after end of data:
    host mx1.spamfiltering.com [212.113.130.124]:
    550 An address in this message (at sleepingteensex . com) is listed on sbl-multi.rbl.spamrl.com. Please organise removal and retry.
------ This is a copy of the message, including all the headers. ------
Return-path: <recon@parrot.webarch.net>
Received: from recon (uid=1006)
        by parrot.webarch.net with local (Exim 4.80)
        (envelope-from <recon@parrot.webarch.net>)
        id 1WUB5X-0005v2-Te
        for fionaward@transitionnetwork.org; Sun, 30 Mar 2014 09:27:31 +0100
To: fionaward@transitionnetwork.org
Subject: roulette97
X-PHP-Originating-Script: 1006:class-phpmailer.php
Date: Sun, 30 Mar 2014 08:27:31 +0000
From: slot26 <jahpll@www.reconomy.org>
Message-ID: <ef6b87b1857fa47f7019f3155811835a@www.reconomy.org>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
From: slot26 <jahpll@www.reconomy.org>
Subject: roulette97
Message Body:
казино мелонати или онлайн казино с бездепозитным бонусом <a href= http://baraban12.sleepingteensex.com/info890.html >играть покер
+онлайн на реальные деньги отзывы форум</a> казино goldsmir <a href= http://baraban12.sleepingteensex.com >Слоты играть на деньги
+рубли</a>
--
This mail is sent via contact form on REconomy http://www.reconomyproject.org

hours, priority, totalhours changed

chris — Tue, 01 Apr 2014 11:58:30 GMT

hours changed from 0.0 to 0.1
priority changed from critical to minor
totalhours changed from 0.4 to 0.5

No new bounces, downgrading Priority to minor.

status changed; resolution set

chris — Mon, 02 Jun 2014 09:18:17 GMT

status changed from new to closed
resolution set to fixed

This is no longer an issue.

Transition Technology: Ticket #709: Reconomy sites appears to be sending out spam

hours, totalhours changed

cc changed

hours, totalhours changed

hours, priority, totalhours changed

status changed; resolution set