Some people must have found out a way of sending emails via the contacts web form in the latest build of Joomla without using the online web form itself and are automatically generating junk and emailing it to contacts. Since updating lots of websites to the latest 1.0.15 build of Joomla I've been getting complaints from people set up as contacts in Joomla and I'm now receiving them myself too. A typical example might look like the following:

From: "owdddxfhe" <>
Subject: Joomla Contact Name: JxsfjjFqOfU
Date: Thu, October 9, 2008 6:28 am
To: joomlacontactemail@hisgenuineemailaddress

This is an enquiry e-mail via from:
owdddxfhe <>

D03fEp pboaurxgkwae, [url=]vyajbkyllbpk[/url],

As you see though - it's literally all junk text - just annoying that I now receive one from each Joomla contact per website every day now. Would really appreciate if someone could look into this. This has been going on for a while now - I've just got round to reporting it - sorry for the delay.

Opened On:
13 Oct 2008, 9:37 by Richard Hall

Filed Under

  • Administrator
  • Apache 2.2.x
  • Components
  • MySQL 5.1.x
  • PHP 5.2.x


Posted on 16 Oct 2008, 9:34 by Richard Hall
It seems that for them to send their spam their program conducting the offence must be loading a page, storing a session cookie, extracting the 33-character spoof string checked by josSpoofCheck(1) within the sendmail() function inside /components/com_contact/contact.php - therefore the system is pretty weak and has just been worked around - perhaps they've only done it to prove a point? I don't know but I'd certainly appreciate if we could implement a stronger system to defeat computer-generated spamming before it gets out of hand. Perhaps some kind of Captcha image verification system would be appropriate.
Posted on 23 Oct 2008, 3:37 by Richard Hall
I know there are some different components available in Joomla that enable people to use captcha image verification and because this post hasn't had any visible response or assignment I've gone down that route, but really if we're having the contact forms component as part of the standard distribution it should be equipped to be able to work with captcha without me needing to modify the core source files to make it work. Perhaps the relevant places could use some sort of hook mechanism that captcha plugins could take advantage of? Obviously these could include user registration, forgotten password, submitting comments and all sorts of places.
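
The hook mechanism suggested in the last comment, sketched as an added example: it is not part of the original posts and not Joomla's code. The class `FormVerifiers`, the field names and the session keys are hypothetical, and it assumes a current PHP release rather than the PHP 5.2.x listed on the ticket. Unlike the spoof string, which is handed to whatever client loads the page, the captcha answer checked here stays in the server-side session.

```php
<?php
// Added example: FormVerifiers, the field names and session keys are hypothetical.
final class FormVerifiers
{
    private static $hooks = array(); // form name => list of verifier callables

    public static function register($form, callable $verifier)
    {
        self::$hooks[$form][] = $verifier;
    }

    // Returns null if every verifier accepts, otherwise the first rejection reason.
    public static function check($form, array $post, array &$session, $now)
    {
        $verifiers = isset(self::$hooks[$form]) ? self::$hooks[$form] : array();
        foreach ($verifiers as $verifier) {
            $reason = $verifier($post, $session, $now);
            if ($reason !== null) {
                return $reason;
            }
        }
        return null;
    }
}

// Captcha plugin: the expected answer lives only in the session and is single-use.
FormVerifiers::register('contact', function (array $post, array &$session) {
    $given = isset($post['captcha']) && is_string($post['captcha']) ? $post['captcha'] : '';
    $expected = isset($session['captcha_answer']) ? $session['captcha_answer'] : null;
    unset($session['captcha_answer']);
    return ($expected !== null && hash_equals($expected, $given)) ? null : 'captcha failed';
});

// Timing plugin: the form must have been rendered at least 5 seconds before the POST.
FormVerifiers::register('contact', function (array $post, array &$session, $now) {
    $rendered = isset($session['rendered_at']) ? $session['rendered_at'] : null;
    return ($rendered !== null && $now - $rendered >= 5) ? null : 'submitted too quickly';
});

// Constructed sample requests (not taken from the report).
$session = array('captcha_answer' => 'k7m2p', 'rendered_at' => 1000);
$scripted = array('name' => 'owdddxfhe', 'text' => 'junk', 'captcha' => '');
var_dump(FormVerifiers::check('contact', $scripted, $session, 1001));

$session = array('captcha_answer' => 'k7m2p', 'rendered_at' => 1000);
$person = array('name' => 'A. Visitor', 'text' => 'Hello', 'captcha' => 'k7m2p');
var_dump(FormVerifiers::check('contact', $person, $session, 1030));
```

A form handler would call `FormVerifiers::check()` next to its existing spoof check and refuse to send mail when the result is not null; registration, password-reset and comment forms would register their own verifiers under their own form names.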