by David Snopek on December 13, 2016 - 1:52pm
One of the really interesting things about providing support and maintenance for lots and lots of sites is that you get to see patterns, or certain issues affecting several sites, that you might not notice if you're only responsible for a handful of sites.
Not only does this add to our knowledge base of solutions when a customer has a problem, but it can sometimes allow us to preemptively find a problem before a customer even knows they have it (or point it out when we do a FREE site audit).
Anyway, here's a request we've recently gotten from a couple of customers:
Is our web site compromised?!
Our hosting provider says that we've been sending hundreds of e-mails a day that are setting off alarms with their SPAM filter.
It turns out that none of the affected websites were hacked -- it was just a matter of spammers taking advantage of a particular Drupal module: "Print Mail", a sub-module of Print.
It's not a security vulnerability - they're using normal features of the module, just at scale with automation.
If you use this module on any of your sites, or are considering enabling it, please read on for an explanation of the problem and some possible solutions.
The "Print Mail" module allows you to share articles via e-mail. Basically, it adds a "Send by email" link to your content.
When you click the link, you get a form which allows you to send the article to the e-mail address of your choice. The really interesting thing is that it lets you set a custom subject and message!
These are very tempting fields to spammers! They can't avoid the actual article content being sent, but they can add enough of their own text to get an alternate message about cheap medication or whatever across to their "victims."
Now, if you have a website with interesting content and you want people to share it, you're likely to allow anonymous users to access this functionality. All it takes is for spammers to discover this form, and they'll start using their automation tools to send as many e-mails as they can!
There are a couple of possible solutions!
1. Just disable it
The easiest solution is to just disable the "Print mail" module.
For all of our customers so far, this was basically enabled as an afterthought: something clever a stakeholder asked if they could have, it was easy to enable and no one really thought about the possible consequences.
Once the problems were discovered, it just wasn't valuable enough functionality to "fix" and so we just disabled it for them.
2. Set a low threshold
The authors of the module are well aware of the possibility of abuse by spammers, and have added an "Hourly threshold" that you can configure on the settings page. This allows you to limit each user to only 3 (for example) e-mails per hour.
Of course, this isn't a perfect solution, and spammers could still send 72 e-mails per day with a threshold of 3.
3. Use a CAPTCHA
Using a module like Mollom or CAPTCHA you can add a "task" to the form that the user must complete to prove that they're human, and not some automated script. While this doesn't protect against human-submitted SPAM, it's probably the best defense if you want to keep this feature enabled for anonymous users.
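One way to check whether the "Send by email" form is being driven by automation, as an added example that is not from the original post or the Print module: it counts POSTs to the form per client IP and hour from web server access logs, and totals them per day. The `/printmail/<nid>` path, the combined log format and the sample lines are assumptions; adjust them to your site.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption: the form lives at /printmail/<nid> (or /?q=printmail/<nid>).
FORM_PATH = re.compile(r"^/(?:\?q=)?printmail/\d+")
# Combined log format: ip - - [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def submissions_per_hour(lines):
    """Count POSTs to the send-by-email form per (client IP, hour)."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, ts, method, path, _status = m.groups()
        if method != "POST" or not FORM_PATH.match(path):
            continue  # viewing the form (GET) or other pages is not a send
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        counts[(ip, when.strftime("%Y-%m-%d %H:00"))] += 1
    return counts

def over_threshold(counts, threshold=3):
    """(ip, hour) buckets with more submissions than the hourly threshold."""
    return sorted(k for k, n in counts.items() if n > threshold)

def daily_totals(counts):
    """Submissions per day across all clients; senders that each stay under
    the hourly threshold still add up here."""
    totals = Counter()
    for (_ip, hour), n in counts.items():
        totals[hour[:10]] += n
    return dict(totals)

def _line(ip, hms, method, path):
    return f'{ip} - - [13/Dec/2016:{hms} +0000] "{method} {path} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = (
    [_line("192.0.2.10", f"10:0{i}:00", "POST", "/printmail/42") for i in range(5)]
    + [_line("198.51.100.7", t, "POST", "/printmail/7") for t in ("10:15:00", "10:45:00", "11:05:00")]
    + [_line("203.0.113.5", "10:20:00", "GET", "/printmail/42"),
       _line("203.0.113.5", "10:21:00", "POST", "/user/login"), "garbage line"]
)

if __name__ == "__main__":
    counts = submissions_per_hour(SAMPLE_LOG)
    print("over threshold:", over_threshold(counts))
    print("per day:", daily_totals(counts))
```

A steady daily total with no single client over the threshold is the pattern to watch for, since the hourly limit applies per user.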
In short: If you want to use the "Print Mail" module, be sure to consider the SPAM implications.
While there are many great Drupal modules you can just enable and not worry about, this isn't one of them! You could end up sending loads of SPAM and not even know it.
But if you don't want to debug these types of problems, either for your own site or your customers' sites, let us take care of it for you!