Is there a way to disable the Forward Message web page?

Somewhere it appears that a spam bot has gotten ahold of a link for Forwarding one of our campaign messages. It’s always the same message.

We don’t really use/need the Forwarding page, though. Is there a way to turn it off altogether? Or at least to disable it for a specific message?

(Yes, I can remove the links from new emails, but that doesn’t stop existing links from being spammed.)

Thanks,
J

@J8334SWC This is probably most effectively done by an Apache htaccess directive to block the page.

OK… do you happen to know what ‘page’ it is? The URL for the forward function is just a query parameter passed into…the main PHPList location on our site.

I was hoping that there would just be a PHP file I could rename. :slight_smile:

@J8334SWC This should block access to the forward page

RewriteCond "%{QUERY_STRING}" "p=forward"
RewriteRule ^.*$ - [F,L]

That needs to go in the .htaccess file in the “lists” directory.

Thanks! That appears to have done the trick - I get an error 403 - Forbidden now.

Well darn it… I’m still getting messages that a campaign was forwarded.

<email> has forwarded message 358 to <other email>

It’s always the same campaign - one from a number of months ago. So could the bot have recorded the specific URL somehow, and not be going through a PHP processor to get to the page? Or could it have recorded the specific page submission structure so that it’s not even using the forwarding page, but submitting directly to the backend process?

@J8334SWC Can you look at the web server access log to see the request that caused phplist to send that email? You should have a time to help narrow down the search.

Haven’t gotten back to this yet. Rather back burner. Maybe soon.

A good while later… I think I found the access logs you spoke of. There’s nothing immediately obvious in there, to me. Here is a chunk from today’s log. I got an email about the message being forwarded at 14:00 (my time - which appears to match the server’s time as well). The log does seem to have entries that correspond. However, in other chunks of this log, from other days, I wasn’t able to find entries that seemed to match the Forwarded Message email I get. And there are other entries in the logs which seem to indicate the same Message Forwarded… query to our system, but which apparently didn’t trigger an email to me. (I only got one today; the log seems to indicate 3 or 4 calls to the ‘forward’ query parameter.)

Here’s a chunk of the log that encapsulates the 14:00 time period:

> 109.70.100.31 - - [13/Jul/2021:13:33:26 -0700] "GET /<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358 HTTP/1.1" 200 2898 "http://EXAMPLE.com/<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
> 109.70.100.31 - - [13/Jul/2021:13:33:32 -0700] "POST /<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358 HTTP/1.1" 200 2594 "http://EXAMPLE.com/<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
> 69.5.107.187 - - [13/Jul/2021:13:39:35 -0700] "GET /<PHPList install path>/ut.php?u=5e1d158020e64f95ba31a8ca0d28812d&m=460 HTTP/1.1" 200 167 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)"
> 66.102.6.54 - - [13/Jul/2021:13:42:44 -0700] "GET /<PHPList install path>/ut.php?u=00f2c729667f437fd8dc5198ef22f0d0&m=460 HTTP/1.1" 200 167 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"
> 71.56.136.30 - - [13/Jul/2021:13:43:09 -0700] "GET /<PHPList install path>/ut.php?u=be8371c7b2dcef54afbab30cacd4d543&m=459 HTTP/1.1" 200 167 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.2 (KHTML, like Gecko)"
> 71.56.136.30 - - [13/Jul/2021:13:43:09 -0700] "GET /<PHPList install path>/ut.php?u=be8371c7b2dcef54afbab30cacd4d543&m=460 HTTP/1.1" 200 167 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.2 (KHTML, like Gecko)"
> 71.56.136.30 - - [13/Jul/2021:13:43:08 -0700] "GET /<PHPList install path>/ut.php?u=be8371c7b2dcef54afbab30cacd4d543&m=460 HTTP/1.1" 200 167 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.2 (KHTML, like Gecko)"
> 116.179.32.37 - - [13/Jul/2021:13:58:30 -0700] "GET /other/FoodWineMenuAug20.pdf HTTP/1.1" 304 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
> 157.55.39.84 - - [13/Jul/2021:13:59:26 -0700] "GET /index.html HTTP/1.1" 200 45422 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
> 185.220.101.147 - - [13/Jul/2021:14:00:13 -0700] "GET /<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358 HTTP/1.1" 200 2898 "http://EXAMPLE.com/<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
> 185.220.101.147 - - [13/Jul/2021:14:00:22 -0700] "POST /<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358 HTTP/1.1" 200 2536 "http://EXAMPLE.com/<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
> 75.145.74.213 - - [13/Jul/2021:14:10:46 -0700] "GET /<PHPList install path>/ut.php?u=931722c5cdf0532b592fc1d8372f6a27&m=460 HTTP/1.1" 200 167 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0; Zoom 3.6.0; wbx 1.0.0; Microsoft Outlook 16.0.5173; ms-office; MSOffice 16)"
> 74.125.209.16 - - [13/Jul/2021:14:13:08 -0700] "GET /<PHPList install path>/ut.php?u=d4b3cb86faaad8635f3b643b6949bc49&m=460 HTTP/1.1" 200 167 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"
> 162.247.74.7 - - [13/Jul/2021:14:18:06 -0700] "GET /<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358 HTTP/1.1" 200 2898 "http://EXAMPLE.com/<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
> 162.247.74.7 - - [13/Jul/2021:14:18:08 -0700] "POST /<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358 HTTP/1.1" 200 2596 "http://EXAMPLE.com/<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
> 114.119.135.237 - - [13/Jul/2021:14:20:15 -0700] "GET /index.html HTTP/1.1" 200 45422 "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)"
> 67.195.51.154 - - [13/Jul/2021:14:20:35 -0700] "GET /<PHPList install path>/ut.php?u=29f1475bb191f1b21478759050f669a0&m=459 HTTP/1.1" 200 167 "-" "YahooMailProxy; https://help.yahoo.com/kb/yahoo-mail-proxy-SLN28749.html"
> 71.237.145.74 - - [13/Jul/2021:14:24:42 -0700] "GET /<PHPList install path>/ut.php?u=2681bb37c7896f1e4d5063cd01babe8a&m=460 HTTP/1.1" 200 167 "-" "Mozilla/5.0 (iPad; CPU OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"
> 95.53.92.229 - - [13/Jul/2021:14:26:44 -0700] "GET / HTTP/1.1" 200 45422 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Netscape/8.0.4"
> 54.154.230.94 - - [13/Jul/2021:14:30:17 -0700] "GET / HTTP/1.1" 200 45422 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
> 204.195.69.215 - - [13/Jul/2021:14:34:10 -0700] "GET /<PHPList install path>/ut.php?u=b56377c8bcd8a975a96ef5abd5cdffaf&m=460 HTTP/1.1" 200 167 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"
> 185.191.124.153 - - [13/Jul/2021:14:35:38 -0700] "GET /<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358 HTTP/1.1" 200 2898 "http://EXAMPLE.com/<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0"
> 185.191.124.153 - - [13/Jul/2021:14:35:40 -0700] "POST /<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358 HTTP/1.1" 200 2585 "http://EXAMPLE.com/<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0"

@J8334SWC Looking at these lines

185.220.101.147 - - [13/Jul/2021:14:00:13 -0700] "GET /<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358 HTTP/1.1" 200 2898 "http://EXAMPLE.com/<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
185.220.101.147 - - [13/Jul/2021:14:00:22 -0700] "POST /<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358 HTTP/1.1" 200 2536 "http://EXAMPLE.com/<PHPList install path>/?p=forward&uid=<a valid UID>&mid=358" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"

The IP address is suspicious, and if the GET request came from a link in an email then the referrer should be empty, but it isn’t.
I have just tried the rewrite rule again and it works for me. Are you sure that you have not inadvertently removed it? It needs to be in the .htaccess file in the “lists” directory.
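An added example, not part of the original thread or of phpList: a small access-log audit that applies the two checks from the reply above, whether each `p=forward` request was answered with 403 by the rewrite rule, and whether it carried a referrer. The `/lists/` path, the `UID_PLACEHOLDER` value and the documentation-range IP addresses are constructed sample data.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample lines (not taken from the thread's log).
SAMPLE = [
    '192.0.2.10 - - [13/Jul/2021:14:00:13 -0700] "GET /lists/?p=forward&uid=UID_PLACEHOLDER&mid=358 HTTP/1.1" 200 2898 "http://example.com/lists/?p=forward&uid=UID_PLACEHOLDER&mid=358" "Mozilla/5.0"',
    '192.0.2.10 - - [13/Jul/2021:14:00:22 -0700] "POST /lists/?p=forward&uid=UID_PLACEHOLDER&mid=358 HTTP/1.1" 200 2536 "http://example.com/lists/?p=forward&uid=UID_PLACEHOLDER&mid=358" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Jul/2021:14:10:46 -0700] "GET /lists/ut.php?u=UID_PLACEHOLDER&m=460 HTTP/1.1" 200 167 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jul/2021:09:00:00 -0700] "GET /lists/?p=forward&uid=UID_PLACEHOLDER&mid=358 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

def is_forward(url):
    """True when the query string selects the forward page (p=forward)."""
    return parse_qs(urlsplit(url).query).get("p") == ["forward"]

def audit(lines):
    """Return one finding per forward-page request found in the log lines."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.lstrip("> "))
        if not m or not is_forward(m["target"]):
            continue
        sent_referer = m["referer"] not in ("", "-")
        findings.append({
            "ip": m["ip"], "time": m["time"], "method": m["method"],
            # 403 means the .htaccess rule answered; anything else reached phpList.
            "blocked": m["status"] == "403",
            # A click on a link in an email is expected to arrive without a referrer.
            "has_referer": sent_referer,
            # Referrer that is itself the forward page, as in the lines quoted above.
            "self_referer": sent_referer and is_forward(m["referer"]),
        })
    return findings

def unblocked(findings):
    """Forward requests that got past the rule, e.g. after .htaccess was overwritten."""
    return [f for f in findings if not f["blocked"]]

if __name__ == "__main__":
    for f in unblocked(audit(SAMPLE)):
        print(f["time"], f["ip"], f["method"], "self-referer" if f["self_referer"] else "")
```

Any entry returned by `unblocked` after the rule was added means the directive is no longer in the served `.htaccess` file.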

Err…Well, yes, actually - it did get overwritten. There’s an auto-restore process that runs on the website. It apparently restored the backup version of the file after I had made my initial change. Doh!

I did an nslookup on some of those IPs and they are from anonymizers, DNS clouds, Google, etc.

I did make changes to the .htaccess file, and it was working - I got no ‘Forward’ messages for about two weeks. But then I started to get them again…

In this most recent case, I think what happened was that PHPList itself was updated on 7/28. (It’s set for auto-updates.) And I’m guessing that it overwrote my changes with new files. Not a huge deal, but a bit annoying.

The prior PHPList update before 7/28 was on 5/25. This appears to line up fairly well with the last time I saw this change. So will chalk it up to auto-updates.