+3
Answered

Anyone else getting spammed on form submissions?

Elizabeth Stephens 4 years ago in BLOX CMS updated by Joe Hansen (Product manager) 10 months ago 16

We have been getting tons of spam submissions via a feedback form on our site. It's regarding CBD and vaping stuff. TownNews says it's people submitting so a spam filter or recaptcha wouldn't stop it. But just curious if others are seeing anything similar. Ours just started in the last month.

Answer
Answered

Folks, we have a software release going out Monday that will remove the file links from Form submission receipts. This will effectively remove the use of forms as a shadow File Storage system. This should hopefully reduce this issue. There will be some additional functionality coming for removing things in the admin, but that is pending further development.

The issue with Captchas or putting forms behind user login is that these are actually real people, so they can answer those captchas.

TownNews Director of Solutions Support

+1

Yes, us too. And apparently there is absolutely nothing they can do about it. We've had to turn off our calendar submissions, but that still doesn't stop anything since they are getting in the back door. All of our analytics are now rubbish, we're getting emails from Google Analytics and Bing as they're spotting copyrighted content, and we're getting calls from customers that can't place their calendar submissions. My next step will be to see if we can get at least some sort of refund or lower payments due to the headache this has created. It is atrocious.

And I should note the two hacked spots. People are creating accounts which in turn is sending email notifications which include nothing but porn and they are also creating calendar items for streaming events. Sadly, those created accounts are also getting used for our newsletter which is creating a bunch of bounces. The worst of it all is, our website does little to nothing for us, it is merely a headache we have to deal with in order to collect the very small amount it makes us.

For a site NOT on Townnews I use a simple "What is Three plus Seven" type form entry that is generated on the fly. It passes the question to the form processor, which checks to see if the answer is correct. I don't pass the answer, just the full question. The 3 words are semi-randomly generated from a list of possible terms. For one site that was worried they would miss things, I still sent all of the submissions, but if the answer was wrong, it changed the subject to "[suspect] Rest of subject here" instead of the "Rest of subject here" subject it normally sends.

How to do this on Townnews, I don't know.  It should be fairly simple for them to come up with a system that requires someone to answer a semi-random question.  This will foil most bots these days.
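One way to build the challenge described in the post, as an added example (not the poster's code and not a BLOX CMS feature). The question words travel to the form processor inside an HMAC-signed token so they cannot be altered, the answer is never sent, and a wrong answer only tags the subject with "[suspect]" rather than dropping the submission. SECRET, WORDS and the ttl are assumptions.

```python
import hashlib
import hmac
import operator
import random
import time

# Added example, not the poster's code. SECRET is a placeholder: in real use load a
# long random value from server-side config and never send it to the browser.
SECRET = b"placeholder-server-secret-change-me"
WORDS = {"One": 1, "Two": 2, "Three": 3, "Four": 4, "Five": 5,
         "Six": 6, "Seven": 7, "Eight": 8, "Nine": 9}
OPS = {"plus": operator.add, "minus": operator.sub}

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def make_challenge(ttl: int = 900):
    """Return ('What is Three plus Seven', token). The token carries the three
    question words and an expiry, signed so the browser cannot alter them, but
    never the answer: the server recomputes that on submission."""
    a, b = random.sample(list(WORDS), 2)
    op = random.choice(list(OPS))
    expires = int(time.time()) + ttl
    payload = f"{a}|{op}|{b}|{expires}"
    return f"What is {a} {op} {b}", f"{payload}|{_sign(payload)}"

def check_answer(token: str, answer) -> bool:
    """Verify the token's signature and expiry, then compare the answer."""
    try:
        a, op, b, expires, sig = token.split("|")
    except ValueError:
        return False                      # malformed or missing token
    if not hmac.compare_digest(_sign(f"{a}|{op}|{b}|{expires}"), sig):
        return False                      # question words or expiry tampered
    if int(expires) < time.time():
        return False                      # stale token, ask a fresh question
    try:
        return int(str(answer).strip()) == OPS[op](WORDS[a], WORDS[b])
    except (ValueError, KeyError):
        return False

def tag_subject(token: str, answer, subject: str) -> str:
    """Soft fail as described in the post: still deliver, but mark suspects."""
    return subject if check_answer(token, answer) else f"[suspect] {subject}"
```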


We just got hit with another round of spam on multiple forms. In this case, it does feel like straight spam, but aside from requiring login, which can be a turn off for real people, we don't have any options to control this. I would really like to see a verification step available on these forms to be able to manage this. (Even this platform has a place to enter letters from an image!)

We've started having the same issue today too, and we haven't found a way to stop it. If someone can give us a better verification system, that would be awesome.

The spammers are attacking a number of minor exploits in the TownNews bloxCMS codebase. In conjunction with an html exploit it turns our bloxCMS sites into the spammers publishing site.

The best thing to do for now is to remove the file attachment widget from any of your bloxCMS hosted forms.

Also review any of the form submissions that accepted file attachments in the past and, if the attachments are not important, mark the form submission as deleted. According to customer support, while form submissions are never deleted from the system, the file attachment on the form submission should hard delete after 7 days.

Please note that, while you mark those form submissions with file attachments as deleted, they may still be available to anyone on the internet and searched by the major search engines.

And now the inevitable "your site has been hacked" emails are starting to flow in.

I've added the highlighting

So just to clarify, this is happening due to allowing users to upload attachments? I hope this gets resolved for you. A few years back our calendar system was hacked, allowing them to create accounts. It was never resolved. In my case I believe it was due to the fact that TownNews was setting up their partnership with the Evvnt calendar system. So we had the option to keep using the TownNews calendar system, and hope it doesn't keep getting hacked, which it would, or switch to Evvnt. Obviously we switched. The negative effects of that were 1) we no longer make money on our calendar submissions (we of course could break even maybe if we paid more) and 2) all of those hackers' accounts counted as user accounts for our weekly newsletter, which in turn raised our rates due to the "false" number of users. So I suggest if they are getting in as users, you may want to look into that to save you from paying more for the fake users.

Hi Randy!

Yes.

Allowing any file attachments on any form submission.

From what I can tell it's affecting a number of TownNews bloxCMS hosted web sites. Half of one of TownNews' major clients' newspaper websites are affected.

It is why form spammers are testing TownNews hosted sites looking for that file attachment widget. (I am not a TownNews employee.)

The shame is a simple DISALLOW in the robots.txt file would stop the symptom - eventually stopping the cause.

The second shame being that form submissions marked as deleted continue to serve their file attachment(s) to the internet at large.

A "shadow file storage system" is useless if the internet can't search for it.

Thank you Rick. Luckily we don't use that feature so we're in the clear. I hope it gets fixed for you soon and I also hope that the "fix" doesn't involve another 3rd-party site hosting these files. If so, that's not good at all.

Yay!!!

Will removing the file link from the form submission receipt stop Google and other search engines from indexing it?

Thank you, Joe, for the update. I just removed our upload fields on forms until the fix goes out.

+1

By the way if you want to check your site it is a simple process.

I recommend using a web browser you don't normally use and ensure that there are no saved credentials in it. Disable Roboforms if you have it.

Or use an incognito tab in a web browser.

Open Google in that web browser or incognito tab.

We are going to perform a site specific search

In the search box type in

site:https://www.collegian.psu.edu/content/tncms/assets/v3/form/

it begins with "site:"

Replace our domain name with yours.

You may need to use http or https - depends on how your site is configured

You may not need to use the www. - depends on how your site is configured

Press the enter key and see what comes up.

The part of the URL "/content/tncms/assets/v3/form/" appears to be where all file attachments of all form submissions are stored, as far as Google search is concerned.

I've seen v4 on some sites. They may be Total CMS members, but I don't know.

Should any results come up, hover your mouse over the link and you will see that they typically end with something like:

  • .upload_file-html.html
  • .upload_file-pdf.pdf

The html files are particularly 'nasty.' They contain a specially crafted image tag to take your visitor to some other site using an html exploit.
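A small triage helper for the check above, as an added example (not the poster's code and not a TownNews tool). It sorts a list of URLs copied from the site: search results into form attachments, singling out the .upload_file-html.html ones, and verifies whether a robots.txt actually disallows the attachment path for all crawlers, as suggested earlier in the thread. The example.test domain and the sample URLs are constructed; treating the v4 path the same as v3 is an assumption.

```python
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

# Added example, not TownNews code. The v3 path is the one quoted in the thread;
# v4 is included on the assumption that it follows the same layout.
FORM_ASSET_PATHS = ("/content/tncms/assets/v3/form/",
                    "/content/tncms/assets/v4/form/")
HTML_SUFFIX = ".upload_file-html.html"

def classify_urls(urls):
    """Keep only URLs under the form-attachment path, labelling the HTML ones
    (the 'nasty' redirect pages) separately from other attachments."""
    hits = []
    for url in urls:
        path = urlsplit(url).path
        if path.startswith(FORM_ASSET_PATHS):
            kind = "attachment-html" if path.endswith(HTML_SUFFIX) else "attachment"
            hits.append((url, kind))
    return hits

def robots_blocks_form_assets(robots_txt, origin="https://www.example.test"):
    """True only if robots.txt denies every crawler ('*') both attachment paths."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return all(not rp.can_fetch("*", origin + p + "sample.pdf")
               for p in FORM_ASSET_PATHS)

# Constructed inputs standing in for copied search results and a site's robots.txt.
SAMPLE_URLS = [
    "https://www.example.test/content/tncms/assets/v3/form/a1b2.upload_file-html.html",
    "https://www.example.test/content/tncms/assets/v3/form/c3d4.upload_file-pdf.pdf",
    "https://www.example.test/news/local/some-story.html",
]
ROBOTS_BEFORE = "User-agent: *\nDisallow: /admin/\n"
ROBOTS_AFTER = ROBOTS_BEFORE + "".join(f"Disallow: {p}\n" for p in FORM_ASSET_PATHS)

if __name__ == "__main__":
    for url, kind in classify_urls(SAMPLE_URLS):
        print(kind, url)
    print("before:", robots_blocks_form_assets(ROBOTS_BEFORE))   # False
    print("after:", robots_blocks_form_assets(ROBOTS_AFTER))     # True
```

A Disallow rule only asks crawlers to stop indexing; as noted earlier in the thread, the attachments themselves stay reachable until they are actually removed.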

Well, this explains why our readers have not been able to upload photos into our contact form. This has been a very effective way of generating engagement. This is very disappointing. Will there be another way to submit photos instead of just email?

Also, I'm annoyed that we were not notified of this change. Instead, we have assumed the problem was on the readers' end.

@jesus, we have not removed the ability for you to have file uploads on forms. What we removed was the link to the uploaded file in the receipt email. Images can still be uploaded, and you can access the image in the Form Submissions application within Blox. If you have an issue with users uploading images, please submit a ticket to our CS team to have them take a look at your specific forms.

Thanks,

Joe Hansen

TownNews Director of Solutions Support