View Single Post
Old 26 Feb 2016, 01:32
edgeless edgeless is offline
Join Date: Mar 2013
Well, contrary to what I reported above, the problem wasn't resolved after all. But it is now. As it turns out, removing the mentioned code from the blog_show_entry template only had the effect of eliminating the "Email blog entry" links from blog entries. When I decided to test my fix by temporarily removing my IP filter blocking strings I was disturbed to find that the spammer was still able to commandeer the vB blog email provision to send huge amounts of spam through my forum. So I set the IP filtering again - I have been blocking the entire subnets btw. But the spammer eventually changed subnets and resumed. And he did this over and over. I would block a subnet and the spammer would in turn change the subnet he was using to send the spam messages. This happened 4 times... each of the 4 octets were entirely different every time he came back. And it was easy to tell it was the same guy because each subnet was owned by the same Internet company from the Philippines and the outgoing spam messages were identical.

Surprisingly, there seems to be little about this vB blog vulnerability on the searchable Internet (that I've found, at least). But by just looking over the blog templates, the fix seemed obvious to me. And I will tell you, I was very much hoping that what seemed might be the answer would in fact solve the problem! Thankfully it did

So here's the confirmed fix:

1. Go ahead and do that first part I posted about by editing the blog_show_entry template and removing the following code:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

2. Now edit the blog_send_to_friend template and delete its entire contents, then save your changes. <- That's the part that I considered an obvious thing to try.

3. Perform steps 1 and 2 on every style that is active on your vB forum site.

So performing the above simple steps really seems to do the trick. It entirely disables email for the blog component, including the vulnerability. I've removed all of my filter blocks for the spammer's IP ranges and everything seems quite secure now.

One thing I don't understand is how this vulnerability allows spammers to hijack a forum site's mail sending mechanism through the vB blog component. I enabled human verification and it worked fine at members level for access to the 'Email blog entry' function. But the spammer was somehow still able to send spam messages like mad through the system. It would have been nice if vB had detected this vulnerability and mitigated it when they were still focusing on vB 4.x.x. But short of that, it would have been nice if they had included an easy option to toggle off email functionality within the blog component. But they clearly did neither.

I wonder how much of this issue is affecting forum owners who may not be aware why the email BL reputation of the IP they send their mail from is diminishing. If admins don't watch for this they may not even know it's happening. I happen to be someone who closely monitors my outgoing mail, so thankfully I noticed when it hit and I began trying to find a way to resolve it.

Again, I hope this thread helps someone at some point.

Last edited by edgeless; 26 Feb 2016 at 01:40.
Reply With Quote