SOS. Nopcommerce message queue got hacked!!!

MaxM wrote:
What kind of Emails?  Contact us?

It's not really a "security breach" if the spammers are using a public page (e.g. Contact Us).

I see two general types of 'spam' that can emanate from nopCommerce:

1) Messages that are only directed to you (e.g. [email protected]), which can come from Contact Us. They are spamming you.

2) Messages that could be directed to other emails but don't really contain spam. I see those only because some of them "bounce back" as undeliverable.  An example would be a 'spammer' Registering as a new user with someone else's email address.  The other person does not see 'spam' they just see a "welcome" message from your store (although they might consider it spam ;)

New York wrote:

Thanks for your help!

The emails are of two different types: 1) template email forms and 2) spam emails (with links to phishing and other harmful sites).
I understand that with Type 1) the intention is purely spam. It’s with Type 2) however where uncertainty arises. They have managed to send emails from our send email address externally which will eventually get our domain black-listed by exchange servers.

How can we prevent this from happening apart from enabling CAPTCHA and implementing the honeypot method?

I'm not sure what you mean by "externally".  If it's external, then it's not coming from nopCommerce.  Could they have hacked your email account?  Is it just them just spoofing your email address, but it's not really coming from your email account/server?    How are you even seeing those, if they are going to someone else?  Is it as per above that you're getting 'rejections' from other mail servers?

I'm not sure what you mean by "externally".  If it's external, then it's not coming from nopCommerce.  Could they have hacked your email account?  Is it just them just spoofing your email address, but it's not really coming from your email account/server?    How are you even seeing those, if they are going to someone else?  Is it as per above that you're getting 'rejections' from other mail servers?

New York wrote:

By externally I mean outside our organisation (e.g. to [email protected]).

I see the activity (i.e. the emails being sent) in the Message Queue in the nopCommerce admin section.
I also checked the login-log of that email account (on the exchange server) and no logins have been registered for the past few weeks. The email account is not an admin account, so they couldn't have deleted the log. Spoofing isn't an option either as a) I would see this on our exchange server and b) we have taken several security measure to prevent this from happening (not mentioning these because of security reasons).

I have no clue how they can send emails from nopCommerce's backend without logging in as an admin. This is obviously a security breach on the front-end of our nopCommerce shop.

RE: "to [email protected]  ...  in the Message Queue"
That can happen when a new customer Registers.  What is the subject (template) of the message - "Welcome ..."?

RE: "... checked ...the exchange server";  "...Spoofing isn't an option either as a) I would see this on our exchange server and b)..."
I don't think you understand what "spoofing" is.

New York wrote:
No the subject of the email is arbitrary text, sometimes Cyrillic letters sometimes text like "  Stairs and fences made of spyglass, wood, metal". I don't know why I'm not making this clear enough but they can actually send emails through our shop to email addresses around the world! I see the messages in the message queue.

I'm a certified exchange server admin so I'm fairly familiar with what spoofing is and what not. You can prevent spoofing with security measures with SPF, DMARC etc.

I would appreciate some valuable feedback.

If they are putting messages in the message queue, then either they are doing it directly via SQL, or there's some hacked code / plugin in your system. Do you have custom code?   Check your plugins / dlls (what are the date/timestamps, file sizes - do they match original release?)

Maybe you can set up a trigger on the MessageQueue table to detect / log caller info - e.g.

  SET @ProcName = OBJECT_NAME(@@PROCID);
  SET @login = ORIGINAL_LOGIN();
  SET @app = APP_NAME();

See what I posted here
https://www.nopcommerce.com/boards/t/55043/make-forum-moderators-to-hidedelete-spams-from-forums-when-nop-team-is-not-around.aspx#238009

New York wrote:

Very helpful, thanks a lot for your help. Will check and let you know.

Hi Guys

I would suggest you check your Blog/News Comments and check the following:

1) Allow guests to leave comments
2) Blog comments must be approved
3) Notify about new blog comments
4) Blog comments per store

And check the same for news, and also make sure you enable captcha for both if you want to use these, as they will fill up your DB if you are not careful.