Spam email enqueued in Message Queue

9 months ago
Reference Image: https://im.ge/i/bug.jwhR4

I noticed something at my customer site that could be a possible security bug. Every so often, an email gets inserted into the email queue by a spammer (see image). The Storefront has multiple email accounts configured and the from/to address on the spam message is the email account marked Default.

How is the spammer able to insert this message in the message queue? Is it a security bug?

Note: This is a production website. All passwords are sufficiently strong. No default passwords used.
9 months ago
For "Contact Us" messages, the from/to address will be the email account marked Default. The Reply To is the customer's email.
9 months ago
New York wrote:
For "Contact Us" messages, the from/to address will be the email account marked Default. The Reply To is the customer's email.


I am aware of this. The point is that the message is not really a message generated by NopCommerce.

The text of the message indicates that it is from someone trying to sell services to my customer. Here is the text of the message:

Hello!  <customer name masked. It is addressed to the Customercare email>

Did you know that it is possible to send business proposal completely legally?
We provide a new unique way of sending business offer through contact forms. Such forms are located on many sites.
When such requests are sent, no personal data is used, and messages are sent to forms specifically designed to receive messages and appeals.
Also, messages sent through communication Forms do not get into spam because such messages are considered important.
We offer you to test our service for free. We will send up to 50,000 messages for you.
The cost of sending one million messages is 49 USD.

This message is created automatically. Please use the contact details below to contact us.

Contact us.
Telegram - @FeedbackMessages
Skype  live:contactform_18
WhatsApp - +375259112693
9 months ago
I am quite embarrassed to have just realised that the messages are sent simply by filling out the Contact Us form on the website. The Contact Us form was disabled and someone seems to have inadvertently brought it back on.

There is no security issue.
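The thread explains the shape a Contact Us submission has once it lands in the queue: from and to are both the email account marked Default, and only Reply-To carries the submitter's address. That shape is enough to triage the queue for contact-form solicitations like the one quoted above. The following Python script is an added example for this thread, not code from nopCommerce or from any of the posters; the default account address, the queue records and the messenger handles in the sample data are all constructed, and the scoring phrases are taken from the message quoted in the thread.

```python
import re
from dataclasses import dataclass

# Assumed (constructed) address of the email account marked Default in the store.
DEFAULT_ACCOUNT = "customercare@example.com"


@dataclass
class QueuedEmail:
    """One row of the message queue, reduced to the fields needed for triage."""
    id: int
    from_addr: str
    to_addr: str
    reply_to: str
    subject: str
    body: str


# Phrases characteristic of the "bulk contact-form mailing" pitch quoted in the thread.
SOLICITATION_MARKERS = (
    "contact forms",
    "communication forms",
    "messages for you",
    "cost of sending",
)

# Messenger services the pitch asks to be contacted on; each distinct one adds a point.
MESSENGER_HANDLE = re.compile(r"\b(telegram|skype|whatsapp)\b", re.IGNORECASE)


def is_contact_form_message(msg: QueuedEmail, default_account: str) -> bool:
    """Contact Us submissions are queued with from == to == the Default account."""
    account = default_account.lower()
    return msg.from_addr.lower() == account and msg.to_addr.lower() == account


def solicitation_score(body: str) -> int:
    """Count marker phrases plus distinct messenger services named in the body."""
    text = body.lower()
    score = sum(1 for marker in SOLICITATION_MARKERS if marker in text)
    score += len({handle.lower() for handle in MESSENGER_HANDLE.findall(body)})
    return score


def triage(queue, default_account: str, threshold: int = 3):
    """Return (id, reply_to, score) for contact-form messages at or above threshold.

    Only contact-form messages are scored, so store-generated mail such as order
    confirmations (sent from the Default account to a customer) is never flagged.
    """
    flagged = []
    for msg in queue:
        if not is_contact_form_message(msg, default_account):
            continue
        score = solicitation_score(msg.body)
        if score >= threshold:
            flagged.append((msg.id, msg.reply_to, score))
    return flagged


# Constructed sample queue: a genuine inquiry, a bulk-mailing pitch, and a store email.
SAMPLE_QUEUE = [
    QueuedEmail(1, DEFAULT_ACCOUNT, DEFAULT_ACCOUNT, "shopper@example.org",
                "Contact Us", "Hello, could you tell me when order 1234 will ship?"),
    QueuedEmail(2, DEFAULT_ACCOUNT, DEFAULT_ACCOUNT, "bulk-sender@example.net",
                "Contact Us",
                "Hello! Did you know that it is possible to send business proposals "
                "through contact forms? We provide a new way of sending offers through "
                "communication forms. We will send up to 50,000 messages for you. "
                "The cost of sending one million messages is 49 USD. "
                "Telegram - @constructed_handle  Skype live:constructed_contact  "
                "WhatsApp - +000000000000"),
    QueuedEmail(3, DEFAULT_ACCOUNT, "shopper@example.org", "",
                "Order confirmation", "Thank you for your order 1234."),
]


if __name__ == "__main__":
    for msg_id, reply_to, score in triage(SAMPLE_QUEUE, DEFAULT_ACCOUNT):
        print(f"queue id {msg_id}: reply-to {reply_to}, solicitation score {score}")
```

On the sample queue only message 2 is flagged; message 1 is a contact-form submission that scores zero, and message 3 is skipped before scoring because it is store-generated mail rather than a contact-form submission. The Reply-To address is reported because it is the only field on a queued contact-form message that identifies the submitter.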