Posted on

WordPress Locator Improves Email Link Security


Store Locator Plus version 4.2.27 has been released with a focus on improved email link security.

Upgrade To SLP 4.2.27 Now – Prevent Spam

The current release of Store Locator Plus removes the send-email script from the product due to security concerns. If you are running any version of Store Locator Plus between version 2.1 and version 4.2.26 you are potentially allowing spammers to use your Store Locator Plus installation to send spam through your server. A script that takes advantage of a loophole in the WordPress nonce controls has been forwarded to CSA by a security expert; it provides an example of how a third party can grab the nonce and leverage it to send email through the send-email.php script to/from any email address they choose. This script is published online though it has not yet been announced to the general public. SLP 4.2.27 removes this vulnerability completely from the base plugin AND prevents a similar hacking methodology from being employed when using the new Enhanced Results popup email form that is coming out this week.

If you are using a version of the popup email forms from older versions of the Pro Pack, the email forms will no longer function due to the closure of this security vulnerability.    The new Enhanced Results popup email form provides more form control options, is a modal JavaScript dialogue box, and protects the email addresses of your location contacts from being exposed on the locator interface.

Other Notable Updates

In past releases of the base plugin, any locations that included a contact email address would display the address as a basic mailto: hyperlink in the map results, with the email address rendered in plain text. Sites that displayed location results by default, which is the preferred setting on most locator websites, were prone to page scrapers that could collect these email addresses.

Store Locator Plus version 4.2.27 has replaced the plain text email address output with the word “email” that is linked to the email address.   The label that is used can be changed via the User Experience / Results tab to be any text the site administrator chooses.    Not the most secure way to prevent page scraping but an improvement.  However, the 4.2.27 release also lays the foundation for the imminent Enhanced Results update.    The forthcoming Enhanced Results update provides several email link rendering options including a way to revert to the legacy “show the email address in the results” option (how version 4.2.26 and earlier worked) as well as a completely revamped popup email form that eliminates some additional security issues that were present in the prior iteration of the popup email system that has been in place for the past 3 years.

In addition, Store Locator Plus 4.2.27 removed the hard-coded JavaScript email form which reduces the browser memory consumption for site visitors that used the store locator.   The new form implementation allows for more control and better interface designs in the future without having to modify inline JavaScript files.    New forms can be augmented via standard WordPress filters in PHP.

Other updates to Store Locator Plus 4.2.27 include further refinements to the add-on framework with embedded methodologies for deploying custom locator-specific JavaScript from within add-ons, better user interface controls, more WPML integration elements for multi-lingual support, AJAX framework updates, and more hooks and filters that allow the add-on packs to do more through the base plugin with less memory consumption and simpler code design.

Look for more updates to the add-on packs as they leverage the new add-on framework improvements.    If you are a Premier Subscriber you can also expect to see several new add-on packs in 2015.

Store Locator Plus Changelog


AWS gMail Relay Setup


After moving to a new AWS server I discovered that my mail configuration files were not configured as part of my backup service on my old server. In addition, my new server is using sendmail instead of postfix for mail services. That meant re-learning and re-discovering how to set up mail relay through gmail.

Why Relay?

Cloud servers tend to be blacklisted. Sure enough, my IP address on the new server is on the Spamhaus PBL list. Amazon allows for elastic IP addresses (a quasi-permanent IP address that acts like a static IP) which can be added to the whitelist on the Spamhaus PBL, but that is not the best option. Servers change, especially in the cloud. I find the best option is to route email through a trusted email service. I use Google Business Apps email accounts and have one set up just for this purpose. Now to configure sendmail to re-route all outbound mail from my server to my gmail account.

Configuring Amazon Linux

Here are my cheat-sheet notes about getting an Amazon Linux (RHEL flavor of Linux) box to use the default sendmail to push content through gmail.

Install packages needed.

# sudo su -
# yum install cyrus-sasl ca-certificates sendmail make

Create your certificates

This is needed for the TLS authentication.

# cd /etc/pki/tls/certs
# make sendmail.pem
# cd /etc/mail
# mkdir certs
# chmod 700 certs
# cd certs
# cp /etc/pki/tls/certs/ca-bundle.crt /etc/mail/certs/ca-bundle.crt
# cp /etc/pki/tls/certs/sendmail.pem /etc/mail/certs/sendmail.pem

Setup your authinfo file

The AuthInfo entries start with the relay server host name and port.

U = the AWS server user that will be the source of the email.

I = your gmail user name, if using business apps it is likely @yourdomain.com not @gmail.com

P = your gmail email password

M = the method of authentication, PLAIN will suffice

# cd /etc/mail
# vim gmail-auth

AuthInfo:smtp-relay.gmail.com "U:ec2-user" "I:your-gmail-addy@gmail.com" "P:yourpassword" "M:PLAIN"
AuthInfo:smtp-relay.gmail.com "U:apache" "I:your-gmail-addy@gmail.com" "P:yourpassword" "M:PLAIN"
AuthInfo:smtp-relay.gmail.com:587 "U:ec2-user" "I:your-gmail-addy@gmail.com" "P:yourpassword" "M:PLAIN"
AuthInfo:smtp-relay.gmail.com:587 "U:apache" "I:your-gmail-addy@gmail.com" "P:yourpassword" "M:PLAIN"

# chmod 600 gmail-auth
# makemap -r hash gmail-auth < gmail-auth

Configure Sendmail

Edit the sendmail.mc file and run make to turn it into a sendmail.cf configuration file. Look for each of the entries noted in the sendmail.mc comments. Uncomment the entries and/or change them as noted. A couple of new lines will need to be added to the sendmail.mc file. I add the new lines just before the MAILER(smtp)dnl line at the end of the file.

Most of these exist throughout the file and are commented out.   I uncommented the lines and modified them as needed so they appear near the comment blocks that explain what is going on:

# vim /etc/mail/sendmail.mc
define(`SMART_HOST', `smtp-relay.gmail.com')dnl
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.pem')dnl

Add these lines to the end of sendmail.mc just above the first MAILER()dnl entries:

define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
FEATURE(`authinfo',`hash -o /etc/mail/gmail-auth.db')dnl

If you are using business apps you may need these settings to make the email come from your domain and to pass authentication based on your Gmail relay settings.    These are also in sendmail.mc:

MASQUERADE_AS(`charlestonsw.com')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(charlestonsw.com)dnl

Build the sendmail.cf configuration from sendmail.mc and restart sendmail:

# cd /etc/mail
# make
# service sendmail restart
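Before running make and restarting, it is worth checking the two files the steps above produce, since a missing `p` in confAUTH_OPTIONS or a world-readable authinfo file quietly weakens the whole setup. The script below is an added example, not part of the original post or of sendmail itself: it reads a sendmail.mc and an authinfo file given as arguments and reports the problems it finds. The function names, the constructed sample files and the stand-in password are all this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a sendmail.mc and
# authinfo pair for the gmail relay setup described above, before running make
# and restarting sendmail. Paths are arguments and nothing touches a live
# sendmail, so this runs on any machine.

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when fixed string $2 appears on a line of $1 that is not dnl-commented.
mc_has() {
  grep -F -- "$2" "$1" | grep -qv '^[[:space:]]*dnl'
}

# check_relay_config SENDMAIL_MC AUTHINFO_FILE
# Prints one line per problem found; the return value is the problem count.
check_relay_config() {
  mc=$1; auth=$2; problems=0
  fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

  mc_has "$mc" "define(\`SMART_HOST', \`smtp-relay.gmail.com')" \
    || fail "SMART_HOST is not smtp-relay.gmail.com"
  mc_has "$mc" "FEATURE(\`authinfo'" \
    || fail "FEATURE(authinfo) missing, sendmail will never present credentials"
  mc_has "$mc" "define(\`RELAY_MAILER_ARGS', \`TCP \$h 587')" \
    || fail "RELAY_MAILER_ARGS does not use submission port 587"
  mc_has "$mc" "define(\`ESMTP_MAILER_ARGS', \`TCP \$h 587')" \
    || fail "ESMTP_MAILER_ARGS does not use submission port 587"
  # The 'p' flag forbids PLAIN/LOGIN unless the session is already encrypted,
  # so the gmail password never crosses the wire in the clear.
  mc_has "$mc" "define(\`confAUTH_OPTIONS', \`A p')" \
    || fail "confAUTH_OPTIONS lacks 'p' (plaintext auth allowed without TLS)"
  mc_has "$mc" "define(\`confCACERT_PATH'" \
    || fail "confCACERT_PATH not set, the relay's certificate cannot be verified"

  [ "$(file_mode "$auth")" = "600" ] \
    || fail "$auth is mode $(file_mode "$auth"), expected 600 (it holds a password)"
  grep -q '"P:yourpassword"' "$auth" \
    && fail "$auth still contains the placeholder password"
  grep -q '^AuthInfo:smtp-relay.gmail.com:587 ' "$auth" \
    || fail "$auth has no AuthInfo entry for smtp-relay.gmail.com:587"

  echo "$problems problem(s) in $mc / $auth"
  return "$problems"
}

# Write a constructed, correct sendmail.mc and authinfo file into DIR
# (the password is a stand-in, not a real credential).
write_sample_relay_config() {
  cat > "$1/sendmail.mc" <<'EOF'
define(`SMART_HOST', `smtp-relay.gmail.com')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
FEATURE(`authinfo',`hash -o /etc/mail/gmail-auth.db')dnl
MAILER(smtp)dnl
EOF
  echo 'AuthInfo:smtp-relay.gmail.com:587 "U:ec2-user" "I:relay@example.com" "P:stand-in-secret" "M:PLAIN"' \
    > "$1/gmail-auth"
  chmod 600 "$1/gmail-auth"
}

# Stand-alone run: the correct pair reports 0 problems, then the same pair
# with a world-readable authinfo reports 1.
demo=$(mktemp -d)
write_sample_relay_config "$demo"
check_relay_config "$demo/sendmail.mc" "$demo/gmail-auth" || true
chmod 644 "$demo/gmail-auth"
check_relay_config "$demo/sendmail.mc" "$demo/gmail-auth" || true
rm -rf "$demo"
```

On a real box run `check_relay_config /etc/mail/sendmail.mc /etc/mail/gmail-auth` as root; a non-zero return is the number of problems, so it drops straight into a deploy script's `|| exit` chain.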

Configure Gmail Services

This is for Business Apps users: you need to turn on relay.

Go to “manage this domain” for your business apps account.

Go to “Google Apps”.

Click on “Gmail”.

Click “advanced settings”.

Find the “SMTP relay service” entry.    Add a  new entry.

“Only addresses in my domain”, “Require SMTP authentication” and “Require TLS encryption” all need to be selected.

Give it a name.

Save.

Save again.


Website Email Issues at CharlestonSW.com


I’ve been getting a lot of reports from users that are not getting their email notifications when resetting a password. Or they never get their license key email. Or forum notifications. Not everyone has this problem, but enough users that I decided to take a break from coding Store Locator Plus 4.0 and figure out what was going on.

Spamhaus PBL

Turns out Spamhaus PBL was the culprit. While some site administrators may be familiar with spam block lists (or blacklists), the lesser known sibling can be just as much of an issue. Unlike the spam block list (SBL), the policy block list (PBL) lists millions of IP addresses as potential sources of spam. Unless you are a large company with a static IP block that is known to be well controlled there is a good chance your IP address is on the PBL. Especially if you are using shared hosting or virtual hosting.

It turns out the IP address for the charlestonsw.com web server is on the PBL. In fact the ENTIRE set of Microsoft Azure services is on the PBL. The general consensus is that the IP addresses are far too dynamic and cloud hosting is a prime breeding ground for the festering wound of the Internet known as spam houses.

Being on the PBL is not an indication that a site is in any way related to spam or that the server on which it resides may host a spamming company. It simply means that the propensity for spam to originate from some server within the IP block is high, mostly because the IP address may be shared at some future date with other companies that are spam houses.

Many companies have expanded their email black list services beyond the typical “block any site/server on the SBL” to “block any site on ANY block list, or *BL” including the PBL. This is a good policy for strict email controls over spam, but it certainly drops a lot of “good email” originating from cloud hosted sites and services. Like Charleston Software Associates.
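The quickest way to confirm the PBL diagnosis above is to query Spamhaus ZEN for the server's address. The script below is an added example and not part of the original post: it builds the reversed-octet query name, decodes the answer address into the list it stands for (going a little beyond the post by covering SBL and XBL hits as well as PBL), and wraps the live lookup in dig. The function names are this example's own; the return-code meanings are Spamhaus's published values.

```shell
#!/bin/sh
# Added example (not from the original post): check whether an IPv4 address is
# listed by Spamhaus ZEN and name the list (SBL, XBL, PBL) that matched, which
# is the check behind "my IP is on the PBL" above. Only dnsbl_check needs dig
# and network access; name building and answer decoding work on plain strings.

# Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org
dnsbl_query_name() {
  echo "$1" | awk -F. -v zone="${2:-zen.spamhaus.org}" \
    '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Map one ZEN answer address to the list it stands for (Spamhaus return codes:
# .2 SBL, .3 CSS, .4-.7 XBL, .10-.11 PBL; 127.255.255.x are query errors).
spamhaus_code_to_list() {
  case $1 in
    127.0.0.2)                                echo SBL ;;
    127.0.0.3)                                echo CSS ;;
    127.0.0.4|127.0.0.5|127.0.0.6|127.0.0.7)  echo XBL ;;
    127.0.0.10|127.0.0.11)                    echo PBL ;;
    127.255.255.*)                            echo "QUERY-ERROR($1)" ;;
    *)                                        echo "UNKNOWN($1)" ;;
  esac
}

# Decode the A records for a query name (one address per line, empty when the
# address is not listed) into a comma-separated, de-duplicated list of hits.
decode_dnsbl_answer() {
  if [ -z "$1" ]; then
    echo "not listed"
    return 0
  fi
  echo "$1" | while read -r code; do
    [ -n "$code" ] && spamhaus_code_to_list "$code"
  done | sort -u | paste -sd, -
}

# Live lookup (needs dig and network access): dnsbl_check 198.51.100.7
dnsbl_check() {
  decode_dnsbl_answer "$(dig +short A "$(dnsbl_query_name "$1")")"
}

# Stand-alone run on constructed answers, no network needed.
echo "query name:   $(dnsbl_query_name 192.0.2.10)"
echo "PBL only:     $(decode_dnsbl_answer '127.0.0.11')"
echo "PBL and SBL:  $(decode_dnsbl_answer "$(printf '127.0.0.2\n127.0.0.11\n')")"
echo "clean:        $(decode_dnsbl_answer '')"
```

A PBL-only hit is exactly the "good neighbour on a dynamic block" case the post describes; an SBL or XBL hit means something on or behind that address has actually been caught sending, which needs a different response than whitelisting.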

User Side Fixes

If you are not getting email from charlestonsw.com you should add the server www.charlestonsw.com and charlestonsw.com to your email whitelist. You can also add info at charlestonsw period com if you have an email-specific whitelist. However there are emails coming from the web system that are not reading the info at charlestonsw period com header and may originate from other sources.

Business Side Fixes

What I am working on from the server side is getting the web server to push email out through a specific Google Apps web mail account. This required setting up a specific email account at Google Apps, enabling the account for relay, configuring the mail server to connect securely to the Google account and push email messages out on that server.

This is required because the Windows Azure cloud hosting does not support static IP addresses. While the IP address is persistent it can change. As such the Charleston Software Associates server cannot be put on the PBL “good neighbors” list. This requires more work, more expense, and more drastic measures. This is one more feather in the Amazon Web Services (AWS) cloud hosting cap. AWS still proves to be far ahead of the competition when it comes to the cloud hosting space. When it is time for an upgrade the CSA services will be moved to Amazon.

Maybe after the Store Locator Plus 4.0 release is done.


Yahoo Supports Spammers? Sad but true…

Back in the day when Yahoo was still a teenager, that is about 5 years ago in Internet time, Yahoo! used to provide simple ways to report abuse from their user base. Getting spammed like crazy from “ijustsendspam@yahoo.com”? Go to the Yahoo Abuse site and you were quickly directed to a form to report the incident along with any evidence.  Within a few weeks the user would be gone.

That was then. We are in a different era now. Yahoo is now a crusty old man, and a feeble pissed-off one at that. The younger, stronger Google has come in and taken over their executive seat on the board and put them on the path to retirement where they are destined to circle the buyout waters on the cruise ship of indifference.

Today when you get spammed, receive death threats, get 300 notices every hour posted to your blog or online forum to buy enough V1Agra, C1Al1s, or other meds at the senior citizen’s online discount center (probably hosted at Yahoo) you can start the same “report abuse” process.  However, today the old senile Yahoo simply runs you through a few questions to pretend they give a damn and give you canned web knowledgebase response that says “Click the report spam button on your browser”.   Very useful crusty ol’ Yahoo, very useful indeed.

So now there are thousands of spammers that not only sign up for new Yahoo! accounts every day, but THEY NEVER GET BANNED. It is nearly impossible to report any form of abuse and Yahoo obviously doesn’t care.

The only trick I found to even send a message to Yahoo is to report abuse from a Deceased User, answer the right follow-on questions in the right way, and fill out a 13-part form to prove to Yahoo! that you are not trying to spam them or create false posts, obviously worried that their own “IAMGoingToSpamTheShitOutOfYou@yahoo.com” user might use these forms to spam them to death.

Have you found an easier way to report abuse or spam by a Yahoo user? Let us know. In the meantime please feel free to email lq512@yahoo.com and send back some spam and abusive emails his way for sharing his spamming efforts with us.



Diagnosing “savemail: cannot save rejected email anywhere”

We recently ran into this message on one of our development servers.   There are a number of reasons this may happen and finding the right solution means finding the cause of the error.  These steps will help you isolate the cause of the error so you can start tracking down the proper solution.  In our case an errant application was not sending the from: field in the mail header thus causing the message to fail the basic mail format checks.

Checking Aliases

First make sure you have the following entries in /etc/aliases:

# Basic system aliases -- these MUST be present
MAILER-DAEMON:    postmaster
postmaster:    root

If these entries are present, try running these commands:

# sendmail -bv MAILER-DAEMON
# sendmail -bv postmaster

It should come back immediately with a message like the one below:

postmaster@cybersprocket.com... deliverable: mailer relay, host [127.0.0.1], user postmaster@cybersprocket.com

If it does not, rebuild the aliases database by running the newaliases command:

# newaliases

Forcing A Resend With Logging

Failed messages remain in the mail queue directory for examination by the system administrator. Sendmail renames the header of the queued message from qf* to Qf*, making it easy to identify these messages in your mail queue.  You can easily list the failed messages with the following mailq command:

# mailq -qL

To diagnose, locate the offending message ID in the log (/var/log/maillog) or by using the mailq -qL command.

Rename the matching Qf<message_id> file to qf<message_id>, and execute the following command:

sendmail -v -qI<message_id> -d11

The Problem Revealed

You should now have a detailed log file indicating what the source of the problem was.  In our case we see the From: line in the mail header is blank:

>>> MAIL From:<>
501 Syntax error in arguments
Data format error
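The requeue step and the transcript reading above are easy to script. The following is an added example, not part of the original post or of sendmail: it lists the Qf* envelopes in a queue directory, renames the chosen one back to qf so sendmail will retry it, prints (rather than runs) the single-message verbose command, and scans a saved `sendmail -v` transcript for any client command the server answered with a 5xx code, which on this page is the empty `MAIL From:<>`. Function names, the constructed queue files and the sample transcript are all this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the Qf -> qf requeue
# step and for reading the transcript that sendmail -v prints. The queue
# directory and transcript are arguments; the sendmail command is printed,
# not run, so the script works on a machine with no mail system.

# Print the message IDs of failed envelopes (Qf* files) in a queue directory.
failed_queue_ids() {
  for f in "$1"/Qf*; do
    [ -e "$f" ] || continue
    echo "${f##*/Qf}"
  done
}

# Rename Qf<id> back to qf<id> so sendmail will pick it up again, then print
# the single-message verbose delivery command to run next.
requeue_failed() {
  qdir=$1; id=$2
  if [ ! -e "$qdir/Qf$id" ]; then
    echo "no failed envelope Qf$id in $qdir" >&2
    return 1
  fi
  mv "$qdir/Qf$id" "$qdir/qf$id" || return 1
  echo "sendmail -v -qI$id -d11"
}

# Read a sendmail -v transcript and report every client command (">>> ...")
# that the server answered with a 5xx permanent failure.
rejected_commands() {
  awk '
    /^>>> /                         { cmd = substr($0, 5); next }
    /^5[0-9][0-9][ -]/ && cmd != "" { print cmd " -> " $0; cmd = "" }
  ' "$1"
}

# Constructed sample queue: one failed envelope plus one healthy one.
make_sample_queue() {
  mkdir -p "$1"
  : > "$1/QfCONSTRUCTED01"; : > "$1/dfCONSTRUCTED01"
  : > "$1/qfCONSTRUCTED02"; : > "$1/dfCONSTRUCTED02"
}

# Constructed transcript with the empty envelope sender from the post.
make_sample_transcript() {
  printf '%s\n' '>>> MAIL From:<>' '501 Syntax error in arguments' 'Data format error' > "$1"
}

# Stand-alone run.
q=$(mktemp -d); t=$(mktemp)
make_sample_queue "$q"; make_sample_transcript "$t"
echo "failed: $(failed_queue_ids "$q")"
requeue_failed "$q" CONSTRUCTED01
rejected_commands "$t"
rm -rf "$q" "$t"
```

On a live system point the functions at the real queue directory (`/var/spool/mqueue` on most sendmail installs) and redirect the verbose run into a file, then feed that file to `rejected_commands` to get straight to the rejected command without reading the whole transcript.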

Hope that helps. Good luck!


Google Spam Filter FAIL

My favorite tech company has fallen off their pedestal and their new-found ego is going to give them a big ugly black eye.   The tech community is quickly becoming disenchanted with the ways of Google, thanks in a big way to the ultimate FAIL of the Google Spam Filter.    It turns out that Google decided the previously intelligent spam filter was not intelligent enough.   Obviously they decided that it needed to think more like a human.  And by more human-like we mean MAKING MISTAKES.  And big ones at that.

We started to realize about 3 weeks back (Last week of April, 2011) that some client emails were not showing up.   We assumed it was just an errant send from the other end.  You know, HUMAN ERROR.  Well it turns out that we had become so accustomed to Google’s spam filter being nearly flawless that we never thought to even check our spam folder.

Well we should have.  There was not only the missing client emails in the spam folder, but dozens… literally dozens… of other legitimate emails in there.  Sales leads.  Customers trying to contact us, and a LOT of customers complaining about not getting their product license.    Hmmm…  that’s odd.   We normally get one complaint/month about a license not going out.  A robot sends those out for us automatically when someone purchases a product.    But for some reason a half-dozen clients in less than a week did not get their license.

Then a client complained we never gave them a project update. We did. We sent MANY updates. They were PISSED. I resent the message. They didn’t get them. Then the lightbulb went off… “did you check your spam folder?”. Turns out the client is using gmail and YES, ALL of our messages are in their spam folder. That was odd. We are on their contact list & they are on ours. Yet Google spammed us.

Then we went and looked at all the complaints about not getting a license.  Guess what?  ALL gmail people. Every one.    Then we noticed that any of our employees, customers, or clients that use gmail were not only getting legitimate messages put in the spam folder but that blatant spam was getting into their inbox much more frequently than before.

We are pretty damn certain that Google changed the spam filter across the board. Luckily we have a paid Google mail account so we have support. Or so we thought. It turns out our contact refuses to admit they changed anything. He has not said that they did NOT change anything, but after more than a week of back-and-forth he has pointed the finger at us EVERY TIME. We have literally had to change or explain over a half-dozen settings, like why our MX records are on our server, the fact that the spam filter is turned off on our server, the fact that our gmail account allows for relay and incoming email from our email server IP. Every time we tell him “GOOGLE CHANGED THE SPAM FORMULA” we get another “did you check <blah>” answer.

Obviously Google didn’t do anything wrong.  There is no way they changed the formula, right?

Well HUNDREDS of posts on the Internet are creating a buzz that says otherwise.  Maybe we are wrong, but something smells of Google having just opened a can of rotten spam and they are going to have a bitch of a time getting that one back in the can.

Follow The Story Online

Twitter #GMAILFAIL

Google Spam Filter