Weird comments/emails


firequall
09-10-2005, 01:30 AM
Today I checked my email and was alerted to a few comments posted on my photoblog. When I read through them, they didn't seem to make sense. I'm not sure if it's a bug or not but I have no clue what's going on. Here's what was sent to me:

PIXELPOST <firequall@gmail.com> Fri, Sep 9, 2005 at 5:09 AM
To: admin <firequall@gmail.com>
Hello,
A new comment has been made on your photoblog.

http://www.digitallycaptured.net/?showimage=wwh@digitallycaptured.net


The Comment is:
----------------------------------------------------------------------
wwh@digitallycaptured.net Content-Type: multipart/mixed; boundary="===============0805506944==" MIME-Version: 1.0 Subject: c9dd612b To: wwh@digitallycaptured.net bcc: jrubin3546@aol.com From: wwh@digitallycaptured.net This is a multi-part message in MIME format. --===============0805506944== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit kkoh --===============0805506944==--
by wwh@digitallycaptured.net -
----------------------------------------------------------------------
Powered by Pixelpost
PIXELPOST <firequall@gmail.com> Fri, Sep 9, 2005 at 5:09 AM
To: admin <firequall@gmail.com>
Hello,
A new comment has been made on your photoblog.

http://www.digitallycaptured.net/?showimage=qzieso@digitallycaptured.net


The Comment is:
----------------------------------------------------------------------
qzieso@digitallycaptured.net
by qzieso@digitallycaptured.net -
----------------------------------------------------------------------
Powered by Pixelpost
PIXELPOST <firequall@gmail.com> Fri, Sep 9, 2005 at 5:09 AM
To: admin <firequall@gmail.com>
Hello,
A new comment has been made on your photoblog.

http://www.digitallycaptured.net/?showimage=cntsisg@digitallycaptured.net Content-Type: multipart/mixed; boundary=\"===============1288719966==\" MIME-Version: 1.0 Subject: 3b2f9248 To: cntsisg@digitallycaptured.net bcc: jrubin3546@aol.com From: cntsisg@digitallycaptured.net This is a multi-part message in MIME format. --===============1288719966== Content-Type: text/plain; charset=\"us-ascii\" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit xfntlecrn --===============1288719966==--


The Comment is:
----------------------------------------------------------------------
cntsisg@digitallycaptured.net
by cntsisg@digitallycaptured.net -
----------------------------------------------------------------------
Powered by Pixelpost
PIXELPOST <firequall@gmail.com> Fri, Sep 9, 2005 at 5:09 AM
To: admin <firequall@gmail.com>
Hello,
A new comment has been made on your photoblog.

http://www.digitallycaptured.net/?showimage=ttivkpxddr@digitallycaptured.net


The Comment is:
----------------------------------------------------------------------
ttivkpxddr@digitallycaptured.net
by ttivkpxddr@digitallycaptured.net Content-Type: multipart/mixed; boundary=\\\"===============1065123195==\\\" MIME-Version: 1.0 Subject: 6f7bc6e1 To: ttivkpxddr@digitallycaptured.net bcc: jrubin3546@aol.com From: ttivkpxddr@digitallycaptured.net This is a multi-part message in MIME format. --===============1065123195== Content-Type: text/plain; charset=\\\"us-ascii\\\" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit udiedmwxu --===============1065123195==-- -
----------------------------------------------------------------------
Powered by Pixelpost
PIXELPOST <firequall@gmail.com> Fri, Sep 9, 2005 at 5:09 AM
To: admin <firequall@gmail.com>
Hello,
A new comment has been made on your photoblog.

http://www.digitallycaptured.net/?showimage=poa@digitallycaptured.net


The Comment is:
----------------------------------------------------------------------
poa@digitallycaptured.net
by poa@digitallycaptured.net -
----------------------------------------------------------------------
Powered by Pixelpost
Any ideas on what was going on and/or what I should do? =/

raminia
09-10-2005, 04:26 AM
these are hijack attempts.
don't panic. they fail. there is no such vulnerability in PP.
if you want to kick them out add
// if showimage=badstuff or email to hijack!
if (isset($_GET['showimage']) && !is_numeric($_GET['showimage'])) {
    // show 404!
    header("HTTP/1.0 404 Not Found");
    header("Status: 404 File Not Found!");
    // header("Location: index.php");
    echo "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"><HTML><HEAD>\n<TITLE>404 Not Found</TITLE>\n</HEAD><BODY>\n<H1>Not Found</H1>\nDon't do that! go back to index.php! \n</BODY></HTML>";
    exit;
}
after the line reads
if($_GET['popup'] == "comment")
{
    $tpl = file_get_contents("templates/".$cfgrow['template']."/comment_template.html");
}
inside index.php

n0d3
09-10-2005, 01:04 PM
I've been getting these comment spam thingys in increasing frequency. It was like only 7 a go every week or so and now it's like 14 every 3 hours. I guess I have to give this a try. Thanks. :D

n0d3
09-11-2005, 07:55 AM
Hey Raminia, I've tried out your fix but I seem to be still getting the weird comment spam, I've counted 51 today. It's getting worse.

raminia
09-11-2005, 08:08 PM
houm...
I was wondering that it was going to work....
do you use comment popup comments?

-okapi-
09-11-2005, 08:27 PM
i have the same problem since two or three weeks.
up to 30 strange email notifications a day.
i don't use the popup feature.

raminia
09-11-2005, 08:35 PM
add
if (!is_numeric($parent_id))
    exit;

after the line reads
$parent_id = $_POST['parent_id'];
$message = clean($_POST['message']);
inside index.php. This will do it.

raminia
09-11-2005, 08:52 PM
add this in both instances (two similar places inside index.php!)

-okapi-
09-11-2005, 08:57 PM
unfortunately this doesn't work.
right after modifying the index i got spam again.
and there seems yet to be another issue with the email notification feature:
by testing the email functionality i find, that now i don't get any notifications at all!
don't know whether this is an effect of the hack...
i remember that in the last two weeks i only got very few notifications of real commenters. i noticed most of the comments only via the "latest comments" addon.

do you have any ideas what had happened?

Edited:
actually i get no more email notifications. btw, it's not caused by your modification. i changed the index back, same behaviour: no email.

raminia
09-11-2005, 09:04 PM
by testing the email functionality i find, that now i don't get any notifications at all!

I don't understand this statement.

btw, this is not the notification problem but this is a hijack attempt and if there was no notification you may not notice the hijack attempt.
the code I provided should do it. did you add it to both places inside index.php? what is your new weird email?

-okapi-
09-11-2005, 09:11 PM
this is the text of the last weird mail.

a new comment has been made on the following image:



http://www.a-visual-notebook.at/?showimage=ahgtqoy@a-visual-notebook.at Content-Type: multipart/mixed; boundary=\"===============2075257112==\" MIME-Version: 1.0 Subject: 5490578 To: ahgtqoy@a-visual-notebook.at bcc: jrubin3546@aol.com From: ahgtqoy@a-visual-notebook.at This is a multi-part message in MIME format. --===============2075257112== Content-Type: text/plain; charset=\"us-ascii\" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit sdfgmqdx --===============2075257112==--

the comment is:
----------------------------------------------------------------------

ahgtqoy@a-visual-notebook.at

by ahgtqoy@a-visual-notebook.at

----------------------------------------------------------------------

(email sent by pixelpost)


the sender was:

ahgtqoy@a-visual-notebook.at <ahgtqoy@a-visual-notebook.at>

now i was test-commenting some images, and there was no email notification at all.

EDITED, because i added the snippet at the wrong lines.

raminia
09-11-2005, 09:27 PM
read my recent post that was about adding new codes. it was edited!

-okapi-
09-11-2005, 09:47 PM
read my recent post that was about adding new codes. it was edited!

thank you ramin!

now it works. and thanks for your comment ;) on the latest image, now the notification did work!
as soon as there is a number in the name of the commenter, there is no email notification. i assume that this is the purpose of your code snippet?
as i have tested it with names like "tester 2", there was no notification.

n0d3
09-12-2005, 05:41 AM
Hi Raminia, I do not use popup comments either. This is what my spam looks like in my inbox: www.two-am.org/spam.jpg

Btw, do I remove the code from the first solution or do I leave it there as well?

raminia
09-12-2005, 06:26 AM
@n0d3 you can keep the last mod. it was ok

@okapi
That's nice to hear it works. It looks at the ID of the photo from the HTML page. if it is not a numeric value it will show a blank page and exit. the hacker tries to substitute the default hidden value in the form from image id to its email address. I think it is a machine that does this. it's quite silly (or very clever that I don't understand). It does not do anything but annoying. Now if it does that, PP will stop responding to it.

about notification for somebody with a number in his/her name, it shouldn't stop notifying.... are you sure?

raminia
09-12-2005, 06:29 AM
btw, could you send me the raw content of the spam notification emails?

not the HTML view that you see on your email software but the message source.

n0d3
09-12-2005, 09:17 AM
Ok, dropped you a PM. Thanks for the help!

raminia
09-12-2005, 05:46 PM
I've made a glance. no time for more investigation for now.
it seems it fills every form field blindly with its email address in hope to get something emailed to itself.


there is no such vulnerability in pp. just annoys.
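
The notifications quoted in this thread show mail header text (Content-Type, MIME-Version, bcc) submitted in every form field. The following is an added example, not part of the original posts and not Pixelpost code, of checking a comment submission before it is stored or mailed; the function name check_comment and the field names name, email and url are assumptions, while parent_id and message are the names used in the snippets above.

```php
<?php
// Added example: not Pixelpost code. parent_id and message are the field
// names quoted in the thread; name, email and url are assumed.

const HEADER_MARKERS = '/\b(content-type|mime-version|content-transfer-encoding|bcc)\s*:/i';

// Returns a list of reasons to reject the submission (empty list = accept).
function check_comment(array $post): array
{
    $errors = [];

    // The image id must be digits only. is_numeric() also accepts values
    // such as "1e3" or "-1.5", so match the whole string explicitly.
    $id = $post['parent_id'] ?? '';
    if (!is_string($id) || !preg_match('/\A[0-9]+\z/', $id)) {
        $errors[] = 'parent_id is not a plain integer';
    }

    // Single-line fields may end up in mail headers (From, Subject), so a
    // CR or LF, raw or URL-encoded, is never acceptable in them.
    foreach (['name', 'email', 'url'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || preg_match('/[\r\n]|%0[ad]/i', $value)) {
            $errors[] = "$field contains a line break";
        } elseif (preg_match(HEADER_MARKERS, $value)) {
            $errors[] = "$field contains mail header text";
        }
    }

    // The message body may span lines, but MIME header text in it is the
    // signature of the probes quoted above.
    $message = $post['message'] ?? '';
    if (!is_string($message) || preg_match(HEADER_MARKERS, $message)) {
        $errors[] = 'message contains mail header text';
    }
    return $errors;
}

// Constructed probe modelled on the notifications in this thread.
$probe = "sender@example.com\r\nContent-Type: multipart/mixed\r\nbcc: third-party@example.net";
$spam  = ['parent_id' => $probe, 'name' => $probe, 'email' => $probe, 'message' => $probe];
$good  = ['parent_id' => '42', 'name' => 'tester 2', 'email' => 'a@example.org', 'message' => "Nice shot!\nLove the light."];

print_r(check_comment($spam));
print_r(check_comment($good));
```

A commenter name containing a digit, such as "tester 2", passes this check; only the image id is required to be numeric.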

funktifeye
10-07-2005, 05:14 PM
Not sure if this is the same issue, but I've been getting a ton of notifications that simply say:

Hello,
A new comment has been made on your photoblog.

http://www.funktifeye.com/plog/?showimage=


The Comment is:
----------------------------------------------------------------------

by -
----------------------------------------------------------------------
Powered by Pixelpost