
Not long ago I came across a working method that allows an attacker to send spam on behalf of your site using the standard Joomla feedback form (contact form). This behaviour is not considered a vulnerability and is unlikely to be fixed. In this article I will explain how this became possible and what you need to do to protect your website.

Standard Joomla feedback form

Joomla has a fairly powerful and flexible component called "Contacts". It is a standard Joomla component, present on every site because it is installed together with the CMS. It lets you create and display contact categories, contacts, and feedback forms through which a visitor can write to a particular contact. A contact is, roughly speaking, a user: a person associated with the site.

I once wrote an article about how to create a feedback form on your website using only standard Joomla tools. That instruction is still relevant today: it lets you build a fully usable feedback form without installing third-party extensions. Sending spam is possible precisely when this form is used and a certain combination of circumstances occurs at the same time, which is discussed below.

Sending spam on behalf of the site using the Joomla feedback form

You will be surprised how simple the discovered method of sending spam on behalf of a site is. For it to be possible, the feedback form has to look something like this:

That is, two conditions must be met:

  1. The form is not protected from spam bots (reCAPTCHA or any other form-protection method is not enabled).
  2. In the contact settings, the option "Send a copy of the letter to the sender" is enabled. Because of it, a corresponding checkbox appears in the contact form (see the figure above).

If at least one of these conditions is not met, there is no problem. If both are met, then, as they say, watch closely:

  1. The spam bot finds the contact form. There is no anti-spam protection, so the form can be used.
  2. The spam bot determines that the site runs on Joomla and that the standard contact form is in use. Surprisingly, there are bots that do this very well.
  3. The spam bot notices the checkbox for sending a copy of the letter to the sender.
  4. The spam bot puts an address from its own spam mailing list into the Email field and fills the message field with spam. How the other fields are filled in does not matter.
  5. The spam bot submits the form and repeats the process many times, substituting ever more addresses from its database into the Email field.

What happens as a result? Joomla assumes that the form was filled out by a person who gave their real address and wants to reach a contact on the site. Since the box to send a copy of the letter is checked, two people receive mail from the site: the person whose address is associated with the contact, and the person whose address was entered in the Email field.

Thus, by substituting different addresses into the Email field, one can send thousands of messages on behalf of your site. Yes, the contact may notice this, quickly understand what is going on, and close the loophole, but there is a very high probability that this will not happen.

The consequences of such an attack for the site and the business can be extremely unpleasant, especially when a lot of money has already been invested in promoting the site. If spam is sent from your domain's address, I think there is no need to explain how its recipients will react.

How to protect against this vulnerability?

It is elementary: make sure that at least one of the two conditions described above is not met, namely.
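Alongside disabling the copy option or enabling CAPTCHA, a site owner can watch for the exact pattern described above: one source submitting the form with the copy box ticked and many different sender addresses in a short window. This is an added example, not the article's or Joomla's code; the submission records and their field names (ip, email, copy) are constructed and hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, shaped like records a Joomla site could keep at the
# contact-form submit step (hypothetical field names, not Joomla's own).
# 203.0.113.7 ticks "send a copy" with six different addresses in two
# minutes; 198.51.100.4 is one visitor resending with the same address;
# 192.0.2.9 never requests a copy, so no third party is mailed.
SAMPLE_SUBMISSIONS = [
    {"ts": "2024-05-01T10:00:00", "ip": "203.0.113.7", "email": "a1@example.net", "copy": True},
    {"ts": "2024-05-01T10:00:20", "ip": "203.0.113.7", "email": "a2@example.net", "copy": True},
    {"ts": "2024-05-01T10:00:40", "ip": "203.0.113.7", "email": "a3@example.net", "copy": True},
    {"ts": "2024-05-01T10:01:00", "ip": "203.0.113.7", "email": "a4@example.net", "copy": True},
    {"ts": "2024-05-01T10:01:20", "ip": "203.0.113.7", "email": "a5@example.net", "copy": True},
    {"ts": "2024-05-01T10:01:40", "ip": "203.0.113.7", "email": "a6@example.net", "copy": True},
    {"ts": "2024-05-01T10:02:00", "ip": "198.51.100.4", "email": "me@example.org", "copy": True},
    {"ts": "2024-05-01T10:02:30", "ip": "198.51.100.4", "email": "Me@example.org", "copy": True},
    {"ts": "2024-05-01T10:03:00", "ip": "192.0.2.9", "email": "b1@example.net", "copy": False},
    {"ts": "2024-05-01T10:03:10", "ip": "192.0.2.9", "email": "b2@example.net", "copy": False},
    {"ts": "2024-05-01T10:03:20", "ip": "192.0.2.9", "email": "b3@example.net", "copy": False},
    {"ts": "2024-05-01T10:03:30", "ip": "192.0.2.9", "email": "b4@example.net", "copy": False},
    {"ts": "2024-05-01T10:03:40", "ip": "192.0.2.9", "email": "b5@example.net", "copy": False},
]


def detect_copy_abuse(submissions, window=timedelta(minutes=5), min_distinct=5):
    """Return {ip: distinct_addresses} for sources that asked the site to mail
    a copy to at least `min_distinct` different sender addresses within one
    `window`. Only submissions with the copy box ticked count, because those
    are the ones that turn the form into an outbound relay."""
    by_ip = defaultdict(list)
    for s in submissions:
        if s["copy"]:
            by_ip[s["ip"]].append((datetime.fromisoformat(s["ts"]), s["email"].lower()))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {addr for _, addr in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, n in detect_copy_abuse(SAMPLE_SUBMISSIONS).items():
        print(f"{ip}: copy requested for {n} distinct sender addresses")
```

Counting distinct addresses rather than raw submissions keeps a legitimate visitor who resends the same message from being flagged.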

When the question of sending a telegram via Russian Post comes up, many remember queues like in Soviet times. But with the development of the computer industry and its introduction into the postal sector, it became possible to send a telegram via Russian Post online, without queues and unnecessary nerves. Now there is no need to adapt to the post office's working hours and waste time. Shipping and payment are done in whatever way is convenient for you. A telegram is a text message transmitted by telephone.

To send a telegram, you now need any device with Internet access, such as a smartphone or tablet, or a personal computer connected to the Internet. You can send from anywhere, at any time convenient for you.

To send one, go to the post office website, register, find the section with the telegram form, and fill out all the fields. Enter all the data on the recipient and sender, then the text of the message, then choose the payment method. So sending a telegram via Russian Post over the Internet is as easy as shelling pears.

After you finish writing the text, the program automatically counts the number of words and calculates the cost of the telegram on that basis. You can pay for the service by transferring money from your phone, WebMoney or Yandex.Money. If necessary, you can receive copies of the telegram, as well as notifications.

Many, having learned that such a method of sending exists, remember their past failures and the time and nerves wasted.

The question arises, if everything is so easy and simple, how much does it cost to send a telegram via Russian Post?

Tariffs for sending a telegram vary widely; it all depends on the type of telegram being sent:

  • Sending a regular, non-urgent telegram via Russian Post costs 2.8 rubles per word, and an urgent one 4.10 rubles per word;
  • Tariffs for the provision of telegrams are: for regular, non-urgent ones 13 rubles per word, for urgent ones 22 rubles;
  • Telegrams of other types, such as "outside the category" and "extraordinary", are paid at the regular non-urgent rate of 85 rubles per word;
  • Tariffs for telegrams delivered to places of residence without telegraph or telephone communication, as well as those marked "custom", are 40 rubles per word;
  • The cost of a telegraph notification of delivery is 189 rubles per word for ordinary non-urgent telegrams and 231 rubles per word for urgent ones;
  • For registering, as well as re-registering, a telegram delivery address, the subscriber pays 1,500 rubles per year;
  • The price of certified telegrams is 281 rubles;
  • Copies of telegrams issued upon application cost 84 rubles per 100 words;
  • Telegrams written in Russian and Latin script are paid at 20 rubles per word.

Telecom operators can block services to subscribers who do not confirm their personal data. Previously, there were no regulations governing how subscribers and operators exchanged requests and documents. Now there are rules that explain everything; they take effect on November 4, 2017.

And although it is now clear from the documents how to confirm identity, in practice this is either difficult or not yet possible.

Why can operators block subscribers?

They have this right under the communications law. The rule existed before: operators could block subscribers whose data in the contract did not match the actual data. There were simply no rules on how operators should request these confirmations and how subscribers should send them.

Officially, the subscriber has 15 days to confirm his data after the request.

What requests are we talking about? Who is interested in the personal data of subscribers?

So far the law deals with requests from operational and law enforcement agencies. They make requests to operators for purposes of their own, for example so that the subscriber confirms that he is the same Ivan Ivanovich Ivanov to whom the SIM card is issued.

No one knows in advance to whom such a request will be sent or why. It does not mean that the subscriber is a criminal or terrorist. The operator is obliged to respond to such a request: request the data from the subscriber and pass on the answer.

From June 1, 2018, Roskomnadzor will also be able to send such requests to telecom operators. If the agency wants to identify the real owner of a website or the author of a post on a social network, it will do so through the mobile operator.

Why is an agreement not enough?

Even if the contract contains subscriber data, the actual owner of the SIM card may be someone else. The operator will want to know who is actually calling or sending messages from this number.

And if no contract has been concluded but the SIM card is active, you will have to report who is using it. This can happen if you use an anonymous SIM card bought in the metro or at a shopping center.

Does this only apply to mobile communications?

No, landlines too. They can also disconnect a home phone. Another check concerns Internet providers' services. If the subscriber does not confirm the personal data in the contract, he will be left without the Internet, email and instant messengers.

How will subscribers receive a request from the operator?

First, the operator himself receives the request. He then has three days to request personal information from you.

Here are the ways you can do this:

The operator will send a request and wait for documents from the subscriber.

How to confirm personal data?

You need to send the operator a copy of your identity document. Moreover, this must be done not however you like, but according to the rules. Otherwise the answer will not count and service will be disconnected.

Here's how to verify your identity.

Directly from the operator. Not just any mobile phone shop will do; check with the operator where you can submit documents. You will need the original and to be present in person.

Through your personal account on the operator's website. The document must be certified with an enhanced qualified electronic signature. This signature must be obtained in advance, and it costs money.

Through government services, if you have an account there. It is not yet clear how operators will receive this document. They have not yet been integrated into the common system and cannot see documents that subscribers send through government services. Probably this issue will be resolved somehow. Until then, this method will not work.

And if you don’t send anything, what will happen then? I don't want to confirm anything.

If a request comes, you will have to confirm your identity. This is the subscriber's obligation under the new edition of the rules. And it must be done exactly in the ways described in the rules, not in any way you like. That is also an obligation.

The operator's request will state the disconnection date. Three days before that date you will be reminded again. Then access to communication services will be blocked.

My SIM card is registered to a relative. Can I send a copy of his passport in response to the request?

No. The essence of the request is for the subscriber to confirm that the contract is drawn up in the name of the person using the services. He must confirm his identity himself. A copy of the passport of your mother, ex-husband or unknown person from the Internet will not solve the problem. You cannot send someone else’s document to the operator and certify it with your signature.

All data must match: in the contract, documents, personal account, electronic signature. If something does not match, you need to re-register the contract to the actual owner.

What if I don't receive a request or can't respond in time? I might be on vacation, or I might not have an electronic signature.

The rules say nothing about this. Most likely the operator will wait as long as the law allows, and then block the services to avoid problems.

But this doesn't mean that everyone will be required to confirm their personal data, does it?

Nobody knows who, when and why they will demand it. Better prepare.

I have a corporate plan. They can't transfer my data, can they?

Soon they will be able to. On June 1, 2018, an amendment to the communications law in this regard will come into force. If the subscriber is a legal entity or individual entrepreneur, and the SIM cards are registered to employees, their personal data can be transferred without consent.

What should you do now to respond to your request on time and not be left without communication?

Check who the SIM card is registered to, as well as the agreement with your Internet provider and the home phone contract. Get your documents in order.

Register for government services. Sooner or later, telecom operators will connect to them and the system will work.

Follow notifications from the operator so you don't miss a request.

Fraudsters can take advantage of this situation to get a copy of your passport or to deceive you in some other way. Keep track of what requests you respond to and where you send documents.

  1. If you are not yet registered on our website, register. When registering, we ask you to provide accurate information about yourself.
  2. Log in to the site and go to the section.
  3. Fill out all the required fields in the sending form, select Institution, enter the text of your letter and click the “Send” button.
    The text of the letter must be in Russian.
    Together with sending a letter, you can order delivery of a response to it; to do this, check the "Order a response" checkbox in the sending form. The response delivery procedure is described below.
    In addition, you can send a blank letter (without text) for free, ordering only delivery of the response.
    The total cost of the letter is shown immediately in the sending form next to the "Send" button.
    After your letter is accepted, it is assigned a number. You can see the numbers of the letters you sent, their status and other information in the section of our website. When contacting the contact center with a question about delivery of a letter, it is advisable to give its number.
    If at the time of sending there are sufficient funds in your account to pay for the letter, its cost is immediately debited, the letter is accepted and receives the status "New", and within the next working day it is delivered to the Institution you specified.
    If there are insufficient funds in the account, the letter is also accepted but is not delivered to the Institution; instead it receives the status "Waiting for payment". In this case, you need to top up your account with an amount sufficient to pay for the letter within 7 calendar days after it was sent.
    After your payment is credited to your account, the fee for the letter awaiting payment is automatically debited and the letter is delivered to the Institution. If you have more than one letter awaiting payment, they are charged in the order in which they were sent.
    While your letter is awaiting payment, you can cancel its delivery; this can be done in the section of our website.
    If within 7 days after the letter was sent your account has not received funds sufficient to pay for it, delivery of the letter is cancelled automatically.

After delivery to the Institution, the letter is processed in the following order:

  1. Checking the letter by the censor.
    After delivery to the Institution, the letter is submitted to the censor for verification and receives the status "Hired". If the censor prohibits delivery, the status of the letter changes to "Blocked".
    Note: The institution censors letters in accordance with the legislation of the Russian Federation: Art. 91 of the Penal Code of the Russian Federation and section XII of the Rules of Penitentiary Institutions.
  2. Delivery of a letter to the addressee.
    If the letter passes the censor's check, it is handed to the addressee against signature. The delivery slip with the addressee's signature confirming receipt is scanned (entered into the computer) and appears on our website. You can see the delivery slips for your letters in the section.
    The letter is usually delivered within three, and no later than five, working days from the date of payment (weekends and holidays are not counted).
    After delivery of the letter, if you have not ordered a response, the status of the letter changes to "Delivered", and the processing of the letter is completed.
    If you ordered a response, along with your letter the addressee is given the number of response sheets you ordered, and the status of the letter changes to "The reply is in process".
    Sometimes it happens that the recipient refuses to write a response. In this case, the status of the letter will be "Refusal to answer".
  3. Delivery of a response to a letter.
    Some time after receiving the answer sheets, your addressee hands the reply he has written to an employee of the Institution.
    This reply is also censored. If the censor does not allow delivery of the reply, the status of your letter changes to "Reply blocked" and processing stops.
    If the censor's check is passed, the written reply is scanned (entered into the computer) and appears on our website, where you can read it at any time. The status of such a letter will be "Reply delivered".

Email status notifications

After processing of the sent letter is complete, an SMS message is sent to the mobile phone you specified during registration, indicating the status of the letter: for example "Delivered", "The reply is in process" (if you ordered a response), "Response delivered" (after the reply letter is delivered to you), or some other status. If processing of the letter has not yet been completed, for example when the letter has the status "Hired", no SMS notification is sent. You can find out the status of your letters at any time in the section