I rent several VPSs (from Strasmore’s ssdnodes.com) and I’ve always been impressed with the performance they provide for the price. I have one VPS that hosts my two personal websites and email, and for historical reasons it also relays email for one client’s Joomla!-based website. This past Friday I woke up to email alerts that those websites were unreachable. I soon discovered that the entire server was unreachable. I could ssh in via the host’s emergency console back channel, but there was no route from the server to the public internet. I opened a support ticket asking my VPS host to look into it.

Four and a half hours later, a staff member replied and told me they had received abuse reports of spam originating from my server so they blocked port 25 (though they actually blocked all traffic to/from my server). This was helpful and I quickly found the origin of the spam. I appreciate how promptly they respond to abuse complaints, but the way they handled it (taking my entire server offline instead of simply blocking outgoing port 25 and being rather slow to respond to my support requests) made the whole thing more painful than necessary.

The spam was coming from a contact form on a client’s website which allowed users to request a copy of the message, so spam bots were taking advantage of that to send spam (some short Chinese language message) to arbitrary email addresses.

The first thing I did was configure the webserver to return 404 for the page containing the contact form which stopped the emails. I then collected 77 unique IP addresses which continued hammering the form URL and DROP’d them at the firewall level. That seems to be the extent of the spammer’s botnet, because it completely stopped the attack. I then went about trying to configure Joomla!'s contact module to prevent it from being abused. I first disabled the option to send a confirmation email, which would at least prevent the form from being used to send backscatter spam to arbitrary addresses.

But then I decided my client would still probably receive lots of spam from the form and it would be better to disable it entirely. Unfortunately that was impossible to do in Joomla! until the very recent version 3.8.12 (!) (this was disclosed as CVE-2018-17859). Before 3.8.12 the contact module didn’t check whether any forms were visible, it would still process any requests to send email to contacts; it was fixed in 27ca70a0 by checking if the show_email_form option is set.

Anyway, my client’s site is stuck on an ancient version of Joomla! so I decided to hide the form and remove smtp access from the server so I don’t have to worry about any mail originating from that server.

I never received an explanation from the VPS provider about why my server was completely disconnected, but after politely asking for an update, after 13 hours from my first ticket (when my website had been down for around 17 hours), I got a response saying a tech is looking into it. After 18 hours they restored my server, except for outgoing port 25 (with a “Thank you for your patience”). I assured them that I had identified and removed the source of the spam and asked about having port 25 re-opened. In the mean time I also set up another smtp relay on a different VPS so I could continue sending email (this server runs my personal email).

About 26 hours after my initial ticket I had full internet access restored to my server. That was frustrating.