Leave com_contact activated (default is activated). No contacts are defined and no menu items are defined to any contact. So on the site itself there is no way to e-mail a contact using com_contact and the default Joomla contact form.
It is impossible that I receive any e-mail from com_contact and the default Joomla contact form.
Spam e-mails are received from Russian and Chinese e-mail addresses (also see: forum.joomla.org/viewtopic.php?t=958667). Spambots are able to use com_contacts to send spam e-mails even when no contacts are defined on the website.
Received several spam e-mails from com_contact on several sites from Joomla 3.5, 3.6 and 3.8.
This is almost a security issue, because a provider I use may block my website when a lot of spam is coming from my website. So, this misuse of Joomla should not be possible by default.
I get a 404
sorry I pasted the wrong link
/index.php?option=com_contact&view=categories
That link will display any categories that exist on the site together with a list of contacts. I am 99% certain that you will find that you have created contacts.
Category | ⇒ | com_contact |
Priority | Urgent | ⇒ | Medium |
Status | New | ⇒ | Discussion |
I get no error and no info then, just a display of the template of the site with a blank body.
Anyway, that is not the point I would like to make. Even if a contact exists on the site: only if I make a menu item on a Joomla website, or in any other way publish anything, should that be open.
It is wrong that someone from outside, using a spambot, can use a Joomla function (here com_contact) to generate spam with a contactform that is not actively published by me on that site.
In the link that I provided above, it states that, when no contact is defined, the default email address of the site is used by this misuse of Joomla.
So focus on the fact that spambots can use com_contact directly. That should not be possible.
In the link that I provided above, it states that, when no contact is defined, the default email address of the site is used by this misuse of Joomla.
What link? I am 99% certain that it refers to something other than the contact form.
If you email me your site access details I am happy to check and see why your contact form is enabled. (Brian at teeman dot net)
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-06-27 09:08:48 |
Closed_By | ⇒ | brianteeman |
I am closing this as not reproducible. If you provide the access requested above then I will take a look.
Same here - spam is sent from Russian IPs to mostly Russian email addresses via this sequence:
- GET /index.php?option=com_contact&view=contact&id=1
- POST /index.php?option=com_contact&view=contact&id=1
- GET /component/contact/contact/1.html HTTP/1.1
- POST /index.php?option=com_contact&view=contact&id=1
Put the site in maintenance mode but the spook goes on! Have to take the site from the net.
There are only 8 standard contacts in the contact table but nearly 10.000 self registered entries in the user table.
I got spam from the same entry point. Welcome in joomla. ;)
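Added example (not from this issue thread and not Joomla code): a small Python check over constructed Apache access-log lines that flags the request pattern described above (repeated POSTs to the com_contact contact view, walking through contact ids), so a site owner can spot the abuse in their own logs. The sample IPs, thresholds and log lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2019:10:00:01 +0000] "GET /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [01/Jul/2019:10:00:02 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "-" "Mozilla/4.0"
203.0.113.5 - - [01/Jul/2019:10:00:03 +0000] "POST /index.php?option=com_contact&view=contact&id=2 HTTP/1.1" 303 0 "-" "Mozilla/4.0"
203.0.113.5 - - [01/Jul/2019:10:00:04 +0000] "POST /index.php?option=com_contact&view=contact&id=3 HTTP/1.1" 303 0 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jul/2019:10:05:00 +0000] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 0 "https://example.test/contact" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2019:10:06:00 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"')

def parse_line(line):
    """Parse one combined-format line; returns a dict with the Joomla query parts split out."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    q = parse_qs(urlparse(d["path"]).query)
    for key in ("option", "view", "id"):
        d[key] = q.get(key, [""])[0]
    return d

def contact_form_posts(log_text):
    """Group POSTs to the com_contact 'contact' view (the form submission) by client IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        d = parse_line(line)
        if d and d["method"] == "POST" and d["option"] == "com_contact" and d["view"] == "contact":
            by_ip[d["ip"]].append(d)
    return by_ip

def flag_suspicious(log_text, max_posts=2, max_ids=1):
    """Flag IPs that submit the form too often or walk several contact ids; thresholds are assumed."""
    flags = {}
    for ip, posts in contact_form_posts(log_text).items():
        reasons = []
        if len(posts) > max_posts:
            reasons.append("post_rate")
        if len({p["id"] for p in posts}) > max_ids:
            reasons.append("id_enumeration")
        # A missing Referer on every submission is only corroborating, never a flag on its own.
        if reasons and all(p["ref"] in ("", "-") for p in posts):
            reasons.append("no_referer")
        if reasons:
            flags[ip] = sorted(reasons)
    return flags
```

Feed the function your real access log instead of SAMPLE_LOG; a flagged IP together with outbound mail spikes from the contact form is the signal to unpublish the contact or hide its "send a copy" option.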
I have been seeing these comments in my apache logs
That has nothing to do with the core of Joomla. You are using mod_tm_ajax_contact_form and should contact the makers of that module.
I think I can describe how com_contact is exploited.
To reproduce, you have to have at least one contact on your site.
Then, you can go to /index.php?option=com_contact&view=categories. Here you will see an "uncategorized" category; click it and you will see the contact(s) of your website.
Now, there is a form on the page to send contact emails. This email is meant to be sent to the contact, but there is an option at the bottom to also send a copy to yourself....
Probably using some automation tools, hackers can repetitively send spam to a list of email addresses by checking "send a copy to yourself".
Status | Closed | ⇒ | New |
Closed_Date | 2018-06-27 09:08:48 | ⇒ | |
Closed_By | brianteeman | ⇒ |
That's expected behavior and can be configured in the backend. Besides this, we fixed a bug in 3.9.11 that solves a problem with com_contact.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-08-23 16:39:39 |
Closed_By | ⇒ | HLeithner |
This issue seems to be very much alive!
Joomla! 3.9.13 Stable [ Amani ] 5-November-2019 15:00 GMT
Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT
Thank you for describing how the hackers find and exploit the contact forms. We were getting a ton of spam via the webmaster contact form, which I did not realize was being accessed in this way. Our main contact form uses a captcha, but the webmaster form (which has no menu link, etc.) was reachable the exact way you described. I changed its access to REGISTERED in the back end and now the uncategorized listing displays "There are no Contacts to display" instead of listing the webmaster contact link. Thank you!! Solved my problem. :-)
@brianteeman and @HLeithner - I'd like to raise this issue once again and my thoughts about it, since this has been closed twice.
I have just encountered this issue on a site. It was a contact form that is not protected by a ReCaptcha form. Given that this is being used to send spam emails to 3rd parties via Joomla standard functionality, I do believe this is an exploit and should be fixed.
The form was exploited via accessing the following: REQUEST_URI=/index.php?option=com_contact&view=contact&id=9
If a standard component can be abused to send SPAM (not to the owner of the site via the contact form, but to 3rd parties), then this is an exploit that should be closed at Joomla level.
This is irrespective of whether you enable ReCaptcha or not - by enabling ReCaptcha, you're simply making it more difficult for bots to access the site, rather than closing this exploit.
As I understand it, if I know the URL I need to target, then the site will keep getting exploited and the only fix is to disable the Joomla contact extension and install a different contact form extension.
If that isn't an exploit, I don't know what is.
The fact that people keep posting about this here means that the issue is still out there, and most people are lucky to have a configuration that makes it a bit harder for this to get exploited.
Truth be told, I haven't been able to try and exploit this myself. I don't have enough knowledge to do so myself; I've been out of the coding loop for quite some time now, but I'm trying to do my part for the Joomla community by highlighting the issues to those who are more knowledgeable than myself :-)
The spam was sent using the contact form that the site owner published on their website.
Yes, I could understand spam getting to the site owner, but this spam is getting sent to 3rd parties. As I see it, the Joomla form component is allowing spam to be sent unchecked.
Isn't that an exploit?
Isn't that an exploit?
Not if the option "send a copy" was enabled on the contact form
As I understand it, if I know the URL I need to target, then the site will keep getting exploited and the only fix is to disable the Joomla contact extension and install a different contact form extension.
No, the fix is to unpublish or delete the contact, not the component.
If contacts are created, is the default position for "click to email" set to "show"? If so, this is the bug that needs to be changed. It should be disabled by default. The client contends all they did was install a template.
I still think that this is going around the issue.
Or else I'm missing something. As I understand it, the contact form is being exploited using a specific configuration to send spam.
The only way this would not be an exploit is if the owner of the site is ALSO receiving that same spam.
If this is not the case, then there is a specific configuration, where the Joomla contact component is being exploited to send spam.
Basically, if a contact is created, they get an id. You can use /index.php?option=com_contact&view=contact&id=
and guess id 1, 2, 3, 4, etc., as they are created incrementally and start at 1. If they do exist and the "click to send email to me" option is available, they can insert any email and send it to whomever. Automate this with bots and voila.
I just confirmed that the owner was also inundated with the same spam emails, so strictly speaking this isn't an exploit.
Hi! I've found this topic searching on the spam error.
The solution is:
Go to the Component "Contact" (com_contact) through the Components menu in the admin panel. Then click the Name and go to the right side -> E-mail settings -> Hide the "copy" option, or both if you don't need that contact form.
What happens if you go to this URL:
/index.php?option=com_contact&view=contact