Clean up link spam on your site

Spammers have targeted Plone sites recently by posting content that will redirect you to a different site. Here's how to protect your site — and how to clean up if you have already been hit by this.

Overview of the problem

Well-known spammers have started targeting Plone sites lately, utilizing them for link redirection. While not a security problem as such, it is obviously not something we want people to do to the Plone sites out there.

The way the spammers approach your site usually goes like this:

  1. They set up a script that creates lots of fake users on your site.
  2. They upload HTML documents to the site, masquerading as user portraits or files in the site. These pages are simple JavaScript redirection pages that send the user to a different web site.
  3. They then post link spam on other, unrelated sites, pointing to your site's portal_memberdata structure.
  4. If people follow these links, they are sent to the spammers' site instead.

Questions and answers

Is this a security hole?
No. This is somebody logging in to your site (if you allow them to create their own users) and adding content that can redirect people to a different web site. Your server, site and content security are not compromised in any way. It's just a slightly more sophisticated version of comment spam. If you open up your site to untrusted users, there will always be a certain risk that people add content that is not approved. It's annoying, but it's not a security hole.
Does it affect my site?
The most common sites that are subject to this spamming are community sites that allow unverified users to register. If you are using Plone for your company/organization web site, and don't allow users to register themselves, you are not affected by this. If you are running Plone 2.1.3 or earlier, or Plone 2.5, and allow people to register themselves — you may be at risk, and you should upgrade. If you run Plone 2.1.4, Plone 2.5.1 or any later release, you are protected. In any case, we recommend upgrading and following the instructions below to see if you are affected.
Will people searching my site see the drug/porn/casino spam content?
If they are using your site search box, no. Plone does not index these documents (since they are not defined as content), so they will not show up in site searches. What can happen, however, is if your site has a very high Page Rank at Google, people can get search results if they search for any of the specific casino/porn/drug search words from the search engine itself. The link will then point at your site — and if clicked, the user gets redirected before seeing any of the content from your site. In other words, the spammers are using your site's search engine ranking to get traffic to their site from people searching for drugs/porn/casino keywords, and people don't see your actual site before they are sent somewhere else.
Have you fixed the problem?
Yes. We have made sure that uploaded portraits are verified as images. We have made sure that any content of the type "File" is not rendered in-line (thus removing the possibility of creating redirection documents on your site). These two changes protect you against future spam on your site, and stop the existing redirection tricks from working. By following the instructions below, you will also be able to remove existing bad users from your site, which will cause any links that were in a search engine to be removed on its next visit to the site.
I see you have fixes for Plone 2.1.x and Plone 2.5.x. What can I do if I'm running an unsupported, older version like Plone 2.0.x?
There is an unofficial backport of the security fixes available, but it requires that PIL is already installed on the server. Plone 2.0.x did not ship with PIL, so you have to make sure that it is installed on your server's Python install for this to work.
If you are running Plone 2.0, please upgrade. You are using a release that is 18-24 months old, and has officially been unsupported for quite some time. There are unfortunately no resources to support more than two major versions at a time - the current policy of two major releases gives you a community support period of over 12 months for each release. If you need support or maintenance contracts beyond this, you should contact one of the many Plone companies for assistance.

Instructions

Here's how to check if you have been hit by the spammers, and remove the bogus content if it exists:

  1. Upgrade to at least Plone 2.1.4 or Plone 2.5.1.
  2. Make sure the server is restarted, so you run the latest version.
  3. Go to Site Setup and check that the version string at the bottom says 2.1.4 or 2.5.1. Also check that it says that PIL is successfully installed. This is very important: the clean-up script and the blocking of future spam attempts rely on PIL being installed properly.
  4. Click the Zope Management Interface link.
  5. Locate the link portal_membership (not portal_memberdata).
  6. Click the Portraits tab.
  7. Click the Remove Bad Portraits button. This will search through the user portraits and look for content that is not an image, and remove it.
  8. If there were any bad user portraits found, you will now get a list of the users that had their portrait removed, with an option to delete their user accounts. Only do this if you are sure that they are not legitimate users.
  9. You have now removed the bad user portraits (and optionally the user accounts), and you are also protected against this happening in the future.
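The following Python is an added illustration of the two protections described in "Have you fixed the problem?" and of the "Remove Bad Portraits" clean-up step above. It is not Plone's own code: the function names, the `{member_id: bytes}` mapping standing in for portal_memberdata, and the sample portraits are all constructed here for the example. It checks that an uploaded portrait both starts and ends like a real image (so an HTML redirect page prefixed with a GIF header is still rejected), consults PIL/Pillow when it is installed, and shows the response headers that make a "File" object download instead of rendering in-line.

```python
"""Added example (not Plone's own code): detect and remove non-image
"portraits", and serve File content as a download rather than in-line."""
import struct
import zlib
from io import BytesIO

try:  # Pillow is optional here; the structural check below runs without it
    from PIL import Image
except ImportError:
    Image = None

# Leading magic bytes and trailing marker for the formats a portrait may use.
IMAGE_SIGNATURES = {
    "gif": ((b"GIF87a", b"GIF89a"), b";"),
    "png": ((b"\x89PNG\r\n\x1a\n",), b"IEND\xaeB`\x82"),
    "jpeg": ((b"\xff\xd8\xff",), b"\xff\xd9"),
}


def looks_like_image(data):
    """Return True only if data starts AND ends like a known image format.

    The trailer check matters: a redirect page prefixed with 'GIF89a' passes a
    header-only check. When Pillow is installed its parser is consulted too,
    which additionally rejects files whose internal structure is bogus.
    """
    if not any(data.startswith(magic) and data.endswith(tail)
               for magics, tail in IMAGE_SIGNATURES.values()
               for magic in magics):
        return False
    if Image is not None:
        try:
            Image.open(BytesIO(data)).verify()
        except Exception:
            return False
    return True


def remove_bad_portraits(portraits):
    """Mimic the "Remove Bad Portraits" step over a {member_id: bytes} mapping.

    Returns (cleaned_portraits, removed_member_ids). Accounts themselves are
    untouched; deleting them stays a separate, administrator-made decision.
    """
    cleaned, removed = {}, []
    for member_id, data in portraits.items():
        if looks_like_image(data):
            cleaned[member_id] = data
        else:
            removed.append(member_id)
    return cleaned, sorted(removed)


def file_download_headers(filename, content_type="application/octet-stream"):
    """Headers that make a 'File' object download instead of rendering in-line."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",  # stop browsers second-guessing the type
    }


# --- Constructed sample data (not captured from any real site) ---
def _png_1x1():
    """Build a minimal valid 1x1 RGB PNG in memory, with correct chunk CRCs."""
    def chunk(tag, payload):
        crc = zlib.crc32(tag + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + tag + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one RGB pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


GIF_1X1 = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
           b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
           b"\x02\x02D\x01\x00;")
# A redirect page of the kind the text describes, using a reserved test host.
REDIRECT_HTML = (b"<html><body><script>window.location='http://example.invalid/'"
                 b"</script></body></html>")

SAMPLE_PORTRAITS = {
    "alice": GIF_1X1,
    "bob": _png_1x1(),
    "spam_user_1": REDIRECT_HTML,
    "spam_user_2": b"GIF89a" + REDIRECT_HTML,  # header-only checks would accept this
}

if __name__ == "__main__":
    kept, removed = remove_bad_portraits(SAMPLE_PORTRAITS)
    print("kept:", sorted(kept), "removed:", removed)
```

Running the script lists alice and bob as kept and both spam accounts as removed; as in step 8 above, the removed list is only a report, and whether to delete those accounts is left to the administrator.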