-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Email form invisibly allows spam by default #592
Comments
First, this sounds like either a form plugin configuration issue, or a theme issue, but not an Admin issue. So first going to move this to the form plugin issue tracker. |
Actually this might be related to email specifically, but we'll leave it here until I know more... So you have a Grav installation with form plugin and email plugin. That by itself does not provide a form in your site, so you must also have a page you created for a contact form. When you set that up, did you configure the form to + from? did you add any captcha configuration? I think a copy of your form YAML configuration for that contact form would be helpful to see how you have things configured. Also a copy of your email.yaml configuration would be helpful. |
Be aware I've had this install and just kept upgrading via Yunohost since at least Nov 2020 so my experience may be different from a brand new user, but that's still concerning since such users are evidently being drive-by spammed by bots 24/7. I didn't customize the pages or themes practically at all; my custom theme just extends Twenty without changes. There aren't any particularly obvious settings inside the template stuff to configure any of these things. I tend to interact with Grav via the GUI and didn't notice that I had to configure the Form plugin to send me email instead of just magically bubbling up via the local Sendmail to the local sysadmin, since I run Nextcloud/etc on this same server I assumed it'd just work given the relative lack of configuration options. I still haven't gone through all the plugin pages to check every single option, maybe there's something hidden there. I'm pretty sure I just took whatever was immediately obvious in the default install and tweaked some wording, I didn't create the form template and barely customized anything: there's setups here like a thankyou page after form submission that I'm not sure I'd know how to configure, googling around I see references to configuring things inside the form page itself but I see no such options in the page menus. (Apropos of nothing, I switched from my Default contact page template back to the Form contact page template for about 15 seconds and in that time a spammer managed to get an email through.) Here's the include path beyond my shell of a theme, nothing really obvious for fixing this issue though:
user/config/plugins/form.yaml
user/config/plugins/email.yaml (prior to my modification inside the GUI to figure out what was wrong)
|
Ah here we go, here is my page yaml, the only bit I really customized was the subject line, wherever I got this from years ago it's mostly copy-paste:
In more current examples we get this, which shows options not visible in the GUI and answers the question of how to enable CAPTCHA:
Seems to be more sane defaults in modern examples so maybe this is a non-issue, but I bet I'm not the only one who copy pasted some stuff and didn't realize what all needed configuring and forgot about it and let spammers go wild. And yeah for whatever reason pasting |
Using v1.7.42.3 -Admin v1.10.43 I discover that my site (and email server) have been sending out tons of spam without me realizing.
Problem 1: the default destination email address is something like [email protected] so without digging into settings I've been missing any contact form submissions this entire time. Also, the spam problem has persisted this entire time without me realizing.
Problem 2: the user is somehow able to customize the "To" field as well as the message content, which means they're able to send spam to strangers.
Problem 3: There are CAPTCHA settings in the Form plugin but it's not immediately obvious how to actually enable them, so my solution is to just disable the contact form and tell people to email me instead.
Problem 4: All of this is the default behavior of Grav, and in the ten minutes it took me to write this email I got 5 spam messages, so it's obvious that spammers know about this weakness and are actively exploiting it.
The text was updated successfully, but these errors were encountered: