Phil Lilley Posted February 2, 2018

All of a sudden I'm getting a lot of these spam emails through the contact/forum. I've searched this forum and didn't see anything that addresses this. And I've also looked and can't find a way to block them. Thanks

Kjell Iver Johansen Posted February 2, 2018

I guess you need to remove permission to this module for guests. ACP - system - contact us

Allen Bradford Posted February 3, 2018

Same here. Suddenly Spam Contact emails the last week or so. Removing the Contact Us Permission for Guests doesn't make sense to me. The Contact Us function is largely an email tool for Guests or non-Members to contact the administrator of the Board. Members can do that with Private Message. I'm also wondering if there is any Spam prevention for the Contact Us function.

schultkl Posted February 3, 2018

Same here. Have turned off Contact Us permission for Guests but also request CAPTCHA support so we can re-enable. Thanks.

sudo Posted February 4, 2018

Yeah pretty surprised there is no captcha setting to turn it on/off for contact us.

Allen Bradford Posted February 6, 2018

Anyone from IPS gonna chime in? I just got a vile porn contact email. If it keeps up I'll send in a non-urgent ticket I guess.

opentype Posted February 6, 2018

On 4.2.2018 at 1:36 AM, ZeroHour said:
> Yeah pretty surprised there is no captcha setting to turn it on/off for contact us.

The Captcha setting is global for all guest content. If it is activated, it also acts on the Contact Us form.

On 3.2.2018 at 2:07 AM, Brad Eden said:
> I'm also wondering if there is any Spam prevention for the Contact Us function.

It’s just an online form. If it would filter out messages automatically, people would go crazy about false positives it might not send. The Captcha should help 99% of the time, but there cannot be a guarantee it works 100% of the time, especially since the spam might also be sent by humans. On the one site where I have the Contact form active with Captcha I received 1 spam mail within 6 months. That’s acceptable.

18 minutes ago, Brad Eden said:
> Anyone from IPS gonna chime in?

Probably not, since it’s the peer to peer forum.

Allen Bradford Posted February 7, 2018

13 hours ago, opentype said:
> The Captcha setting is global for all guest content. If it is activated, it also acts on the Contact Us form.

OK...then...In Admincp>Spam Prevention I have reCAPTCHA1 chosen. This is set to avoid Spam Member Registrations and works pretty well. I see no mention that this also prevents Contact Spam email (I'm still getting them, not a lot but suddenly some). Am I missing another Captcha function somewhere that is related to Contact email?

AlexWright Posted February 7, 2018

1 hour ago, Brad Eden said:
> OK...then...In Admincp>Spam Prevention I have reCAPTCHA1 chosen. This is set to avoid Spam Member Registrations and works pretty well. I see no mention that this also prevents Contact Spam email (I'm still getting them, not a lot but suddenly some). Am I missing another Captcha function somewhere that is related to Contact email?

Be advised that Google is retiring reCaptcha1. Swapping to reCaptcha 2 is advisable. https://developers.google.com/recaptcha/docs/faq

opentype Posted February 7, 2018

3 hours ago, Brad Eden said:
> OK...then...In Admincp>Spam Prevention I have reCAPTCHA1 chosen. This is set to avoid Spam Member Registrations and works pretty well. I see no mention that this also prevents Contact Spam email (I'm still getting them, not a lot but suddenly some). Am I missing another Captcha function somewhere that is related to Contact email?

It’s this setting:

If that is already on, you might indeed move to a newer captcha version.

Rhett Posted February 7, 2018

On 2/3/2018 at 2:12 PM, schultkl said:
> Same here. Have turned off Contact Us permission for Guests but also request CAPTCHA support so we can re-enable. Thanks.

On 2/3/2018 at 4:36 PM, ZeroHour said:
> Yeah pretty surprised there is no captcha setting to turn it on/off for contact us.

There is, see below.

17 hours ago, Brad Eden said:
> Anyone from IPS gonna chime in? I just got a vile porn contact email. If it keeps up I'll send in a non-urgent ticket I guess.

Yes, see below.

16 hours ago, opentype said:
> The Captcha setting is global for all guest content. If it is activated, it also acts on the Contact Us form.
>
> It’s just an online form. If it would filter out messages automatically, people would go crazy about false positives it might not send. The Captcha should help 99% of the time, but there cannot be a guarantee it works 100% of the time, especially since the spam might also be sent by humans. On the one site where I have the Contact form active with Captcha I received 1 spam mail within 6 months. That’s acceptable.
>
> Probably not, since it’s the peer to peer forum.

17 minutes ago, opentype said:
> It’s this setting:
>
> If that is already on, you might indeed move to a newer captcha version.

^ This! We are also looking into some other ideas to help in this area.

All Astronauts Posted February 7, 2018

If I were to guess, it would be that one-to-many bad actors realized that IPS ships with a default CAPTCHA key/secret that many users do not swap out for their own. End result is a contact form with an exposed CAPTCHA on many, many IPS sites.

This problem will go away for most/all users by going to Google and grabbing their very own key/secret for CAPTCHA, and probably switching over to CAPTCHA2 wouldn't be a bad idea either.

EDIT: Yes, I know there are services that can crack it just by harvesting the key. But if you start out already having the same key/secret for a ton of sites...

Also, Captcha1 is dead in a few months weeks: https://developers.google.com/recaptcha/docs/faq

March 31st is the end. If Captcha1 isn't removed from 4.3 it probably should be. Also, the next IPS newsletter you send out (and a blog post wouldn't be a bad idea either) to let all clients know they must switch over to ReCaptcha2 asap isn't a bad idea.

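The post above argues that a key pair shared across many sites weakens the CAPTCHA. As an added example (not IPS code and not written by anyone in this thread), this sketch validates the `hostname` and `challenge_ts` fields that Google's siteverify endpoint returns alongside `success`, so a token solved on another site using the same key pair is refused. The host name, skew allowance and sample responses are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed values for this example; use the hosts your own key pair is registered for.
EXPECTED_HOSTS = {"forum.example.org"}
MAX_TOKEN_AGE = timedelta(minutes=2)      # a response token is valid for two minutes
CLOCK_SKEW = timedelta(seconds=30)

def check_siteverify(result, now, expected_hosts=EXPECTED_HOSTS):
    """Decide whether a parsed siteverify JSON response should admit the form post."""
    if result.get("success") is not True:
        codes = ",".join(result.get("error-codes", [])) or "no error code"
        return False, "captcha failed: " + codes
    host = (result.get("hostname") or "").lower()
    if host not in expected_hosts:
        # Token was solved on some other site that uses the same key pair.
        return False, "foreign hostname: " + (host or "missing")
    try:
        solved = datetime.fromisoformat(result["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, AttributeError, ValueError):
        return False, "unparseable challenge_ts"
    if solved.tzinfo is None:
        solved = solved.replace(tzinfo=timezone.utc)
    age = now - solved
    if age > MAX_TOKEN_AGE or age < -CLOCK_SKEW:
        return False, "token outside freshness window"
    return True, "ok"

# Constructed siteverify responses, keyed by a made-up submission id.
NOW = datetime(2018, 2, 7, 10, 16, 0, tzinfo=timezone.utc)
SAMPLES = {
    "own-site": {"success": True, "hostname": "forum.example.org",
                 "challenge_ts": "2018-02-07T10:15:30Z"},
    "shared-key": {"success": True, "hostname": "other-board.example.net",
                   "challenge_ts": "2018-02-07T10:15:40Z"},
    "bad-token": {"success": False, "error-codes": ["invalid-input-response"]},
    "replayed-late": {"success": True, "hostname": "forum.example.org",
                      "challenge_ts": "2018-02-07T09:00:00Z"},
}

def triage(samples=SAMPLES, now=NOW):
    """Return {submission id: (accepted, reason)} for every sample."""
    return {sid: check_siteverify(resp, now) for sid, resp in samples.items()}

if __name__ == "__main__":
    for sid, (ok, reason) in triage().items():
        print(sid, "ACCEPT" if ok else "REJECT", reason)
```
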
The Old Man Posted February 7, 2018

Started a topic on this issue without seeing this one, sorry. I'll double check my Recaptcha2 but glad to hear IPS are doing more, hopefully to tie into the anti-spam measures. Or even the question and answers facility that forms part of registration.

Allen Bradford Posted February 7, 2018

6 hours ago, opentype said:
> It’s this setting:
>
> If that is already on, you might indeed move to a newer captcha version.

OK I saw that and I do not have it enabled...because it says nothing about Contact emails. Also I don't allow Guests to Post anyhow. I'll enable it and see if this blocks the Contact Spam emails.

Maybe IPS should simply add: Enabling this will also force Guests to complete CAPTCHA when sending Board Contact emails.

Thanks for the input everyone.

Joel R Posted February 7, 2018

9 hours ago, All Astronauts said:
> If I were to guess, it would be that one-to-many bad actors realized that IPS ships with a default CAPTCHA key/secret that many users do not swap out for their own. End result is a contact form with an exposed CAPTCHA on many, many IPS sites.
>
> This problem will go away for most/all users by going to Google and grabbing their very own key/secret for CAPTCHA, and probably switching over to CAPTCHA2 wouldn't be a bad idea either.
>
> EDIT: Yes, I know there are services that can crack it just by harvesting the key. But if you start out already having the same key/secret for a ton of sites...
>
> Also, Captcha1 is dead in a few months weeks: https://developers.google.com/recaptcha/docs/faq
>
> March 31st is the end. If Captcha1 isn't removed from 4.3 it probably should be. Also, the next IPS newsletter you send out (and a blog post wouldn't be a bad idea either) to let all clients know they must switch over to ReCaptcha2 asap isn't a bad idea.

Nominating this for Public Service Announcement of the week.

Allen Bradford Posted February 7, 2018

So is it as simple as choosing reCAPTCHA2 in admincp>Spam Prevention....to avoid any issues when reCAPTCHA1 is kaput?

All Astronauts Posted February 7, 2018

You might need a new key pair. Unsure. They really are trivial to get. Literally a minute of your time. Add site addresses, add contact emails, done.

One site of mine was getting the spam emails via the contact us link starting... two weeks ago? A day or two ago I took a look and decided to just get new keys and flip to ReCaptcha2. Haven't seen a spam email since (the sound of wood being knocked upon are heard in distance...).

The bigger thing right now is that Captcha1 is gone in a what? Four weeks? Word better get out fast or there are a lot of sites going to have a hell of a time if they are already spam targets and aren't on top of this.

The Old Man Posted February 8, 2018

Not sure when or if this was added as I don't recall seeing it before, but you can increase or decrease the security level of reCAPTCHA v2 in the Advanced Settings. Could be useful.

Allen Bradford Posted February 9, 2018

On 2/7/2018 at 12:23 AM, opentype said:
> It’s this setting:
>
> If that is already on, you might indeed move to a newer captcha version.

Enabled this, and it didn't work, getting more Spam Contact emails than ever. I find it hard to believe this is connected to Guests/Contact Us. I'll switch to reCAPTCHA2 and get new keys before the deadline and see how it goes.

opentype Posted February 9, 2018

You don’t have to believe it. You can find out for yourself by testing it. Just log out and see what guests see. Which is what I had done before giving the answer.

Tripp★ Posted February 20, 2018

I have enabled this, and checked it, it's running fine, with reCAPTCHA2. But I too have found that just recently I've been receiving all sorts of spam.

Edit: I've just refreshed my keys, so I will see if that solves my issues.

Edit2: It did not.

Allen Bradford Posted February 21, 2018

On 2/9/2018 at 6:46 AM, opentype said:
> You don’t have to believe it. You can find out for yourself by testing it. Just log out and see what guests see. Which is what I had done before giving the answer.

Took your advice. Now, I'm a believer that in fact the reCAPTCHA1 is enabled for Contact Us emails. But....it doesn't work and I am continuing to get Spam Contact Us emails from the strangest places. Time to go to reCAPTCHA2 before the deadline and see if that helps.

Aiwa Posted February 26, 2018

Meh, I took the more nuclear approach and disabled Guest use of the 'Contact Us' form entirely. Which means they'll have to get through my registration system first. I've not had a single spam user register on either of my few sites going on a couple years now. I know that's not the best solution for everyone, but it works for me.

Allen Bradford Posted February 28, 2018

Alrighty then. Updated with new keys for reCAPTCHA 2. Registration turned on, along with a Q&A, along with Guest ability to use Contact Us email feature. We will see how well this blocks Spam registrations and Contact Us Spam...

Allen Bradford Posted March 6, 2018

Oh well, just got a Spam Contact Us email for Viagra.

This topic is now archived and is closed to further replies.