
Email spam


Phil Lilley


Same here. Suddenly Spam Contact emails the last week or so.

Removing the Contact Us Permission for Guests doesn't make sense to me. The Contact Us function is largely an email tool for Guests or non-Members to contact the administrator of the Board. Members can do that with Private Message.

I'm also wondering if there is any Spam prevention for the Contact Us function.


On 4.2.2018 at 1:36 AM, ZeroHour said:

Yeah pretty surprised there is no captcha setting to turn it on/off for contact us.

The Captcha setting is global for all guest content. If it is activated, it also acts on the Contact Us form.

 

On 3.2.2018 at 2:07 AM, Brad Eden said:

I'm also wondering if there is any Spam prevention for the Contact Us function.

It’s just an online form. If it would filter out messages automatically, people would go crazy about false positives it might not send.
The Captcha should help 99% of the time, but there cannot be a guarantee it works 100% of the time, especially since the spam might also be sent by humans. On the one site where I have the Contact form active with Captcha I received 1 spam mail within 6 months. That’s acceptable.  

 

18 minutes ago, Brad Eden said:

Anyone from IPS gonna chime in? 

Probably not, since it’s the peer to peer forum. 


13 hours ago, opentype said:

The Captcha setting is global for all guest content. If it is activated, it also acts on the Contact Us form.

OK...then...In Admincp>Spam Prevention I have reCAPTCHA1 chosen. This is set to avoid Spam Member Registrations and works pretty well. I see no mention that this also prevents Contact Spam email (I'm still getting them, not a lot but suddenly some). Am I missing another Captcha function somewhere that is related to Contact email?


1 hour ago, Brad Eden said:

OK...then...In Admincp>Spam Prevention I have reCAPTCHA1 chosen. This is set to avoid Spam Member Registrations and works pretty well. I see no mention that this also prevents Contact Spam email (I'm still getting them, not a lot but suddenly some). Am I missing another Captcha function somewhere that is related to Contact email?

Be advised that Google is retiring reCaptcha1. Swapping to reCaptcha 2 is advisable.

https://developers.google.com/recaptcha/docs/faq


3 hours ago, Brad Eden said:

OK...then...In Admincp>Spam Prevention I have reCAPTCHA1 chosen. This is set to avoid Spam Member Registrations and works pretty well. I see no mention that this also prevents Contact Spam email (I'm still getting them, not a lot but suddenly some). Am I missing another Captcha function somewhere that is related to Contact email?

It’s this setting:

[Screenshot of the setting]

If that is already on, you might indeed move to a newer captcha version. 


On 2/3/2018 at 2:12 PM, schultkl said:

Same here. Have turned off Contact Us permission for Guests but also request CAPTCHA support so we can re-enable. Thanks.

 

On 2/3/2018 at 4:36 PM, ZeroHour said:

Yeah pretty surprised there is no captcha setting to turn it on/off for contact us.

There is, see below.

17 hours ago, Brad Eden said:

Anyone from IPS gonna chime in? I just got a vile porn contact email. If it keeps up I'll send in a non-urgent ticket I guess.

Yes, see below

16 hours ago, opentype said:

The Captcha setting is global for all guest content. If it is activated, it also acts on the Contact Us form.

 

It’s just an online form. If it would filter out messages automatically, people would go crazy about false positives it might not send.
The Captcha should help 99% of the time, but there cannot be a guarantee it works 100% of the time, especially since the spam might also be sent by humans. On the one site where I have the Contact form active with Captcha I received 1 spam mail within 6 months. That’s acceptable.  

 

Probably not, since it’s the peer to peer forum. 

 

17 minutes ago, opentype said:

It’s this setting:

[Screenshot of the setting]

If that is already on, you might indeed move to a newer captcha version. 

^ This!  

We are also looking into some other ideas to help in this area. 


If I were to guess, it would be that one-to-many bad actors realized that IPS ships with a default CAPTCHA key/secret that many users do not swap out for their own. End result is a contact form with an exposed CAPTCHA on many, many IPS sites.

This problem will go away for most/all users by going to Google and grabbing their very own key/secret for CAPTCHA, and probably switching over to CAPTCHA2 wouldn't be a bad idea either.

EDIT: Yes, I know there are services that can crack it just by harvesting the key. But if you start out already having the same key/secret for a ton of sites...

Also, Captcha1 is dead in a few months weeks.: https://developers.google.com/recaptcha/docs/faq

March 31st is the end. If Captcha1 isn't removed from 4.3 it probably should be. Also, the next IPS newsletter you send out (and a blog post wouldn't be a bad idea either) to let all clients know they must switch over to ReCaptcha2 asap isn't a bad idea.
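
Added example, not part of the thread and not IPS code: a server-side check that relates to the shared key/secret point in the post above. It assumes the documented reCAPTCHA v2 `siteverify` reply fields (`success`, `hostname`, `challenge_ts`, `error-codes`); the function name, host names, freshness window and sample replies are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed placeholder: hostname(s) your own contact form is served from.
ALLOWED_HOSTS = {"forum.example.org"}
MAX_TOKEN_AGE = timedelta(minutes=2)  # assumed freshness window


def check_siteverify(result, now, allowed_hosts=ALLOWED_HOSTS, max_age=MAX_TOKEN_AGE):
    """Judge a decoded reCAPTCHA v2 siteverify reply; returns (accepted, reason)."""
    if result.get("success") is not True:
        codes = ",".join(result.get("error-codes", [])) or "unknown"
        return False, "captcha failed: " + codes
    # With a key pair shared by many sites, a token solved on another site
    # may verify here too, so require that it was solved on our own host.
    host = str(result.get("hostname") or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return False, "solved on foreign host: " + (host or "<missing>")
    try:
        stamp = str(result["challenge_ts"]).replace("Z", "+00:00")
        solved_at = datetime.fromisoformat(stamp)
    except (KeyError, ValueError):
        return False, "missing or malformed challenge_ts"
    if solved_at.tzinfo is None:
        solved_at = solved_at.replace(tzinfo=timezone.utc)
    age = now - solved_at
    if age < timedelta(0) or age > max_age:
        return False, "token outside freshness window"
    return True, "ok"


# Constructed sample replies, shaped like the documented siteverify JSON.
NOW = datetime(2018, 2, 7, 10, 0, 0, tzinfo=timezone.utc)
SAMPLES = {
    "own_form": {"success": True, "challenge_ts": "2018-02-07T09:59:12Z",
                 "hostname": "forum.example.org"},
    "shared_key_other_site": {"success": True, "challenge_ts": "2018-02-07T09:59:30Z",
                              "hostname": "other-board.example.net"},
    "old_token": {"success": True, "challenge_ts": "2018-02-07T09:40:00Z",
                  "hostname": "forum.example.org"},
    "failed": {"success": False, "error-codes": ["invalid-input-response"]},
}


def classify_samples():
    return {name: check_siteverify(reply, NOW) for name, reply in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(name, verdict)
```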


6 hours ago, opentype said:

It’s this setting:

[Screenshot of the setting]

If that is already on, you might indeed move to a newer captcha version. 

OK I saw that and I do not have it enabled...because it says nothing about Contact emails. Also I don't allow Guests to Post anyhow. I'll enable it and see if this blocks the Contact Spam emails.

Maybe IPS should simply add: Enabling this will also force Guests to complete CAPTCHA when sending Board Contact emails.

Thanks for the input everyone.


9 hours ago, All Astronauts said:

If I were to guess, it would be that one-to-many bad actors realized that IPS ships with a default CAPTCHA key/secret that many users do not swap out for their own. End result is a contact form with an exposed CAPTCHA on many, many IPS sites.

This problem will go away for most/all users by going to Google and grabbing their very own key/secret for CAPTCHA, and probably switching over to CAPTCHA2 wouldn't be a bad idea either.

EDIT: Yes, I know there are services that can crack it just by harvesting the key. But if you start out already having the same key/secret for a ton of sites...

Also, Captcha1 is dead in a few months weeks.: https://developers.google.com/recaptcha/docs/faq

March 31st is the end. If Captcha1 isn't removed from 4.3 it probably should be. Also, the next IPS newsletter you send out (and a blog post wouldn't be a bad idea either) to let all clients know they must switch over to ReCaptcha2 asap isn't a bad idea.

Nominating this for Public Service Announcement of the week.  


You might need a new key pair. Unsure. They really are trivial to get. Literally a minute of your time. Add site addresses, add contact emails, done.

One site of mine was getting the spam emails via the contact us link starting... two weeks ago?

A day or two ago I took a look and decided to just get new keys and flip to ReCaptcha2. Haven't seen a spam email since (the sound of wood being knocked upon is heard in distance...).

The bigger thing right now is that Captcha1 is gone in a what? Four weeks? Word better get out fast or there are a lot of sites going to have a hell of a time if they are already spam targets and aren't on top of this.


On 2/7/2018 at 12:23 AM, opentype said:

It’s this setting:

[Screenshot of the setting]

If that is already on, you might indeed move to a newer captcha version. 

Enabled this, and it didn't work, getting more Spam Contact emails than ever. I find it hard to believe this is connected to Guests/Contact Us.

I'll switch to reCAPTCHA2 and get new keys before the deadline and see how it goes.


  • 2 weeks later...
On 2/9/2018 at 6:46 AM, opentype said:

You don’t have to believe it. You can find out for yourself by testing it. Just log out and see what guests see. Which is what I had done before giving the answer.

Took your advice. Now, I'm a believer that in fact the reCAPTCHA1 is enabled for Contact Us emails. But....it doesn't work and I am continuing to get Spam Contact Us emails from the strangest places. Time to go to reCAPTCHA2 before the deadline and see if that helps.


Meh, I took the more nuclear approach and disabled Guest use of the 'Contact Us' form entirely.  Which means they'll have to get through my registration system first.

I've not had a single spam user register on either of my few sites going on a couple years now. 

I know that's not the best solution for everyone, but it works for me. :)


Archived

This topic is now archived and is closed to further replies.
