  1. phpBB
  2. PHPBB-17088

Contact page needs spambot countermeasures and should be disabled by default

    • Improvement
    • Resolution: Unresolved
    • Major
    • None
    • 3.3.9
    • None

      I get requests a few times a year from clients trying to fix spam issues. For a recent client, the point of entry was the contact page which was enabled. This sent a ton of spam to the email address associated with the contact page. Emails reached a local GoDaddy inbox with an autoresponder to the sender. This got PHP's integration with the email server disabled by GoDaddy (which never told the client, resulting in me spending hours on the phone with GoDaddy technical support trying to get outgoing emails going again so notifications could go out) because it appeared to GoDaddy that they were sending spam because the TO email addresses were from known spammer email addresses.

      Since all phpBB can do is hand off emails to an email server and there is little in the way of a handshake between the systems, the only way to know this is a problem is to look in phpBB's error log (there's no notification that lets admins know of these errors, so they tend to get ignored) or notice the problem and investigate. Investigating and fixing these email systems is technically challenging and beyond the skill set of many a board administrator.

      I would like to see this better addressed. Suggest:

      • Disable the contact page by default during installation
      • On the ACP contact page, clearly warn that enabling the contact page may be used by spammers to send administrators spam emails
      • Enable an optional CAPTCHA on the form; the board's default spambot countermeasure would be a good choice. Since some spam solutions like reCAPTCHA and GD Image have been hacked, a Q&A one should, I think, be the recommendation.

      I think this is almost a security issue. It certainly can cause issues that can be largely prevented if some or all of these suggestions were implemented.

            Unassigned
            MarkDHamill