Contact Us page needs group permissions

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The current feature release of phpBB 3 is 3.3/Proteus.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
mrgtb
Registered User
Posts: 221
Joined: Wed Nov 28, 2007 10:09 pm

Contact Us page needs group permissions

Post by mrgtb »

The "Contact Us" link you can display in forum footer. Do you not think it needs group permissions who can use it? I have it activated on my forum and quite a number of times now I've received spam emails via it from guests. Just watched a Russian spammer using it "spotted listed in who's online", seconds later email from them. I think group permissions are needed so you can rule out guests being able to use it sending you email junk from board.

I would hate to think how much it would get used by guests spammers if having a big board, going off how many spam emails I've got via it so far running a very small inactive forum with next to nothing going on. Or at least have that page so it uses anti-spam validation like forums do for guests.

Nicofuma
3.2 Release Manager
3.2 Release Manager
Posts: 299
Joined: Sun Apr 13, 2014 1:40 am
Location: Paris

Re: Contact Us page needs group permissions

Post by Nicofuma »

https://area51.phpbb.com/phpBB/viewtopi ... 41#p265941
nickvergessen wrote:
Meis2M wrote:Now I can see Contact page here in area51. It seems it's merged thanks. This system use captcha?
No, the page is linked on registration if the user is unable to solve the captcha.
Member of the phpBB Development-Team
No Support via PM

User avatar
RMcGirr83
Registered User
Posts: 360
Joined: Fri Mar 09, 2007 1:51 am
Contact:

Re: Contact Us page needs group permissions

Post by RMcGirr83 »

So then what is to stop spam bots from posting to the contact page once 3.1 goes gold?
Do not hire Christian Bullock he won't finish the job and will keep your money

User avatar
Louis7777
Registered User
Posts: 394
Joined: Fri Apr 04, 2014 12:32 am

Re: Contact Us page needs group permissions

Post by Louis7777 »

RMcGirr83 wrote:So then what is to stop spam bots from posting to the contact page once 3.1 goes gold?
Your "Contact Board Administration" extension? xD

User avatar
Dragosvr92
Registered User
Posts: 624
Joined: Tue May 31, 2011 12:08 pm
Location: Romania
Contact:

Re: Contact Us page needs group permissions

Post by Dragosvr92 »

RMcGirr83 wrote:So then what is to stop spam bots from posting to the contact page once 3.1 goes gold?
"No, the page is linked on registration if the user is unable to solve the captcha."
Im guessing the Captcha that appears to guests that try to message the admin. :?
Previous user: TheKiller
Avatar on Memberlist 1.0.3

mrgtb
Registered User
Posts: 221
Joined: Wed Nov 28, 2007 10:09 pm

Re: Contact Us page needs group permissions

Post by mrgtb »

I don't get this because I use Q/A and not Captcha for registration. So anyone sending email from board using Contact us doesn't need solve any Captcha image on my forum. Whether or not that then is linked to fact I use Q/A and not Image Captcha at registration, no idea?

But reading what you're saying here is as though you mean, if you use Captcha and not Q/A at registration, then that Captcha will be used for Contact Us page also, while Q/A doesn't get used on both if using that for registration - is that correct?

Further more... what I've spotted in Google Search is that it indexes Contact Us page as it's own page to hit, so if there's no anti-spam validation used on it, or permissions to exclude guests from using it. Then you're going to get a lot of spam over time because spam bots can easy search (target) that page out listed in google across lots of phphBB sites.

If honest, I'm a little bemused why you'd even add Contact Us page and not include anti-spam validation or group permissions with it. It's asking for spam to happen sent out by spam bots, you might as well just never use the feature, don't think using a mod to (add anti-spam) validation is the answer either. It should be their on that page stock, along with groups permissons also to decide if guests can even use contact us.

Nicofuma
3.2 Release Manager
3.2 Release Manager
Posts: 299
Joined: Sun Apr 13, 2014 1:40 am
Location: Paris

Re: Contact Us page needs group permissions

Post by Nicofuma »

I said before, one purpose of this form is to able to contact the board admin if you can't solve the captcha. So it can't be disabled for the guest and it can't be protected by a captcha.

Before the admin address email was exposed in this case so it was worse...
Member of the phpBB Development-Team
No Support via PM

User avatar
Arty
Former Team Member
Posts: 985
Joined: Wed Mar 06, 2002 2:36 pm
Location: Mars
Contact:

Re: Contact Us page needs group permissions

Post by Arty »

RMcGirr83 wrote:So then what is to stop spam bots from posting to the contact page once 3.1 goes gold?
Absolutely nothing. I'm using other forum software that has contact form, had to modify contact form code a bit because of huge amount of spam I was getting.

Contact form will be heavily spammed. Spammers don't care if they get to send their message to 1 user or whole forum, 1 user without catpcha is better than 0 because of captcha so they will spam contact form.

Senky
Extension Customisations
Extension Customisations
Posts: 315
Joined: Thu Jul 16, 2009 4:41 pm

Re: Contact Us page needs group permissions

Post by Senky »

Arty wrote:Contact form will be heavily spammed. Spammers don't care if they get to send their message to 1 user or whole forum, 1 user without catpcha is better than 0 because of captcha so they will spam contact form.
That! One solution that works for my sites is, that part of the form DOM (<form>, <input type="submit"> or the best is hidden field) is generated by JS. The best solution is to generate hidden field which makes form submission pass the php validation, or to generate action attribute of form tag by JS. I know, that this makes form unsubmittable to users with JS turned off, but I can imagine 99% webmasters be more happy with that, than inbox full of spam.

nachtelb
Registered User
Posts: 30
Joined: Sun Feb 19, 2006 1:55 pm
Location: Germany
Contact:

Re: Contact Us page needs group permissions

Post by nachtelb »


Post Reply