Contact Us page needs group permissions

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The next feature release of phpBB 3 will be 3.2/Rhea followed by 3.3.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.1. If you need support for phpBB 3.1 please visit the 3.1.x Support Forum on phpbb.com.

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
User avatar
mrgtb
Registered User
Posts: 217
Joined: Wed Nov 28, 2007 10:09 pm

Contact Us page needs group permissions

Post by mrgtb » Mon Sep 01, 2014 2:06 pm

The "Contact Us" link you can display in forum footer. Do you not think it needs group permissions who can use it? I have it activated on my forum and quite a number of times now I've received spam emails via it from guests. Just watched a Russian spammer using it "spotted listed in who's online", seconds later email from them. I think group permissions are needed so you can rule out guests being able to use it sending you email junk from board.

I would hate to think how much it would get used by guests spammers if having a big board, going off how many spam emails I've got via it so far running a very small inactive forum with next to nothing going on. Or at least have that page so it uses anti-spam validation like forums do for guests.

Nicofuma
3.2 Release Manager
3.2 Release Manager
Posts: 297
Joined: Sun Apr 13, 2014 1:40 am
Location: Paris

Re: Contact Us page needs group permissions

Post by Nicofuma » Mon Sep 01, 2014 2:21 pm

https://area51.phpbb.com/phpBB/viewtopi ... 41#p265941
nickvergessen wrote:
Meis2M wrote:Now I can see Contact page here in area51. It seems it's merged thanks. This system use captcha?
No, the page is linked on registration if the user is unable to solve the captcha.
Member of the phpBB Development-Team
No Support via PM

User avatar
RMcGirr83
Registered User
Posts: 357
Joined: Fri Mar 09, 2007 1:51 am
Contact:

Re: Contact Us page needs group permissions

Post by RMcGirr83 » Mon Sep 01, 2014 5:41 pm

So then what is to stop spam bots from posting to the contact page once 3.1 goes gold?
Do not hire Christian Bullock he won't finish the job and will keep your money

User avatar
Louis7777
Registered User
Posts: 378
Joined: Fri Apr 04, 2014 12:32 am

Re: Contact Us page needs group permissions

Post by Louis7777 » Mon Sep 01, 2014 7:58 pm

RMcGirr83 wrote:So then what is to stop spam bots from posting to the contact page once 3.1 goes gold?
Your "Contact Board Administration" extension? xD

User avatar
Dragosvr92
Registered User
Posts: 624
Joined: Tue May 31, 2011 12:08 pm
Location: Romania
Contact:

Re: Contact Us page needs group permissions

Post by Dragosvr92 » Tue Sep 02, 2014 5:31 am

RMcGirr83 wrote:So then what is to stop spam bots from posting to the contact page once 3.1 goes gold?
"No, the page is linked on registration if the user is unable to solve the captcha."
Im guessing the Captcha that appears to guests that try to message the admin. :?
Previous user: TheKiller
Avatar on Memberlist 1.0.3

User avatar
mrgtb
Registered User
Posts: 217
Joined: Wed Nov 28, 2007 10:09 pm

Re: Contact Us page needs group permissions

Post by mrgtb » Tue Sep 02, 2014 10:03 am

I don't get this because I use Q/A and not Captcha for registration. So anyone sending email from board using Contact us doesn't need solve any Captcha image on my forum. Whether or not that then is linked to fact I use Q/A and not Image Captcha at registration, no idea?

But reading what you're saying here is as though you mean, if you use Captcha and not Q/A at registration, then that Captcha will be used for Contact Us page also, while Q/A doesn't get used on both if using that for registration - is that correct?

Further more... what I've spotted in Google Search is that it indexes Contact Us page as it's own page to hit, so if there's no anti-spam validation used on it, or permissions to exclude guests from using it. Then you're going to get a lot of spam over time because spam bots can easy search (target) that page out listed in google across lots of phphBB sites.

If honest, I'm a little bemused why you'd even add Contact Us page and not include anti-spam validation or group permissions with it. It's asking for spam to happen sent out by spam bots, you might as well just never use the feature, don't think using a mod to (add anti-spam) validation is the answer either. It should be their on that page stock, along with groups permissons also to decide if guests can even use contact us.

Nicofuma
3.2 Release Manager
3.2 Release Manager
Posts: 297
Joined: Sun Apr 13, 2014 1:40 am
Location: Paris

Re: Contact Us page needs group permissions

Post by Nicofuma » Tue Sep 02, 2014 1:34 pm

I said before, one purpose of this form is to able to contact the board admin if you can't solve the captcha. So it can't be disabled for the guest and it can't be protected by a captcha.

Before the admin address email was exposed in this case so it was worse...
Member of the phpBB Development-Team
No Support via PM

User avatar
Arty
Registered User
Posts: 970
Joined: Wed Mar 06, 2002 2:36 pm
Location: Mars
Contact:

Re: Contact Us page needs group permissions

Post by Arty » Tue Sep 02, 2014 1:50 pm

RMcGirr83 wrote:So then what is to stop spam bots from posting to the contact page once 3.1 goes gold?
Absolutely nothing. I'm using other forum software that has contact form, had to modify contact form code a bit because of huge amount of spam I was getting.

Contact form will be heavily spammed. Spammers don't care if they get to send their message to 1 user or whole forum, 1 user without catpcha is better than 0 because of captcha so they will spam contact form.
Formerly known as CyberAlien.

Free phpBB styles | Premium responsive XenForo styles

Senky
Extension Customisations
Extension Customisations
Posts: 283
Joined: Thu Jul 16, 2009 4:41 pm

Re: Contact Us page needs group permissions

Post by Senky » Tue Sep 02, 2014 2:24 pm

Arty wrote:Contact form will be heavily spammed. Spammers don't care if they get to send their message to 1 user or whole forum, 1 user without catpcha is better than 0 because of captcha so they will spam contact form.
That! One solution that works for my sites is, that part of the form DOM (<form>, <input type="submit"> or the best is hidden field) is generated by JS. The best solution is to generate hidden field which makes form submission pass the php validation, or to generate action attribute of form tag by JS. I know, that this makes form unsubmittable to users with JS turned off, but I can imagine 99% webmasters be more happy with that, than inbox full of spam.

nachtelb
Registered User
Posts: 30
Joined: Sun Feb 19, 2006 1:55 pm
Location: Germany
Contact:

Re: Contact Us page needs group permissions

Post by nachtelb » Sat Nov 22, 2014 10:09 am


Post Reply