Enhancement #654

Contact forms vulnerable to spam attacks

Added by Kasper Garnæs over 5 years ago. Updated almost 3 years ago.

Status:
Resolved (tag version)
Priority:
High
Assignee:
-
Estimated time:
URL with example:
Categories:
Administration - System configuration

Description

Contact forms, e.g. https://gladsaxe.ddbcms.dk/contact, allow anonymous users to send emails to the library.

In Drupal core, access to such forms requires users to be logged in, for fear of spam attacks (see https://github.com/ding2/ding_user/pull/6#discussion_r19133811). In DDB CMS a deliberate decision has been made that the forms must be usable by anonymous users, but DDB CMS offers no form of protection against the vulnerability this introduces.

To solve this, DDB CMS should offer spam protection. See https://www.drupal.org/module-categories/spam-prevention.


Related issues

Related to DDB CMS - Bug #984: The mail form can create unnecessary doubt/uncertainty for the user in its confirmation email [Open (waiting)]
Related to DDB CMS - Feature #434: Webforms 4x [Resolved (tag version)]
Precedes DDB CMS - Enhancement #2867: Contact forms vulnerable to spam attacks [Closed]

History

#1 Updated by Rolf Madsen over 5 years ago

  • Status changed from New to Open (waiting)
  • Target version set to 27

#2 Updated by Gitte Barlach over 5 years ago

The contact form: you can send a copy to yourself; this opens up the possibility that robots can abuse it by entering different email addresses and thereby use the form as a spam proxy.

#3 Updated by Rolf Madsen over 5 years ago

  • Target version changed from 27 to DDB CMS 2015 1. opgradering

#4 Updated by per johansen over 5 years ago

  • Status changed from Open (waiting) to Need more info
  • Assignee set to Rolf Madsen

What about the good old captcha - wouldn't that be sufficient? As far as I can tell, spam blockers overshoot the target.

#5 Updated by Kasper Garnæs over 5 years ago

CAPTCHAs are better than nothing when it comes to protecting against spam.

In my eyes, though, CAPTCHAs are a solved problem (https://www.google.dk/webhp?q=solve%20captcha#q=solve+captcha). Moreover, they are a nuisance for normal people.

I assume that a spam proxy that can send emails to arbitrary people from an approved sender is in relatively high demand and would damage the library's image.

What I like about Mollom et al. is that it also looks at the content and bothers normal people as little as possible.

#6 Updated by Rolf Madsen over 5 years ago

  • Target version changed from DDB CMS 2015 1. opgradering to DDB CMS 2015 2. opgradering

#7 Updated by Gitte Barlach over 5 years ago

  • Status changed from Need more info to Open (waiting)

#8 Updated by Rolf Madsen over 5 years ago

  • Target version changed from DDB CMS 2015 2. opgradering to DDB CMS 2015 3. opgradering

#9 Updated by Rolf Madsen over 5 years ago

  • Priority changed from Normal to High

#10 Updated by Rolf Madsen over 5 years ago

  • Assignee changed from Rolf Madsen to Kasper Garnæs

Can this problem be solved by implementing the Webforms module?

http://platform.dandigbib.org/issues/434

#11 Updated by Rolf Madsen over 5 years ago

  • Related to Bug #984: The mail form can create unnecessary doubt/uncertainty for the user in its confirmation email added

#12 Updated by Kasper Garnæs about 5 years ago

  • Assignee changed from Kasper Garnæs to Rolf Madsen

@Rolf: Webforms includes protection that, for example, only allows each user to submit each form a limited number of times - e.g. 10.

I see several problems with this:

- Webforms' protection is based on IP or cookies. Both are easy to circumvent.
- For contact forms it is unrealistic to limit each user to using the form a limited number of times.
- A Webforms-based solution would require all contact forms to be recoded to use Webforms.

Therefore I do not think it is a realistic solution to the problem.

#13 Updated by Rolf Madsen about 5 years ago

  • Target version changed from DDB CMS 2015 3. opgradering to DDB CMS 2015 4. opgradering

#15 Updated by Rolf Madsen almost 5 years ago

  • Assignee deleted (Rolf Madsen)

#16 Updated by Rolf Madsen almost 5 years ago

  • Target version changed from DDB CMS 2015 4. opgradering to 36

#17 Updated by Rolf Madsen almost 5 years ago

#18 Updated by Rolf Madsen almost 5 years ago

#19 Updated by Rolf Madsen almost 5 years ago

#20 Updated by Martin Cording almost 5 years ago

I'm gonna start by expressing my personal assessment, which is that this problem is not particularly extensive.
I base my judgment on our own clients, and they have not experienced SPAM with their solutions over the years.

Whether this is the same case for you or not, DBC should be able to tell you if there have been support inquiries about this or whether their SMTP has been exploited for this purpose.

That said, I think it should certainly be taken seriously and prioritized.

We have previously clarified that there is a possibility to limit the requests to logged-in users, since non-logged-in users will not have a "digital" form of contacting their library to request new PIN or the like.

Therefore our suggestion is to change this contact form to Webforms, so it can still be used by all users (whether they are logged in or not), but make sure that it can not be exploited by sending emails to user-defined addresses.

If it's required that the user should be able to send himself a copy, we suggest to implement CAPTCHA (even though this case states that it is not an ideal solution).

There are other methods than CAPTCHA and Webforms to solve this issue. But due to the, to our knowledge, insignificant extent, not our proposal.
We can dig into other options, which can be complicated to implement or requires subscriptions upon request.

Please be aware that as of now, there is already a limitation set to define how many times per hour the same user can use the contact form (the library can change the settings themselves).

#21 Updated by Gitte Barlach almost 5 years ago

  • Status changed from Open (waiting) to Need more info
  • Assignee set to Rolf Madsen

#22 Updated by Rolf Madsen almost 5 years ago

As far as I know, there have been no signs of SPAM attacks on DDB CMS, but I have asked DBC to confirm it.

Provided DBC confirms this, it is OK for us to follow Martin's recommendation.

#23 Updated by Rolf Madsen over 4 years ago

We are following the recommendation:
"change this contact form to Webforms, so it can still be used by all users (whether they are logged in or not), but make sure that it can not be exploited by sending emails to user-defined addresses."

#24 Updated by Rolf Madsen over 4 years ago

  • Target version changed from 36 to 39

#25 Updated by Rolf Madsen over 4 years ago

  • Assignee changed from Rolf Madsen to Martin Cording

#26 Updated by Martin Cording over 4 years ago

  • Tracker changed from Bug to Enhancement

#27 Updated by Martin Cording over 4 years ago

  • Assignee changed from Martin Cording to Kasper Garnæs

Since our debate within this case, we have had good experience with https://www.drupal.org/project/honeypot.

Kasper, can you give your input on this?

#28 Updated by Kasper Garnæs over 4 years ago

  • Assignee changed from Kasper Garnæs to Rolf Madsen

I know that Copenhagen Municipality also has good experience with Honeypot. In my eyes it does not provide the same level of protection as Mollom - on the other hand, it is a system that can be put into use on all DDB CMS libraries without having to create accounts per site etc. That also has value.

With regard to mitigating the spam problem that this issue is about, adding the Honeypot module and configuring it to protect the contact forms would be a good first step.

I think we should treat Webforms separately. Webforms can be useful for DDB CMS, but in my eyes it does not solve the fundamental problem where a form, in which anonymous visitors can enter an arbitrary sender address and which is configured to send a receipt to that sender address, can be used for spam.

If we choose to use Webforms in another context, Honeypot can also be used to protect those.
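As an added illustration of the "first step" described in the comment above, here is a small Drupal 7 module, hypothetically named ddb_contact_protect. It is not code from DDB CMS, the Honeypot project or any participant in this thread. It assumes the Drupal 7 core contact form ids (contact_site_form, contact_personal_form), the Honeypot 7.x API function honeypot_add_form_protection(), the core flood API, and two hypothetical site variables for a per-sender-address limit. It does three things: applies Honeypot (hidden field plus minimum fill-in time) to the contact forms, refuses the "send yourself a copy" option for anonymous visitors server-side (the spam-proxy pattern this issue is about), and adds a per-sender-address throttle on top of the per-IP hourly limit mentioned in #20, which a sender rotating IPs does not hit.

```php
<?php
/**
 * @file
 * Hypothetical module ddb_contact_protect (illustration only; not DDB CMS
 * or Honeypot code). Hardens the Drupal 7 core contact forms against use
 * as a spam relay.
 */

/**
 * Implements hook_form_alter().
 */
function ddb_contact_protect_form_alter(&$form, &$form_state, $form_id) {
  // Core contact form ids; add any site-specific contact form ids here.
  $protected_forms = array('contact_site_form', 'contact_personal_form');
  if (!in_array($form_id, $protected_forms)) {
    return;
  }

  // 1. Honeypot: a hidden field humans leave empty but bots fill in, plus a
  //    minimum time between form load and submit. Both checks run server-side
  //    in the Honeypot module; nothing is shown to normal visitors.
  //    (Alternative: enable the form on Honeypot's own settings page.)
  if (module_exists('honeypot')) {
    honeypot_add_form_protection($form, $form_state, array('honeypot', 'time_restriction'));
  }

  // 2. "Send yourself a copy" mails whatever address the visitor typed into
  //    the "mail" field, i.e. a relay. Hide it for anonymous users AND drop
  //    the value in validation; hiding a field alone does not refuse a value
  //    that arrives in the POST body.
  if (user_is_anonymous() && isset($form['copy'])) {
    $form['copy']['#access'] = FALSE;
    $form['#validate'][] = 'ddb_contact_protect_no_anonymous_copy';
  }

  // 3. Throttle per sender address in addition to core's per-IP limit.
  $form['#validate'][] = 'ddb_contact_protect_flood_validate';
  $form['#submit'][] = 'ddb_contact_protect_flood_register';
}

/**
 * Validation handler: force the copy flag off for anonymous submissions.
 */
function ddb_contact_protect_no_anonymous_copy($form, &$form_state) {
  form_set_value($form['copy'], 0, $form_state);
}

/**
 * Normalised flood identifier for the sender address.
 */
function _ddb_contact_protect_identifier(array $values) {
  $mail = isset($values['mail']) ? $values['mail'] : '';
  return drupal_strtolower(trim($mail));
}

/**
 * Validation handler: reject when this sender address exceeds the limit.
 */
function ddb_contact_protect_flood_validate($form, &$form_state) {
  // Hypothetical variables: default 3 messages per address per hour.
  $limit = variable_get('ddb_contact_protect_limit', 3);
  $window = variable_get('ddb_contact_protect_window', 3600);
  $identifier = _ddb_contact_protect_identifier($form_state['values']);
  if ($identifier === '') {
    return;  // Core's own validation already rejects a missing address.
  }
  if (!flood_is_allowed('ddb_contact_protect_mail', $limit, $window, $identifier)) {
    form_set_error('mail', t('Too many messages from this address. Please try again later.'));
    // Log it so repeated hits are visible in the watchdog for the library.
    watchdog('ddb_contact_protect', 'Contact form flood limit reached for %mail.',
      array('%mail' => $identifier), WATCHDOG_NOTICE);
  }
}

/**
 * Submit handler: count a successful submission against the address.
 */
function ddb_contact_protect_flood_register($form, &$form_state) {
  $window = variable_get('ddb_contact_protect_window', 3600);
  $identifier = _ddb_contact_protect_identifier($form_state['values']);
  if ($identifier !== '') {
    flood_register_event('ddb_contact_protect_mail', $window, $identifier);
  }
}
```

Placing the module in sites/all/modules and enabling it is enough for the hooks to run; the Honeypot step is skipped cleanly if that module is not installed. The point of steps 2 and 3 is that the receipt-to-arbitrary-address behaviour, not the form itself, is what makes the form a relay, so that is what the module refuses, while the per-address throttle limits damage from a sender that changes IP, which is exactly the case DBC could not block by IP alone.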

#29 Updated by Rolf Madsen over 4 years ago

  • Assignee changed from Rolf Madsen to Martin Cording

It sounds like there is agreement that Honeypot is a good solution, based on your experience, so let's add the module!

#30 Updated by Martin Cording over 4 years ago

  • Status changed from Need more info to Ready for development

#31 Updated by Martin Cording over 4 years ago

  • Status changed from Ready for development to Needs code review
  • Assignee deleted (Martin Cording)

#32 Updated by Gitte Barlach over 4 years ago

  • Assignee set to Kasper Garnæs

#33 Updated by Kasper Garnæs over 4 years ago

  • Status changed from Needs code review to Reviewed

Reviewed and approved.

#34 Updated by Kasper Garnæs over 4 years ago

  • Assignee changed from Kasper Garnæs to Gitte Barlach

#35 Updated by Rolf Madsen over 4 years ago

  • Target version changed from 39 to DDB CMS 2016 1. opgradering

#36 Updated by Kasper Garnæs over 4 years ago

  • Status changed from Reviewed to Technical test

Merged.

#37 Updated by Nino Tiainen over 4 years ago

Tested and approved on vanilla and upgrade. Have only verified that Honeypot is included in the rollout.

#38 Updated by Nino Tiainen over 4 years ago

  • Assignee changed from Gitte Barlach to Nino Tiainen

#39 Updated by Gitte Barlach over 4 years ago

  • Status changed from Technical test to Resolved (tag version)

#40 Updated by Nino Tiainen about 4 years ago

  • Assignee changed from Nino Tiainen to Gitte Barlach
  • Categories Administration - System configuration added

#41 Updated by Anonymous almost 3 years ago

Taastrup Library has just had a severe spam attack, where we received Chinese emails via the contact page every 5 minutes. DBC has blocked the sender addresses, so it has stopped now, but we are still vulnerable and I wonder when the next attack will come. Are you sure the problem is solved?

#42 Updated by Rolf Madsen almost 3 years ago

  • Description updated (diff)
  • Assignee changed from Gitte Barlach to Anonymous

Are you using the built-in contact form or the Webforms module?

#43 Updated by Bodil Sørensen almost 3 years ago

In Struer we have also had a great many recently. DBC has not really been able to help us: "Unfortunately it appears to be changing IPs, so it won't help much for me to put blocks in place for your site."

The spam attacks come via the contact form.

#44 Updated by Rolf Madsen almost 3 years ago
