
Solution for fighting spam sign-ups? #1133

Closed
michaelbutler opened this issue Jan 4, 2023 · 2 comments
Labels
question Further information is requested

Comments

@michaelbutler

In a related software project I recently got hit with a big spam wave (3,000 spam sign-ups) simply because I included the "First Name" field in the welcome e-mail. The attack works like this: the spammer writes a script to input a database of emails into your sign-up form, and in the "First Name" field it inserts whatever crap it wants. For example, First Name: Free pharmaceuticals now visit xyz.biz. Even for double opt-in, it means that 3,000 people will get emails with that bit of text in the email body. Even if the HTML is stripped out they can still abuse it.

Before activating ListMonk on my server I'd like to make sure this attack isn't possible. I can think of two solutions:

  1. Remove "First Name" or other user-generated fields from the very first welcome email, until the user double-opts in. This means that spammers can still abuse it, but it would be pretty worthless since it doesn't give them a bit of customization or benefit at all.
  2. (In addition to 1 probably) - add a server-to-server authorization callback pre-step before adding the user or sending out the initial opt-in email. For example, I can define an HTTPS endpoint on my own server with information about the HTTP request to approve or deny it. For example, list-monk would POST to myserver.xyz/validate with body email=XYZ&name=XYZ&ip_address=XYZ&user_agent=abc and I can implement my own IP geolocation, rate limit, spam checks as needed. I wouldn't need to modify the ListMonk code itself.

Is there an easy way to achieve this with ListMonk?

@knadh
Owner

knadh commented Jan 5, 2023

Hi @michaelbutler.

Related: #1116

  1. You can customize all static templates with the --static-dir parameter. https://listmonk.app/docs/templating/#system-templates

  2. This is precisely what the APIs are for. You can disable listmonk's default signup form and create your own signup form that does any validation you want before POSTing the subscription to listmonk.

@knadh knadh added the question Further information is requested label Jan 5, 2023
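As an added illustration of point 2 above (this is example code, not listmonk's own code and not from either commenter): a minimal custom sign-up handler that does the validation the issue asks for, namely rejecting names that carry links or junk characters and rate limiting per source IP, and only then builds the POST to listmonk's `/api/subscribers` endpoint with `preconfirm_subscriptions` left false so the double opt-in flow still runs. The listmonk base URL, list id, Basic-auth API credentials and the sample form submissions are assumptions constructed for the demo; it also covers point 1 in the sense that a name that never reaches listmonk never reaches the opt-in email.

```python
"""Custom sign-up front end that validates before calling listmonk's API.
Assumptions: listmonk reachable at LISTMONK_URL, target list id 1, an API
user whose credentials are accepted via HTTP Basic auth. SAMPLE_FORMS below
are constructed for this demo, not real submissions."""
import base64
import json
import re
import time
import urllib.request
from collections import defaultdict, deque

LISTMONK_URL = "https://listmonk.example.test"  # assumption: your listmonk base URL
LIST_ID = 1                                     # assumption: the list to subscribe to
RATE_LIMIT, RATE_WINDOW = 5, 3600               # max sign-ups per IP per hour
MAX_NAME_LEN = 64

# A link or a bare domain has no place in a first name; this is the cheap check
# that kills the "visit xyz.biz" payload from the issue.
LINK_RE = re.compile(
    r"(https?://|www\.|[a-z0-9-]+\.(?:com|net|org|biz|info|xyz|ru|io)\b)", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Letters (any script), spaces and . ' - only: no digits, angle brackets, etc.
NAME_RE = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ .'-])*$")


class SignupGate:
    """Per-IP rate limiting plus content checks; check() returns (accepted, reason)."""

    def __init__(self, now=time.time):
        self._now = now                    # injectable clock, handy for tests
        self._hits = defaultdict(deque)    # ip -> timestamps within the window

    def _over_limit(self, ip):
        q, t = self._hits[ip], self._now()
        while q and q[0] <= t - RATE_WINDOW:   # drop hits older than the window
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return True
        q.append(t)
        return False

    def check(self, email, name, ip):
        email, name = email.strip(), " ".join(name.split())
        if not EMAIL_RE.match(email):
            return False, "invalid email"
        if len(name) > MAX_NAME_LEN:
            return False, "name too long"
        if LINK_RE.search(name):
            return False, "link in name"
        if name and not NAME_RE.match(name):
            return False, "name contains disallowed characters"
        if self._over_limit(ip):
            return False, "rate limited"
        return True, "ok"


def build_subscriber_request(email, name, api_user, api_token):
    """Build the POST /api/subscribers request (listmonk API). Basic auth with
    an API user's credentials is an assumption; preconfirm_subscriptions=False
    keeps listmonk's double opt-in email in the loop."""
    body = json.dumps({"email": email, "name": name, "status": "enabled",
                       "lists": [LIST_ID], "preconfirm_subscriptions": False}).encode()
    cred = base64.b64encode(f"{api_user}:{api_token}".encode()).decode()
    return urllib.request.Request(
        f"{LISTMONK_URL}/api/subscribers", data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {cred}"})


def handle_signup(gate, form, api_user="api", api_token="API-TOKEN-PLACEHOLDER"):
    """Form handler: reject locally, or return the request destined for listmonk.
    The caller sends it with urllib.request.urlopen(result["request"])."""
    ok, reason = gate.check(form.get("email", ""), form.get("name", ""),
                            form.get("ip", ""))
    if not ok:
        return {"accepted": False, "reason": reason}
    req = build_subscriber_request(form["email"].strip(),
                                   " ".join(form["name"].split()),
                                   api_user, api_token)
    return {"accepted": True, "reason": "ok", "request": req}


# Constructed sample submissions: one legitimate, one spam name, one bad email.
SAMPLE_FORMS = [
    {"email": "alice@example.org", "name": "Alice", "ip": "203.0.113.7"},
    {"email": "bob@example.org",
     "name": "Free pharmaceuticals now visit xyz.biz", "ip": "198.51.100.9"},
    {"email": "not-an-email", "name": "Carol", "ip": "203.0.113.7"},
]

if __name__ == "__main__":
    gate = SignupGate()
    for form in SAMPLE_FORMS:
        result = handle_signup(gate, form)
        print(form["email"], "->",
              "forward to listmonk" if result["accepted"] else result["reason"])
```

The gate only needs the email, name and client IP, so the same check() can sit behind any form framework; the rate limiter is in-process memory, which is fine for a single instance and would move to a shared store (Redis or similar) if the front end runs on several hosts.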
@michaelbutler
Author

Thank you very much for the response @knadh! Both answers will be adequate (using the custom API with my own sign-up form is more advanced for sure, but doable!). I'll close this thread now.
