Allowing email forms to auto-reply to the submitter's email address is a great way, for example, for your domain reputation to be hurt by malicious spammers. How? Easy.
Spammers use this for two purposes.
- They spam you in the hopes you click a link.
- They submit under fake email addresses, and if the "send submitter a reply" checkbox on the form is checked, it sends, from YOUR domain and under YOUR email address, links to a long list of sites.
Desktop email clients, Gmail, Outlook, all of them will convert URL-like text into clickable links. For example: if I make my last name https://www.example.org, then when someone receives the reply, it gives them a nice fake link to click and infect their computer.
As always, the best security is based on two things:
- Common sense. Think before you do.
- Think to yourself "How would you hack that information?"
Example: Never "play back" data the user submitted. By that, we mean having a reply that includes ANY CONTENT OF ANY KIND from the submitted form. I could submit a form under the email Joe @ gmail com and make my last name "www example com", and Joe would get an acknowledgment email containing a link to example . com. See how easy that is?
Solution: DO NOT SET UP AUTO-REPLY ON A FORM.
Of course, there are exceptions. You can change the email text to say "thanks for your submission" and nothing further. Or you might be using Tendenci behind a firewall. Or the form might be restricted to logged-in and verified users. Those are exceptions and they are valid. Seek balance, just don't feed the s p a m m e r s.
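The "fixed text only" exception above, next to the playback pattern it replaces, as an added example that is not Tendenci's own code. The function names, sender address and sample form values are constructed for illustration; `reflected_fields` is a hypothetical test helper that tells you whether a reply template echoes anything the submitter typed.

```python
from email.message import EmailMessage

SENDER = "noreply@example.org"           # assumed sender address
FIXED_SUBJECT = "Thanks for your submission"
FIXED_BODY = "Thanks for your submission."

# Constructed sample submission: the "last name" is really a URL.
SAMPLE_FORM = {
    "email": "joe@example.com",
    "first_name": "Zq7marker",
    "last_name": "https://www.example.org",
}


def _envelope(form: dict) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = form["email"]            # the address is used only as the recipient
    msg["Subject"] = FIXED_SUBJECT
    return msg


def playback_reply(form: dict) -> EmailMessage:
    """The pattern the article warns about: submitted fields go into the body."""
    msg = _envelope(form)
    msg.set_content(
        f"Hi {form['first_name']} {form['last_name']}, thanks for your submission."
    )
    return msg


def fixed_reply(form: dict) -> EmailMessage:
    """The exception: a constant acknowledgment and nothing further."""
    msg = _envelope(form)
    msg.set_content(FIXED_BODY)
    return msg


def reflected_fields(msg: EmailMessage, form: dict) -> list:
    """Names of submitted fields whose value shows up in the subject or body.

    Meant for a template test: submit distinctive marker values and
    require that this returns an empty list before enabling auto-reply.
    """
    text = (str(msg["Subject"]) + "\n" + msg.get_content()).lower()
    return [name for name, value in form.items()
            if name != "email" and value and value.strip().lower() in text]
```

Run `reflected_fields` against every auto-reply template with marker values in each form field; any non-empty result means the reply plays back submitter content.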