Security is always first at Tendenci - The Open Source AMS

Allowing email forms to auto-reply to the submitter's email address is a great way (for example) for your domain reputation to be hurt by malicious spammers. How? Easy.

Spammers use this for two purposes.
  1. They spam you in the hopes you click a link.
  2. They submit under fake emails and, if the "send submitter a reply" checkbox on the form is checked, the reply goes out from YOUR domain under YOUR email address carrying links to a long list of sites.
Email clients, whether desktop software, Gmail or Outlook, will all convert URLs into clickable links. For example: if I make my last name https://www.example.org then when someone receives the reply, it will give them a nice fake link to click and infect their computer.
 
As always, the best security is based on two things:
  1. Common sense. Think before you do.
  2. Think to yourself "How would you hack that information?"
 
Example: Never "play back" data the user submitted. By that we mean having a reply that includes ANY CONTENT OF ANY KIND from the submitted form. I could submit a form under the email Joe @ gmail com and make my last name "www example com", and Joe would get an acknowledgement email with a link to his example . com. See how easy that is?
 
Solution: DO NOT SET UP AUTO-REPLY ON A FORM.
Of course there are exceptions. You can change the email text to say "thanks for your submission" and nothing further. Or you might be using Tendenci behind a firewall. Or the form might be restricted to logged-in and verified users. Those are exceptions and they are valid. Seek balance, just don't feed the s p a m m e r s. 
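The "play back" anti-pattern and the fixed-text alternative side by side, as an added example that is not Tendenci's own code. The sample submission, the sender address and the link-detection regex are constructed for illustration.

```python
"""Contact-form auto-reply: the 'play back' anti-pattern next to a safe version."""
import re
from email.message import EmailMessage
from typing import Optional

# Matches URLs and bare domains that a mail client would turn into clickable links
# (e.g. "https://x.y", "www.example.org", "example.com"). Constructed, not exhaustive.
LINK_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|org|net|io)\b", re.IGNORECASE)

# Constructed sample submission: the "last name" field carries a URL, as in the post.
# The email is the spammer's chosen victim, not the spammer.
SUBMISSION = {
    "first_name": "Joe",
    "last_name": "https://www.example.org",
    "email": "joe@example.com",
    "message": "please visit www.example.org",
}


def contains_link(text: str) -> bool:
    """True if a mail client would render part of this text as a clickable link."""
    return LINK_RE.search(text) is not None


def unsafe_auto_reply(submission: dict) -> EmailMessage:
    """The anti-pattern: echoes submitted fields, so injected URLs leave from YOUR domain."""
    msg = EmailMessage()
    msg["From"] = "forms@your-association.example"  # constructed sender
    msg["To"] = submission["email"]
    msg["Subject"] = "Thanks for contacting us"
    msg.set_content(f"Dear {submission['first_name']} {submission['last_name']},\n\n"
                    f"We received your message:\n{submission['message']}\n")
    return msg


def safe_auto_reply(submission: dict) -> Optional[EmailMessage]:
    """Fixed text only; send nothing at all when any non-email field looks like a link."""
    if any(contains_link(str(v)) for k, v in submission.items() if k != "email"):
        return None  # suppress the reply rather than relay the spammer's links
    msg = EmailMessage()
    msg["From"] = "forms@your-association.example"  # constructed sender
    msg["To"] = submission["email"]
    msg["Subject"] = "Thanks for contacting us"
    msg.set_content("Thank you for your submission. We will be in touch.\n")
    return msg
```

Run the two functions on SUBMISSION: the unsafe reply body contains https://www.example.org verbatim, while the safe version returns None because a submitted field carries a link.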
 