Allowing email forms to auto-reply to the submitter's email address is a great way (for example) for your domain reputation to be hurt by malicious spammers. How? Easy.
Spammers use this for two purposes.
- They spam you in the hopes you click a link.
- They submit under fake emails, and if the "send submitter a reply" checkbox in forms is checked, it sends links to a long list of sites from YOUR domain under YOUR email.
Email clients, whether desktop software, Gmail, or Outlook, will all convert URLs into clickable links. For example: if I set my last name to https://www.example.org, then when someone receives the reply it will show them a nice fake link to click and infect their computer.
As always, the best security is based on two things:
- Common sense. Think before you do.
- Think to yourself "How would you hack that information?"
Example: Never "play back" data the user submitted. By that we mean having a reply that includes ANY CONTENT OF ANY KIND from the submitted form. I could submit a form under the email Joe @ gmail com and set my last name to "www example com", and Joe would get an acknowledgement email from you with a link to example . com. See how easy that is?
Solution: DO NOT SET UP AUTO-REPLY ON A FORM.
Of course there are exceptions. You can change the email text to say "thanks for your submission" and nothing further. Or you might be using Tendenci behind a firewall. Or the form might be restricted to logged-in and verified users. Those are exceptions and they are valid. Seek balance, just don't feed the s p a m m e r s.
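To make the "play back" problem concrete, here is an added example (not Tendenci's code, and not part of the original post) that contrasts an auto-reply builder which echoes submitted fields with one that sends fixed text only. It also adds a simple check that flags submissions carrying a URL in a free-text field, which is a useful signal for logging or for refusing to send the acknowledgement at all. The submission dictionary, the field names and the `fields_with_links` / `build_auto_reply` helpers are all assumptions made up for this illustration.

```python
import re

# Constructed sample submission (not real data): a spammer has put a URL
# in the "last_name" field, exactly the trick the text above describes.
SAMPLE_SUBMISSION = {
    "email": "joe@example.com",
    "first_name": "Joe",
    "last_name": "https://www.example.org",
    "message": "please visit my site",
}

# Fixed acknowledgement text: contains nothing the submitter typed.
SAFE_BODY = "Thanks for your submission."

# Rough URL detector: explicit schemes, "www." prefixes, and bare
# domain-looking tokens. Deliberately broad; a false positive only
# suppresses a courtesy email, a false negative relays spam.
URL_PATTERN = re.compile(
    r"https?://\S+|www\.\S+|\b[\w-]+\.(?:com|net|org|io)\b",
    re.IGNORECASE,
)


def vulnerable_reply(submission):
    """The pattern the page warns against: submitted fields are played
    back verbatim, so any URL the submitter typed lands in the reply."""
    return (
        f"Thanks {submission['first_name']} {submission['last_name']}, "
        f"we received your message: {submission['message']}"
    )


def safe_reply(submission):
    """Hardened variant: the body never depends on submitted content."""
    return SAFE_BODY


def fields_with_links(submission, skip=("email",)):
    """Return the names of free-text fields that contain something
    URL-shaped. The email field is skipped because every address has a
    domain in it and would always trip the detector."""
    return [
        name
        for name, value in submission.items()
        if name not in skip and URL_PATTERN.search(value)
    ]


def build_auto_reply(submission):
    """Policy used here: never play back fields, and do not send any
    acknowledgement when a free-text field carries a link. Returns the
    body to send, or None when the reply should be suppressed (the
    caller can log the flagged field names instead)."""
    flagged = fields_with_links(submission)
    if flagged:
        return None
    return safe_reply(submission)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_reply(SAMPLE_SUBMISSION))
    print("flagged fields:", fields_with_links(SAMPLE_SUBMISSION))
    print("reply to send:", build_auto_reply(SAMPLE_SUBMISSION))
```

Running it shows the echoing builder hands the attacker's URL straight to the recipient, while the hardened path both drops the playback and declines to send at all for this submission. Even when a form legitimately needs an acknowledgement, the fixed-text `safe_reply` is the only one of the two builders that cannot be turned into a relay.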