
Never-ending spam subscriptions via integration


#1

I am flooded with hundreds of spam inscriptions per week. I am using a Drupal form to send newsletter opt-ins to phpList, but the normal form is publicly available and doesn’t even need the “&id=1” to be accessible. I tried to change the word “subscribe” in the form link, but it doesn’t work. Also, disabling the list checkboxes through JavaScript (document.querySelectorAll("li.list input")[0].disabled = true;) does not prevent inscriptions. What else can I do?


#2

Have you considered adding the Captcha plugin?


#3

Yes, but I thought then I cannot send data from my Drupal form anymore?


#4

@0711master You would need to manually add the Captcha HTML (as included by the plugin in the subscribe page) to your Drupal form.

See my comment to a similar question https://github.com/phpList/phplist3/issues/337#issuecomment-393109705


#5

Thank you, I checked the link in your post. Unfortunately the plugin requires adding custom PHP which is only possible in Drupal through adding another plugin. This is not recommended for security reasons. Also why should I add an extra spam protection if the one in Drupal is already sufficient? It is the phpList form that is vulnerable, so for future releases maybe some of these points could be considered:

  • Possibility to rename the VerificationCodeX field. I think this is the main reason why spam is possible, because everybody knows how to bypass the protection
  • Possibility to rename subscribe form URL
  • Possibility to change subscribe form ID

#6

What are you referring to here by “the plugin”? Do you mean a Drupal plugin, not the phpList CAPTCHA plugin? The CAPTCHA plugin doesn’t require changes to PHP code.


#7

Sorry, I was referring to Securimage (https://www.phpcaptcha.org/documentation/quickstart-guide/)