Never-ending spam subscriptions via integration

I am flooded with hundreds of spam inscriptions per week. I am using a Drupal form to send newsletter opt-ins to phplist, but the normal form is publicly available and doesn’t even need the “&id=1” to be accessible. I tried to change the word “subscribe” in the form link, but it doesn’t work. Also, disabling the list checkboxes through JavaScript (document.querySelectorAll("li.list input")[0].disabled = true;) does not prevent inscriptions. What else can I do?

Have you considered adding the Captcha plugin?

Yes, but I thought then I cannot send data from my Drupal form anymore?

@0711master You would need to manually add the Captcha html (as included by the plugin in the subscribe page) to your Drupal form.

See my comment to a similar question https://github.com/phpList/phplist3/issues/337#issuecomment-393109705

Thank you, I checked the link in your post. Unfortunately the plugin requires adding custom PHP which is only possible in Drupal through adding another plugin. This is not recommended for security reasons. Also why should I add an extra spam protection if the one in Drupal is already sufficient? It is the phpList form that is vulnerable, so for future releases maybe some of these points could be considered:

  • Possibility to rename the VerificationCodeX field. I think this is the main reason why spam is possible, because everybody knows how to bypass the protection
  • Possibility to rename subscribe form URL
  • Possibility to change subscribe form ID

What are you referring to here by “the plugin”? Do you mean a Drupal plugin, not the phplist CAPTCHA plugin? The CAPTCHA plugin doesn’t require changes to php code.

Sorry, I was referring to Securimage (https://www.phpcaptcha.org/documentation/quickstart-guide/)

Alternatively, you can use Webform phpList Drupal module. Webform comes with several reliable options to fight bots. The module needs at least Drupal 8. Disclosure and invitation for feedback: I am the maintainer.

Ah, cool, that’s new!

I finally tested your plugin, but unfortunately there is no confirmation mail sent…

The default, double opt-in, will attempt to send an email using Drupal’s default MailManager. If you have not set up anything, it will use what is configured in PHP, usually the host’s sendmail. In other words, it doesn’t use the phpList configuration directly. I’ll add that to the documentation.

A popular choice for sending mails from within Drupal is the “SMTP Authentication Support” module.

Ok, there must have been an issue with sendmail. Now with the smtp module it’s working, but there are still two issues:

  • the email to confirm the registration is showing all available lists and not only the one I want to subscribe to
  • the end of the body is cut off, so there is no imprint anymore, which is strange because it is in the same field as the rest of the email text…

Thank you for your feedback! I have opened an issue (#3549341) and will attempt to reproduce the problems you described.

Ok, forget the second point with the imprint, I just realised I have two slightly different confirmation messages in the main configuration and the subscribe page options.

The first of your two issues is now also solved, in the module version 1.1.1: [LISTS] now gets filled correctly with just the lists the user has subscribed to.
