
Email form invisibly allows spam by default #592

Open
zyphlar opened this issue Jan 11, 2024 · 4 comments

Comments

zyphlar commented Jan 11, 2024

Using v1.7.42.3 - Admin v1.10.43, I discovered that my site (and email server) have been sending out tons of spam without me realizing.

Problem 1: the default destination email address is something like your.email.here@example.com so without digging into settings I've been missing any contact form submissions this entire time. Also, the spam problem has persisted this entire time without me realizing.

Problem 2: the user is somehow able to customize the "To" field as well as the message content, which means they're able to send spam to strangers.

Problem 3: There are CAPTCHA settings in the Form plugin but it's not immediately obvious how to actually enable them, so my solution is to just disable the contact form and tell people to email me instead.

Problem 4: All of this is the default behavior of Grav, and in the ten minutes it took me to write this email I got 5 spam messages, so it's obvious that spammers know about this weakness and are actively exploiting it.

Return-Path: <me@example.com>
Delivered-To: me@example.com
Received: by example.com (Postfix, from userid 997)
	id 02B2F60C64; Thu, 11 Jan 2024 02:09:15 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by example.com (Postfix) with SMTP id EF4A260C60;
	Thu, 11 Jan 2024 02:09:15 +0000 (UTC)
From: me@example.com
To: me@example.com, victim@mail.example.ru
Subject: [Contact] =?utf-8?Q?=F0=9F=92=B3?= BAM 83764.62p:
 https://www.evil-website.example.co.uk/uploads/go.php?2cq0
 =?utf-8?Q?=F0=9F=92=B3?=
Message-ID: <059fa76824fc72a3f1f5643ab3e852cd@example.com>
MIME-Version: 1.0
Date: Thu, 11 Jan 2024 02:09:15 +0000
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable



   =20
                                                              =
      <div>
                                                            <=
strong>Name</strong>:
                           =20
                    =
                                                                           =
                                                                           =
  =F0=9F=92=B3 BAM 83764.62p: https://www.evil-website.example.co.uk/uploads/go.ph=
p?2cq0 =F0=9F=92=B3
                                                     =
                                                                   </div>=

                                                                        =
                                                    <div>
               =
                                             <strong>Email</strong>:
    =
                       =20
                                                =
                                                                           =
                                                 victim@mail.example.ru
       =
                                                                           =
                                      </div>
                            =
                                                                           =
                     <div>
                                              =
              <strong>Message</strong>:
                           =20
  =
                                                                           =
                                                                           =
                    fokerv
                                              =
                                                                          <=
/div>
                                                           =20

rhukster (Member) commented

First, this sounds like either a form plugin configuration issue or a theme issue, but not an Admin issue. So, first, I'm going to move this to the form plugin issue tracker.

@rhukster rhukster transferred this issue from getgrav/grav-plugin-admin Jan 11, 2024
rhukster (Member) commented

Actually this might be related to email specifically, but we'll leave it here until I know more...

So you have a Grav installation with the form plugin and email plugin. That by itself does not provide a form on your site, so you must also have a page you created for a contact form. When you set that up, did you configure the form's to + from? Did you add any captcha configuration? I think a copy of your form YAML configuration for that contact form would be helpful to see how you have things configured.

Also a copy of your email.yaml configuration would be helpful.

zyphlar (Author) commented Jan 11, 2024

Be aware I've had this install and just kept upgrading via Yunohost since at least Nov 2020 so my experience may be different from a brand new user, but that's still concerning since such users are evidently being drive-by spammed by bots 24/7.

I didn't customize the pages or themes practically at all; my custom theme just extends Twenty without changes. There aren't any particularly obvious settings inside the template stuff to configure any of these things. I tend to interact with Grav via the GUI and didn't notice that I had to configure the Form plugin to send me email instead of it just magically bubbling up via the local Sendmail to the local sysadmin. Since I run Nextcloud etc. on this same server, I assumed it'd just work given the relative lack of configuration options. I still haven't gone through all the plugin pages to check every single option; maybe there's something hidden there.

I'm pretty sure I just took whatever was immediately obvious in the default install and tweaked some wording. I didn't create the form template and barely customized anything: there are setups here, like a thank-you page after form submission, that I'm not sure I'd know how to configure. Googling around, I see references to configuring things inside the form page itself, but I see no such options in the page menus. (Apropos of nothing, I switched from my Default contact page template back to the Form contact page template for about 15 seconds, and in that time a spammer managed to get an email through.)

Here's the include path beyond my shell of a theme, nothing really obvious for fixing this issue though:

  • user/themes/twenty/templates/form.html.twig
  • user/themes/twenty/templates/forms/form.html.twig
  • user/plugins/form/templates/forms/default/form.html.twig

user/config/plugins/form.yaml

enabled: true
built_in_css: true
inline_css: true
refresh_prevention: false
client_side_validation: true
debug: false
inline_errors: false
files:
  multiple: false
  limit: 10
  destination: self@
  avoid_overwriting: false
  random_name: false
  filesize: 0
  accept:
    - 'image/*'
recaptcha:
  version: 2-checkbox
  theme: light
  site_key: null
  secret_key: null
turnstile:
  theme: light
  site_key: null
  secret_key: null
basic_captcha:
  type: characters
  chars:
    length: 6
    font: zxx-noise.ttf
    bg: '#cccccc'
    text: '#333333'
    size: 24
    start_x: 5
    start_y: 30
    box_width: 135
    box_height: 40
  math:
    min: 1
    max: 12
    operators:
      - +
      - '-'
      - '*'

user/config/plugins/email.yaml (prior to my modification inside the GUI to figure out what was wrong)

enabled: true
from: your@email.here
to: your@email.here
mailer:
  engine: mail
  smtp:
    server: localhost
    port: 25
    encryption: none
    user: ''
    password: ''
  sendmail:
    bin: '/usr/sbin/sendmail'

zyphlar (Author) commented Jan 11, 2024

Ah, here we go. Here is my page YAML; the only bit I really customized was the subject line. Wherever I got this from years ago, it's mostly copy-paste:

    process:
        -
            email:
                from: '{{ config.plugins.email.from }}'
                to:
                    - '{{ config.plugins.email.from }}'
                    - '{{ form.value.email }}'
                subject: '[Website Contact] {{ form.value.name|e }}'
                body: '{% include ''forms/data.html.twig'' %}'
        -
            save:
                fileprefix: feedback-
                dateformat: Ymd-His-u
                extension: txt
                body: '{% include ''forms/data.txt.twig'' %}'
        -
            message: 'Thank you for your message! We''ll get back to you soon.'
        -
            display: thankyou

In more current examples we get this, which shows options not visible in the GUI and answers the question of how to enable CAPTCHA:

    process:
        captcha: true
        save:
            fileprefix: contact-
            dateformat: Ymd-His-u
            extension: txt
            body: "{% include 'forms/data.txt.twig' %}"
        email:
            subject: "[Site Contact Form] {{ form.value.name|e }}"
            body: "{% include 'forms/data.html.twig' %}"
        message: Thank you for getting in touch!
        display: thankyou

There seem to be saner defaults in modern examples, so maybe this is a non-issue, but I bet I'm not the only one who copy-pasted some stuff, didn't realize what all needed configuring, forgot about it and let spammers go wild.

And yeah, for whatever reason, pasting config.plugins.email.from didn't clue me in to needing to go in and set a "from email" value in the plugin config system itself.
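The root cause in the page YAML above is the second `to:` entry, `{{ form.value.email }}`: any address a visitor types into the form becomes a recipient, which turns the contact form into a mail relay. The following is an added example, not code from this issue or from the Grav form or email plugins. It is a small stdlib-only lint that walks the indentation of a form page's YAML and reports every recipient key (`to`, `cc`, `bcc`; the `cc`/`bcc`/`reply_to` key names are assumed, the issue only shows `to`) whose value, inline or as a list item, is taken from a submitted field. Both sample documents are constructed: the first reproduces the vulnerable block from the issue, the second is a hardened form in which recipients come only from `email.yaml` and the visitor's address is used as `reply_to`, which does not change where the mail is delivered.

```python
import re

# Constructed sample: the process block posted in this issue, where the
# submitted email address becomes a second recipient (a mail relay for spam).
VULNERABLE_FORM = """\
form:
    name: contact
    process:
        -
            email:
                from: '{{ config.plugins.email.from }}'
                to:
                    - '{{ config.plugins.email.from }}'
                    - '{{ form.value.email }}'
                subject: '[Website Contact] {{ form.value.name|e }}'
                body: '{% include ''forms/data.html.twig'' %}'
        -
            display: thankyou
"""

# Constructed sample: recipients come only from the site's email.yaml; the
# visitor's address is only used as reply_to. (reply_to, cc and bcc as key
# names are an assumption about the email plugin, not taken from the issue.)
HARDENED_FORM = """\
form:
    name: contact
    process:
        captcha: true
        email:
            from: '{{ config.plugins.email.from }}'
            to: '{{ config.plugins.email.to }}'
            reply_to: '{{ form.value.email }}'
            subject: '[Website Contact] {{ form.value.name|e }}'
            body: '{% include ''forms/data.html.twig'' %}'
        display: thankyou
"""

# Keys whose value decides where the mail is delivered.
RECIPIENT_KEYS = {"to", "cc", "bcc"}
KEY_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")
FORM_VALUE_RE = re.compile(r"\{\{\s*form\.value\.([A-Za-z0-9_.]+)")


def find_user_controlled_recipients(yaml_text):
    """Return (line_no, key, form_field) for every recipient key whose value,
    inline or as a list item nested below it, comes from a submitted form field.

    Works line by line on indentation, so it needs no YAML library; it is a
    lint for the layouts Grav form pages use, not a full YAML parser."""
    findings = []
    current_key, key_indent = None, -1
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        # A key carried by a list item ("- to: ...") sits at the item's indent.
        if stripped.startswith("- "):
            body = stripped[2:].lstrip()
            indent += len(stripped) - len(body)
        else:
            body = stripped
        # Anything at the same or lower indent ends the recipient key's block.
        if current_key is not None and indent <= key_indent:
            current_key = None
        m = KEY_RE.match(body)
        if m:
            key, value = m.group(1), m.group(2)
            if key in RECIPIENT_KEYS:
                current_key, key_indent = key, indent
                findings += [(line_no, key, f) for f in FORM_VALUE_RE.findall(value)]
            continue
        # Plain list items ("- '...'") nested under a recipient key.
        if current_key is not None:
            findings += [(line_no, current_key, f) for f in FORM_VALUE_RE.findall(body)]
    return findings


def is_mail_relay(yaml_text):
    """True when at least one recipient is chosen by the form submitter."""
    return bool(find_user_controlled_recipients(yaml_text))


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_FORM), ("hardened", HARDENED_FORM)):
        hits = find_user_controlled_recipients(text)
        print(f"{label}: {'RELAY' if hits else 'ok'} {hits}")
```

Run it against the front matter of every form page under `user/pages` (a hypothetical path layout; adapt to the install) to find forms that were copy-pasted years ago and never revisited; the vulnerable sample reports line 9, key `to`, field `email`, and the hardened one reports nothing.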
