Mautic Community Forums

Don't create anonymous contacts on Mautic system pages

Your software
My Mautic version is: 3.3.2
My PHP version is: 7.4.3

Your problem
Right after installing Mautic, anonymous contacts started to appear. I’m new to Mautic so it took me some time to understand why this happens. The concept is clear to me now; Mautic tracks as many contacts as possible from your website and these can be “upgraded” when more info (like name, email, etc) is captured. Great concept!

However, I fail to understand why Mautic also creates anonymous contacts from (bot) visitors on 404 pages from the Mautic installation itself. I have not added any tracking info to these pages (they’re system generated anyway). My Mautic installation is running on a subdomain which is used for administrative purposes only, so I never want to track any visitor on this domain.

Is it possible to set this up somehow, or to disable the tracking from Mautic 404 pages? I did find some similar issues, "Bots are creating anonymous contacts in my AWS hosted mautic instance" and "Ghost contact IDs - #5 by biz-rolodex", but the first doesn’t offer any solutions. The second suggests installing a manually patched version of Mautic, but that’s something I don’t want, to prevent any future upgrade issues.

Or am I just complaining about a non-issue, and should I find a way to learn to live with (thousands of) unused anonymous contacts?

Did you ever find a solution to this? Just wondering if it’s a security issue - I have hundreds of anonymous contacts being created every day from all over the world. And I only stood up the EC2 instance of mautic a few days ago with a domain that is not located anywhere on the internet.

Unfortunately I’ve never found a solution to this issue. I don’t think it’s a real security issue, it’s just a visible result of the fact that there will always be bots scanning your server. Normally you won’t notice as it generates a 404 and that’s it, but because Mautic creates contacts for all these hits, it’s suddenly visible.

Your comment (a domain not located anywhere) triggered a thought though. You might want to look at your Apache virtualhost config and see where traffic without ServerName is routed to. In my case Apache falls back to the first available virtualhost config which, unsurprisingly, is my Mautic installation. Thus, all bot traffic scanning on IP addresses gets directed to Mautic.

I added a “catch all” config to just drop all this traffic; let’s see if this has any effect:

# Catch-all vhost for port 80. Apache sends any request whose Host header
# matches no ServerName to the first vhost defined for that port, so this
# block must be loaded before the Mautic vhost to take effect.
<VirtualHost *:80>
    ServerName catchall
    # Deny every request that lands here (Apache 2.2 access-control syntax;
    # on 2.4 it needs mod_access_compat, which is enabled by default).
    <Location />
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>

And if you do this, don’t forget to do the same for port 443.

Interesting. Thank you for responding and also providing a solution (or at least a work-around). What you described must be the issue as Mautic is the only thing I’m running on that server. I’ll give it a go, also.

You’re welcome. This tweak seems to work well for me, the amount of anonymous contacts has dropped significantly since implementing it a few days ago 🙂

Hey @zoefff - if you’ve got a minute, where do you actually put that virtualhost code? In an existing .conf file? I have a few under apache2 and added your code block as a second virtualhost at the top of the ssl one (000-default-le-ssl.conf), and restarted apache but it broke the server. Just deleted it to get it back, but clearly that’s not the correct spot!

Or do you have to create a separate site in apache? I’m googling, but haven’t found this answer in some apache forums.

Thanks, again.

It’s up to you what you want to do; either add additional config to an existing file or create a separate config for every vhost. I would do the latter to keep things organized.

The issue is probably something different. My code fragment should work on port 80, but it’s an incomplete configuration for port 443. You can find the minimum required directives for an SSL configuration in the Apache documentation. There’s usually some sort of default configuration you can use or copy, on my (Ubuntu) server it’s called default-ssl.conf.

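The thread stops at "you need the minimum SSL directives for port 443". As an added example (not posted by anyone in this thread, and not part of Mautic), here is a complete catch-all default vhost for Apache 2.4 covering both ports, written in 2.4 access-control syntax. It assumes a Debian/Ubuntu layout: `${APACHE_LOG_DIR}` is defined in /etc/apache2/envvars, mod_ssl is enabled (`a2enmod ssl`), and the self-signed "snakeoil" certificate from the ssl-cert package exists at the paths shown; the file name 000-catchall.conf and the ServerName "catchall" are placeholders you can rename.

```apache
# Added example, not from the thread. Save as
# /etc/apache2/sites-available/000-catchall.conf and enable with
# "a2ensite 000-catchall". The "000-" prefix makes it sort before the Mautic
# vhost, which matters because Apache routes any request whose Host header
# (or TLS SNI name) matches no ServerName to the FIRST vhost for that port.

<VirtualHost *:80>
    ServerName catchall

    # Reject every request that reaches this default vhost with 403.
    <Location />
        Require all denied
    </Location>

    # Log these hits separately so bot noise stays out of the Mautic logs.
    ErrorLog ${APACHE_LOG_DIR}/catchall_error.log
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName catchall

    # A TLS vhost cannot complete the handshake without a certificate.
    # A self-signed one is fine here because no legitimate client should
    # ever be served by this vhost. Paths below are placeholders (Debian/Ubuntu
    # ssl-cert package).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    <Location />
        Require all denied
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/catchall_error.log
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
</VirtualHost>
```

After `apache2ctl configtest` and a reload, `apache2ctl -S` lists the default server for each port; both `*:80` and `*:443` should show `catchall`, not the Mautic vhost. A request by raw IP address (`curl -sI http://SERVER_IP/`, and `curl -skI https://SERVER_IP/` for TLS) should then return 403 from the catch-all, while requests with the Mautic hostname still reach Mautic.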