Mautic Community Forums

Spambots abuse Mautic Forms

This post is more a warning to the community and also to gather ideas how to avoid spam abuse of forms.

Your software
My Mautic version is: 4.1.1
My PHP version is: 8.0
My Database type and version is: MariaDB 10.4

Your problem
My problem is:
One of our clients had over 400,000 signups overnight by a spambot, and they used all of his email quota to send spam messages.

There seems to be a spam trend at the moment!
Spammers are looking for the placeholders in opt-in forms and then fill in their message into e.g. firstname and lastname. Thanks to GDPR, everybody then sends an automated confirmation message.
And the personalisation within this message is abused to show a CTA and a link instead of the name of the recipient (who didn't even sign up).

Steps I have tried to fix the problem:
We inserted a honeypot into the forms.

I made a video to describe the problem and how to build a honeypot (as described in the mautic documentation): This is how spambots can sign into your double optin & how to stop them - mautic tutorial - YouTube

Hello Alex, maybe use a Captcha?


We just discussed the topic at length in the DACH (DE/AT/CH) Meetup, recording is in #germany on Slack.
Bottom lines:

  • It’s a real problem (for Mautic as well as the rest of the world)

  • It’s a tough problem

  • “personalisation within this message” → needs to be sanitized!

  • For that reason we should offer a solution in Mautic (e.g. a new form field type “Text without Link”, or at least a regex-based validation for “Text” fields). Ideally this would be a regular JS-based validation PLUS a server side removal of malicious things (Idea: This could be a form action! And in any case, it would have to run first, prior to e.g. “send email to contact”)

  • If a submission fails due to validation, or if the entry is thrown entirely away server-side: fine!

  • Else, Form Spam would still be bad, because it not only gives a bad impression for the recipients, but some will flag the Spam and that will destroy your rating at the email providers

  • Thus the Captchas etc.:

  • Honeypots or simple math tasks don’t help with serious attack tools (e.g. XRumer)

  • Google ReCaptcha works pretty well (v3 is even user friendly) BUT it is not an option where GDPR has to be honored

  • FriendlyCaptcha can cost money and is not 100% as good, but may well be good enough. And is GDPR compliant

  • In Mautic, we should offer an easy way to use either solution with a form

  • Other means include low-level things like IP-based denial of entire countries, fail2ban, … (only where applicable, of course)
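What the honeypot from the first post and the "Text without Link" / server-side validation proposed above would look like when run as the first step, before "send email to contact". This is an added example in Python, not Mautic's own PHP code: the field aliases (`firstname`, `lastname`), the honeypot field name `website`, the length limit and the regex lists are assumptions; the `{contactfield=alias}` token style is modelled on Mautic's personalisation tokens, and the sample submissions are constructed.

```python
import html
import re
from dataclasses import dataclass, field

# Assumed field aliases (Mautic lets each form define its own). The honeypot is an
# extra text input hidden with CSS, which a human never sees and therefore never fills.
HONEYPOT_FIELD = "website"
NAME_FIELDS = ("firstname", "lastname")
MAX_NAME_LEN = 60

# Patterns that do not belong in a person's name but are exactly what the spam in this
# thread relies on: URLs (with or without scheme), markup, BBCode and e-mail addresses.
URL_RE = re.compile(
    r"https?://|www\.|\b[a-z0-9-]+\.(?:com|net|org|ru|xyz|top|info|io)\b", re.I)
MARKUP_RE = re.compile(r"<[^>]*>|\[/?url[^\]]*\]|&[a-z#0-9]+;", re.I)
EMAIL_RE = re.compile(r"\S+@\S+\.\S+")


@dataclass
class Verdict:
    accepted: bool = True
    reasons: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # stripped values for later personalisation


def validate_submission(form: dict) -> Verdict:
    """Decide whether a raw submission (field alias -> value) may proceed to the
    'send confirmation email' step, and record why not if it may not."""
    v = Verdict()
    if form.get(HONEYPOT_FIELD, "").strip():
        # A filled honeypot is decisive: drop the submission before anything else runs.
        v.accepted = False
        v.reasons.append("honeypot filled")
        return v
    for name in NAME_FIELDS:
        value = form.get(name, "").strip()
        v.fields[name] = value
        if len(value) > MAX_NAME_LEN:
            v.reasons.append(f"{name}: longer than {MAX_NAME_LEN} characters")
        if URL_RE.search(value) or EMAIL_RE.search(value):
            v.reasons.append(f"{name}: contains a link or address")
        if MARKUP_RE.search(value):
            v.reasons.append(f"{name}: contains markup")
    v.accepted = not v.reasons
    return v


def render_greeting(template: str, fields: dict) -> str:
    """Fill {contactfield=alias} tokens with HTML-escaped values, so that a value which
    was never validated still cannot inject tags or attributes into the outgoing email."""
    return re.sub(r"\{contactfield=(\w+)\}",
                  lambda m: html.escape(fields.get(m.group(1), ""), quote=True),
                  template)


# Constructed sample submissions, modelled on the abuse described in the thread.
LEGIT = {"firstname": "Anna", "lastname": "Müller", "website": ""}
BOT_HONEYPOT = {"firstname": "CLAIM YOUR PRIZE", "lastname": "http://example.com/win",
                "website": "http://example.com"}
BOT_LINK_IN_NAME = {"firstname": "Get 50% off at www.example.com",
                    "lastname": "<a href='http://example.com'>Click here</a>",
                    "website": ""}

if __name__ == "__main__":
    for label, form in [("legit", LEGIT), ("honeypot", BOT_HONEYPOT),
                        ("link in name", BOT_LINK_IN_NAME)]:
        v = validate_submission(form)
        print(label, "accepted" if v.accepted else "rejected", v.reasons)
    # Escaping is the last line of defence, not a substitute for the validation above.
    print(render_greeting("Hello {contactfield=firstname}!", {"firstname": "<b>Buy</b> now"}))
```

Escaping alone is not enough for this attack: a bare `www.example.com` in a first name survives `html.escape` untouched and most mail clients auto-link it, which is why the link check rejects the submission outright instead of trying to clean it. The regexes are deliberately strict and will occasionally hit an unusual real name, so a rejected submission should fail with a visible validation message rather than silently disappearing.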


@ekke , @joeyk Super interesting thoughts. I saw that it was the topic of the last DACH Meeting. Didn't have time to attend :frowning:
Anyway. I think I am going to look into one solution after the other.
I already thought that it wouldn't be too difficult for a serious spammer to figure out the honeypot…