We just discussed the topic in length in the DACH (DE/AT/CH) Meetup, recording is in #germany on Slack.
Bottom lines:
- It’s a real problem (for Mautic as well as the rest of the world)
- It’s a tough problem
- “personalisation within this message” → needs to be sanitized!
- For that reason we should offer a solution in Mautic (e.g. a new form field type “Text without Link”, or at least a regex-based validation for “Text” fields). Ideally this would be a regular JS-based validation PLUS a server-side removal of malicious things (Idea: This could be a form action! And in any case, it would have to run first, prior to e.g. “send email to contact”)
- If a submission fails due to validation, or if the entry is thrown away entirely server-side: fine!
- Else, Form Spam would still be bad, because it not only gives a bad impression to the recipients, but some will flag the Spam and that will destroy your rating at the email providers
- Thus the Captchas etc.:
  - Honeypots or simple math tasks don’t help with serious attack tools (e.g. XRumer)
  - Google ReCaptcha works pretty well (v3 is even user friendly) BUT it is not an option where GDPR has to be honored
  - FriendlyCaptcha can cost money and is not 100% as good, but may well be good enough. And is GDPR compliant
  - In Mautic, we should offer an easy way to use either solution with a form
- Other means include low-level things like IP-based denial of entire countries, fail2ban, … (only where applicable, of course)