Traffic to 404 pages creating new anonymous contact users

Your software
My Mautic version is: 3.3.3
My PHP version is: 7.4.3
My Database type and version is: MySQL 8

Your problem
My problem is:
I have a brand new install and fresh database. Within a day of the setup I started noticing new contacts being added as if the system had been hacked. Tracing back through the Apache access logs I can see external IP addresses hitting all sorts of various endpoints. Each time one hits a page that doesn’t exist it does show the 404 page AND returns the 404 status code, but a new contact gets created anyway. It appears that even GoogleImageProxy is creating new contacts.

This setup is known only to me and no tracking has been installed on any site.

These errors are showing in the log:

Apache Access Log:

Mautic Contact:

GoogleImageProxy:

Is this a known issue? Is there a way to restrict these incoming requests by hostname, or just turn off lead creation unless it’s created via the pixel? Interested in your thoughts.

Hi Dan,

This is the expected behavior - bots create traffic and that is indeed taken as a new contact with every URL they try (since obviously they do not do cookies).
Would be great if Mautic would ignore them if they go 404, but that is not the case as of today. Definitely a feature request.
However, the same applies to crawlers of all sorts, except that they don’t have the 404.

In other words: Good practice is to create a simple clean-up campaign like “delete all contacts with just one click in 24 hours, and with no email address present”.
That should help you get rid of the junk.

Greets,
Ekke


Ekke Guembel

Mautic Open Source Project, Team Lead "Community"
Mail: ekke.guembel@mautic.org
Phone: +49 511 6262 9311
Profile & Social Media: Leuchtfeuer.com/ekke
Mautic Podcast: mauticast.de (DE) / mauticast.com (EN)

1 Like
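The two questions in this thread, "where are these 404-born contacts coming from?" and "which contacts does the clean-up rule above match?", can be answered straight from the Mautic database before you build the campaign. The queries below are an added example for this page, not code from the thread or from the Mautic project. They assume Mautic's default, unprefixed table names and the columns named in the comments (`leads`, `page_hits`, `ip_addresses`); confirm them with `SHOW CREATE TABLE page_hits` on your own install first.

```sql
-- Added example, not from the original thread or from Mautic itself.
-- Assumptions: default (unprefixed) Mautic tables with these columns:
--   leads(id, email, date_added)
--   page_hits(lead_id, ip_id, code, url, user_agent, date_hit)
--   ip_addresses(id, ip_address)
-- Written for MySQL 8 (the poster's database).

-- 1. Attribution: which source IP / user agent pairs are creating
--    contacts through 404 hits? Only hits whose contact has no email
--    address are counted, so identified contacts never appear here.
SELECT ip.ip_address,
       ph.user_agent,
       COUNT(DISTINCT ph.lead_id) AS contacts_created,
       COUNT(*)                   AS hits_404,
       MAX(ph.date_hit)           AS last_seen
FROM page_hits ph
JOIN leads l              ON l.id  = ph.lead_id
LEFT JOIN ip_addresses ip ON ip.id = ph.ip_id
WHERE ph.code = 404
  AND (l.email IS NULL OR l.email = '')
GROUP BY ip.ip_address, ph.user_agent
ORDER BY contacts_created DESC, last_seen DESC;

-- 2. Candidate list for the clean-up campaign described in the reply:
--    contacts older than 24 hours, with no email address and exactly one
--    tracked hit. The last HAVING condition narrows the match to contacts
--    whose single hit was a 404; remove it to get the broader
--    "one click, no email" rule exactly as suggested above.
SELECT l.id,
       l.date_added,
       MIN(ph.url)  AS only_url,
       MIN(ph.code) AS http_code
FROM leads l
JOIN page_hits ph ON ph.lead_id = l.id
WHERE (l.email IS NULL OR l.email = '')
  AND l.date_added < NOW() - INTERVAL 24 HOUR
GROUP BY l.id, l.date_added
HAVING COUNT(*) = 1
   AND MIN(ph.code) = 404;
```

Run query 1 first: if `hits_404` comes back empty even though the access log shows 404 responses, your Mautic version is not storing the response code in `page_hits.code` for those hits, and the `code = 404` conditions in both queries will silently match nothing; fall back to the broader rule in that case. Treat query 2 as a preview only. Delete the matched contacts through Mautic itself (the campaign action from the reply, or the contact API) rather than with a raw `DELETE`, so that the rows Mautic keeps alongside a contact are cleaned up by the application and not left behind.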

That’s really unfortunate. It seems like it’s almost inviting an attack that aims to fill up Mautic with a ton of requests and crap data, IMO.

I’m personally not really worried about having the anonymous contacts around, but I think it over-inflates reporting and adds unnecessary load to the application and database. I guess you could make the case that it’s negligible, but it’s worth mentioning.

From a product standpoint, it seems that the focus should be on designated “areas” of Mautic that allow those anonymous contacts to be created like Landing Pages, pages with the Tracking Pixel, etc. It would seem to me that external traffic trying to access the actual Mautic instance should only be whichever people or teams trying to use Mautic. I say all that with the caveat that I’m still relatively new to Mautic, so there is probably some area that I’m not aware of yet.

Enhancement is on its way, let’s hope it will find its way into Mautic eventually: https://github.com/mautic/mautic/pull/7614

1 Like