Today after 4 or 5 years running PGV, I received my first request for an account email from a spammer. Presumably after receiving the auto-generated reply from my site, the spammer could now write a script to automate this process and effectively send spam which would appear to come from my PGV email account. If it can be done from the Request User account email link, then I presume it can be done from the email link at the bottom of each page.
I will shortly be closing down my PGV site so this will not worry me in the future. This post is simply to raise this issue and bring it to everyone's attention.
What version of PGV are you running?
I had one two weeks ago and one two days ago. But not from the registration, but rather the site contact, and it appears they simply filled out the form to send an email and then included within the field some spam-like suggestions. I don't remember for PGV, but webtrees no longer allows off-site URLs, so you can't be given any spamming URLs within the email.
G'day Gerry and Stephen,
My PGV version is 4.2.4. I have not upgraded to the latest as I have been investigating Webtrees.
And mentioning Webtrees, it is pleasing to note that this vulnerability is already covered in Webtrees. But to add braces to the belt, I am currently testing a small change to the Webtrees code to include Captcha for all email forms. This seems to be working but I need to test it a bit more.
Thanks to you both for your long and continued help with PGV. I have to say that I am reluctant to change. But I recently was given a new server. Having two totally separate servers created an opportunity to test other programs, including Webtrees. By the way, I have not noticed any increase in performance moving from PGV to Webtrees on my 40,000+ INDI DB. But I am running out of memory on occasions with both of them.
Can you explain "off-site URL" in the context of Webtrees?
It's easy enough to sanitize e-mails sent through PGV's messaging facility to eliminate all embedded HTML, and that should get rid of some vulnerabilities. However, if the site contact is a "mailto" link, clicking on the Site Contact link at the bottom of any page will launch the user's e-mail client. All bets are off in this case, since PGV and the PGV server are no longer involved.
By the way:
Have you noticed the latest improvement in hacker handling in PGV? We now have a timed block of the IP address when PGV logs a hacking attempt. The "Hackers are not welcome" message triggers a 1-hour block of the IP address. That's cut down the hack attempts a LOT on my site. The 1-hour time-out is hard coded at the moment. I see no need to make this configurable.
It's a simple variation of "block by IP", with automatic cleanup and the ability for the site admin to manually set his own expiry date & time for specific IP addresses.
One way the spamming problem could be handled is to not allow anonymous users to send e-mails directly. Instead, they would have to send an internal message to the site contact. PGV could then send an automatic e-mail to the site contact to tell him/her that an internal message has been posted.
This is, of course, not implemented, but the internal message system is already in place and a configuration option, but without the automatic notification.
Yes, sanitized for HTML other than links to your originating PGV site. Unfortunately, this makes it difficult to provide examples when writing to someone and creates a need to establish direct email communication to accomplish that objective. And I do not allow direct email links, as that is asking for autobot problems. I use the already emails and internal messages configuration.
Currently, I don't find the frequency or content to be troublesome, certainly not nearing to any degree the deluge of junk that my several WordPress sites are presented with, so I wouldn't spend much time on this unless it becomes more prevalent or invasive.
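The two mitigations discussed above, reducing contact-form mail to plain text with only links back to the originating site kept, and a timed block-by-IP with automatic cleanup and an admin-set expiry, written out as an added Python example; this is not PGV or webtrees code, and the site host, message text and addresses are constructed for the example.

```python
import html
import re
from urllib.parse import urlparse

SITE_HOST = "example.org"  # constructed: host of the originating PGV/webtrees site
TAG_RE = re.compile(r"<[^>]*>")
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def is_onsite(url, site_host=SITE_HOST):
    """True only when the URL's host is the site itself or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == site_host or host.endswith("." + site_host)


def sanitize_message(text, site_host=SITE_HOST):
    """Reduce a contact-form message to plain text containing no off-site links.

    Entities are decoded first so an encoded URL cannot evade the check, links
    are filtered before tags are stripped so a URL hidden in an href is caught,
    and every tag is removed last. Returns (clean_text, rejected_urls).
    """
    rejected = []

    def keep_or_drop(match):
        url = match.group(0)
        if is_onsite(url, site_host):
            return url
        rejected.append(url)
        return "[off-site link removed]"

    filtered = URL_RE.sub(keep_or_drop, html.unescape(text))
    return TAG_RE.sub("", filtered), rejected


class IpBlockList:
    """Timed 'block by IP' with automatic cleanup and an admin-set expiry."""

    def __init__(self, block_seconds=3600):  # the thread's hard-coded 1 hour
        self.block_seconds = block_seconds
        self._expires = {}  # ip -> unix time at which the block lapses

    def block(self, ip, now, until=None):
        """Block for the default period, or until an explicit admin-chosen time."""
        self._expires[ip] = until if until is not None else now + self.block_seconds

    def is_blocked(self, ip, now):
        """Drop lapsed entries, then answer for this address."""
        self._expires = {a: t for a, t in self._expires.items() if t > now}
        return ip in self._expires
```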