#25847 CSRF form protection and PHP version

Posted in ‘Admin Tools for Joomla! 4 & 5’
Latest post by appnweb on Tuesday, 09 August 2016 02:26 CDT

appnweb
Hi,

We had several problems lately on some of our customers' websites with spam emails sent through sharing forms. In one case we found where the problem was, but in another one we could not.

We then thought about activating the CSRF spam form protection on all websites in order to protect all forms globally, but as stated in your documentation we need to add exclusions on websites that have PayPal payments (through RSForm in most cases). I contacted RSForm support in order to have them help me figure out the best way to exclude their component, but they do not want to answer, as they consider that it does not concern their extension.

I thus came back here and, while browsing the tickets, saw that you consider the CSRF form protection deprecated and plan to eventually remove it. So my questions are:

- Do you really think this function is useless and we should not use it?

- If not, can you help us figure out how we could exclude the RSForm PayPal integration without having to run too many tests on a live website?

- If it is useless, do you know another way to give forms extra protection globally?

And by the way, another question that is not related to forms: how long do you think Admin Tools and Akeeba Backup versions will support PHP 5.5? One of the hosting companies we are working with still does not have 5.6 and we are afraid to get in trouble because of that.

Thanks in advance for your help.

App 'n' Web - Helene Kobel

tampe125
Akeeba Staff
Hello,

Regarding your token question: the best way to add protection to a form is to add a captcha. Captchas have been natively supported by Joomla since version 2.5, so the developers of the form should add support for them.

Regarding your PHP version: 5.5 will be fine. We dropped support for 5.3 in Admin Tools 4; it now needs at least PHP 5.4.
Even though PHP 5.5 has reached its end of life (and we therefore suggest that users upgrade to 5.6, or even better to version 7), we are going to support it for a long time.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
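The reply above recommends the captcha plugins that Joomla ships with over one built into the form extension. The following is an added example, not Akeeba's, Joomla's or RSForm's code: a front-end controller task for a "share this page" form that checks Joomla's per-session CSRF token and then the captcha plugin selected in Global Configuration, before validating and capping the recipient list server side. It assumes Joomla 4 (namespaced API) with a core captcha plugin such as `recaptcha` enabled and selected; the component name `com_share`, the task and field names and the language strings are illustrative.

```php
<?php
// Added example; not Akeeba's, Joomla's or RSForm's code. Assumes Joomla 4 and a
// core captcha plugin (e.g. 'recaptcha') selected in Global Configuration.
// Component, task, field and language-string names are illustrative.

namespace Acme\Component\Share\Site\Controller;

use Joomla\CMS\Captcha\Captcha;
use Joomla\CMS\Factory;
use Joomla\CMS\Language\Text;
use Joomla\CMS\Mail\MailHelper;
use Joomla\CMS\MVC\Controller\BaseController;
use Joomla\CMS\Session\Session;
use Joomla\CMS\Uri\Uri;

class ShareController extends BaseController
{
    // The form shows four recipient fields; enforce that on the server as well.
    private const MAX_RECIPIENTS = 4;

    // Task URL (assumed): index.php?option=com_share&task=share.send, POST only
    public function send(): bool
    {
        $app   = Factory::getApplication();
        $input = $app->getInput();
        $back  = 'index.php?option=com_share&view=form';

        // 1. CSRF token. The template renders it with HTMLHelper::_('form.token');
        //    checkToken('post') compares that hidden field with the session token
        //    and fails for any request that is not a POST.
        if (!Session::checkToken('post')) {
            $this->setRedirect($back, Text::_('JINVALID_TOKEN'), 'error');
            return false;
        }

        // 2. Captcha, delegated to the core plugin chosen in Global Configuration
        //    (the template shows it with $captcha->display('captcha', 'share-captcha')).
        //    Core captcha plugins read their own response field from the request,
        //    so nothing needs to be passed to checkAnswer().
        $pluginName = (string) $app->get('captcha', '0');

        if ($pluginName === '0' || $pluginName === '') {
            // Fail closed: a sharing form must not work without a captcha at all.
            $this->setRedirect($back, Text::_('COM_SHARE_NO_CAPTCHA_CONFIGURED'), 'error');
            return false;
        }

        try {
            $captcha  = Captcha::getInstance($pluginName, ['namespace' => 'com_share']);
            $answerOk = $captcha->checkAnswer(null);
        } catch (\Exception $e) {
            // Plugin missing or misconfigured: treat it as a failed check, never skip it.
            $answerOk = false;
        }

        if (!$answerOk) {
            $this->setRedirect($back, Text::_('COM_SHARE_CAPTCHA_FAILED'), 'error');
            return false;
        }

        // 3. Recipients: validate every address, de-duplicate, cap the count.
        $recipients = [];

        foreach ((array) $input->post->get('emails', [], 'array') as $email) {
            $email = trim((string) $email);

            if ($email !== '' && MailHelper::isEmailAddress($email)) {
                $recipients[$email] = $email;
            }
        }

        $recipients = array_slice(array_values($recipients), 0, self::MAX_RECIPIENTS);

        // 4. Body: only a link to a page on this site, never free text from the
        //    form, so the form cannot be turned into a generic mail relay.
        $pageUrl = $input->post->getString('url', '');
        $site    = Uri::getInstance()->toString(['scheme', 'host', 'port']);

        if ($recipients === [] || strpos($pageUrl, $site . '/') !== 0) {
            $this->setRedirect($back, Text::_('COM_SHARE_INVALID_INPUT'), 'error');
            return false;
        }

        foreach ($recipients as $to) {
            $mailer = Factory::getMailer();   // one message per recipient, no shared To: list
            $mailer->setSubject(Text::_('COM_SHARE_SUBJECT'));
            $mailer->setBody($pageUrl);
            $mailer->addRecipient($to);
            $mailer->Send();
        }

        $this->setRedirect($back, Text::_('COM_SHARE_SENT'), 'message');
        return true;
    }
}
```

Two checks here go beyond what the reply states and are worth keeping even when the captcha is solved: the recipient cap and the restriction of the body to a same-site URL. A token and a captcha prove that a browser session submitted the form; they say nothing about how many times it did so or what it asked the site to send.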

appnweb
Thanks for your answer,

Nice to see that I have some time ahead for the PHP upgrade, as it does not depend on me but on the hosting company.

As for the form problem, I forgot to add that of course the captcha was present and enabled on the form, so it seems that it was submitted while avoiding the captcha, even if we do not know how. We actually completely disabled this sharing function on the website concerned and no more mails are being sent, but this problem could happen with other forms or extension parts. That's why we are looking for another protection for the forms that would be used in addition to the captcha and could maybe block those actions.

The second website also has captcha and we did not even find how the emails were sent.

This is of course the reason why I was asking if you really consider this CSRF form protection deprecated and plan to remove it, because in that case it's no use for me to lose time trying to get the RSForm PayPal integration to work correctly with it.

I had almost the same problem with another feature you removed just after I activated it on all our websites because we had been attacked on one so I prefer to ask before :)

tampe125
Akeeba Staff
Well, breaking the captcha is a very complex task: if they were able to break it, they would easily break the CSRF token.
Which captcha did you try? Was it the Google one (reCAPTCHA) or something custom, built by the developers of the extension?


appnweb
Hi,

It was an exotic captcha provided by the extension. We are actually trying to implement Google's one everywhere but it seems we do not run fast enough.

An interesting question for me is: what if it was not a bot?

Do you think a human could use the form (meaning no problem for him to complete the captcha) to send thousands of spam emails, even though there are only four email fields?

I start to think maybe that's what happened.

Anyway, thanks for your answers and have a nice day.
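The last post asks whether a person, solving the captcha each time, could push thousands of mails through a form with four recipient fields, and the earlier one says the second site's source of the mails was never found. Both questions are answered by the access log: count completed POSTs to the form endpoint per client and multiply by the recipient count. The following is an added example, not code from Akeeba or from the original posts: a stand-alone PHP script that parses "combined" format log lines, applies a sliding-window count per IP and reports clients that exceed a threshold. The log lines are constructed for the example; the endpoint path, window size and threshold are assumptions to adjust per site.

```php
<?php
// Added example, not Akeeba's code nor code from the original post. Scans an
// access log for POSTs to a sharing form and reports clients submitting it far
// more often than a person would. Sample log lines below are constructed; the
// endpoint path, window and threshold are assumptions.

declare(strict_types=1);

const FORM_PATH   = '/index.php?option=com_share&task=share.send'; // assumed endpoint
const WINDOW_SECS = 600;  // sliding window: 10 minutes
const MAX_PER_WIN = 10;   // more than this per client per window is not page sharing
const RECIPIENTS  = 4;    // e-mail fields per submission, as in the post

// Apache/nginx "combined" format; only the fields used below are captured.
const LINE_RE = '~^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3})~';

function parseLine(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m)) {
        return null;
    }

    $ts = \DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m['ts']);

    if ($ts === false) {
        return null;
    }

    return [
        'ip'     => $m['ip'],
        'time'   => $ts->getTimestamp(),
        'method' => $m['method'],
        'path'   => $m['path'],
        'status' => (int) $m['status'],
    ];
}

/** Returns ip => [submissions, peak_per_window, max_emails] for clients over the threshold. */
function findFormAbuse(iterable $lines): array
{
    $byIp = [];

    foreach ($lines as $line) {
        $r = parseLine((string) $line);

        // Only accepted POSTs to the form endpoint count; 4xx rejections are skipped.
        if ($r === null || $r['method'] !== 'POST' || $r['status'] >= 400
            || strpos($r['path'], FORM_PATH) !== 0) {
            continue;
        }

        $byIp[$r['ip']][] = $r['time'];
    }

    $report = [];

    foreach ($byIp as $ip => $times) {
        sort($times);
        $start = 0;
        $peak  = 0;

        // For each submission, count those in the preceding WINDOW_SECS (including it).
        foreach ($times as $i => $t) {
            while ($times[$start] < $t - WINDOW_SECS) {
                $start++;
            }

            $peak = max($peak, $i - $start + 1);
        }

        if ($peak > MAX_PER_WIN) {
            $report[$ip] = [
                'submissions'     => count($times),
                'peak_per_window' => $peak,
                'max_emails'      => count($times) * RECIPIENTS,
            ];
        }
    }

    return $report;
}

// Constructed sample: two normal users and one client submitting every 10 seconds.
$sample = [
    '203.0.113.7 - - [08/Aug/2016:14:01:09 +0200] "GET /index.php?option=com_share&view=form HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/Aug/2016:14:01:40 +0200] "POST /index.php?option=com_share&task=share.send HTTP/1.1" 303 0',
    '198.51.100.2 - - [08/Aug/2016:14:02:12 +0200] "POST /index.php?option=com_share&task=share.send HTTP/1.1" 303 0',
];

for ($i = 0; $i < 40; $i++) {
    $sample[] = sprintf(
        '192.0.2.99 - - [08/Aug/2016:14:%02d:%02d +0200] "POST /index.php?option=com_share&task=share.send HTTP/1.1" 303 0',
        3 + intdiv($i, 6),
        ($i % 6) * 10
    );
}

// php find_form_abuse.php [access.log]  (without a file the constructed sample is used)
$lines = $argc > 1 ? new \SplFileObject($argv[1]) : $sample;

foreach (findFormAbuse($lines) as $ip => $info) {
    printf("%-15s submissions=%d peak/%ds=%d up to %d e-mails\n",
        $ip, $info['submissions'], WINDOW_SECS, $info['peak_per_window'], $info['max_emails']);
}
```

On the constructed sample the script reports only 192.0.2.99, with 40 submissions and therefore up to 160 mails, while the two one-off submitters stay below the threshold. The grouping is by source IP, which catches a single person or a single script; a submitter rotating addresses would need the same count keyed on the session cookie or user agent instead. The same counter, run inside the form handler rather than over the log, is the "extra protection in addition to the captcha" the post asks for: a captcha is solved once per submission and says nothing about how many submissions one client has already made.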
