Security questions regards to a RW site


(Marc) #1

I have been getting spam email at an address which I use as the contact email for my RW site. I have changed this now three times (to make sure I find the source of where the emails are being sent to, because I use the same email on another service).
So now I have one email address that is only used on my contact page, and after changing it I get a spam email within the hour. I contacted my ISP earlier today and they didn't really offer much, only telling me to change passwords etc., the usual basic stuff.

Question is, how can I make my site more secure so that (whoever is currently accessing my email address in my contact page) can't continue to do this?


(Jan Fuellemann) #2

Are you using Stacks on your pages?


(Marc) #3

Yes, quite a few throughout the site. Why could that be an issue?


(Jan Fuellemann) #4

Then you could use a stack like https://www.doobox.co.uk/stacks_store/demos/obscureemail.html if you are using plain e-mail addresses. And/or if you use contact forms, use this one: https://www.doobox.co.uk/stacks_store/demos/htmlcontact.html

I do not enter any e-mail address in the general settings in RapidWeaver. But if you do, check this box, Protect E-Mail Address, as well:


(Marc) #5

Where is this in RW? Is it a new feature in RW8?


(Jan Fuellemann) #6

You find it in the advanced settings. I think it was there in version 7 as well… but it only works for the e-mail address you specify in the general settings, not for any you add manually to the site…


(Marc) #7

Already got that ticked.

Just had a message from the person I'm on chat with from the ISP. They said that the contact form could have an SQL injection in the contact form on the site. They said I need to consult a security specialist so the database can be fully investigated?
Sounds a little too extreme to me.

So not using the built-in contact form and using a third-party stack as you mentioned would possibly bypass this?


(Doug Bennett) #8

Not knowing what contact form you are using makes it difficult to say for sure. I don't know of any that use MySQL, so I would think that the person on chat isn't really looking at your site, just going through a "checklist" of possible causes. SQL injection is more likely a database-driven site issue (like WordPress).

A URL to the site would help folks help you out.


(Marc) #9

www.lucas.media


(Jan Fuellemann) #10

If you are not using SQL, I do not see where this can come from, but I am not a security expert. I would just not use the built-in form but one of the other forms available, this time with a different e-mail address to see if that works out.


(Marc) #11

That's the logical solution. I will give that a go. Thanks for your replies.


(Marc) #12

Ironically, I already have the DooBox HTML Contact stack :-)


(Doug Bennett) #13

There is an email address in the footer (a stack). Is that the same address you are having problems with, hello@? It appears pretty much in the clear.

The builtin contact form shouldn’t be getting you spam.


(unluckytoe@mac.com) #14

@FutureBoy

I would highly recommend using Joe Workman’s Email Obfuscator instead of using plain text email addresses. I use this with all of my client sites and have yet to hear about spamming issues.

While DooBox’s HTML Contact Form stack is a great solution, you would have more robust security options if you went with Yabdab’s FormSnap or FormLoom.

Just my $.02


(Paul Russam) #15

As @teefers mentioned, you have your email address in your footer. It's not obfuscated and can be read straight from the page code:

Do a Google search for "email obfuscate" to learn more about how to make email addresses unreadable to bots but still work.


(Marc) #16

Yes, I know that's still there, and it was the actual email that I was originally getting the spam at. I did, however, keep it in place to see if that was the actual problem; it isn't anymore. I changed the email on my contact form on the contact page a couple of times, and both times the email used was the one that was getting the spam, and no more came to the one you have highlighted.
From this it looks like there is a problem with (whoever) being able to get through the backend of the RW site's built-in form?

I will, however, look into the suggestions of the email obfuscator. I have now changed the contact form to the DooBox HTML contact form and so far no more spam.

Thanks to everyone who has commented, appreciated.


(Marc Vos) #17

I also get spam mails via RW's default contact forms, and even with custom contact forms built with FormPro. This is not about SQL injection, but about either a very smart robot filling in the form fields, even leaving the hidden one blank, or, and that's my case when I look at the e-mail content, people who are hired to fill in contact forms on websites. On some forms I added PHP code to check the referer to prevent using the form remotely, but we still get spam emails, so these are people filling in the forms.


(LJ) #18

I don’t think you need more robust security options than the Doobox html ‘honeypot’ approach. The real reason you might want to use something like Formloom (and several others) is that you can build much more complex forms if you need to.


(Lance Harris) #19

I agree with unluckytoe & manofdogz, and I have been using the FormSnap contact form stack on all my sites for many years and have never had a problem with spam emails.
https://www.yabdab.com/stacks/formsnap


(Amy Wooden) #20

A simple solution is to change how the address appears so bots can't find it. If you type it out as "hello at lucasmedia dot com", people know what you mean, but bots can't find it. It's simple and free.
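What "email obfuscation" (Paul Russam's post) and the spelled-out form (Amy Wooden's post) actually do to the page source, as an added example that is not any stack's code: the address is stored in a form a harvester's regex does not match, and a few lines of script rebuild the real mailto: link in the browser. The address, the `obf` class and the `data-addr` attribute are made up for the example.

```javascript
// Added example, not code from any RapidWeaver stack: reversible e-mail
// obfuscation for a static page. The address and attribute names are assumed.

// Roughly what a harvester scans page source with: something@domain.tld.
const HARVESTER_RE = /[\w.+-]+@[\w-]+(\.[\w-]+)+/;
function looksLikeEmail(text) {
  return HARVESTER_RE.test(text);
}

// Encode: reverse the string, then replace "@" and "." with tokens, so neither
// the address nor its mirror image appears anywhere in the HTML.
function encodeAddress(addr) {
  return addr.split("").reverse().join("").replace(/@/g, "[at]").replace(/\./g, "[dot]");
}
function decodeAddress(encoded) {
  return encoded.replace(/\[at\]/g, "@").replace(/\[dot\]/g, ".").split("").reverse().join("");
}

// The spelled-out form suggested in the thread, for people rather than scripts.
function humanReadable(addr) {
  const [user, domain] = addr.split("@");
  return `${user} at ${domain.split(".").join(" dot ")}`;
}

// HTML to paste into the page; the link is inert until the script runs.
function renderLink(addr, label) {
  return `<a class="obf" href="#" data-addr="${encodeAddress(addr)}">${label}</a>`;
}

// Browser side: turn every placeholder back into a working mailto: link.
// Returns the number of links repaired.
function revealLinks(root) {
  let count = 0;
  for (const a of root.querySelectorAll("a.obf[data-addr]")) {
    const addr = decodeAddress(a.getAttribute("data-addr"));
    a.setAttribute("href", "mailto:" + addr);
    a.textContent = addr;
    count++;
  }
  return count;
}
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => revealLinks(document));
}
```

This only defeats scrapers that pattern-match raw HTML; a crawler that executes JavaScript sees the decoded address, and a bot that submits the contact form never needed the address in the first place, which is the separate problem the rest of the thread is about.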