
Honey Pot/Spam protection #541

Closed
NicoHood opened this issue Oct 26, 2021 · 24 comments
Assignees
Labels
enhancement New feature or request

Comments

@NicoHood
Contributor

Is your feature request related to a problem? Please describe.
Currently I get a lot of "Undelivered mail returned to sender" emails, as spam bots enter invalid email addresses into my subscription form.

Describe the solution you'd like
Can't we add a honeypot field that must be true or false, contain a specific text etc., and reject the submission if that is invalid? It would be good if no user interaction is required, so no CAPTCHA would be nice.

I am using double opt-in of course, but avoiding those tons of invalid emails would be great!

@NicoHood NicoHood added the enhancement New feature or request label Oct 26, 2021
@knadh
Owner

knadh commented Oct 27, 2021

A honeypot field already exists. These must be smarter bots!

Do the spam e-mails have recurring domains? If yes, you could add them to the domain blocklist in settings.

@NicoHood
Contributor Author

But it does not exist on the user generated forms. I think your template is only used for the global subscription form, not for the one where you can generate and select each list.

They enter gmail addresses for some reason.

@knadh
Owner

knadh commented Oct 27, 2021

But it does not exist on the user generated forms.

Yep, got it.

@knadh knadh self-assigned this Oct 27, 2021
@knadh knadh closed this as completed in ed8d68b Oct 27, 2021
@knadh
Owner

knadh commented Oct 27, 2021

Forgot this: you can just add <input type="hidden" name="nonce" /> to your form manually and the honeypot will work in the current version too.

Just merged a change that automatically generates this along with the form code (for the next release).

@NicoHood
Contributor Author

Nice! That is also what I did after you mentioned it first. Let's see how much spam now arrives.

@NicoHood
Contributor Author

Spam is still coming in... Can't we add some other basic protection mechanism?

@knadh
Owner

knadh commented Oct 29, 2021

The only other thing that could work is a CAPTCHA.

@NicoHood
Contributor Author

NicoHood commented Dec 6, 2021

Is there a way to show statistics of which page the request to subscribe was made from? I've added this honey pot to all forms, but I must have missed one or it is not working at all.

@knadh
Owner

knadh commented Dec 6, 2021

No way to figure this out inside listmonk directly. Assuming that you're running it behind a webserver (for SSL), you can refer to the webserver's access logs to figure it out.

@NicoHood
Contributor Author

NicoHood commented Jan 3, 2022

I just added a fixed name to the name field and noticed that the traffic comes from my home (main) page. I've added the honey pot field, which does not help at all. Aren't there any other options that we could add (instead of reCAPTCHA)?

@knadh
Owner

knadh commented Jan 4, 2022

The only way would be to bundle an image CAPTCHA which should weed out most bots, except for the very sophisticated ones (which are unlikely to bother signing up to a mailing list maybe). However, an image-only CAPTCHA creates accessibility issues too. Maybe something like this https://www.hcaptcha.com can be an optional plugin.

@srsquare

srsquare commented Jun 9, 2022

A few suggestions to better control spam signups. Rather than a captcha, on which everyone will have a different preference about which one to use and which is a pain for end-users...

  1. change the honey pot field to type=text and use a CSS class say .hpfld that is set to hidden, most bots these days are smart enough to ignore type=hidden fields but don't parse the CSS yet

  2. do something like this script does to validate new emails https://github.com/daveearley/Email-Validation-Tool and maybe have a setting for each check to determine if we want to use that rule or not. I bet you could find a library like this written in the correct language, for example https://github.com/MailboxValidator/mailboxvalidator-nodejs

Also, it would be nice to have an automated option that could be run say monthly to clean the list using the same email validation rules.

  3. have a hidden field that is set to the current server timestamp on load and, based on the number of seconds from page load to submit, have a setting to flag it as spam. For example, if the form is submitted 3 seconds after page load that's a bot, but 63 seconds later is likely not a bot. If that string is not a Unix seconds timestamp, empty, too far in the past or future, it fails because it has been changed. The range allowed could be a setting.

  4. a check to see if it is a bot; this is far from foolproof since most are based on data that can be spoofed and thus not trigger an isbot, but it would help. If I understand right listmonk is written using go and nodejs, so maybe https://pkg.go.dev/zgo.at/isbot

  5. deny repeat submissions for x time, maybe based on IP, a cookie or a session variable
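The CSS-hidden honeypot and page-load timestamp checks srsquare suggests above, worked as a server-side validator. This is an added example, not listmonk's own code; the field names ("nonce" for the honeypot, "ts" for the timestamp) and the thresholds are assumptions.

```go
package main

import (
	"errors"
	"net/url"
	"strconv"
	"time"
)

// Constructed example of the checks suggested above; not listmonk's own code.
// Assumptions: "nonce" is the honeypot (a text input hidden via CSS that real users
// never fill), "ts" is the Unix-seconds timestamp the server writes into the form on render.
const (
	honeypotField  = "nonce"
	timestampField = "ts"
	minFill        = 5 * time.Second  // submitted faster than this after load: bot
	maxAge         = time.Hour        // older than this: stale form or tampered value
	skew           = 30 * time.Second // tolerated clock skew for slightly-future values
)

var (
	ErrHoneypot  = errors.New("honeypot field was filled in")
	ErrTimestamp = errors.New("timestamp missing or not Unix seconds")
	ErrTooFast   = errors.New("submitted too soon after page load")
	ErrStale     = errors.New("timestamp too old or too far in the future")
)

// CheckSubmission applies the honeypot and timing rules to a urlencoded POST
// body, evaluated at nowUnix (injected so the check is deterministic and testable).
func CheckSubmission(body string, nowUnix int64) error {
	form, err := url.ParseQuery(body)
	if err != nil {
		return err
	}
	if form.Get(honeypotField) != "" {
		return ErrHoneypot
	}
	secs, err := strconv.ParseInt(form.Get(timestampField), 10, 64)
	if err != nil { // empty, non-numeric or overflowing value
		return ErrTimestamp
	}
	elapsed := time.Unix(nowUnix, 0).Sub(time.Unix(secs, 0))
	switch {
	case elapsed < -skew || elapsed > maxAge:
		return ErrStale
	case elapsed < minFill:
		return ErrTooFast
	}
	return nil
}
```

A rejected submission can be logged with the returned sentinel error so the webserver or application logs show which rule fired, which answers the "where is the spam coming from" question raised earlier in the thread.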

@j2l

j2l commented Mar 5, 2023

Hello,
I also have this problem, I had to delete 117 spam subscriptions after one week of leave.
I used hcaptcha elsewhere and it's working for me, how could it be implemented on a listmonk server running on docker?
Thanks

@knadh
Owner

knadh commented Mar 6, 2023

hCAPTCHA support has been added to listmonk and will be available in the upcoming release. It should've been this weekend but is delayed by a few days and will be released later this week.

@j2l

j2l commented Mar 6, 2023

Great! Thank you @knadh

@j2l

j2l commented Mar 9, 2023

I hope you publish this week 😍
For now, I don't see change at https://hub.docker.com/r/listmonk/listmonk

@j2l

j2l commented Mar 16, 2023

Any news @knadh on the updated docker image?

@NicoHood
Contributor Author

Hey Guys,
I have to get back here, as my mailing provider blocked me because listmonk has sent out a lot of emails that were bounced. I checked the logs and a lot of bots have subscribed to my newsletter with emails that do not even exist.

I've checked and enabled hCaptcha. Is there any other way to prevent spam with little modification? Did listmonk improve anything besides the hCaptcha in the last releases? (I've just upgraded from 2.1.)

@knadh
Owner

knadh commented Nov 15, 2023

Whoa, bots have bypassed hCaptcha en masse? That is very unusual. Apart from that, listmonk has no other bot protection built in (infeasible to have either). It should be handled externally by a WAF or a bot protection mechanism.

@MaximilianKohler
Contributor

Do you use Cloudflare Nico? It's a popular way to protect public pages from bots.

@elrumordelaluz

Sorry if I take advantage of this conversation. I already enabled hCaptcha, which is added fine in the HTML code shown to be embedded in a website, but for some reason it isn't present in the public form online. Is there anything I am missing?
Thank you!
PS: please let me know if you prefer that I open a new issue.

@NicoHood
Contributor Author

Bots do not bypass hCaptcha. That is just what I've added yesterday. They passed the normal form.

My wish would be to protect from bots without this additional captcha method. Isn't there a basic solution that would hold off most bots? I mean, how do other services like Airtable prevent bots without requiring reCAPTCHA?

And no, I don't use Cloudflare yet. I wish there was a simpler solution to this.

My e-mail service (Mailjet) suggested that I create a sub-account where the account quality is not so important. I could send transactional emails with this sub-account to get a better score for my marketing emails. Otherwise they will block my account. @knadh Would it be possible to use a different SMTP service just for transactional messages like opt-in?

@knadh
Owner

knadh commented Nov 16, 2023

Isn't there a basic solution that would hold off most bots?

Unfortunately, there isn't anymore. Bots are extremely sophisticated and can even solve conventional graphical captchas in some cases. ;( That's why bot protection services like Cloudflare have become immensely popular.

@knadh Would it be possible to use a different smtp service just for transactional messages like opt-in?

This isn't possible currently. Will see if this can be made configurable in the future.

@MaximilianKohler
Contributor

Cloudflare is fairly simple. Just do some web/video searches for "how to block bots with cloudflare".
