# Spam Prevention

## Spamcheck in powermail

### Introduction

![bestpractice_spamshield1](../../Images/bestpractice_spamshield1.png)

Spamshield protects your mail forms from spam without using a captcha field. After a submit, the submission must pass several spam checks:

- **Honeypot**: An invisible field is added to the form. When it contains a value, the submission is spam.
- **Linkcheck**: Checks if any of the field values contain a URL. When the configured URL limit is passed, the submission is spam.
- **Namecheck**: Checks if the first and last name fields contain the same value.
- **Sessioncheck**: Checks if the user loaded the form page before submitting it.
- **UniqueValues**: Checks if all the field values are distinct. If at least two values are the same, spam chance increases.
- **String Blacklist**: Checks if field values contain a word from a configured list of disallowed words.
- **IP-Address Blacklist**: The user IP address must not be on the list of disallowed addresses.
- **Rate limiting**: A user IP address may submit the form only N times within a time frame.

Every submitted form is checked with these methods. Every failed method adds a Spam-Indication-Number to a storage. The sum of the Spam-Indication-Numbers leads to a Spam-Factor (from 0 to 100%). By default, every mail with a Spam-Factor of 75% is declined with a message.

### How is a Spam-Number related to the Spam-Factor?

![bestpractice_spamshield2](../../Images/bestpractice_spamshield2.jpg)

In this example, a Spam-Indication of 4 leads to a 75% chance of spam in the mail (3: 66%, 12: 92%, etc.).
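To see which failed checks are enough to decline a submission, the following added example (not powermail's own code) combines the indication values from the TypoScript example on this page with the default factor of 75. It assumes the curve is `1 - 1/n`, inferred from the data points above (3: 66%, 4: 75%, 12: 92%), and that a factor equal to the limit is declined; the short check names are hypothetical labels.

```python
from itertools import combinations

# Indication values copied from the TypoScript example on this page.
# The dictionary keys are hypothetical short labels, not powermail identifiers.
INDICATION = {
    "honeypot": 5, "link": 3, "name": 3, "session": 5,
    "unique": 2, "value_blacklist": 7, "ip_blacklist": 7, "rate_limit": 100,
}

def spam_factor(indication_sum):
    """Spam factor in percent for a summed indication value.

    Assumed formula 1 - 1/n, inferred from the page's data points;
    it is not taken from the powermail source.
    """
    if indication_sum <= 0:
        return 0.0
    return 100 - 100 / indication_sum

def is_declined(failed, weights=INDICATION, limit=75):
    """True when the failed checks reach the configured factor (assumed >=)."""
    return spam_factor(sum(weights[c] for c in failed)) >= limit

def minimal_declining_sets(weights=INDICATION, limit=75):
    """Smallest combinations of failed checks that decline a submission."""
    active = [c for c, w in weights.items() if w > 0]  # indication 0 disables a check
    found = []
    for size in range(1, len(active) + 1):
        for combo in combinations(active, size):
            candidate = set(combo)
            if any(prev <= candidate for prev in found):
                continue  # a smaller subset already declines on its own
            if is_declined(combo, weights, limit):
                found.append(candidate)
    return found

if __name__ == "__main__":
    for checks in minimal_declining_sets():
        print(sorted(checks), f"{spam_factor(sum(INDICATION[c] for c in checks)):.0f}%")
```

With these weights, a single failed honeypot, session, blacklist or rate-limit check declines the mail on its own, while the link, name and unique checks only do so in pairs.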
### Configuration via TypoScript

```
plugin.tx_powermail {
    settings.setup {
        spamshield {
            _enable = 1
            factor = 75
            email = administrator@domain.org
            emailSubject = Spam in powermail form recognized
            emailTemplate = EXT:powermail/Resources/Private/Templates/Mail/SpamNotification.html
            logfileLocation = typo3temp/logs/powermail_spam.log
            logTemplate = EXT:powermail/Resources/Private/Templates/Log/SpamNotification.html

            methods {
                # Honeypot check
                1 {
                    _enable = 1

                    # Spamcheck name
                    name = Honey Pot

                    # Class
                    class = In2code\Powermail\Domain\Validator\SpamShield\HoneyPodMethod

                    # if this check fails - add this indication value to indicator (0 disables this check completely)
                    indication = 5

                    # method configuration
                    configuration {
                    }
                }

                # Link check
                2 {
                    _enable = 1

                    # Spamcheck name
                    name = Link check

                    # Class
                    class = In2code\Powermail\Domain\Validator\SpamShield\LinkMethod

                    # if this check fails - add this indication value to indicator (0 disables this check completely)
                    indication = 3

                    # method configuration
                    configuration {
                        # number of allowed links
                        linkLimit = 2
                    }
                }

                # Name check
                3 {
                    _enable = 1

                    # Spamcheck name
                    name = Name check

                    # Class
                    class = In2code\Powermail\Domain\Validator\SpamShield\NameMethod

                    # if this check fails - add this indication value to indicator (0 disables this check completely)
                    indication = 3

                    # method configuration
                    configuration {
                    }
                }

                # Session check
                4 {
                    _enable = 1

                    # Spamcheck name
                    name = Session check

                    # Class
                    class = In2code\Powermail\Domain\Validator\SpamShield\SessionMethod

                    # if this check fails - add this indication value to indicator (0 disables this check completely)
                    indication = 5

                    # method configuration
                    configuration {
                    }
                }

                # Unique check
                5 {
                    _enable = 1

                    # Spamcheck name
                    name = Unique check

                    # Class
                    class = In2code\Powermail\Domain\Validator\SpamShield\UniqueMethod

                    # if this check fails - add this indication value to indicator (0 disables this check completely)
                    indication = 2

                    # method configuration
                    configuration {
                    }
                }

                # Value blacklist check
                6 {
                    _enable = 1

                    # Spamcheck name
                    name = Value blacklist check

                    # Class
                    class = In2code\Powermail\Domain\Validator\SpamShield\ValueBlacklistMethod

                    # if this check fails - add this indication value to indicator (0 disables this check completely)
                    indication = 7

                    # method configuration
                    configuration {
                        # Blacklisted values (could also be read from a file - simply with FLUIDTEMPLATE)
                        values = TEXT
                        values.value = viagra,sex,porn,p0rn
                    }
                }

                # IP blacklist check
                7 {
                    _enable = 1

                    # Spamcheck name
                    name = IP blacklist check

                    # Class
                    class = In2code\Powermail\Domain\Validator\SpamShield\IpBlacklistMethod

                    # if this check fails - add this indication value to indicator (0 disables this check completely)
                    indication = 7

                    # method configuration
                    configuration {
                        # Blacklisted values (could also be read from a file - simply with FLUIDTEMPLATE)
                        values = TEXT
                        values.value = 123.132.125.123,123.132.125.124
                    }
                }

                # Rate limiter
                8 {
                    _enable = 1

                    # Spamcheck name
                    name = IP rate limiter

                    # Class
                    class = In2code\Powermail\Domain\Validator\SpamShield\RateLimitMethod

                    # if this check fails - add this indication value to indicator (0 disables this check completely)
                    indication = 100

                    # method configuration
                    configuration {
                        # see "DateTimeInterval" class for allowed values
                        interval = 5 minutes

                        # number of form submissions within the interval
                        limit = 10

                        # Parts of the rate limiting key
                        # - placeholders: __ipAddress, __formIdentifier
                        # - form values: {email}
                        # - hard coded values: foo
                        restrictions {
                            10 = __ipAddress
                            20 = __formIdentifier
                        }
                    }
                }
            }
        }
    }
}
```

### Debug and finetune the Spamsettings

It is useful to activate a notification mail to the admin (for an initial time period, for example) that is sent when a submit fails (see the TypoScript above for how to enable it). In the mail, you see which checks failed and the overall Spam Factor.
This is an example of the mail content:

```
Possible spam in powermail form on page with PID 3

Spamfactor of this mail: 92%

Failed Spamchecks:
0: nameCheck failed
1: uniqueCheck failed
2: blacklistStringCheck failed

Given Form variables:
2: Alex
9: Alex
10: alexander.kellner@in2code.de
3: Viagra and Free P0rn See link on http://freeporn.de or http://freeporn.com

Senders IP address: 155.233.10.8
```

As an alternative, you can enable a logfile (see the TypoScript above for how to enable it), where all spam is logged. This is an example of the logfile content:

```
----------------------------------------------------
2015-10-19 12:03:39
PID: 184
Spamfactor of this mail: 92%

Failed Spamchecks:
- linkCheck failed
- uniqueCheck failed
- blacklistStringCheck failed

Given Form variables:
- Name: Viagra
- E-Mail: Viagra
- Text: http://www.test.de http://www.test.de http://www.test.de

Senders IP addess: 127.0.0.1
```

### Register own spamcheck methods

You can register your own spamshield methods. See the manual part "for developers" for examples.

### Disable spamcheck on some condition

You can disable all spamshield methods on some conditions. See the manual part "for developers" for examples.

## Captcha

Using a captcha extension also helps to prevent spam. You can simply add a new field of type captcha. A built-in calculating captcha will be shown in the frontend.

If you want to use another extension, you can install the extension "captcha" from TER and configure powermail to use this extension for every captcha:

```
plugin.tx_powermail.settings.setup.captcha.use = captcha
```