
Send-to form spammers

by Brent Woodruff last modified Jun 05, 2008 08:45 PM

Ugh. Spammers are truly the bottom feeders of the internet. I discovered recently that my development site was being used to send unsolicited email. My sincerest apologies to anyone who got junk mail from an fprimex.com address.

I have fixed the problem, and outlined for other Plone users below some precautions to take so that they too don't get used to make the spam problem any worse.

The main issue is that Plone has a feature through which you can email a link to someone using an online form. It's an "I bet Bob would want to see this" scenario: click send-to, put Bob's email into the form, click send. Unfortunately, this feature is available to anyone and can be repeatedly abused by scripts and lowlifes.

Here's a checklist to get rid of Plone's send-to functionality:

  1. Take the "Allow sendto" permission away from everyone
    1. In the Zope Management Interface (ZMI) of your Plone site, select the "Security" tab.
    2. Scroll down to the "Allow sendto" permission and uncheck all of the boxes in its row, including "Acquire".
    3. This will make it so that people can still reach the sendto form, but when they attempt to send, they'll get an error. This is the minimum to fix the problem.
  2. Remove the sendto document action
    1. In the ZMI of your Plone site, select portal_actions
    2. In portal_actions, select document_actions
    3. Either of these achieves the same effect for end users:
      1. Delete sendto
      2. Select sendto, then uncheck Visible
  3. Replace the sendto_form page with a disabled message
    1. In the ZMI of your Plone site, select portal_skins
    2. Select the plone_forms folder
    3. Select the sendto_form, then click the Customize button
    4. In the template, delete the form and replace it with something like "This form has been disabled."
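As an added example of what step 3 can look like (this is not the post's own template), here is a minimal replacement body for the customized sendto_form. It assumes the usual Plone page-template wiring of the era: the `main_template/macros/master` macro and a `main` slot; if your site's main_template uses different slot names, adjust accordingly.

```html
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:tal="http://xml.zope.org/namespaces/tal"
      xmlns:metal="http://xml.zope.org/namespaces/metal"
      metal:use-macro="here/main_template/macros/master">
<body>
<!-- Assumed slot name "main": everything inside replaces the original form.
     No <form> element remains, so there is nothing for a script to submit. -->
<div metal:fill-slot="main">
  <h1 class="documentFirstHeading">Send this page to someone</h1>
  <p>This form has been disabled.</p>
</div>
</body>
</html>
```

Because the page still resolves at its old URL, a crawler that bookmarked sendto_form gets a normal 200 response with no form in it, which keeps the template harmless even if a later permission change is accidentally reverted.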

Note that doing only #2 will still allow spammers to reach and use the sendto form if they know the URL.
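Since the form stays reachable by URL, it is worth being able to spot a script hammering it. The following is an added example (not from the post) that scans web-server access logs for clients repeatedly POSTing to the send-to handler. It assumes Apache "combined" log format and that the send-to submission is a POST to a URL whose last path segment is `sendto`, with the form itself served as `sendto_form`; the log lines below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the send-to form submits by POST to ".../sendto"
# (the form page itself is ".../sendto_form", which is only a GET).
SENDTO_RE = re.compile(r'/sendto$')

# Constructed sample log: one scripted abuser, one normal user, one slow repeat,
# and a malformed line that the parser must skip.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2008:20:01:10 +0000] "POST /site/news/sendto HTTP/1.1" 200 4321 "-" "curl/7.18"
203.0.113.5 - - [05/Jun/2008:20:01:12 +0000] "POST /site/news/sendto HTTP/1.1" 200 4321 "-" "curl/7.18"
203.0.113.5 - - [05/Jun/2008:20:01:14 +0000] "POST /site/news/sendto HTTP/1.1" 200 4321 "-" "curl/7.18"
203.0.113.5 - - [05/Jun/2008:20:01:16 +0000] "POST /site/news/sendto HTTP/1.1" 200 4321 "-" "curl/7.18"
203.0.113.5 - - [05/Jun/2008:20:01:18 +0000] "POST /site/news/sendto HTTP/1.1" 200 4321 "-" "curl/7.18"
203.0.113.5 - - [05/Jun/2008:20:01:20 +0000] "POST /site/news/sendto HTTP/1.1" 200 4321 "-" "curl/7.18"
198.51.100.7 - - [05/Jun/2008:20:05:00 +0000] "GET /site/news/sendto_form HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2008:20:05:30 +0000] "POST /site/news/sendto HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Jun/2008:20:10:00 +0000] "POST /site/news/sendto HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
this line is not a valid access-log record
192.0.2.9 - - [05/Jun/2008:20:40:00 +0000] "POST /site/news/sendto HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('method'), m.group('path'), int(m.group('status'))


def find_sendto_abusers(log_text, threshold=5, window_seconds=300):
    """Return {ip: burst_size} for clients that POSTed to sendto at least
    `threshold` times within some span of `window_seconds`."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == 'POST' and SENDTO_RE.search(path):
            posts[ip].append(ts)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):
            # Slide j forward to the last POST still inside the window that starts at i.
            if j < i:
                j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == '__main__':
    for ip, burst in sorted(find_sendto_abusers(SAMPLE_LOG).items()):
        print('%s: %d sendto POSTs within 5 minutes' % (ip, burst))
```

Run it against a real log (`find_sendto_abusers(open('access.log').read())`) after applying step 1: any client still bursting POSTs to `sendto` after the permission is gone is a script that has not noticed the error page yet, and its IP is a candidate for a firewall rule.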
