knadh / listmonk

High performance, self-hosted, newsletter and mailing list manager with a modern dashboard. Single binary app.
https://listmonk.app
GNU Affero General Public License v3.0

Captcha for public API #2038

Open alxjsn opened 2 months ago

alxjsn commented 2 months ago

I've read through previous issues and it seems like enabling captcha is the main recommendation to help combat spam. Though, it seems that even with a captcha enabled it doesn't prevent someone from just spamming using the /api/public/subscription endpoint.

Is this the intended behavior? I haven't come across this in documentation and wasn't expecting that.

knadh commented 2 months ago

Hi @alxjsn. "Enable public subscription" enables the form page (with CAPTCHA done separately) and also the public API endpoint. You are right though, it should be documented that the API endpoint should be blocked in Nginx or whatever other reverse proxy if it's not desired.

thueske commented 2 months ago

Same issue here. Used Caddy to disable the route:

respond /api/public/subscription* 403
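The Nginx equivalent of the Caddy rule above, as an added example (not configuration from the listmonk project or from this thread); it assumes listmonk is bound to 127.0.0.1:9000 and uses a placeholder host name:

```nginx
server {
    listen 80;
    server_name news.example.com;   # placeholder host name

    # Deny the public JSON endpoint outright. The CAPTCHA only covers the
    # HTML form page and its POST handler at /subscription/form, not this
    # API route, so the route is blocked here at the proxy instead.
    location ^~ /api/public/subscription {
        return 403;
    }

    # Everything else (admin UI, the public form page and its POST handler)
    # still reaches listmonk. Binding listmonk to loopback matters: if it
    # also listens on a public interface, this block is bypassed entirely.
    location / {
        proxy_pass http://127.0.0.1:9000;   # assumed listmonk listen address
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading Nginx, a POST to /api/public/subscription through the proxy should return 403 while GET /subscription/form still returns the form page; if the API call still succeeds, check whether listmonk is reachable on a port other than the proxied one.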

thueske commented 2 months ago

Well, but there are still lots of bots. The public subscription page is not activated; I use a form field:

<form method="post" action="/subscription/form" class="listmonk-form">
  <div>
    <h3>Subscribe</h3>
    <input type="hidden" name="nonce" />
    <p><input type="email" name="email" required placeholder="E-Mail" /></p>
    <p><input type="text" name="name" placeholder="Name (optional)" /></p>

    <p>
      <input id="712fe" type="checkbox" name="l" checked value="712fe7bf-8f02-491c-ab66-0f0d378d3a2e" />
      <label for="712fe">Interessenten</label><br /><span>Liste mit allen die schon mal mit uns in Kontakt waren oder sind. </span>
    </p>

    <p><input type="submit" value="Abonnieren" /></p>
  </div>
</form>

Any ideas on spam prevention? Getting almost 200 posts a day.

MaximilianKohler commented 2 months ago

Any ideas on spam prevention? Getting almost 200 posts a day.

What do you mean 200 posts? Where are you seeing that?

thueske commented 2 months ago

Posts = subscriptions. Sorry, my mistake.

I have now integrated hCaptcha, but it is extremely slow and sometimes difficult to solve. Any chance to get Cloudflare Turnstile working?

MaximilianKohler commented 2 months ago

I haven't tried to verify it, but there's info in this thread on Cloudflare Turnstile: https://github.com/knadh/listmonk/issues/1617

knadh commented 2 months ago

Perhaps hCaptcha should be replaced with something like https://altcha.org - Altcha is very interesting, but I haven't seen it in the wild yet.

simonmanuel commented 1 month ago

Perhaps hCaptcha should be replaced with something like https://altcha.org - Altcha is very interesting, but I haven't seen in the wild yet.

Thank you for this. Looked it up and found that they have a WordPress plugin that runs inside the WP installation. There's almost no friction. Looks promising; will update after a week if all's well.

simonmanuel commented 1 month ago

Tried Altcha. Spam still kept coming through, although it slowed down considerably. Went back to using Forminator+Webhooks+Automatisch to handle form submissions. ZERO spam.

Set up another dummy form just to see if it'll get picked up again with altcha protection.

In the meantime, there's this other project called mosparo https://mosparo.io/. It is highly customizable & will include PoW in the next release.