uvdesk / community-skeleton

UVdesk Opensource Community Helpdesk Project built for all to make a Full Ticketing Support System along with many more other features.
https://www.uvdesk.com
MIT License

Sometimes I find a customer that has no email address. How is this possible? #357

Open PeopleInside opened 3 years ago

PeopleInside commented 3 years ago

SharedScreenshot

SharedScreenshot 2

How can you explain this? Why do I sometimes see such a customer in my ticket system, which also requires a captcha to accept a ticket by web form?

PeopleInside commented 3 years ago

I would also suggest adding an indicator to let the operator know whether a user has accessed the ticket system via the web, i.e. an indicator that says whether or not the user has accessed the web interface. In this case, as you can see, I see a random-string user that has an invalid email address, and I have no indication whether this account was created by email or web form. I am also unable to tell whether an active user is just a registered user or has set a password following the email.

PeopleInside commented 3 years ago

This issue is maybe related to the fact that I use the service Mxguarddog (https://mxguarddog.com) to prevent email spam. It seems that for some reason Uvdesk takes information about mxguarddog from the header, and recently, when I open a ticket from a mail sent by me, it creates two customers: one with my email address and another one with a Mxguarddog email address, so it seems to be a bug.

PeopleInside commented 3 years ago

Closing for now. I need more details to report this... if I have them, I will reopen it.

PeopleInside commented 3 years ago

This issue is still valid. Today I again found a customer that appears to have created a ticket from the online web page. How is this possible, as I have a captcha, and how can this account have no email? I am also unable to tell when this account was created.

What kind of issue or vulnerability can there be in your software?

As you can see, the fake customer has no email address and no ticket opened. I also cannot disable the account (I have now deleted it) because without an email address I get an error.

SharedScreenshot 1 SharedScreenshot

@papnoisanjeev

vaishaliwebkul commented 3 years ago

@PeopleInside Could you please tell me from where these customers are created?? Are they created from any customized web form?

PeopleInside commented 3 years ago

This is something you need to explain to me, not me to you. I have no custom form, just https://helpdesk.peopleinside.it/it/usr/create-ticket/

Your user interface doesn't give IP info, time and date of creation of the user, etc. I have no logs to understand why I sometimes find a random customer that has no email address, no ticket open, and is indicated by your ticket system as created from the web.

PeopleInside commented 3 years ago

Also, today I have an empty customer.

SharedScreenshot SharedScreenshot 2

You need to add some logs or something to let me understand more about how the account is created. Right now the admin cannot know the user's IP if they created an account, and I have no date and no time of when the account was created. The system is yours, and you are allowing anonymous users that have no email address and no tickets.

I cannot even know whether these users are able to log in or not, as every account created is flagged as active by default, with no info on whether the user has logged in or not, so I ask for your help to diagnose and resolve this issue. Thanks.

PeopleInside commented 3 years ago

I really want help with this, as I do not feel safe until this issue is explained or fixed by you. @papnoisanjeev

I hope a future version, the next new version, can fix this issue. If you have no idea, then you need to add logs or other tools to understand why this situation happens. It's your software; I have no particular custom form.

What I do know is that I find random users that have no email address and no ticket, and the system shows these users as created by the web interface.

I am the only admin, there are no operators, and I use a long and complex password. I don't know if the password for the operator can have special characters, maybe in the new version?! I'm always scared because email in uvdesk never supports strong passwords and creates strong errors.

PeopleInside commented 3 years ago

I added some details that may also concern this issue in ticket #25126.

PeopleInside commented 3 years ago

A new captcha has been added. I'm closing this for now; let's see if it happens again in the new version V -1.0.13

PeopleInside commented 2 years ago

The issue happened again. I found an active client profile, created by the web interface, with an invalid email address.

What kind of bug do you have, or what kind of potential security issue does the registration have? I have no info about:

Note that ReCaptcha is active on my installation! I also cannot deactivate this account because the system, when I try to save, tells me the email address is invalid.


lucrus73 commented 1 year ago

Any updates on this? I'm running 1.1.0 and I got a few spam messages going through UVDesk. I don't know if it's related to this or something different.

PeopleInside commented 1 year ago

Hi @lucrus73, have you set the maximum difficulty and strong spam settings for Google ReCaptcha in Google? I don't have many spam tickets: recently I have no longer had this issue, but this does not mean the issue is resolved.

What you can try is to check your Google Captcha settings and insert the maximum difficulty.

lucrus73 commented 1 year ago

> check your Google Captcha settings and insert the maximum difficulty.

There is no such setting in my Recaptcha v3 control panel. I can only add/edit/remove domains and check/uncheck 3 options that have nothing to do with the captcha difficulty...

PeopleInside commented 1 year ago

@lucrus73 thanks for the info. I will check if I have a new suggestion for you, but I cannot right now. Currently I am not getting any more spam tickets, but I have also not opened a ticket recently.

My issue here is that some accounts are created without a valid email address. If in your case a spam bot or a person is able to bypass the Google Captcha and insert a valid name and a valid email address, I don't think there is a lot that UVdesk can do.

I believe they can do something if customers with an invalid email address are created, as in the screenshot I showed here.

If I have more updates to help you further, @lucrus73, I will write here. Now it is late and I have to go to sleep. Have a good time :)

PeopleInside commented 1 year ago

@lucrus73 I'm back this morning. I'm using the Google Invisible ReCaptcha 2, and here the option exists. What you may want to do is ask the UVdesk team whether Google ReCaptcha V3 is supported, as you are using that.

A question for you: is the Google ReCaptcha visible in your submission form? Does it require checking the captcha checkbox?

In my case yes.

You can maybe try to see if switching to ReCaptcha 2 gives better spam results, setting the difficulty level to the maximum.