Allowing topic creation through direct delivery email in makes my forum vulnerable to spammers

Recently my personal forum has become the target of email spam, apparently always coming from different auto generated email addresses on domains like qq.com, 139.com etc that I have put on my blacklist. Clearly I am doing it wrong… can anyone advise?

See screenshot. Discourse is sending emails to each of these email addresses, and I have now received a warning from mailgun that I have surpassed sending 10,000 emails this month.

Generally this forum has little to no traffic at all, but I still want to allow emailing in for various purposes. I am using mailgun for outbound mail, and have set up direct delivery for inbound mail, with a mail-receiver.yml. My suspicion is that I need to add some info to mail-receiver.yml to prevent these messages from reaching discourse at all but I am not sure how to do it. Or is there another way to block domains from outgoing mail from within discourse?

This is the contents of the message my discourse is sending:

We’re sorry, but your email message to [“foo@mydiscourseforum.org”] (titled 顶 级 菠 菜 注 冊 嶺 领 1 8 ⑻ え 找 美 女 Q485947940连结604959COM ) didn’t work.

Your reply was sent from a blocked email address. Try sending from another email address, or contact a staff member.

I had the same problem. I’m using the incoming mail server and tried adding qq.com to the blacklist, but it didn’t work, I think because they have apparently hacked a bunch of servers, so the mail isn’t coming from qq.com, but instead the hacked server, so the blacklist doesn’t work.

I ended up just disabling incoming email altogether. (Probably not a solution for you).

And it does seem that discourse is sending a “Your email didn’t work” message to all of those.

2 Likes

Thanks, Jay! It helps to know I’m not alone. :wink:

1 Like

The way i eventually solved this problem is to turn on post approval for incoming emails. This is done by setting the approval level limit to 1 instead of 0.

So all posts from email gets added to the pending list. Then you can delete those users and blacklist their ip.

Cons of this is that a post will be created for each. This will inflate your db.

Can you assist here @mpalmer? What do you recommend?

3 Likes

OK, based on what I’ve seen here and found in my explorations, I may have found an interim solution. Not great but at least not generating gazillions of emails.

  • removed qq.com etc from the discourse blacklist
  • disabled my own email notifications

Now I can delete these messages and staged users at my convenience, though it is going to be a lot of them - a new one is created every minute or so.

I suspect that a longer term solution will be to set up a blacklist to prevent emails from these domains reaching discourse at all, at the postfix level or perhaps as an admin setting that prevents sending or receiving mail from blacklisted domains.

Or maybe (not my preference) I switch back to the POP polling, and let a mail server handle the spam filtering? Or install spamassassin or some such - has anyone done that on the same server hosting a discourse site?

The trouble is these spammers are also using other domains besides the ones on my own blacklist, so the occasional spam will always find its way through and I will be playing a constant game of whack a mole. Adding a line to mail-receiver.yml and rebuilding each time is cumbersome.

2 Likes

You can ban SMTP sender domains with at SMTP time with sender_access rules, and do pretty much anything you like with mail via header checks. Given how heavily abused qq.com is, that’ll probably go a long way to solving your immediate problem.

Discourse with incoming e-mail enabled is really very similar to an old-school mailing list platform, with a better web interface, and so the vast majority of the same abuse controls work quite adequately. These include things like not allowing unregistered users to post via e-mail – realistically, there are no mailing lists that allow such behaviour, because it invites exactly the sort of misadventure you’re seeing here.

The one thing that Discourse is lacking in this respect is subscribe (or, in this case, forum sign up) via e-mail – sending an e-mail to <list>-subscribe@example.com gets you a response back with a confirmation code or URL, etc. I doubt that’s going to holding back thousands of potential contributors from being involved in your forum, though…

4 Likes

Is there a link on how to do this in the direct delivery email topic? I suspect this will come up a bit.

1 Like

Thanks for the suggestions, Matt. I will think on it - it all makes sense. In the meantime my temporary fix appears to have worked and I have stopped sending responses. Now I just need to figure out how to delete all these users and their messages until the spammers give up on me… :wink:

My own use case is a bit different from what you are describing, but I imagine it’s something that other sites might also be interested in getting to work. My forum is private and I do not allow just anyone to post topics. However, I have a few email addresses that I allow anyone to send to. Those emails are delivered to me as discourse messages. The senders are added as staged users. I use Tickets Plugin 🎟 and assigned to make sure I follow up.

I love this setup which has been working incredibly well for the last several months, and allows me to operate a discourse forum without maintaining a separate email account externally with gmail etc. I just have digitalocean and mailgun, and the domain name registration pointing the domain and I’m done.

I looked a bit at postfix settings. Can you give some pointers on how to configure postfix in this docker setup? Also, is there any way (within discourse or with postfix) to just completely ignore emails from blacklisted domains? I just want their emails to disappear into a black hole. The sender_access rules appear to send bounce messages.

3 Likes

Thanks, Stephen!

I would be happy to do what you describe but it doesn’t seem to have any effect on messages to groups, which is the only thing I allow topic creation through email for. See screenshot below - perhaps the “email in min trust” could be adjusted to also require minimum trust level to send messages to groups?

I’m also finding that my system is now still sending emails to the email addresses on the blacklist… really it should ignore them as I wrote up separately in https://meta.discourse.org/t/feature-request-do-not-accept-or-send-email-to-blocked-users-or-domains/118670?u=tobiaseigen.

Relating to this topic, it seems to me my problem would mostly go away if discourse simply ignored emails from blocked users or blacklisted domains. Currently it responds with an email notification, generating tens of thousands of needless emails and triggering mailgun’s warnings. (I have no evidence to prove this, but I suspect these responses also encourage the spammers by showing a sign of life)

This is a bit draconian and only matters for sites where topic creation is allowed through email, so it could be an admin setting.

7 Likes

An appropriate howto has been written, and link thereto has been added in the direct delivery email topic.

6 Likes

Thanks to @mpalmer’s howto, I have been able to resolve the OP and I will be able to deal with spam arriving via direct delivery from spam domains like qq.com. Many thanks again!

Now all I need to do is delete the 150+ spam accounts and messages associated with qq.com! Is there a bulk admin task for this, e.g. a rake task to delete all accounts and posts matching email domain?

3 Likes

You should be able to run this from the console to easily delete them:

destroyer = UserDestroyer.new(Discourse.system_user)
UserEmail.where("email LIKE '%@qq.com'").each { |ue| destroyer.destroy(ue.user, delete_posts: true, context: "qq.com users are spamming us")}

(as always, take a backup first)

5 Likes

Thanks! But does that also delete their posts?

Yes with the delete_posts: true argument to UserDestroyer.

UserDestroyer will actually fail if there’s still posts belonging to the user.

5 Likes

Hoo! That worked. Thanks, Michael, for saving me 3000+ mouse clicks. :computer_mouse:

6 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.