Allowed Email Domains

by Grant Dunham -
Number of replies: 3
We have email self registration enabled (and it has been working very well). When a prospective student wants to sign up - they go through the login page to the Create a New Account form. I have the Notify site administrators about new self registration signups plugin installed. It notifies the admins and they then send a confirmation email and the student signs in. As I say, it's been working quite well.
But now the spammers are using that form. (Even with captcha enabled and configured.) It just goes to the admin. But today, she got a phishing email. They used that form to determine the admin email address and sent the phishing email.
I thought I would restrict that process by adding "Allowed Email Domains". I can manage those and we can direct unusual email addresses to contact us. The Denied Email Domains would just be an ongoing battle.
Now my problem. The "Allowed Email Domains" setting works well - but provides an error message below the email field. Which is fine. But it lists all the allowed email domains - which kind of defeats what I'm trying to do. Is there a way to prevent those email domains from showing?
In reply to Grant Dunham

Re: Allowed Email Domains

by Michael Hawkins -
Hi Grant,

Just to clarify one of the things you mentioned, "They used that form to determine the admin email address" - I assume you mean the sign up form. Can you please explain how they obtained the admin email address from that?
In reply to Michael Hawkins

Re: Allowed Email Domains

by Grant Dunham -
Thank you! You've solved my problem by asking me a question.
When the spammer submitted the form, it returned a confirmation of receipt message. I had forgotten I had that set to be sent from noreply - which goes nowhere. That's not where the admin email was coming from.
The admin email address had to be coming from somewhere else. And it seems the admin changed the message and added a line if they required any info - and then the admin email address.
I looked at the email headers and came to a wrong conclusion. There is no other email referenced than the noreply one. (Except in the body of the message which will be changed.)