The contact module needs to write the X-Originating-IP headers in the mail. Right now people obtaining the spam mail via a form on a site that they not administrating, have no other option than to disable the contact possibilities in the profile.
If the X-Originating-IP header were in the mail, it would be easier to file an abuse of the original IP address submitting the form.
Issue fork drupal-171886
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #1
Dave ReidThis is a feature request, so it can only be fixed in D8 now.
Comment #2
bertboerland CreditAttribution: bertboerland commentedFeature request or not, it is *highly* needed and should have been in all contact / mail forms.
Comment #3
Dave ReidMail API is extendable and I'm sure you could write a small module to fill the need in the meantime.
Comment #4
TwoDwoukd also love to see this feature, we're getting a lot of mails that end up in spam folders and I think this header would help.
If there's a D6 (or D7) custom snippet to do this, I'd appreciate if someone could point me there. Meanwhile, I'll start experimenting with the API on my own and post my findings here if there are no objections.
Comment #5
deekayen CreditAttribution: deekayen commentedI just threw this together. There were a few other modules which were needing similar functionality.
https://drupal.org/project/x_originating_ip
Comment #6
kjholla CreditAttribution: kjholla commentedI have been working on a similar issue, but with version 6.30.
I have modified the contact.module file to introduce the following lines into the contact_mail function:
Obviously, this assumes that you have the antispam module installed, which I do. Along with this, I use a custom procmail recipe on my email server to catch all emails with the X-My-Spam header and route them straight to the junk folder.
I know this isn't the ideal solution for this, but it works for me as of now.
Regards,
Kiran
Comment #7
andypostIs this still needed?
there's a request object that have all headers
Comment #8
deekayen CreditAttribution: deekayen as a volunteer commented@andypost, I don't think having a request object with headers resolves this. The request, which I was hoping to see, would have the contact module add X-FORWARDED-FOR headers that email server admins could read - even if they have nothing to do with Drupal.
My 7.x module "resolves" it for 7.x, but it really just turns this thread into a question of resolving it in contrib or core. The argument for core would be because most admins probably aren't aware of the X-FORWARDED-FOR email header, why they would need it, or the fact that a contrib module would add it.
Or you could go the no-bloat-in-core route and say the 8.0 module ought to be upgraded to 8.1, and so on in perpetuity.
Comment #9
andypost@deekayen I think we can get this anytime in core (patch with tests) - 8.0 if this is a bug or 8.1 as feature
Is there's agreement that most of users will need that?
Comment #10
bertboerland CreditAttribution: bertboerland commented@andypost it is what is needed to catch spam by bots to scan mail (detect and flag mail from roque ip addresses) and what is needed by any sysadmin to take action against either the ISP (file an abuse) or block IP addresses. Not having this makes us very VERY bad net citizens...
Comment #11
andypostLooks that can be made BC way
Issue summary still needs update
Comment #12
andypost@all I think we need https://en.wikipedia.org/wiki/X-Originating-IP so issue need re-title
Originating IP |^X\-Originating\-IP:(.*)|mi The IP address of the computer on which the email originated.
But I'm sure that should be
\Drupal::requestStack()->getMasterrequest()->getClientIp()
Comment #13
bertboerland CreditAttribution: bertboerland commentedI think we need both. One to catch proxys and one to catch the client. Also note https://www.drupal.org/project/x_originating_ip
Comment #14
andypostI'm pretty sure we need only one because "XFF" in smtp is account list but http supposes this as hosts
PS: would be nice addition to implement ban module integration for that somehow in follow-up
Comment #15
deekayen CreditAttribution: deekayen as a volunteer commentedX-FORWARDED-FOR is a HTTP header and doesn't belong in the SMTP transaction.
Comment #16
andypostLooks this change can go only to 8.1
Comment #29
smokrisComment #31
smokrisI've opened a MR that adds the
X-Originating-IP
header to emails sent via site-wide and personal contact forms.Comment #33
smustgrave CreditAttribution: smustgrave at Mobomo commentedThis issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request as a guide.
Removing credit from myself for the rebase. The MR has a fetch error so seeing if the rebase shakes things loose.
This was previously tagged for issue summary update per #9 which still needs to happen.
Added framework manager if they have any input. Should this go through security?