Emails

[BobD]

Why am I constantly getting emails that the subject line starts with  " Comments (Our Family History!)" then includes the Web address of my Family Tree, and finishes by trying to sell me something. This only started happening about a year ago. I mark them as SPAM in my email but since they come from all different email addresses, they continue to go to my inbox and they seldom go to my spam folder.

[Rob Severijns]

Bob,

You have to be more specific.

What TNG version are you using, Which security meassures did you take to prevent spam, which security mods do you have installed?

Do you recieve the spam mail via the mailsystem of your hosting provider or via another emailsystem?

Do you have a screenshot of a spam email?

You could check the link below to see if your emailaddress has been compromised.

Have I Been Pwned: Check if your email has been compromised in a data breach

 

Kind regards,

Rob

 

[Chris Lloyd]

Are you using any spam control on your contact page?

[Rob Severijns]

Hi Chris,

 

Since many genealogists have the personal data of living people in their databases they must take meassures to mitigate the risk of that specific data being compromized.

I'm not using any specific spam control on my contactpage.

I do however apply several meassures to mitigate the risks of recieving spam and theft of my data.

To achieve this I have implemented meassures within TNG, my hostingprovider, my FTP server, my email client and within windows itself.

In general:

• I use strong passwords and change them from time to time
• I use a password manager (in my case BitWarden but there others that are good too (internet provides several sites that do a comparison between password managers)

TNG:

• I use https//
• My site is open to registered users only.
• I use recaptcha V2
• I customized my Index.php to open with the login.php.
• I use robots.txt to tell bots not to crawl my website
• I use the bot-trap mod to keep bots out that don't comply with the robot.txt settings. I can reccomend this mod for it really helps to keep bots out.
• I use a dedicated email account for my genealogy related email (email client hosted via my hostingprovider)
• I customized my .htaccess file denying certain DNS from accessing my site (i.e Deny from 80.248.225.154)
• I use the Password Generator by Michel Kirsch to generate strong passwords for myself and my users

Hostingprovider:

• My genealogy related email is handled via my hosting provider who uses several spam filters to protect my email account.

FTP server:

• See the link How to secure an FTP Server or SFTP Server: 8 essential tips (cerberusftp.com) to read about securing your FTP server.

Email client:

• All other email is handled via my Internet Service Provider (ISP) who uses sevaral spam filters to protect my email account.

Within Windows:

• I custimized my hosts file to blacklist several DNS (i.e.  0.0.0.0 006.free-counter.co.uk and many more) and locked the hosts file from being hijacked.

EDIT:

• I use Duckduckgo as my search engine, Malwarebytes and Ghostery to upgrade my browsing security.
• I always empty my browser cache when I close my browser.

 

So I take quite a few meassures in trying to keep my data and the data of my users safe.

Is it enough? most likely not but the least I can do is try is to keep my doors closed.

 

Kind regards,

Rob

[Katryne]

Hello Rob !

Could you give us the content of your robot.txt, please ?

[Rob Severijns]

Hello Katryne,

My robots.txt looks like this:

User-agent: *
Disallow: /bot-trap
Disallow: /
 

The bottrap line is placed by the bot-trap mod.

A lot more info on robots.txt can be found via the link below.

Robots.txt

EDIT:

The fololowing link gives a lot of info on security and TNG too.

Security

 

Rob

Edited May 3, 2021 by Rob Severijns
Added an extra link on security

[Katryne]

Merci Rob ! I had already the bot-trap line. I added the 3rd line.

[Roelj]

After reading this discussion i have tried to install the bots-trap.mod, but i fails.
Obvisiously because i have placed the config-files and mods outside the TNG-root.

Clicking on the "Run Checks"-button gives a 404-page error, because it is not linking to my mods.

I tried to contact the mod-author, but his website is not reachable.

Would anybody know how i can modify the mod-file to make it work?

[Michel KIRSCH]

the run check button runs the program mods/bot-trap_v12005/bt_check.php which means "TNGRootFolder/mods/bt_check.php"

if your mods folder is outside the TNGRootFolder, the program is not found.

Try to modify the cfg file :

replace :

window.open('mods/bot-trap_v12005/bt_check.php','_blank')

with

window.open($modspath/bot-trap_v12005/bt_check.php','_blank')

the program will run. BUT !

The bot-trap folder is created at ../../bot_trap

which means "above/above/" mods folder and In your case, probably out of the site's scope...

The author uses old code with ../ notation in place of TNG facilities as $tngpath, $modspath, etc...

I don't understand why you hide your mods folder...?

The best you can do is to move your mods folder to its original place...

Michel

[Ken Roy]

Michel,

The Bot-Trap mod needs serious updates.  Someone who better understands web servers need to help update this mod.   Changing the cfg file to use $modspath does not resolve all issues with this mod.  The run check fails with several PHP errors because the bt-check.php module cannot find the TNG files.

1 hour ago, Michel KIRSCH said:

I don't understand why you hide your mods folder...?

As to renaming the mods folder, it is a valid TNG approach to prevent others from access folders on one's web site.

[Roelj]

Thank you both Ken and Michel for the answers.

As Ken allready wrote it is a suggetion that TNG makes to store some files outside the TNG-root.
So i have created a tng_config folder outside the public html where all config-files are stored.
i have also created a tng_data folder which includes backups, extensions, gedcom, gendex and mods.

It works fine with all TNG-functions and with all other mods that i have installed.

Roel
hhtps://roeljongman.nl 

[Michel KIRSCH]

1 hour ago, Ken Roy said:

The Bot-Trap mod needs serious updates

OOOOhhh Yes !

[Michel KIRSCH]

5 hours ago, Ken Roy said:

As to renaming the mods folder, it is a valid TNG approach to prevent others from access folders on one's web site

Renaming the mods folder is one thing. Moving it is another thing.

If code must be running from this folder (and it is the case of bot-trap), the program has no way of knowing where it is installed and where the tngroot is...

The program can not access the config.php to know in which folder it stay...

Michel

[Roelj]

I do not have enough programming knowledge, but the only thing i can say is that all other mods  (44) that i have installed, just work fine with my configuration.

The path to the mods folder is defined in the config.php which is reached by the subroot.php.

Roel
https://roeljongman.nl

[Michel KIRSCH]

I understand Roel,

but i think bot-trap is the only one which

create a subfolder in the TNG root and use program files that are stored in this subfolder.

If the mods directory is not in the TNG root, the program can not see where it stay...

I test some solutions to let it work in these conditions, but nothing found...(except saying bot-trap what's the name of the TNGroot directory before it installs)

Sorry

Michel

[Roelj]

Ok. Fair enough. I will think about my possibilities:
move the mods bacj to the TNG-root or
not use the bot-trap-mod

[Michel KIRSCH]

OR recreate a subfolder "mods" in the TNGroot, extract the bot-trap zip in it and proceed to a manual installation...

Michel

[Michel KIRSCH]

maybe a solution :

- recreate the mods folder in yout tngroot

- change the name of the mods folder in your settings to this new mods folder

- extract this version 6 (the same as the 5 but without error message when running the check)

- install the mod via the mod manager (don't be afraid : Mod Manager will show that you have only one Mod !)

- adjust your preferences in the Mod with the Edit options (mail,etc..)

- REset the name of your mods folder in your settings

I think this will be OK, but you have no more access to the settings of this mod.

To uninstall it, you must follow the same procedure...

Michel

 

 

bot-trap_v12.0.0.6.zip

[Roelj]

Unfortunally this solution did not work.
I did as you described and tried to install the mod.

The run checks worked fine now but then i got the message 'unable to install'

See screenshot below.

 

[Michel KIRSCH]

Roel, the install program search for the line

User-agent: *

in your robots.txt file, but doesn't fint it.

look in this file, maybe is it one space too much or too less in this lines, or it doesn't exists...

the file exists, it is verified.

Michel

[Roelj]

This was indeed the problem. It works now.

[Michel KIRSCH]

OK Roel.

Michel