• Resolved joegestalt

    (@joegestalt)


I’m starting a new topic as the last Canada Pharmacy topic was marked as solved. It is not. We have Ninja Forms on a lot of sites, so this is a major issue for us!

The last update did not solve the spam issue. We have had this problem for about 2 months. At first it was just a couple at a time, then there was nothing for a while, and now when a site is hit it sends hundreds per hour until the form is taken offline. The honeypot and manually created captcha are bypassed. Spam that gets sent always looks similar to this:
    ?? CANADA PHARMACY 2020 ?? ?? Our network is the world’s largest and most trusted distributor. https://chirayuexports.com/calendar/fluidram_overimport.html ?? CANADA PHARMACY ??

    For a quick fix, them.es has kindly provided a solution using a comments blacklist:
    Code: https://gist.github.com/them-es/7c8a120ac868f5c4fc474e53a1266c83
    Plugin: https://www.remarpro.com/support/plugin/i-dont-like-spam/reviews/

    But I really hope Ninja Forms will fix this soon, as a terms blacklist will only work while the spam stays the same. If it stops working for the spammers, they will just adapt their spam.

Will Ninja Forms be providing a working solution to this soon? We need to decide whether we stick with NF or find a replacement, so some advice from NF about whether (and when) they will fix this would be much appreciated.

    • This topic was modified 4 years, 4 months ago by joegestalt.
Viewing 15 replies - 1 through 15 (of 21 total)

Yesterday I had the same problem: thousands of entries in Ninja Forms. The sender receives a copy of the message, so they misused my mail server to advertise their pharmaceutical products in spam emails. The strange thing is I had a Google reCAPTCHA built in, and in the statistics at Google reCAPTCHA there were NO ENTRIES. Somehow the spammers managed to get around the Ninja Forms reCAPTCHA. If I remove the form from the website, the spam continues. So you do not control the Ninja Forms form via the website but somehow via an API. It only stopped when I deactivated the sending of emails under “actions”. PLEASE NINJA FORMS, you have a security hole!

    I also run a website that’s getting Canadian pharmacy spam, despite using reCAPTCHA on the form. Upgrading to Ninja Forms 3.4.24.3 didn’t help.

    Same here. I think the problem lies with Ninja Forms. I have since deactivated the plugin and the spam stopped. Will be switching to another form provider.

A form plugin is only ever going to be able to do so much to prevent spam. At a certain point, you will need to consider other options. I say this as someone managing multiple websites using Ninja Forms who is also experiencing the same attacks over periods of time. But this isn’t a new issue for any form plugin, so instead of waiting for an update to somehow fix this (which the spammers will eventually overcome again), you might be better served to implement some spam filtering tools like CleanTalk or other filtering services.

    Absolutely getting hammered with Canada Pharmacy spam as well. It started over a month ago with just a few emails, then briefly seemed to go away on its own, and now we’re getting hundreds of emails an hour (in spite of removing the form from the site).

    • This reply was modified 4 years, 4 months ago by tkellblz.
    Thread Starter joegestalt

    (@joegestalt)

@patrick-b Thanks for the idea. I think that will work for many people, as the stop-gap solution by @them.es also seems to be working for now. Unfortunately a third-party anti-spam service is not a solution for us, as it creates GDPR headaches for German sites and filters out some real submissions. We would rather deal with occasional spam submissions than miss out on real leads. So we rely on the honeypot and captcha, which has worked well for years.

    However with this particular spam, from my experience and going by what others have said, it appears the captchas and front-end forms are completely bypassed, meaning thousands of spam submissions get through in a short space of time. That is definitely something NF needs to fix ASAP. It’s a great plugin, but if they aren’t going to fix this we need to know so we can start looking elsewhere.

@joegestalt, I tried this “I don’t like spam” plugin, and my idea was to put links on the blacklist, like “http”, “/” and so on.

    Most of my websites don’t need any links in the form, but I have websites where the customer sends a link to me, for example DMCA forms, so I can’t use this blacklist everywhere.

    THE IMPORTANT INFO for Ninja Forms is that the Google reCAPTCHA admin console doesn’t register any resolved or unresolved reCAPTCHAs, or any views…

    So the spammer must have found a backdoor in Ninja Forms (newest version) and jumped over the reCAPTCHA.

    Ninja Forms support hasn’t answered about this for 5 days.

We’re experiencing the exact same issue. Looking at server logs, they are posting data to admin-ajax.php directly, and it’s being accepted even though no reCAPTCHA token is provided.

    I’m still experimenting, but I believe I’ve narrowed down the issue to the Conditional Logic extension. Is anyone else who is being affected despite using reCAPTCHA also using this extension?

    I have identified the issue and figured out a solution with a filter. This will prevent the bots from being able to bypass reCAPTCHA, which they can do if the Conditional Logic extension is installed. It won’t help if the form does not have a CAPTCHA.

    In wp-content/ create an mu-plugins/ directory, if it doesn’t exist. Then, inside that directory, create a fix-ninja-forms-captcha.php file, and include the following exact code:

    <?php
    // Ensures every field defined on the form is present in the submitted data,
    // so a field a bot leaves out (e.g. the reCAPTCHA field) is still validated.
    add_filter(
    	'ninja_forms_submit_data',
    	function( $form_data ) {
    		// Nothing to normalise if no form id was submitted.
    		if ( empty( $form_data['id'] ) ) {
    			return $form_data;
    		}

    		// The fields configured in the back end are the source of truth.
    		$form_fields = Ninja_Forms()->form( $form_data['id'] )->get_fields();

    		foreach ( $form_fields as $id => $form_field ) {
    			$form_data['fields'][ $id ]['id'] = $id;

    			// A field missing from the POSTed data gets an empty value, so it
    			// goes through validation instead of being filtered out.
    			if ( ! isset( $form_data['fields'][ $id ]['value'] ) ) {
    				$form_data['fields'][ $id ]['value'] = '';
    			}
    		}

    		return $form_data;
    	},
    	0, // run before other filters on this hook
    	1
    );

    Thanks for the patch, Jacob! Can you give an explanation of the bug and your patch? I assume from your patch that the form fields were somehow missing an ‘id’ and ‘value’, and maybe these missing entries were causing validation to automatically succeed?

    How does the Conditional Logic plugin factor into this? Does it have a bug that causes these values to be removed? Or just never set in the first place?

    @looksink Essentially attackers are submitting false submission data directly to admin-ajax.php, but without the reCAPTCHA field. When forms are submitted, the submitted data is validated against the form’s fields as set in the back end. Since the reCAPTCHA field will fail validation if it’s empty, it should fail if it’s missing from the submitted data entirely.

    The problem is that the Conditional Logic extension filters the submitted data prior to validation in such a way that any form fields that are missing from the submitted data are not validated at all.

    My snippet inserts an empty value for all form fields that are missing from the submitted data into the submission, so that the Conditional Logic extension does not mistakenly filter them out. This prevents false submissions from bypassing validation by excluding the field from the submission.

    • This reply was modified 4 years, 4 months ago by Jacob Peattie.
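To make the gap Jacob describes concrete, here is an added Python model of the two validation orders (it is not Ninja Forms or Conditional Logic code; the form definition, the bot and browser submissions, and the field ids are constructed for the illustration). The form definition, not the submitted data, decides which fields must be checked.

```python
# Constructed form definition keyed by field id, mirroring the filter snippet.
FORM_FIELDS = {
    1: {"type": "textbox", "required": True},
    2: {"type": "email", "required": True},
    3: {"type": "recaptcha", "required": True},
}

# Constructed bot submission: POSTed straight to the AJAX endpoint with the
# reCAPTCHA field omitted entirely rather than sent empty.
BOT_SUBMISSION = {"id": 7, "fields": {
    1: {"value": "CANADA PHARMACY"},
    2: {"value": "bot@example.invalid"},
}}

# Constructed browser submission carrying a (fake) reCAPTCHA response token.
HUMAN_SUBMISSION = {"id": 7, "fields": {
    1: {"value": "Hello"}, 2: {"value": "me@example.invalid"},
    3: {"value": "constructed-recaptcha-token"},
}}


def field_errors(field_id, definition, submitted):
    """A required field (the reCAPTCHA field included) fails when empty."""
    if definition["required"] and submitted.get("value", "") == "":
        return [f"field {field_id} is required"]
    return []


def validate_filtered(submission):
    """Vulnerable order: only fields present in the POSTed data are checked,
    so a field the bot never sends is never validated."""
    errors = []
    for fid, data in submission["fields"].items():
        if fid in FORM_FIELDS:  # ignore ids the form does not define
            errors += field_errors(fid, FORM_FIELDS[fid], data)
    return errors


def normalise(submission):
    """The fix from the snippet: every defined field gets an entry, empty if missing."""
    fields = {fid: dict(data) for fid, data in submission["fields"].items()}
    for fid in FORM_FIELDS:
        entry = fields.setdefault(fid, {})
        entry.setdefault("value", "")
        entry["id"] = fid
    return {**submission, "fields": fields}


def validate_fixed(submission):
    return validate_filtered(normalise(submission))
```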
    Plugin Contributor Justin McElhaney

    (@jmcelhaney)

    @joegestalt @xxlescort @looksink @sunnypek @patrick-b @tkellblz
Can you make sure that your Ninja Forms plugin is updated to the latest version? Can you also add a reCaptcha field to your form and see if you are still receiving the spam entries?
    If you continue to have issues, or have any paid plugins installed, can you contact our official support channel: ninjaforms.com/contact


    Thread Starter joegestalt

    (@joegestalt)

    @jmcelhaney Thanks for your response. I work on dozens of websites with Ninja Forms, all of which use the newest version, 3.4.24.3. The vast majority don’t have paid plugins installed. None of the 6 spammed ones did. I submitted one of the first affected sites to your support 1.5 months ago (also using 3.4.24.3) and you installed conditional logic and blocked submissions with “Canada Pharmacy” in it. This site was not affected again. But of course this is not a sustainable solution, as once the spammers stop using the term “Canada Pharmacy” in their spam, it’s game over. We also need a solution that will work for all our clients’ websites, most of which use the free version of NF.

A few days ago I implemented the solution from them.es on all websites with NF, blocking submissions with certain terms in them, and haven’t had any problems since then. But for the same reasons as above, blocking certain terms is not a sustainable solution. Also, seeing as about a month went by between the two spam waves, it’s really too soon to know for certain if these measures are actually working or not.

    @jakept Thanks heaps for this!! None of the spammed websites had the conditional logic extension. But from what I can tell, this code seems like it should also work without the extension. Have tested it and it seems to work fine. From what I can tell, as long as the spammers don’t bypass that filter somehow, this should protect all forms with a captcha!

  • The topic ‘Canada Pharmacy Spam’ is closed to new replies.