[Plugin: Fast Secure Contact Form] Flood of Spam via email via Contact form
-
There is a sudden flood of spam coming to my email via the contact form, despite using a Captcha on the form. Akismet deems them as ‘probably spam’ which they are, but they are still being sent to my inbox, about 30 a day for the last 2 weeks. Not sure how to stop this, or keep them from being emailed to me, without losing the legit contacts. Any help is appreciated. Thanks
-
If you read my replies here, there are bots and there are human spammers. You cannot stop most human spammers.
Out of the thousands who are using this form, really only a small amount have this problem.
Try to resolve it like this:
Make sure to Enable the CAPTCHA on the form settings page, Enable the Akismet plugin with an Akismet API Key and set the Fast Secure Contact Form setting to “Block spam messages”, or “Tag as spam and send anyway”.
Also if you are being spammed frequently you can install Bad Behavior plugin and enable http:BL with a free api key.
I have some honeypot field ideas and maybe I could add an optional http:BL but I would need to test them on one of your servers that is being spammed. Would some of you who are being spam attacked want to give me more information about your forms and the spam you get? Would you contact me and let me have access to your site to test some code for these honeypot ideas? It really would help to test this stuff on a form that is receiving a stream of spam. I have a 4 day weekend coming up and might have time.
I am using captcha but not akismet. I will go install it too and turn it on per your instructions. Here is an example of my spam via form:
[Spam moderated. Please do not post copies of spam in these forums]
May I suggest?
I’m using NoSpamNX to fight comment spam, and it works. Some said it can’t fully stop spam, but on my sites I almost never get any spam after using it. I like it but unfortunately it works only for comments, not other kinds of form. The author of the plugin said it uses additional form fields to detect spam.
Perhaps you can have a look at the plugin.
I added a honeypot anti-spambot setting you can enable in the next version after 3.1.6
If you are having a problem with active spambots right now, you can try it right now. After I get a confirmation it works I can release 3.1.6.x
This new setting enables empty field and time based hashed server side checked honeypot traps for spam bots. For best results, do not enable unless you have an active spam problem.
This feature does not stop human spammers
Backup your Forms and Settings: (I do not expect any trouble but just in case)
You can backup/restore your Fast Secure Contact Form forms and settings using a tool on the contact form settings page.
Do not auto delete the plugin from WordPress
Manual Un-install:
FTP to the server and delete this folder: /si-contact-form/
the folder is found in /wp-content/plugins/
When the plugin folder is deleted, the forms and settings are still saved in the database.
Auto Install:
On the plugins admin page, click “Add New”, search plugins for Fast Secure Contact Form
When you see it in the search results, click “Install”. The plugin will be automatically downloaded, installed and activated.
After you upgrade to the new version you have to enable this new feature: go to the form edit page and check this setting:
“Enable honeypot spambot trap” (look for this setting in the CAPTCHA settings section on the form edit page. This feature will be disabled by default)
Let me know if the spam goes away, if it does not, it could be human spammers.
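The kind of check described in the post above (an empty trap field plus a time-based, hashed token verified server-side), as an added example that is not part of the original thread and not the plugin's own code. The field names, secret and thresholds are assumptions, and the sample submissions are constructed.

```php
<?php
// Added illustration; field names, secret and thresholds are hypothetical.
const TRAP_FIELD = 'website_url';   // hidden input a human never fills in
const MIN_FILL_SECONDS = 3;         // faster than this is treated as a bot
const MAX_AGE_SECONDS = 3600;       // stale or replayed forms are rejected

// Issued when the form is rendered: "<timestamp>.<HMAC of timestamp>".
function issue_form_token(string $secret, int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, $secret);
}

// Server-side check on submit. Returns a reason string, or null if the post passes.
function check_submission(array $post, string $secret, int $now): ?string
{
    if (trim((string) ($post[TRAP_FIELD] ?? '')) !== '') {
        return 'trap field filled';
    }
    $parts = explode('.', (string) ($post['form_token'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'token missing or malformed';
    }
    [$issued, $mac] = $parts;
    // Constant-time comparison so the signature cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $issued, $secret), $mac)) {
        return 'token signature invalid';
    }
    $age = $now - (int) $issued;
    if ($age < MIN_FILL_SECONDS) {
        return 'submitted too quickly';
    }
    if ($age > MAX_AGE_SECONDS) {
        return 'token expired';
    }
    return null;
}

// Constructed sample submissions (not real traffic).
$secret = 'example-secret-change-me';
$t0 = 1700000000;
$token = issue_form_token($secret, $t0);
$samples = [
    'human, 40 s'      => [['form_token' => $token, TRAP_FIELD => ''], $t0 + 40],
    'bot fills all'    => [['form_token' => $token, TRAP_FIELD => 'http://x.example'], $t0 + 40],
    'bot, instant'     => [['form_token' => $token, TRAP_FIELD => ''], $t0 + 1],
    'forged timestamp' => [['form_token' => ($t0 - 60) . '.' . substr($token, 11), TRAP_FIELD => ''], $t0 + 1],
];
foreach ($samples as $label => [$post, $now]) {
    printf("%-17s %s\n", $label, check_submission($post, $secret, $now) ?? 'accepted');
}
```

The trap field should be hidden with CSS rather than `type="hidden"`, and rejected posts are better logged than silently dropped so false positives can be spotted.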
Hi Mike-
Thanks for your efforts on this. I almost never use a common url for the contact form (e.g. /contact or /contact-us/) and we’re not seeing any spam inundation on our projects. *Except* the one contact form whose url is /contact/. That one gets hit a fair amount and I just haven’t gotten around to dealing with it since the server side spam detection does a good job of flagging it. I’ll go install 3.1.6.1
Anyway… folks, if you’re having ongoing issues please see Mike’s earlier responses in this thread. He covers all of the major vectors for spam and gives good suggestions. My personal experience is again:
* don’t use a common url for your contact form
* consider putting a deny entry for your contact form into robots.txt
* in my opinion, captcha is just about useless these days.

I’ve experienced a specific type of spam increase on a client site. We’ve always had the odd submission (3 or 4 a month) where the sender is a .gmail address and the FirstName and LastName fields are the same (interesting?).
These have increased throughout December 2012 and we are now getting about 10 a day. We always had captcha enabled on High and Akismet enabled and set to mark and deliver. Akismet would only mark about 50% as spam.
So today I’ve updated to the latest version, enabled the honeypot option, changed the URL and added the new url to robots.txt – let’s see what happens!
Hi Mike, great work on your plugin overall. In relation to the other comments here I was wondering if it would be possible to include another CAPTCHA in the form plugin? I think the SI CAPTCHA is great I was just thinking about trying something else out with this form.
Let me know if this is doable and I look forward to your response.
Thanks!
I wonder whether the folks who receive spam have Jetpack enabled as well. I never received spam until I started to use Jetpack. Then I suddenly received loads of spam. The Jetpack team said all I needed to do was mark those messages as spam, but my time is more valuable than to click through a few hundred spam messages a day.
The stream of spam stopped once I removed Jetpack.
dutchintouch, We don’t use jetpack on any of our sites and have the problem on all sites this is used on. We are confident he will come up with a great solution.
Funny how naive some users are.
I worked with Secure Captcha before I even used Mike’s Forms and WordPress. You would take hours/days to crack the code because it’s md5 hashed and this changes each time you access.
We have zero spam via the forms and manage more than 120 forms online. The only spam which actually bypasses it, is entered by people manually offering their services.
Additionally if you have replaced a form with spam problems with the Fast Secure Contact Form and you keep the same name then spammers can use the same form name – at least change then the subject line so you can identify if this is coming from Mike’s form.
And yes too many plugins do slow down the web site and definitely can interfere with each other.

Isn’t there a way to simply block hyperlinks in contact form submissions?
One of the non-profit sites I maintain was recently discovered by a spammer who just likes to post lots of hyperlinks. But there’s no need for hyperlinks in contact form submissions from that site.
There must be an easy way to block hyperlinks in submissions …does anyone know how (without writing new code to do it)?
Blocking hyperlinks may sound okay, but I don’t think it is a good thing to do.
For example, I saw many posts in the WordPress forum asking for support. To make it easier for the plugin’s authors, they usually ask the user to post their website URL on the author site’s contact form. Perhaps you may ask why don’t they post it directly on the WordPress forum? For privacy reasons, especially about security issues, it is not wise to make it public.
Hi Mike, I just installed your Fast Secure Contact Form Plugin.
Nice form.
However, I disabled VCita. I don’t want anyone to see my schedule and set an appt via phone or at my office. However, on my Content Form – Full Profile is active and when you click on it it opens the VCita form that allows you to schedule an appt and see my calendar.
How do I disable this Full Profile on my contact page?
Thanks!
- The topic ‘[Plugin: Fast Secure Contact Form] Flood of Spam via email via Contact form’ is closed to new replies.