[Plugin: Fast Secure Contact Form] receiving vCita spam!

See my post on the same topic. Your email address(es) have already been sent off to vCita. So will any new email address you enter to have form data sent to. With your blog address and name.

Hi Crudhunter,

I saw your post on the same subject. It really offends me what is happening with my (until today) clean email address. Installing a plugin on a site you have built with great care needs trust. You need to trust the author of the plugin. So far Mike has done a great job, he created a great plugin, he gave great support so he earned a lot of trust. This vCita thing is not a trust-building action, to say it mildly.

I still hope he will soon come with a message that he made a big mistake in going into business with vCita and that the plugin will be freed of this sort of thing. The last thing I need is a plugin in my website that can’t be trusted. If Mike feels he needs to make more money, why not make it a commercial plugin?

In the meantime I will have to look for an alternative, as I have no intention op updating my other websites and have the same result.

Any ideas someone?

I agree with you there.. Mike have a great plugin. Great work as I also stated in my other post. Until the connection with vCita.

I am personally OK with having vCita as meeting functionality (or better a service that does not take advantage of the connection by hooking themselves into my sites to use my system as a Spam sender).
I don’t mind Mike making some money from hooking up people that want such a service either. Good for him.

BUT. It should be a non-default. No handing off random email-addresses to the meeting provider by default. If I were to sign up for a meeting service I would NEVER have used the email address I created for the contact form. They are assuming that this is an email address for public consumption, that I would want meeting requests on.

Also, it should be clearly documented up front what the side-effects will be both Spam and Privacy wise if one (as a personal, actual decision) enable the functionality in a plugin.

vCita’s method of abusing the connection seems very backhanded, when used on someone that never voluntarily signed up for their services or voluntarily gave them these multiple email addresses.

Why I would want my sites to start picking up Spam from someone else’s server in the middle of the night when am sleeping is beyond my comprehension. My server mail-logs clearly show that my web-server (apache user) started distributing Spam both at 2:50 AM and 3:00 AM, naming vCita as the culprit. Those timestamps matching my every 10 minute cron-job to call on wp-cron to refresh caches and assure scheduled postings.

Hi this is Mike. Please give me some time to review your concerns and address them in the best way, make changes as needed. I have a daytime job so please allow me time to work this out in due course.

Thanks,

Mike

Hi Mike,

Thanks for your reply. I will wait for your reaction. I was soooo dissapointed. You have such a great plugin and it is such a pity to see things going like they do…

Sorry for any inconvenience.
Here is a little explanation about the issue:
I have recently partnered with vCita to enable Fast Secure Contact Form new optional capabilities such as meeting scheduling, video meeting, phone conferencing and collecting payments. There are thousands of Fast Secure Contact Form users who chose to add vCita to their contact form and many of them use it for free. You can enable or disable the feature on the form edit page.

This was only a one time limited email announcement message of new features for Fast Secure Contact Form to existing Fast Secure users, letting them know about the new options. The message was sent from the plugin directly, we are not attempting to collect data.
If you do not wish to activate the vCita service, you can ignore this (one time)message and no further messages will be sent to this address.

Here is some info from vCita to hopefully address your concerns:
vCita services never affect existing Fast Secure users and your contact form will never be changed even if you upgrade to a version that has vCita capabilities.
We only enable vCita by default if you are a new user that download the plugin for the first time – so you can see and try the option – and of course disable it not interested.
vCita sends one email to existing Fast Secure users, letting them know about the new options.
vCita complies with CAN-SPAM and if you unsubscribe, we’ll never contact you again.
vCita will never share your email address, and never use it for any other service but your contact form.

We definitely want to follow WordPress guidelines and will make some adjustments to be sure we are doing that.

Thanks for your patience, a new version 3.1.4.1 is just released. We removed the email announcement feature.

We made two other changes to better align with WordPress guidelines:
– vCita is disabled by default.
– Email will only be passed to vCita servers when you choose to enable vCita services.

Hmm.

“Sent from the plugin directly”.. Yes, exactly. That was the point.
But since the content and structure of those emails does not exist in the actual code, it would have been offloaded from outside.

Every form set up by its default (in 3.1.4 at least) enables vCita and sends them the email contact entered in that form. By the time the form config is displayed and one turns off vCita, it seems to be too late already.

AND YIKES.. I just noticed that the Banner add that is shown at the top of the admin screen also sends ones email address off to vCita, if the vCita banner is randomly shown. (Since there are only a choice between a vCita ad or a ThemeFuse Ad, that would mean 50% of the time the admin screen is reloaded, the potentially changing email addresses in the various forms are shared with vCita.

BTW. The latter is still the case in the new 3.1.4.1 version.

This is Ran from vCita.
I am sorry for any inconvenience caused to Fast Secure users.
Mike has a great plugin and throughout the process of working with us he always put his users at first priority.

Yes, we are a commercial service, just like many other WordPress plugins, but that doesn’t make us bad guys or spammers.
1000s of Mike’s users would tell you that we offer a great service that complements their contact form perfectly, even if they just use the free version.

We appreciate your feedback. We worked with Mike to release an update within hours to address the concerns mentioned in the thread:
– vCita is NOT enabled by default now.
Therefore your email will not be sent to vCita servers
– The banner ad fills up email address for user convenience and only when the user actually clicks the banner. If you do not sign-up we won’t do anything with this email. Anyway – we’ll work to remove that as well in the next version.

Bottom line – we want the best for Fast Secure Contact Form users and we respect their privacy. We will continue to work with Mike to bring vCita’s value to his users, while not exposing their email address unless they choose to.

Thank you, crudhunter, for discovering those disturbing issues, and for revealing the ugly practices going behind our backs. Your posts were an eye-opener for me, and probably for everyone else who read them! As a loyal user of Fast Secure Contact Form, I am DISGUSTED and OFFENDED by the turn this plug-in is taking. I only hope that the next version will resolve those issues completely, or else I will be abandoning this plug-in, and I will be advising my friends to do the same.

Hi Mike,

Thank you for your quick reply. The magic word in using a plugin is TRUST. As a plugin user, selecting a plugin for a certain function, you ask yourself if the plugin author can be trusted to create a well written plugin that doesn’t break your website, and you ask yourself if the plugin author can be trusted to update the plugin when needed and provide some form of regular service.

Over the years you have really earned that trust. You have written a fantastic plugin that is downloaded over 2 million times and your service was really very good.

But… everything that happened with this vCita code has not helped to sustain that trust. And the way it works out now, by first getting a new update out there, and then hearing from crudhunter that a new backdoor e-mail sending piece of code behind a banner has been introduced is not helping either. One tends to wonder what else is in the code that has not been found yet.

I understand that you want to make some $$, and maybe a lot of $$, from cVita. There is no problem there. I understand that fully and you deserve it. But why this way? Why not make a seperate plugin for vCita and have your plugin work with that. Why clutter your code with this vCita function if it is only used by 0,2 % of your users and if it upsets your other users?

You wrote:

This was only a one time limited email announcement message of new features for Fast Secure Contact Form to existing Fast Secure users, letting them know about the new options. The message was sent from the plugin directly, we are not attempting to collect data.

Then why was this e-mail crafted the way it was? With a link to the vCita website to “unsubscribe” from the service…

Furthermore you write about vCita and how nice and well-behaved these people are. That is all good and well, but why should I trust them that they won’t abuse my email address? Because they say so? Trusting them would have been a lot easier if they made another introduction, not by spamming me through your plugin. I understand that the mail I received has been a collaboration between you and vCita.

I hope this is all a one time only mistake and that all will be corrected in the following update. I also hope you realize that, at least in my opinion, the tactics that were used, and are still being used, are not in accordance with WordPress guidelines, and are not helping you to further the succes of your (until yesterday) great plugin.

I trust you will take all this to heart and do the right thing. I’m looking forward to your next message/update.

I wish you all the best and hope you make a lot of $$ with this plugin. It would be well deserved. But please, please find another way to do that, so I can confidently keep using the plugin. There are a lot of good examples out there that work really well, and that don’t violate user-trust.

yeahwow,

To be fair. The issue I mentioned of the Banner link passing off email was not a new issue introduced.

The vCita ad banner was always setup so if you clicked on it, the URL would pass your email-address as a parameter to vCita. Most likely to pre-fill a sign-up form. For “user convenience” as Ran called it.

I think that in the hurry to fix some of the issues and get the 3.1.4.1 version out there, Mike probably just did not notice that additional issue, so it still showed in the new 3.1.4.1 version of the plugin.

BTW.. I think your idea of adding hooks in the plugin to allowing the install of a separate vCita add-on is a great idea. That would separate the issues entirely. A clean contact plugin, with a separate “Meeting” add-on people can choose to install.

@crudhunter
OK, thanks for clarifying the banner issue. If I accused Mike wrongly of introducing a new backdoor I apologize.

Let’s wait and see what happens. That is what I will be doing right now. I want to trust Mike and keep using the plugin, but something has to be done and corrected.

The seperate vCita plugin would be the best way to go, I guess, but that is up to Mike and vCita. I’m waiting to see what happens…

@mike

Just a thought:

If you looked at a plugin that said in the description:

This plugin may, upon installation or if you accidentally check the wrong check box, send your email address and perhaps some other private data to a bunch of really nice guys that promiss not to use that information.

Would you install that plugin?

I also am extremely disgusted and disappointed by this. I have the Fast Secure Contact Form plugin installed at three sites. The email addresses at two of those sites previously received spam, but the address at one site was known only to a couple people and never received any spam whatsoever until this affair. Now it is trashed.

There is nothing wrong with trying to make money with a commercial venture, but there is a lot wrong with taking advantage of trust. If you want to help market vCita, you should do it in ways that don’t mislead and that don’t steal data from people who have trusted you and considered you a friend. I suspect your donation income will drop by far more than you receive from vCita.