Viewing 27 posts - 1 through 27 (of 27 total)
  • #909332

    Hello,

    A client of mine has been receiving spam through the Enfold contact form.
    Required fields were not filled in. The spam mail shows the following text:

    By sending this contact form, I agree that the personal details I have entered (first and last name, e-mail address, country, subject and message) will be stored and used exclusively in processing my request. My personal details will be treated with strict confidentiality and will not be passed to third parties.: false

    All contact forms use captcha. Scan summaries show no infected files.

    Please find your login credentials below. Thanks for your assistance.

    #909396

    Hey hasbeat,

    Can you please post for us the different licenses of the theme per domain, so we can go through?

    Thank you very much

    Best regards,
    Basilis

    #909928
    This reply has been marked as private.
    #910658

    Hi,

    Thank you very much for that, we do appreciate it a lot!
    I am going here
    https://www.klotz-ais.com/contact-form/

    and testing the forms, and I can't see any issue related to it or any problem when trying to submit, so there is no JS error.
    To move forward can you please show us an email, so we can see a bit more how it comes?

    Best regards,
    Basilis

    #911005
    This reply has been marked as private.
    #911309

    Hi,

    Hm, that looks strange because no other field is selected.
    It seems to be that they have just closed the messages as a scan and emailed, so they can create a spam flow to the server provider.
    That happens to all the domains?

    Best regards,
    Basilis

    #911564
    This reply has been marked as private.
    #911906

    Hi,

    That is really strange.
    Not sure where the issue is coming from – what we can suggest is to re-create the captcha from the Google API.

    Best regards,
    Basilis

    #912139
    This reply has been marked as private.
    #912461

    Hi,

    How did you enable your API key? Just change it from there so we can test if that could help!

    Best regards,
    Basilis

    #914229
    This reply has been marked as private.
    #914638

    Hi,

    I can’t submit the details in the contact form when the mandatory fields are empty. How are you doing it? Are you receiving the email even without a form submission?

    Best regards,
    Ismael

    #914729
    This reply has been marked as private.
    #915004

    Hi,

    It simply can't be from the form.
    The point is that they are doing it from the source. They scan your source of the code and they are going from there to send messages.
    There is not a lot we can do from outside right now.
    You need to investigate, find the IP and block it…

    Best regards,
    Basilis

    #917900
    This reply has been marked as private.
    #918851

    Hi,

    They can get around the contact form validation by editing the shortcodes.js file directly in the browser sources panel. This block of code checks if the fields are valid.

        if(send.validationError == false)
        {
            if(form.data('av-custom-send'))
            {
                mailchimp_send();
            }
            else
            {
                send_ajax_form();
            }
        }

    You can send the form without filling in the fields by removing the validator.

    
        if(form.data('av-custom-send'))
        {
            mailchimp_send();
        }
        else
        {
            send_ajax_form();
        }

    I don’t know what they will accomplish by doing that but it’s possible.

    Best regards,
    Ismael
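
What the bypass described above implies for the receiving side, as an added example (not part of the thread and not Enfold's code): the handler that sends the mail re-checks every required field itself, so removing the browser-side check changes nothing. The field list and names are hypothetical, and JavaScript is used only to match the snippet above; a WordPress handler would apply the same checks in PHP.

```javascript
// Added example: server-side re-validation of a contact form submission.
// FORM_FIELDS and its field names are hypothetical, not Enfold's schema.
const FORM_FIELDS = [
  { name: "name",       type: "text",     required: true },
  { name: "email",      type: "email",    required: true },
  { name: "subject",    type: "text",     required: true },
  { name: "message",    type: "textarea", required: true },
  { name: "consent",    type: "checkbox", required: true },
  { name: "newsletter", type: "checkbox", required: false },
];

// Deliberately simple syntactic check; not a full RFC 5322 parser.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns a list of problems; an empty list means the mail may be sent.
function validateSubmission(fields, posted) {
  const errors = [];
  for (const f of fields) {
    const raw = posted[f.name];
    // Missing keys and non-string values are treated as empty.
    const value = typeof raw === "string" ? raw.trim() : "";
    if (f.type === "checkbox") {
      // A required checkbox must be ticked; "false" or no value fails.
      const ticked = value === "true" || value === "on" || value === "1";
      if (f.required && !ticked) errors.push(`${f.name}: must be accepted`);
      continue;
    }
    if (value === "") {
      if (f.required) errors.push(`${f.name}: required`);
      continue;
    }
    if (f.type === "email" && !EMAIL_RE.test(value)) {
      errors.push(`${f.name}: not a valid address`);
    }
  }
  return errors;
}

// Constructed samples. The first mirrors the mails described in the thread:
// only the consent line is present, with the value "false".
const spamLike = { consent: "false" };
const genuine = {
  name: "Jane Doe", email: "jane@example.com", subject: "Quote",
  message: "Hello,\nplease call me back.", consent: "true",
};

console.log(validateSubmission(FORM_FIELDS, spamLike)); // five problems
console.log(validateSubmission(FORM_FIELDS, genuine));  // []
```

A submission that fails here is dropped or logged before any mail is generated, whatever the browser-side script did or did not check.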

    #1062685

    Hello,
    one of our customers is having the same issue: From time to time, the contact form is being sent without filling out the defined mandatory fields. We’re using the most recent versions of everything (WordPress, Enfold, Plugins).

    Can you please have a look at this?

    • This reply was modified 5 years, 8 months ago by jochenmaier.
    #1062775

    Hi there,
    a client just informed me that they have exactly the same issue. Form being sent with passing the mandatory fields and captcha. Is this something we need to worry about from a security standpoint? Is there a fix for that behavior or is this a technique every form can be tricked with? This feels not ok.

    Best,
    Thorsten

    #1063449

    Hi,

    @jochenmaier: Which of the mandatory fields are sent without being filled? Are you receiving any kinds of spam emails?

    @hyperbrand: No, it’s not really that critical. Worst case scenario is you’ll receive a lot of spam from automated scripts or bots. You can install a more secure contact form plugin like Contact Form 7 plus the Google reCAPTCHA extension or the Honeypot plugin.

    // https://contactform7.com/recaptcha/
    // https://wordpress.org/plugins/contact-form-7-honeypot/

    We might release a spam protection feature for the theme’s contact form aside from the default captcha field, but it’s still under consideration because users have to generate a new pair of API keys from Google, which proves to be troublesome after the last time they introduced the map API keys.

    // https://www.google.com/recaptcha/intro/v3.html

    Best regards,
    Ismael

    #1063529

    Hi Ismael,

    thanks for your reply.

    Which of the mandatory fields are sent without being filled?
    >> The only mandatory field, that is being filled out, is “Einwilligung zur Verarbeitung meiner personenbezogener Daten.”
    >> All the other mandatory fields e.g. Name, E-Mail, … are not being filled out.

    Are you receiving any kinds of spam emails?
    >> yes.

    Thanks!

    #1063561

    Hi,


    @jochenmaier: Thank you for that info. How long have you been receiving these spam emails? Would you mind if we access the WP dashboard and your file server? Please create a new ticket or thread and post the necessary login details in the private field.

    Best regards,
    Ismael

    #1063598

    Hi all,

    similar behavior over here. The first checkbox regarding GDPR is mandatory. The second Checkbox is optional. None of the other form fields are being sent.
    Ich habe die Datenschutzerklärung gelesen und stimme der Verwendung meiner Daten im Rahmen meiner Anfrage zu.: false
    Ich möchte darüber hinaus regelmäßig per E-Mail über Wildnis in Deutschland informiert werden. Über (Email address hidden if logged out) kann ich diese Zusage jederzeit widerrufen.: false


    @Ismael: To avoid spam protection because of user convenience is the way to go then? I think that is not what I as a customer expect from a theme developer. Telling a client the theme developer might consider fixing a spam problem with his contact form is embarrassing. Turning away from your responsibility to fix/optimize the spam protection of Enfold just feels bad. Sorry, but that’s how your response comes across.

    Best,
    Thorsten

    #1063715

    Hello Ismael,
    please find more information in the private content section.
    We have received spam from time to time for about 3-4 weeks.
    BR, Jochen

    • This reply was modified 5 years, 8 months ago by jochenmaier.
    #1064017

    Hi,


    @hyperbrand: I’m sure you’re fully aware of the captcha option in the contact form element and I think it counts as spam protection, so I’m not sure why you’re saying we are avoiding this. Yes, it’s basic but that is enough for most users and that is actually what you’ll get from a lot of themes available in the market. We are just considering adding more security features but even that will not ensure that you’ll prevent these spams because everything can be hacked nowadays, it’s just a matter of time.


    @jochenmaier: Please transfer your details to another ticket or thread because the original poster here will be able to see it. Let’s continue there.

    Best regards,
    Ismael

    #1064020

    Hi,


    @jochenmaier: Please include the login details of your file server so that we can add or edit files.

    Best regards,
    Ismael

    #1064033
    #1064434

    Hi,


    @jochenmaier: Thanks. Let’s continue on that thread.

    I’ll be closing this thread for now. Please feel free to open a new thread if necessary.

    Best regards,
    Ismael

  • The topic ‘Receiving spam through contact form’ is closed to new replies.