November 28, 2018 at 6:55 am #134133
I have a contact form on my site that’s been running great for some time. See https://www.customapps.co.za/
Recently I’ve started to receive a ton of spam leads though.
What’s strange is that the required fields are not filled out, and when I click “View Lead Details” in the email notification, the lead does not seem to exist.
It looks like the lead is not being saved in the database (possibly because the required fields are not being entered), but it's still triggering the email notification and the Zapier hook.
Why is the Leads plugin allowing any processing of the form if the required fields are not present? Surely it should not trigger the email notification or the Zapier hook unless all required fields are submitted?
All my fields (except for the anti-spam honeypot field) are marked as required. This includes name, surname, email, phone and message. The spam enquiries are only including the email address.
I’ve added a screenshot which shows the form (and the required field prompt if you try to submit); the email notification, where you can clearly see the required fields are not present; the view when clicking “View Full Lead Details” in the email – the lead doesn’t exist; and lastly the Zapier task history, clearly showing the Zapier hook was fired, and again no values for the required fields.
I’m getting between 5 and 10 of these spam enquiries a day, and it’s causing a major hassle to filter out which are legitimate and which aren’t.
Stephen
November 28, 2018 at 2:54 pm #134136
Will you link me to the form for testing?
Also instead of using our form anti-spam honey pot field, the Google ReCaptcha extension provides back-end processing validation so if a visitor did not properly fill out the recaptcha they will not be allowed through.
Will you upload the screenshot too? For some reason the BBPress attachments extension isn’t processing first-post file uploads. It’s a running problem I haven’t been able to fix yet.
Hudson Atwell
November 29, 2018 at 2:46 am #134144
Thanks for the response.
The form can be seen on my site at https://www.customapps.co.za/contact/
It’s also used on the site homepage (right at the bottom) and appears in a few other places on the site.
I was considering the Google ReCaptcha plugin, but was a little reluctant to spend additional money on the plugins, because it seemed the main plugin is not functioning as expected – if that makes sense. I.e. the validation does not seem to be working, so I wanted to fix that first.
The spam leads all seem to be coming from the home page.
Screenshot is here: https://drive.google.com/open?id=130O-7qMonMe-jtXkFTVg010g16jQIE7n
November 29, 2018 at 4:03 pm #134148
That is strange. I am not sure how it’s possible that they made it through without the required inputs. I’m also not sure how an email can arrive without a lead being stored. Are we sure the lead is not stored and located in the trash bin?
The code logic is set that if an email is detected, and not spammed by Akismet, then the email notifications are sent out and the lead is stored. Something truly odd has happened if the email is sent but the lead is not stored. Usually when leads do not store I suspect there has been a 500 error, or a timeout error. When errors like these occur I suggest increasing site memory limits.
Following the advice in this article should help you increase these limits:
But this doesn’t account for why only leads with missing data are receiving email notifications but not making it into leads. Have any fully-populated leads not made it into the Leads database as well?
With Google ReCaptcha, JS captchas on the front end will need to be solved and then in addition the token the JS returns is validated on the client side before we store the lead and send the emails. So it’s a two part validation with ReCaptcha.
You also do not have to use Inbound Forms. You could also use Gravity Forms, Ninja Forms3, or Contact Forms 7. You’d have to pick up one of our extensions to use that though.
Hudson Atwell
November 30, 2018 at 3:48 am #134153
I’ve double checked ‘Trash’ and the leads are not there.
I also checked the database directly, and there are definitely no wp-lead posts for these spam leads.
I’ve checked the error logs and I’m not seeing anything related to this.
I had another example lead with missing required fields come through earlier, and there wasn’t anything in the logs around the time the lead came in. So, no errors, no lead stored in the database, but I did get the email notification.
I don’t have Akismet enabled on my site.
It seems that the leads that have all the required fields are being stored in the database just fine. Also, these leads all seem to be legit (some low quality/junk, but not entirely spam). So somehow it looks like if the fields are all there, everything is working fine. But somehow leads without the required fields are getting through. I’m guessing it's some sort of web crawler or bot submitting the leads. It seems correct to me that they are not being stored if they don’t have all the required fields, but then they should not trigger the email or Zapier web hook either.
November 30, 2018 at 9:23 am #134154
I’m taking another look at the code and think I have a way to further prevent this, if I spam all submissions without a mapped email field.
I’ll run a few tests today and hopefully have the updates ready and in by next release.
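The behaviour asked for in this thread (no stored lead, email or Zapier hook unless every required field arrives), sketched as a server-side gate. This is an added example, not part of the thread and not the Leads plugin's code; the field names follow the first post, while `website_hp` and the three callables are hypothetical stand-ins.

```php
<?php
// Added example: generic server-side gate, not the Leads plugin's code.
// 'website_hp' is a hypothetical honeypot field name.
const REQUIRED_FIELDS = ['name', 'surname', 'email', 'phone', 'message'];
const HONEYPOT_FIELD  = 'website_hp';

/** Returns the reasons to reject a submission; an empty list means it passed. */
function validate_submission(array $post): array
{
    $errors = [];
    // The honeypot input is hidden from people, so any value means a script filled it.
    $hp = $post[HONEYPOT_FIELD] ?? '';
    if (!is_string($hp) || trim($hp) !== '') {
        $errors[] = 'honeypot filled';
    }
    foreach (REQUIRED_FIELDS as $field) {
        $value = $post[$field] ?? '';
        // Non-string input (e.g. email[]=x) is rejected rather than cast.
        if (!is_string($value) || trim($value) === '') {
            $errors[] = "missing required field: $field";
        }
    }
    $email = $post['email'] ?? '';
    if (is_string($email) && trim($email) !== ''
        && filter_var(trim($email), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }
    return $errors;
}

/** Side effects run only after validation; the callables stand in for DB, mail and webhook. */
function handle_submission(array $post, callable $store, callable $notify, callable $webhook): array
{
    $errors = validate_submission($post);
    if ($errors !== []) {
        return ['accepted' => false, 'errors' => $errors]; // nothing stored or sent
    }
    $leadId = $store($post);
    $notify($leadId, $post);
    $webhook($leadId, $post);
    return ['accepted' => true, 'errors' => []];
}

// Constructed sample: a direct POST carrying only an email, as described in the thread.
$fired  = [];
$result = handle_submission(
    ['email' => 'bot@example.com'],
    function ($p) use (&$fired) { $fired[] = 'store'; return 1; },
    function () use (&$fired) { $fired[] = 'email'; },
    function () use (&$fired) { $fired[] = 'webhook'; }
);
var_dump($result, $fired);
```

A browser-side "required" prompt is never reached by a script that posts straight to the form endpoint, so the check has to sit in front of every side effect on the server.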