I have been getting spam email from an address which I use as the contact email for my RW site. I have change this now three times (to make sure I find the source of where the emails are being sent to because I have the same email used on another service)
So now I have one email address that is only used on my contact page and after changing I get a spam email within the hour. I contacted my ISP earlier today and they didn’t really offer much only saying for me to change passwords etc etc the usual basic stuff.
Question is how can I make may site more secure so (whoever is currently accessing my email address in my contact page) can’t continue to do this?
You find it in the advanced settings. I think it has been there in version 7 as well… but it only works for the e-mail address you specify in the general settings, not on any you add manually to the site…
Just had a message from the person I’m on chat with from the ISP they said that the contact form could have an SQL injection in the contact form on the site. They said I need to consult a security specialist so the database can be fully investigated?
Sounds a little to extreme to me.
So not using the built in Contact form and using a third party stack as you mentioned would possibly bypass this?
Not knowing what contact form you are using would make it difficult to say for sure. Don’t know of any that would use mySQL so I would think that the person on chat isn’t really looking at your site. Just going through a “checklist” of possible causes. SQL injection is more likely a Database driven site issue(like Wordpress).
If you are not using SQL I do not see where this can come from - but I am not a security expert. I would just not use the built in form but one of the other forms available. This time with a different e-mail address to see if that worked out.
I would highly recommend using Joe Workman’s Email Obfuscator instead of using plain text email addresses. I use this with all of my client sites and have yet to hear about spamming issues.
While DooBox’s HTML Contact Form stack is a great solution, you would have more robust security options if you went with Yabdab’s FormSnap or FormLoom.
Yes I know thats still there and was the actual email that I was originally getting the spam from. I did however keep that there in place to see if that was the actual problem, it isn’t anymore. I changed the email on my contact form on the contact page a couple of times and both times the email used was the one that was getting the spam and no more from the one you have highlighted.
From this it looks like there is a problem with (whoever) being able to get through the backend of the RW site’s built in form?
I will however look into the suggestions of the email obfuscator. I have now change the contact form to the DooBox HTML contact form and up to now no more spam.
Thanks to everyone who has commented, appreciated.
I also get spam mails via RWs default contact forms, and even with custom contact forms built with FormPro. This is not about SQL-injection, but about either a very smart robot filling in the form fields, even leaving the hidden one blank, or, and that’s in my case when I look at the e-mail content, people who are hired to fill in contact forms on websites. On some forms I added PHP code to check the referer to prevent using it remotely, but we still get spam emails, so this are people filling in the forms.
I don’t think you need more robust security options than the Doobox html ‘honeypot’ approach. The real reason you might want to use something like Formloom (and several others) is that you can build much more complex forms if you need to.
I agree with unluckytoe & manofdogz and I have been using FormSnap contact form stack on all my sites for many years and have never had a problem with spam emails. https://www.yabdab.com/stacks/formsnap
A simple solution is to change how the address appears so bots can’t find it. If you type it out “hello at lucasmedia dot com,” people know what you mean, but bots can’t find it. It’s simple and free.
