Spam being sent using WooThemes contact form
As reported by IT.
It appears that some Woo themes, like Simplicity, have a Contact Form template. This template has a honeypot, but has no other anti-spam tools. We should migrate users away from it.
For the time being, I'm going to disable emails originating from this page. Then, I'll do the following:
- See how many users have contact forms powered by this tool
- If it's a small number, come up with a plan to migrate them to a better contact form tool (which we can integrate more easily with anti-spam tools)
- If it's a large number, add a CAPTCHA or Akismet integration
#1 Updated by Boone Gorges almost 3 years ago
Emails from Woo Themes contact forms disabled in https://github.com/cuny-academic-commons/cac/commit/24a46474758d41ba98924ae483590a64e3c88c61.
#2 Updated by Boone Gorges almost 3 years ago
Here's a list of the sites that have pages using a template-contact.php page template:
- http://acert.commons.gc.cuny.edu
- http://trial1.commons.gc.cuny.edu
- http://cynthiatobar.commons.gc.cuny.edu
- http://irnweb.commons.gc.cuny.edu
- http://shareling.commons.gc.cuny.edu
- http://testhelp.commons.gc.cuny.edu
- http://acertdev.commons.gc.cuny.edu
- http://acertdev2.commons.gc.cuny.edu
- http://cunysteam.commons.gc.cuny.edu
- http://jasonmleggett.commons.gc.cuny.edu
A couple of these are non-production sites (acertdev and acertdev2, maybe others) and one is the one from the original report (cynthiatobar). So we're looking at a small number. My suggestion is to send out an email to the admin of each site, encouraging them to move to Contact Form 7. Here's a first go at a draft:
This email is to let you know about a change in policy regarding contact forms on CUNY Academic Commons sites. You're getting this email because your site [url] is using a contact form powered by your theme, [theme name]. The Commons has recently experienced a number of instances where these contact forms have been used to generate spam emails. Unfortunately, the nature of this specific contact form is such that it's difficult for the Commons team to introduce additional layers of anti-spam protection. As a precautionary measure, outgoing emails from all contact forms of this type - including yours at [url] - have been disabled.
We understand that a contact form is an important part of your website. As such, we are recommending the Contact Form 7 plugin as an alternative. It is much more flexible and feature-rich, in addition to having better anti-spam technology built in. You'll find Contact Form 7 at [link to site's plugin page]. Visit [some documentation url] for a brief walkthrough of how to set up a contact form using CF7.
We're very sorry for this inconvenience. If you need help setting up a new contact form, please reach out to the Commons team at [email or url], and we'll be glad to provide assistance.
Contact Form 7 has some decent Getting Started documentation, which we could link to: https://contactform7.com/getting-started-with-contact-form-7/. We could also perhaps offer our own Help page that summarizes the process, which might then point out to more detailed information.
Any thoughts or suggestions about the strategy or draft I've posted here? Adding Scott and Marilyn as watchers, for thoughts on the documentation/support aspects.
#3 Updated by Matt Gold almost 3 years ago
Thanks so much, Boone. The only thing I'd add to your excellent draft is something pointing out that Contact Form 7 can be added to their site through Dashboard > Plugins:
You can install Contact Form 7 from the plugins section of your site's dashboard. More information about Contact Form 7 can be found at [link to site's plugin page]. Visit [some documentation url] for a brief walkthrough of how to set up a contact form using CF7.
Otherwise, this is great. Thank you.
#5 Updated by Boone Gorges over 2 years ago
Got another report that this was happening, so I had to refine the technique used for stopping emails: https://github.com/cuny-academic-commons/cac/commit/0e527cafc700a357b8b5e0db19deec6aa43d6f8e