CF7 spam getting through

[AdamGilchrist317]

Since Zero Spam was updated to v5 I've had spam coming from the Contact Form 7 page at http://www.2rf.co.uk/contactme/

Zero Spam has been blocking ip addresses (shown in the log), but it doesn't seem to block spam coming from the above page.

I've added the Flamingo plugin to save the spam - there are some in there now. I've previously emailed you a login.

All plugins and core are current versions, the setting "Stop Forum Spam" is on.

Downgrading to zero-spam.4.10.2 fixes the problem.

Many thanks.

[bmarshall511]

Everything appears to be working as expected:

Looked at the Flamingo log and the 4 entries there all appear to be legit. Those logs don't show the IP address the submission came from, might want to add a hidden field or find another plugin that logs that kinda info so I can look into the IP itself.

I'll come back to this in a day or two to check the logs and see if there's any spam coming or let me know when you see something submitted that's spam.

[rosswintle]

I'm seeing spam coming through on a client of mine's site too.

The form is at https://strongmindresilience.co.uk/contact-us/

It's a WP Forms form.

This screengrab shows some spam entries: https://share.getcloudapp.com/5zuA2dRl

This screengrab shows the content of an entry that is definitely spam: https://share.getcloudapp.com/jkueOYGK

The WP Forms integration is turned on: https://share.getcloudapp.com/bLugZ4X1

Initially I couldn't see the honeypot being output, but then I cleared cache and could see it and tested it by filling in the honeypot and it worked... https://share.getcloudapp.com/X6u97gJn

So I thought it was a caching issue, but then I'm still seeing spam and now I think it's not.

I have:

• WordPress 5.6.2
• WP Zero Spam 5.0.6

I'm seeing nothing in the logs. In fact it says that logging is disabled even though you'll see in the settings screenshot that "Log blocked WP Forms submissions" is checked.

The site is hosted by UK-based 34SP, who run a custom, managed WordPress platform based on nginx. It has some security/WAF type stuff and WordPress runs in a non-standard directory under /wp (the siteurl in wp_options is https://strongmindresilience.co.uk/wp)

They also have some caching with Varnish, I think. But I think I've ruled out caching as a problem here.

@bmarshall511, you have my email address if you want to get in touch to discuss further. I may be able to let you log in to the site and have a look around. I'm happy to add debugging if that will help.

[bmarshall511]

@AdamGilchrist317 This issues is in reference to WCF7 and not WP Forms. I've created a separate issue to track: https://github.com/bmarshall511/wordpress-zero-spam/issues/245

[AdamGilchrist317]

I think the problem may be the definition of spam, and what the plugin is trying to stop. v4 stopped these, v5 doesn't. The emails that you refer to as legit are these:

---

Hey there, I just found your site, quick question… My name’s Eric, I found 2rf.co.uk after doing a quick search – you showed up near the top of the rankings, so whatever you’re doing for SEO, looks like it’s working well. So here’s my question – what happens AFTER someone lands on your site? Anything? Research tells us at least 70% of the people who find your site, after a quick once-over, they disappear… forever. That means that all the work and effort you put into getting them to show up, goes down the tubes. (snip)

Howdy I have just checked domain: 2rf.co.uk for the ranking keywords and saw that your website could use an upgrade. We will increase your SEO metrics and ranks organically and safely, using only whitehat methods, while providing monthly reports and outstanding support. Please check our plans here, we offer SEO at cheap rates. https://speed-seo.net/product/monthly-seo-package/ Start increasing your sales and leads with us, today! (snip)

Following the latest Supreme Court Judgement, businesses that have cover for Businesses Interruption Insurance with 60 companies are due a payout. We have the list of over 700 policies that fall under this category, just visit http://www.businessinterruptioninsuranceclaims.co.uk/policy-checker/index.html and fill out our form for a free policy check and instant advice. Dont worry if your claim has already been rejected, our expert legal team is challenging insurers on behalf of our clients. We have thousands of businesses using our NO WIN, NO FEE service. (snip)

These don't look to me to be anything other than spam.

The ip addresses are in the emails, flamingo saves the submission rather than the output. Recent spam ip addresses:

194.36.98.47 84.17.51.123 192.3.103.245 104.254.92.197

[bmarshall511]

The message above does not appear in the Flamingo logs. The entries that I can see all seem legit.

I checked those IPs, the last 3 show up in Stop Forum Spam blacklist and should have been blocked. If they weren't it's likely the confidence level setting is too high. Try lowering it to see if that fixes your problem.

[AdamGilchrist317]

The messages are all in the flamingo logs (I've just put the first paragraph here for brevity).

I'll change "Stop Forum Spam Confidence Minimum" to 10, and see if it helps.

Thanks.

[bmarshall511]

@AdamGilchrist317 I've verified the following IPs do get blocked when Stop Forum Spam is enabled and the confidence level is at the default 30%. If they got through it either Stop Forum Spam wasn't enabled originally or another plugin/theme is interfering with WordPress Zero Spam.

84.17.51.123 192.3.103.245

You can test yourself by enabling the Debug option then entering the IP of a user. When logged out and visiting the site, you should be blocked when using a known malicious/spam IP. If those IPs are still getting through, disable other plugins and switch to a core theme to determine if something else it interfering with the plugin's functionality.

Closing this for now since I'm unable to reproduce and have verified everything is working as expected. Will reopen if more info is provided where I'm able to reproduce the issue.