wpsharks / comment-mail

A WordPress plugin enabling email subscriptions for comments.
http://comment-mail.com
GNU General Public License v3.0

Akismet: Spam comments are added to Subscriptions #250

Closed IvanRF closed 8 years ago

IvanRF commented 8 years ago

I just received one Spam comment detected by Akismet and the plugin added an entry in the Subscriptions with Delivery = weekly (default is daily) and Status = unconfirmed.

Mail Queue and Event Log are empty, maybe because in my WP settings all comments must be approved.

So, luckily the confirmation mail was not sent to the Spam account (that is what I guess from the log). However, I don't like the idea of having to remove an entry from Subscriptions every time I get one Spam.

IvanRF commented 8 years ago

I just sent a confirmation to myself and it was not present in the Queue Log, so I have no way to tell whether or not the plugin sent a mail to the Spam account.

raamdev commented 8 years ago

> I just sent a confirmation to myself and it was not present in the Queue Log, so I have no way to tell whether or not the plugin sent a mail to the Spam account.

Yes, there's an issue for that open here: https://github.com/websharks/comment-mail/issues/196

> I just received one Spam comment detected by Akismet and the plugin added an entry in the Subscriptions with Delivery = weekly (default is daily) and Status = unconfirmed.

Hmm, that shouldn't happen. If Akismet flags something as spam, Comment Mail should be ignoring it. Marking this as a bug that needs testing.

IvanRF commented 8 years ago

> Hmm, that shouldn't happen. If Akismet flags something as spam, Comment Mail should be ignoring it. Marking this as a bug that needs testing.

I currently have 6 spams, and they were not added in Subscriptions. So, it is working.

The strange thing is that Delivery was set to weekly, so maybe this was a real comment (not bot) marked as Spam by Akismet. When I had this issue I didn't realize I had 2 pages of spam and I emptied all, so if it was a real comment I lost it. Nevertheless, it should not have been added. If I face this again, I will include more details.

raamdev commented 8 years ago

@IvanRF Great! Thank you. I was just reviewing the code and I see that Comment Mail should already be obeying Akismet, so I'm not sure how an Akismet-flagged comment would have a subscription created by Comment Mail.

I'll leave this GitHub issue open for now, pending any future feedback.

IvanRF commented 8 years ago

This happened again. This time I know the confirmation mail was sent from the Email log data.

The IP 178.137.93.120 is from Ukraine.

IvanRF commented 8 years ago

I use Wordfence but I don't know if they send emails to Spam too. This is from Wordfence log:

[Mar 13 08:58:42] Scanning comment with Author: flqlplqo Email: yealiw@bjjxxe.com Source IP: 178.137.93.120
[Mar 13 08:58:42] Checking 7 host keys against Wordfence scanning servers.
[Mar 13 08:58:42] Done host key check.
[Mar 13 08:58:42] Scanned comment with Author: flqlplqo Email: yealiw@bjjxxe.com Source IP: 178.137.93.120

IvanRF commented 8 years ago

@raamdev some more proof. I just emptied the Spam comments and there are 3 subscriptions still there:

[Screenshot: Event Log]

IvanRF commented 8 years ago

I just checked the Subscriptions table before deleting Spam comments, and the Subscriptions are added for Spam comments.

[Screenshot: Spam comments]

[Screenshot: Subscriptions]

raamdev commented 8 years ago

@IvanRF Thanks for the additional info. It looks like this needs more testing on our end.

gretlouise commented 8 years ago

I am receiving "Mail delivery failed: returning message to sender" emails for every "confirm subscription" email that was sent to a spam commenter. This is definitely still an issue.

IvanRF commented 8 years ago

Today a bot that has nothing better to do sent 350 spam comments to my site and 294 subscriptions were created for those spam mails. Any news with this issue?

IvanRF commented 8 years ago

@raamdev I noticed that removing a comment which is not spam triggers a subscription removal, but using the "Delete permanently" option from the Spam page does not trigger a subscription removal.

(today I had another 450 spams, I closed comments on that page for now...)

IvanRF commented 8 years ago

Tired of doing this work, I did some research on blocking spam before it is marked as Spam and I found this plugin: https://wordpress.org/plugins/wp-spamshield/ So far it has blocked 250 spams with no false positives. Excellent to avoid all the DB processing that my site was having.

raamdev commented 8 years ago

@jaswsinc It looks like we just need to add the following here:

if($this->comment_status == 'spam')
     return; // Not applicable.

Do you agree?

jaswrks commented 8 years ago

Agree :-)

raamdev commented 8 years ago

@IvanRF I've submitted a patch for this to our dev branch, but if you could test this by modifying includes/classes/comment-post.php#L79 by adding the following, that would be great:

        if($this->comment_status == 'spam') {
            return; // Not applicable.
        }

This is the sort of thing that's hard to test unless you already have a site getting spam. I guess this is one case where we need a site to get some spam to really test it. 😆
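
The guard discussed above, as an added example that is not Comment Mail's code: a stand-alone PHP model that refuses to create a subscription (and so queue a confirmation mail) for a comment that arrives as spam, and drops the subscription when a comment is removed later. The function names, the in-memory `$subs` store, the treatment of trashed or unknown states, and the sample events are assumptions made for illustration.

```php
<?php
// Added example: a stand-alone model, not Comment Mail's code. All names are hypothetical.

// WordPress reports moderation state as 1, 0, 'spam' or 'trash' (int or string).
// Normalise to a string first: on PHP 7 the loose test 0 == 'spam' is true.
function normalize_status($approved): string
{
    $map = ['1' => 'approve', '0' => 'hold', 'spam' => 'spam', 'trash' => 'trash'];
    return $map[strtolower(trim((string) $approved))] ?? 'unknown';
}

// Called when a comment is posted. Returns true if a confirmation mail would be queued.
function on_comment_post(array &$subs, int $id, $approved, string $email): bool
{
    if (!in_array(normalize_status($approved), ['approve', 'hold'], true)) {
        return false; // spam, trash or unknown: no row, no mail to an unverified address
    }
    $subs[$id] = ['email' => $email, 'status' => 'unconfirmed'];
    return true;
}

// Called when a comment is later marked as spam/trash or deleted permanently.
function on_comment_removed(array &$subs, int $id): void
{
    unset($subs[$id]); // drop the subscription tied to that comment
}

// Constructed sample events: [comment id, moderation state, commenter email].
$events = [
    [101, 0,      'reader@example.org'],   // held for moderation
    [102, 'spam', 'bot1@example.invalid'], // flagged on arrival
    [103, '1',    'author@example.org'],   // auto-approved
    [104, 'spam', 'bot2@example.invalid'],
];

$subs = [];
$mails = 0;
foreach ($events as [$id, $approved, $email]) {
    $mails += on_comment_post($subs, $id, $approved, $email) ? 1 : 0;
}
on_comment_removed($subs, 101); // moderator marks 101 as spam after the fact

printf("confirmation mails queued: %d\n", $mails);
printf("subscriptions kept: %s\n", implode(', ', array_keys($subs)));
```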

IvanRF commented 8 years ago

@raamdev I thought I had this under control with wp-spamshield but they do have false positives :angry: and were blocking some real comments.

So, back to Akismet, I added those 2 lines on comment-post.php and in the last 30 minutes I got 6 spams and nothing went to Subscriptions. Thus, the fix works!

I'll let you know more in the next days, since more spam is coming... :weary:

raamdev commented 8 years ago

> the fix works!

Thank you for confirming that! I'll make sure this fix gets pushed out with the next update. Good luck with the spam. 😞

raamdev commented 8 years ago

Next Release Changelog:

graylaurenm commented 8 years ago

Is there a known date when the version with this fix will be released? I have a client with the same problem. Actually, she has 63,637 entries in the subscriptions event log and they are even subscribed?! They are clearly spam emails.

By the way, and off-topic, @IvanRF did SpamShield allow you to work with email replies? We tried Anti-Spam in the past but it blocks Comment Mail email replies.

IvanRF commented 8 years ago

@oncecoupled no idea, as I said wp-spamshield was blocking real comments on my site so I removed it. I manually modified the line which solves this issue in the Comment Mail code for my site.

raamdev commented 8 years ago

@oncecoupled A release candidate was published a few days ago that includes the fix described here (see announcement). We usually publish a general availability release a week or so after the RC (to give us enough time for testing). Thanks for your patience!

Note: If you'd like to be notified about release candidates, please sign-up to be a beta tester here.

raamdev commented 8 years ago

Comment Mail v160618 has been released and includes changes from this GitHub Issue. See the v160618 announcement for further details.


This issue will now be locked to further updates. If you have something to add related to this GitHub Issue, please open a new GitHub Issue and reference this one (#250).