SPAM issue

I’d need to know more about the spam:

You’re seeing it in salesforce?
In the admin notification emails?
Both?

The same spammer/content or does it vary?

Can I see some of the spam records?

Did anything else change around the same time?
e.g. did you install or update other plugins, change themes, etc?

Hi Nick,

I’m seeing it in Salesforce, and getting admin notifications as well. All of the spam is different.

The only thing that I did around the same time is update Contact form 7.

I will post some records when I get a chance, probably tomorrow need to find the login details.

We were getting spam for a while before I configured this plugin, and then all the spam stopped. It was going great! And then, it started again.

Thanks for your help so far!

Can I see:

The form this is happening on?

A few of the spam emails?
https://ThoughtRefinery.com/contact

Do you need a log in? or just want to see the site?

Let’s start with a link to the form getting the spam and a few examples and go from there.

ok… ??

The link is: eMoney

If you click “Enquire now” in the top right corner, it’ll come up, OR if you hover over “Contact Us” it’ll come up too.

I’m still trying to get the log in for salesforce from the boss, but I’ll email them to you direct.

Thanks.

Hi Nick,

Apparently no one can find the emails that get sent. Saleforce themselves looked at the code and said that we’re being compromised because of the source code. They said that the capture is able to be seen in the source code, so it’s easy to get spam that way. Is there any way to hide that?

Also is there a way to make the form into 2 columns?

Thanks

Hmmm… I wonder if they are spamming the Salesforce API directly? That would explain the lack of emails from the plugin. How they got your Org ID is a mystery though.

Salesforce themselves looked at the code and said that we’re being compromised because of the source code. They said that the capture is able to be seen in the source code…

The captcha value is never output in the source code… the value is one way hashed to insure that a spammer cannot see it… if they think there’s a vulnerability there I’d love more information on how they think spammers are cracking/seeing it.

RE: 2 Columns
I the latest version, yes, you can use custom CSS to do so using the divs each field is wrapped in, but it’s not a simple matter…

Hey Nick,

Just curious, Salesforce sent me a link that should be able to fix the issue (according to them).

Do you think that would work? and could you let me know how to set it up if it might?

Thanks for all your help.

The plugin itself already has that feature (and the captcha is even stronger protection), but it can’t protect you if the submissions are going to Salesforce directly (as they seem to believe?) as that bypasses the plugin completely.

In this case, you could simply add a custom field in SF and a hidden field in your form, called, say, LeadFromWebsite__c or something, set it to Yes, then ‘filter out’ any lead submissions that don’t have that field set to the expected value.

Or use the existing Lead Source field — which is always set and passed by the plugin. Set it to something unlikely to be submitted by a spam bot, then validate against that field.

Did you ever get this figured out?