WordPress › Support » [Plugin: Fast Secure Contact Form] receiving vCita spam!

yeahwow
Member
Posted 1 year ago #

After updating the plugin I received an email apparently from vCita, with an offer to use their service. After careful consideration it looks like the mail is coming from my own server, but it is crafted to look like it is coming from vCita. Clicking on the unsubscribe link will reveal your email address to vCita, and who knows what they will do?

I strongly object to this tactic. The Fast Secure Contact Form plugin is really really good and I am a big promotor of the plugin, but this makes me wonder if I should start using something else.

I will start by not updating the plugin on my other sites.

http://wordpress.org/extend/plugins/si-contact-form/
crudhunter
Member
Posted 1 year ago #

See my post on the same topic. Your email address(es) have already been sent off to vCita. So will any new email address you enter to have form data sent to. With your blog address and name.
yeahwow
Member
Posted 1 year ago #

Hi Crudhunter,

I saw your post on the same subject. It really offends me what is happening with my (until today) clean email address. Installing a plugin on a site you have built with great care needs trust. You need to trust the author of the plugin. So far Mike has done a great job, he created a great plugin, he gave great support so he earned a lot of trust. This vCita thing is not a trust-building action, to say it mildly.

I still hope he will soon come with a message that he made a big mistake in going into business with vCita and that the plugin will be freed of this sort of thing. The last thing I need is a plugin in my website that can't be trusted. If Mike feels he needs to make more money, why not make it a commercial plugin?

In the meantime I will have to look for an alternative, as I have no intention op updating my other websites and have the same result.

Any ideas someone?
crudhunter
Member
Posted 1 year ago #

I agree with you there.. Mike have a great plugin. Great work as I also stated in my other post. Until the connection with vCita.

I am personally OK with having vCita as meeting functionality (or better a service that does not take advantage of the connection by hooking themselves into my sites to use my system as a Spam sender).
I don't mind Mike making some money from hooking up people that want such a service either. Good for him.

BUT. It should be a non-default. No handing off random email-addresses to the meeting provider by default. If I were to sign up for a meeting service I would NEVER have used the email address I created for the contact form. They are assuming that this is an email address for public consumption, that I would want meeting requests on.

Also, it should be clearly documented up front what the side-effects will be both Spam and Privacy wise if one (as a personal, actual decision) enable the functionality in a plugin.

vCita's method of abusing the connection seems very backhanded, when used on someone that never voluntarily signed up for their services or voluntarily gave them these multiple email addresses.

Why I would want my sites to start picking up Spam from someone else's server in the middle of the night when am sleeping is beyond my comprehension. My server mail-logs clearly show that my web-server (apache user) started distributing Spam both at 2:50 AM and 3:00 AM, naming vCita as the culprit. Those timestamps matching my every 10 minute cron-job to call on wp-cron to refresh caches and assure scheduled postings.
Mike Challis
Member
Plugin Author
Posted 1 year ago #

Hi this is Mike. Please give me some time to review your concerns and address them in the best way, make changes as needed. I have a daytime job so please allow me time to work this out in due course.

Thanks,

Mike
yeahwow
Member
Posted 1 year ago #

Hi Mike,

Thanks for your reply. I will wait for your reaction. I was soooo dissapointed. You have such a great plugin and it is such a pity to see things going like they do...
Mike Challis
Member
Plugin Author
Posted 1 year ago #

Sorry for any inconvenience.
Here is a little explanation about the issue:
I have recently partnered with vCita to enable Fast Secure Contact Form new optional capabilities such as meeting scheduling, video meeting, phone conferencing and collecting payments. There are thousands of Fast Secure Contact Form users who chose to add vCita to their contact form and many of them use it for free. You can enable or disable the feature on the form edit page.

This was only a one time limited email announcement message of new features for Fast Secure Contact Form to existing Fast Secure users, letting them know about the new options. The message was sent from the plugin directly, we are not attempting to collect data.
If you do not wish to activate the vCita service, you can ignore this (one time)message and no further messages will be sent to this address.

Here is some info from vCita to hopefully address your concerns:
vCita services never affect existing Fast Secure users and your contact form will never be changed even if you upgrade to a version that has vCita capabilities.
We only enable vCita by default if you are a new user that download the plugin for the first time - so you can see and try the option - and of course disable it not interested.
vCita sends one email to existing Fast Secure users, letting them know about the new options.
vCita complies with CAN-SPAM and if you unsubscribe, we'll never contact you again.
vCita will never share your email address, and never use it for any other service but your contact form.

We definitely want to follow WordPress guidelines and will make some adjustments to be sure we are doing that.
Mike Challis
Member
Plugin Author
Posted 1 year ago #

Thanks for your patience, a new version 3.1.4.1 is just released. We removed the email announcement feature.

We made two other changes to better align with WordPress guidelines:
- vCita is disabled by default.
- Email will only be passed to vCita servers when you choose to enable vCita services.
crudhunter
Member
Posted 1 year ago #

Hmm.

"Sent from the plugin directly".. Yes, exactly. That was the point.
But since the content and structure of those emails does not exist in the actual code, it would have been offloaded from outside.

Every form set up by its default (in 3.1.4 at least) enables vCita and sends them the email contact entered in that form. By the time the form config is displayed and one turns off vCita, it seems to be too late already.

AND YIKES.. I just noticed that the Banner add that is shown at the top of the admin screen also sends ones email address off to vCita, if the vCita banner is randomly shown. (Since there are only a choice between a vCita ad or a ThemeFuse Ad, that would mean 50% of the time the admin screen is reloaded, the potentially changing email addresses in the various forms are shared with vCita.

BTW. The latter is still the case in the new 3.1.4.1 version.
vCita
Member
Posted 1 year ago #

This is Ran from vCita.
I am sorry for any inconvenience caused to Fast Secure users.
Mike has a great plugin and throughout the process of working with us he always put his users at first priority.

Yes, we are a commercial service, just like many other WordPress plugins, but that doesn't make us bad guys or spammers.
1000s of Mike's users would tell you that we offer a great service that complements their contact form perfectly, even if they just use the free version.

We appreciate your feedback. We worked with Mike to release an update within hours to address the concerns mentioned in the thread:
- vCita is NOT enabled by default now.
Therefore your email will not be sent to vCita servers
- The banner ad fills up email address for user convenience and only when the user actually clicks the banner. If you do not sign-up we won't do anything with this email. Anyway - we'll work to remove that as well in the next version.

Bottom line - we want the best for Fast Secure Contact Form users and we respect their privacy. We will continue to work with Mike to bring vCita's value to his users, while not exposing their email address unless they choose to.
sqhk
Member
Posted 1 year ago #

Thank you, crudhunter, for discovering those disturbing issues, and for revealing the ugly practices going behind our backs. Your posts were an eye-opener for me, and probably for everyone else who read them! As a loyal user of Fast Secure Contact Form, I am DISGUSTED and OFFENDED by the turn this plug-in is taking. I only hope that the next version will resolve those issues completely, or else I will be abandoning this plug-in, and I will be advising my friends to do the same.
yeahwow
Member
Posted 1 year ago #

Hi Mike,

Thank you for your quick reply. The magic word in using a plugin is TRUST. As a plugin user, selecting a plugin for a certain function, you ask yourself if the plugin author can be trusted to create a well written plugin that doesn't break your website, and you ask yourself if the plugin author can be trusted to update the plugin when needed and provide some form of regular service.

Over the years you have really earned that trust. You have written a fantastic plugin that is downloaded over 2 million times and your service was really very good.

But... everything that happened with this vCita code has not helped to sustain that trust. And the way it works out now, by first getting a new update out there, and then hearing from crudhunter that a new backdoor e-mail sending piece of code behind a banner has been introduced is not helping either. One tends to wonder what else is in the code that has not been found yet.

I understand that you want to make some $$, and maybe a lot of $$, from cVita. There is no problem there. I understand that fully and you deserve it. But why this way? Why not make a seperate plugin for vCita and have your plugin work with that. Why clutter your code with this vCita function if it is only used by 0,2 % of your users and if it upsets your other users?

You wrote:

This was only a one time limited email announcement message of new features for Fast Secure Contact Form to existing Fast Secure users, letting them know about the new options. The message was sent from the plugin directly, we are not attempting to collect data.

Then why was this e-mail crafted the way it was? With a link to the vCita website to "unsubscribe" from the service...

Furthermore you write about vCita and how nice and well-behaved these people are. That is all good and well, but why should I trust them that they won't abuse my email address? Because they say so? Trusting them would have been a lot easier if they made another introduction, not by spamming me through your plugin. I understand that the mail I received has been a collaboration between you and vCita.

I hope this is all a one time only mistake and that all will be corrected in the following update. I also hope you realize that, at least in my opinion, the tactics that were used, and are still being used, are not in accordance with WordPress guidelines, and are not helping you to further the succes of your (until yesterday) great plugin.

I trust you will take all this to heart and do the right thing. I'm looking forward to your next message/update.

I wish you all the best and hope you make a lot of $$ with this plugin. It would be well deserved. But please, please find another way to do that, so I can confidently keep using the plugin. There are a lot of good examples out there that work really well, and that don't violate user-trust.
crudhunter
Member
Posted 1 year ago #

yeahwow,

To be fair. The issue I mentioned of the Banner link passing off email was not a new issue introduced.

The vCita ad banner was always setup so if you clicked on it, the URL would pass your email-address as a parameter to vCita. Most likely to pre-fill a sign-up form. For "user convenience" as Ran called it.

I think that in the hurry to fix some of the issues and get the 3.1.4.1 version out there, Mike probably just did not notice that additional issue, so it still showed in the new 3.1.4.1 version of the plugin.

BTW.. I think your idea of adding hooks in the plugin to allowing the install of a separate vCita add-on is a great idea. That would separate the issues entirely. A clean contact plugin, with a separate "Meeting" add-on people can choose to install.
yeahwow
Member
Posted 1 year ago #

@crudhunter
OK, thanks for clarifying the banner issue. If I accused Mike wrongly of introducing a new backdoor I apologize.

Let's wait and see what happens. That is what I will be doing right now. I want to trust Mike and keep using the plugin, but something has to be done and corrected.

The seperate vCita plugin would be the best way to go, I guess, but that is up to Mike and vCita. I'm waiting to see what happens...
yeahwow
Member
Posted 1 year ago #

@Mike

Just a thought:

If you looked at a plugin that said in the description:

This plugin may, upon installation or if you accidentally check the wrong check box, send your email address and perhaps some other private data to a bunch of really nice guys that promiss not to use that information.

Would you install that plugin?
admintiger
Member
Posted 1 year ago #

I also am extremely disgusted and disappointed by this. I have the Fast Secure Contact Form plugin installed at three sites. The email addresses at two of those sites previously received spam, but the address at one site was known only to a couple people and never received any spam whatsoever until this affair. Now it is trashed.

There is nothing wrong with trying to make money with a commercial venture, but there is a lot wrong with taking advantage of trust. If you want to help market vCita, you should do it in ways that don't mislead and that don't steal data from people who have trusted you and considered you a friend. I suspect your donation income will drop by far more than you receive from vCita.
Mike Challis
Member
Plugin Author
Posted 1 year ago #

The email feature is removed already, a new version was released to address this yesterday. No more emails will be sent. We apologized for any inconvenience. Please stop going on about it. We will even make some more adjustments next week as needed, but is a weekend. It takes time to make and tests changes so as not to cause any errors in the form functions....
The issue in the title of this thread is resolved, I am marking the post as resolved. Thank you.
crudhunter
Member
Posted 1 year ago #

Hmm..

OK with me.. I will certainly "stop going on about it", as requested, since apparently the creators think we are all just weird to care about "hidden features" and spamming.

To "stop caring", I have just "fixed" the problem. I moved my contact pages to an alternate plugin, Contact Form 7. Works beautifully, has a ton of add-on plugins for extra functionality if needed, 6 Mill+ downloads, and it took me only about 5 minutes to swap into my pages.

So.. No need to fix anything from my perspective. I am out.
Mike Challis
Member
Plugin Author
Posted 1 year ago #

Just a follow up. I just uploaded a change to remove the email address from the vCita banner URL. All it did was help fill in the email field on the page, but removing it will ease any concerns about other possible uses.
yeahwow
Member
Posted 1 year ago #

@crudhunter
Totally agree. I'll look into Contact Form 7 as well. It is a pity that things went the way they did. I sense no urgency about what happened. Best of luck!

@Mike
I have thought about this for a few days.
You set this thread to "Resolved", which in a literal sense is correct I suppose. I don't want to "go on about it", but I think the importance of what happened is bigger than FSCF. So I will open a new thread (in this part of the forum, although I feel it needs a broader public attention) about the current implementation of vCita in FSCF. It is not my intention to put you down in any way, but I think it is good to get to an understanding of where the limitations are with what can be commercially done in a plugin. This is not only important for the users of FSCF, but for the WordPress community as a whole. FSCF / vCita is interesting to discuss.
I can understand why you would want to stop the discussion, so I am sorry for "going on about it".
dmitric
Member
Posted 1 year ago #

Mike,
it's a great FREE plugin and thank you for the vCita addition.
People tend to forget about the price they paid for the plugin. At the end of the day Mike needs to eat too and those who concerned about "trust" need to pay for their own plugin custom development to avoid any affiliation with vcita or hostgator or bluehost or whatnot. Sheesh..I for one am happy with the plugin and happy with the vcita implementation!

Cheers!
bob1a
Member
Posted 11 months ago #

I love Fast Secure Form, and use it everywhere. But I tested vCita once, removed it but it seems to be almost spider-like. It has gotten itself into my server and I cannot get rid of it even though the plugin is removed. Worse, each time I install Fast Secure Form even on other sites, with unique databases, it appears integrated into Mike's great script. In the form editing page, I still have a vCita panel and do not want to have vCita on my server at all. How do I get rid of this invasive thing? Sorry guys, but vCita is more like a virus than a plugin. I've never seen any plugin or service spread out across domains, WP installs, databases etc. like this and candidly it's just wrong. Please help me remove it.
vCita
Member
Posted 11 months ago #

Bob,
We have a vCita option in Fast Secure and a growing number of users who find this very helpful.
We understand vCita is not useful for every Fast Secure Contact Form user though, and we worked with Mike to make sure it's easy to disable vCita.
Actually - it is not on by default anymore based on requests from this community.

I'm sorry you feel we're like a virus. We do not spread, or have any information on your domain or WP server - you can see that by looking at our code.

Ran
PrettySickPuppy.com
Member
Posted 3 months ago #

I just installed FSCF, and one thing I noticed was at the top of the Plugin (for Settings) was this Red & Pink (warning?) banner that stated "Fast Secure Contact Form - You still haven't completed your Meeting Scheduler settings. Click here to learn more, or Dismiss."

I first chose to "Click here to learn more" and it went further into setting up cVita for use, and did NOT contain information as I expected to Learn More... What it really did was to seek information for a cVita account and/or setup (Email address, etc.)

I firmly believe that it SHOULD NOT SAY "Click here to learn more" but instead say, "Click here to SETUP the use of cVita" and also to have "Click here for more info on cVita" to truly provide information on cVita.

I then backed out (Backspace or previous page) and then chose "Dismiss". My thought was that it would dismiss the Red & Pink (warning?) message. I was pleasantly surprised that this actually INACTIVATED cVita. Intuitively, I thought it should have dismissed the Red & Pink (warning?) area and nothing more.

If "Dismiss" is going to DISABLE cVita, then the text should read as such: "Dismiss and Disable the use of cVita".

I had researched FSCF before installing it and knew I did not want to use or enable cVita at this time. The Red & Pink (warning?) only confused me and when clicking on the current two (2) options, I did NOT get what I expected as they are currently written/described in context.

Just My Two Cents,

Chris (aka PrettySickPuppy)

PS ~ You really, REALLY have the Mother of all Contact Form Plugins. Great Job, Mike. And user comments do help. I depend on them myself for things I've written/created in the past. I've only recently became a WP convert and believe WP and the multitude of Free and Premium plugins for it just about addresses every need or whim one could want. (Sites are either a Blog, eCommerce, Magazine, or a Portfolio of some sort, and WP covers it all!)