• Resolved NanoWisdoms

    (@nanowisdoms)


    I just started testing Spamshield on a development website. I happened to start with 1.9.8.4 and everything seemed ok. I then upgraded to 1.9.8.5 and thought all was fine but it was not.

    I use Amazon SES for bulk emailing and they report bounces, spam, etc. via Amazon SNS:
    http://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.html

    v1.9.8.4 worked fine. But then my bounces were no longer being reported and I could not even confirm the SNS endpoints. When I visited the endpoint URL from a browser it worked, but when Amazon visited, it failed.

    Logs showed nothing and no errors.

    After 3 days of digging through with trace statements I found it was failing deep inside WordPress. I then decided to check new plugins/upgrades, disabled them all, and it started to work.

    The culprit: wp-spamshield.1.9.8.5

    It proudly logs Amazon SNS visits as spam.

    I uninstalled and reinstalled 1.9.8.4 (no settings changed) and it works fine.

    Hopefully it is just a bug, but if not then 1.9.8.5 is too strict and unusable by anyone using Amazon SES/SNS for email.

    https://wordpress.org/plugins/wp-spamshield/

Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Contributor redsand

    (@redsand)

    Hi there Nanowisdoms,

    I’m sorry to hear about the issue you’re having.

    There is a bug in 1.9.8.5 that we are currently fixing. It’s most likely what’s causing the problem and we will have a new release out today with the fix.

    However, it is possible that this isn’t the issue, and that there is a more specific conflict on your site.

    We will be happy to help you out. You will need to take the following steps:

    1. The Troubleshooting Guide and FAQs are the place to start.

      Please take a few minutes to work through these, as they solve over 90% of issues users have. (Please be sure to follow all the steps, not just read through them.)

      Once you have gone through the Troubleshooting Guide and FAQs, if that doesn’t solve the issue, we’ll need a bit more info from you on the specifics, and we’ll need to email back and forth, so you should move on to the next step.

    2. Submit a support request at the WP-SpamShield Support Form, our main support channel for the plugin. We have an excellent diagnostic process.

    That will allow us to help you diagnose this, find out what the real issue is, and get things working right for you.

    – Scott

    Please note that the WP-SpamShield Support page is our main support venue, not the WordPress forums here, so that will always be the best way to get a quick response and resolve any tech support issues.

    Thread Starter NanoWisdoms

    (@nanowisdoms)

    No your new version (1.9.8.6) didn’t work. It’s still blocking Amazon SNS.

    v1.9.8.4 was the last one that worked.

    I have been through all of your troubleshooting guide and FAQ steps and will submit a Support request.

    Plugin Contributor redsand

    (@redsand)

    Fixed in version 1.9.8.7.

    Thread Starter NanoWisdoms

    (@nanowisdoms)

    Thanks for the update. Works fine.

    However this experience leaves some lingering concerns though.

    Obviously Spam-Shield is sensitive to such things and is blocking more than just spam form submissions. I was lucky I found SpamShield was the problem. And that was after 3 days of frustration and digging in all corners to find what was the problem as there are no warnings about such things being blocked by Spamshield and one is led to believe that only form submissions are blocked.

    Blocking spam form submissions is one thing, blocking transaction requests, like Amazon SNS bounce notifications, is quite another and impact operations that can affect one’s reputation. So:

    a) How can we be better alerted that SpamShield is blocking non-form related visits — and what those are, so we can see if there any important ones being blocked?

    Yes you have a log, but that is insufficient as it presupposes we suspect Spamshield to start with when we may not even think to look there. Because who knows if there are other transaction requests being blocked — or that may all of sudden become blocked because they are changed and look like spam to Spamshield — and we can’t wait for failures to occur — as some are not acceptable — and then think “ah maybe it’s SpamShield”.

    So Spamshield needs to first know/learn what is “normal” for the website before it starts filtering. And then, once it is filtering, it needs to create dashboard and email alerts when something “normal” is all of a sudden being blocked.

    b) How sensitive is the patch to changes Amazon may put in their URL requests?

    Plugin Contributor redsand

    (@redsand)

    Thanks for the update. Works fine.

    You’re very welcome. 🙂

    Obviously Spam-Shield is sensitive to such things and is blocking more than just spam form submissions.

    This is all explained in the plugin documentation, and in the FAQs, and Troubleshooting Guide.

    Blocking spam form submissions is one thing, blocking transaction requests, like Amazon SNS bounce notifications, is quite another and impact operations that can affect one’s reputation.

    All WordPress . org plugin use is based on the principle that you take responsibility for your website. We are offering you a free gift, and how you choose to use it is up to you. If there is any risk to your reputation from an element of your website not functioning as you like, then you need to employ a full-time web developer to manage it. Please do not try to assign that burden to free plugin developers. We are merely creating something in hopes it may benefit the community. Keep in mind we are under no obligation to provide support, yet we do so anyway. All responsibility for a website belongs to the website owner, not anyone else.

    As we state in our documentation, we are committed to zero false positives, and when one is reported, we fix it immediately.

    How can we be better alerted that SpamShield is blocking non-form related visits — and what those are, so we can see if there any important ones being blocked?

    Logging is included in the plugin. It is explained in the documentation that the plugin blocks many types of spam. FAQs cover what to do if something was blocked that you believe should not have been.

    So Spamshield needs to first know/learn what is “normal” for the website before it starts filtering. And then, once it is filtering, it needs to create dashboard and email alerts when something “normal” is all of a sudden being blocked.

    Instead of doing this, we have the plugin only filter bad requests. What you had was a one-time issue that we corrected as soon as it was reported. Using the method you suggest assumes we would accept a certain amount of error within the plugin. We do not. If a legit issue gets reported, we fix it.

    How sensitive is the patch to changes Amazon may put in their URL requests?

    It follows Amazon Specs as outlined on: http://docs.aws.amazon.com/sns/latest/dg/json-formats.html

    If you have any further questions, please submit them to us via email on your support request thread on the WP-SpamShield Support page and we’ll be happy to answer them.

    Please note that the WP-SpamShield Support page is our main support venue, not the WordPress forums here, so that will always be the best way to get a quick response and resolve any tech support issues.

    Thread Starter NanoWisdoms

    (@nanowisdoms)

    WRT

    This is all explained in the plugin documentation, and in the FAQs, and Troubleshooting Guide.

    It might be but there’s so much to read, something like this should be made clearer, up top, that more than form submissions might be blocked.

    WRT

    All WordPress . org plugin use is based on the principle that you take responsibility for your website. We are offering you a free gift, and how you choose to use it is up to you. If there is any risk to your reputation from an element of your website not functioning as you like, then you need to employ a full-time web developer to manage it. Please do not try to assign that burden to free plugin developers. We are merely creating something in hopes it may benefit the community. Keep in mind we are under no obligation to provide support, yet we do so anyway. All responsibility for a website belongs to the website owner, not anyone else.

    I think you’re being over sensitive rather than taking my comments in the spirit they are made. SpamShield is to be commended not just for their free product, nor for their free and responsive support, but for the seriousness with which they take their users’ interests — i.e. your zero false positive commitment. What that says to potential users is that you are a serious developer and are concerned about your users. That inspires confidence and my remarks are in that spirit. Given you are serious about your users, legal disclaimers notwithstanding (even commercial software products have them), my comments were merely to draw your attention that your product has the potential to have serious unintended side-effects, and so I was just pointing out that given the seriousness and confidence with which you respect your users, that these side effects are something that (again legal disclaimers notwithstanding) can impact that confidence in you and so was bringing them to your attention so you are able to see if there is a way to mitigate them — better for you, better for your users.

    WRT

    Logging is included in the plugin. It is explained in the documentation that the plugin blocks many types of spam. FAQs cover what to do if something was blocked that you believe should not have been.

    As I said that presupposes we even think to look at Spamshield as a source of the problem. So I made a suggestion.

    WRT my suggestion, I understand you are blocking only bad requests, but until a user actually uses your plugin he’s not got its benefit. So what I’m suggesting is something along the lines of a “grace learning period” on installation where the plugin learns what is normal (with some user input) and what is not, and then if some request from a trusted source (like amazon) all of a sudden gets blocked as spam, the user can be alerted. So there is “acceptance” of a certain amount of error, but rather an alert system for the users given the blockages can be more serious. Again better for you, better for the users.

    There are probably many variations on how to do this, but I’m simply suggesting a way for the user to be alerted when something changes and “normal” sources all of a sudden get rejected. Say for example like Amazon changes its API call, then knowing that amazon was a trusted source and now it’s not meeting the specs, you could alert the user this source has changed and is being rejected.

    Plugin Contributor redsand

    (@redsand)

    Thanks for sharing your feedback. We always listen to user suggestions.

    You are absolutely correct that we are concerned about our users, and will be committed to keeping the highest quality for the plugin.

    Thread Starter NanoWisdoms

    (@nanowisdoms)

    Correction to my post:

    “So there is “acceptance” of a certain amount of error …”

    Should be:

    “So there is NO “acceptance” of a certain amount of error ..”

    Plugin Contributor redsand

    (@redsand)

    No worries. One thing to note on this point you mentioned:

    Say for example like Amazon changes its API call, then knowing that amazon was a trusted source and now it’s not meeting the specs, you could alert the user this source has changed and is being rejected.

    We can’t mark Amazon as a trusted source, as a lot of bad activity (both spam and malicious traffic) does come from Amazon servers, as they are also a web host, and have a huge amount of IP addresses. So we have to go according to their spec in order to whitelist anything from them.

    Thread Starter NanoWisdoms

    (@nanowisdoms)

    Well I don’t mean Amazon.com per se (Amazon SES/SNS have different domain/subdomains) but Ok I see your point. It was just a suggestion and perhaps there’s another way to do the “learning” concept. I’m just thinking how, perhaps with some user input, key transaction sites can be flagged so if they start getting blocked, the user is advised. But you’re the experts and will know if it’s feasible or worthwhile.

    Plugin Contributor redsand

    (@redsand)

    We do appreciate the suggestions. Trust me, we’re quite familiar. 🙂 Amazon SNS IP’s aren’t configured such that Reverse DNS lookups will show what Amazon SNS subdomains they match with, and the Amazon SNS subdomains in the SNS request don’t match the IP address (or even C-block) of the server that the request is originating from. It gets a lot more complex than most people realize. PayPal IPN for example, uses a much more standardized system, and makes it easier to validate. Just know that we are on top of it. 🙂
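
Added example, not part of the thread and not WP-SpamShield's code: the reply above describes allowing SNS callbacks by message format rather than by source address or reverse DNS. This Python example checks an inbound POST against the SNS HTTP/JSON message format and builds the canonical string the `Signature` field covers; the function name, the sample message and the certificate-URL pattern are assumptions, and fetching the certificate to verify the signature is left to an RSA library.

```python
import json
import re

# Fields covered by the signature, in the order the SNS docs give them.
_CONFIRM = ["Message", "MessageId", "SubscribeURL", "Timestamp",
            "Token", "TopicArn", "Type"]
SIGNED_FIELDS = {
    "Notification": ["Message", "MessageId", "Subject", "Timestamp",
                     "TopicArn", "Type"],
    "SubscriptionConfirmation": _CONFIRM,
    "UnsubscribeConfirmation": _CONFIRM,
}
# Assumed pattern: signing cert served over HTTPS from a regional SNS endpoint.
CERT_URL = re.compile(
    r"https://sns\.[a-z0-9-]{3,}\.amazonaws\.com(\.cn)?/[A-Za-z0-9._-]+\.pem")

def check_sns_request(headers, body):
    """Return (ok, reason, string_to_sign) for one inbound HTTP POST."""
    hdr = {k.lower(): v for k, v in headers.items()}
    try:
        msg = json.loads(body)
    except ValueError:
        return False, "body is not JSON", None
    if not isinstance(msg, dict):
        return False, "body is not a JSON object", None
    mtype = msg.get("Type")
    if (not isinstance(mtype, str) or mtype not in SIGNED_FIELDS
            or mtype != hdr.get("x-amz-sns-message-type")):
        return False, "message type missing or inconsistent", None
    if not CERT_URL.fullmatch(str(msg.get("SigningCertURL", ""))):
        return False, "untrusted SigningCertURL", None
    if not msg.get("Signature"):
        return False, "missing Signature", None
    parts = []
    for field in SIGNED_FIELDS[mtype]:
        if field not in msg:
            if field == "Subject":      # optional on notifications
                continue
            return False, "missing field " + field, None
        parts.append(f"{field}\n{msg[field]}\n")
    return True, "format ok", "".join(parts)

# Constructed sample; identifiers and signature are placeholders.
SAMPLE = json.dumps({
    "Type": "Notification", "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:example-bounces",
    "Message": "{\"notificationType\":\"Bounce\"}",
    "Timestamp": "2015-11-01T00:00:00.000Z", "SignatureVersion": "1",
    "Signature": "PLACEHOLDER",
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/placeholder.pem"})
```

A request that passes this check is still untrusted until the `Signature` is verified over the returned string with the certificate from `SigningCertURL`.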

    Thread Starter NanoWisdoms

    (@nanowisdoms)

    BTW could this new version be blocking and/or confusing legitimate browsers?

    On my iPhone 4s running iOS 9.1, I’ve noticed in the past day — since installing the new version — some strange, random browser responses when browser page refreshes. This was when Safari did the refresh itself when you come back to the tab in the browser. You would see the blue bar progressing across the top as the refresh starts, and then it would sort of flash and start again and I could tell something had gone wrong.

    Several times yesterday I got a 404 response and when I look at the URL it was this strange thing:
    http://ismailidigest.org/&arubalp=692a19dd-7690-4bdc-9391-76c1905d28

    Does “&arubalp=692a19dd-7690-4bdc-9391-76c1905d28” mean anything to you?

    It was the exact same URL every time. I thought it might be the browser cache so I cleared it and it seemed to go away.

    Now today several times when I refreshed the page, or Safari did, I just got a totally blank page, with just the website’s background colour.

    I’m only seeing this on iPhone so far. Until yesterday I had never seen any of this.

    I’ve turned on “Disable anti-spam for miscellaneous forms.” and will watch for a couple of days to see if it gets better and then try it the other way.

    Plugin Contributor redsand

    (@redsand)

    Hi Nanowisdoms,

    The new issue you are experiencing would be a completely separate issue, and would not be caused by WP-SpamShield. C’mon now…give us a little credit! 🙂

    Like I said above, if you have any further questions, please contact us by email as part of your existing support request, and we’ll be happy to help.

    – Scott

  • The topic ‘Serious bug in wp-spamshield.1.9.8.5’ is closed to new replies.