Support » Plugin: cformsII » Still receive spam through cformsII

  • Resolved vergellan



    We use CformsII on our website in conjunction with Really Simple CAPTCHA but still receive spam emails. There is no {Page} property (only slash character) in these messages , so it seems spammers forward direct POST-requests to plugin`s mailing files. Does CformsII check the “http_referer” before sending mail or something like that?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author bgermann


    The page property set to / implies that your form is sent from your homepage (/). Is the form available there? For better spam protection you could use Google recaptcha. Just search for it in the forum.

    Thanks for the reply.

    We use this CformsII form as a widget in the sidebar. When I test it from the mainpage – Ive got the message with the {Page} property contains the domain name of the site, so it is not very clear where slash character comes from. I also do not really think that the using of Google recaptcha can change the situation, because when we used the text Q-A captcha as well as when we used a graphic Really Simple captcha the spam emails came from the same IPs. Therefore, I would like to understand whether it is possible that the spammers can use direct requests to the plugin`s mail files.

    • This reply was modified 10 months, 1 week ago by vergellan.
    Plugin Author bgermann


    The {Page} property originates from $_SERVER['REQUEST_URI'] (for non-AJAX forms) or from $_SERVER['HTTP_REFERER'] (for AJAX forms). The spammers can obviously at least control the HTTP referer on sending an HTTP request to your form. cformsII does not check the value for plausibility (because I cannot easily predict it), but filters it on output (e.g. in the email).

    You could use a the cforms2_after_processing_action to check the referer and throw an exception if it is not matching an expected value. cformsII catches the exception and reports a form validation failure.



    Thanks for your advice, looks like it’s working.
    I have put a check of $_SERVER['HTTP_REFERER'] in add_action(‘cforms2_after_processing_action’, function ($cformsdata) {…} section.
    But I think I found an error in the file lib_validate.php on line 799.

            if ($cformsSettings['form' . $no]['cforms' . $no . '_emailoff'] == '1') {
                $sentadmin = 1;
            } else {
                // This filter allows manipulation of the admin email just before sending
                $mail = apply_filters('cforms2_admin_email_filter', $mail, $no, $pid);
                $sentadmin = $mail->send();

    When we catch an Exception from do_action(‘cforms2_after_processing_action’, $trackf) this loop does not take into account the $sentadmin = 1 value from the Exception and still send an email to admin.

    • This reply was modified 10 months ago by vergellan.
    Plugin Author bgermann


    You are right, I will fix this for v15.0.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Still receive spam through cformsII’ is closed to new replies.