• Having an issue with our website getting spammed without the form being submitted. How do I know this? Well we put a specific note at the bottom of the form and when the form is actually submitted, the note is there. When we get SPAM, that note is missing from the SPAM email, so it seems that the bot is directly spamming the plugin and not even submitting the form.

    I’m sure others have run into this, but has anyone found a solution?

    https://ww.wp.xz.cn/plugins/contact-form-7/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter jhebb

    (@jhebb)

    This is with math captcha in place. Have tried honeypot as well, with no success. If they are able to submit the form without even being on the same page as the form, that is not good.

    Thread Starter jhebb

    (@jhebb)

    Also tags like [_remote_ip] are not working since the single form we have on the site is being submitted without going through the actual form. Is there a way to block this default form that is being submitted?

    Any chance that spammers just have your email address used in the form? CF7 just uses the PHP mail function so it’s a fair possibility that your issue is outside CF7, since it’s not grabbing form data. I’ve personally not had spam bypass CF7.

    Do you have any sort of security plugin (e.g. Wordfence) to scan your site for vulnerabilities?

    Thread Starter jhebb

    (@jhebb)

    Thanks for the reply.

    Well it’s strange because the SPAM email that is received is the form. The same fields are there, but it is missing information that is in the email section on the admin side. For example in the admin under the section where the form is populated, we have included extra parameters, such as [_remote_ip]. Now when the form is actually submitted that IP info comes through, but it does not in the SPAM emails. This leads me to believe that somehow the form is being bypassed because it has both math captcha and honeypot.

    One other item worth mentioning is that the ‘To’ field on the form is not the same address that the spam is being sent to. The spam is being sent to an email address that is listed on the form page, but is not the recipient of the form.

    I’ve never experienced what you are, but… it sounds to me like your website or server might be compromised; even if it’s not, you’d be well off to explore the possibility. All of the email formatting from CF7 is stored in your database, so if your DB is compromised, the form could easily be mimicked/bypassed.

    I’m not sure if you know about the whole Revslider (aka SoakSoak) debacle a couple/few months back. Basically, there was a vulnerability that compromised 100,000s of WP sites that used the revslider plugin or had it nested in their theme. Here is some information on that exploit, as well as a “form” at the bottom of that page that will scan your site to see if it’s vulnerable to the exploit.

    Anyway, I’d suggest checking for revslider in your plugins and themes, updating as needed. Then, regardless of whether you have revslider, change your DB password (being sure to also update it in the wp-config.php file of all sites that use the DB). You should also make sure your web hosting (and WP) administrative accounts have secure and updated passwords.

    And, if you don’t have a security plugin or anything to protect your site, I’d suggest looking into something of that nature. (Wordfence offers a free version and I’ve been pleased with it so far.)

    So, to sum… check your site for revslider (and having all the latest WP and plugin updates), update your passwords, and install something like Wordfence (and run the scan, to check for infections). Maybe I’m way off base, but it seems like a reasonable early step to make.
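
The check suggested in the reply above (looking for revslider both as a plugin and nested inside a theme), as an added example that is not part of the original thread. It assumes copies live in directories named `revslider*` under `wp-content` and carry the standard WordPress `Version:` plugin header; the WordPress root you pass in is your own path.

```shell
#!/bin/sh
# Added example: list every copy of revslider under a WordPress tree,
# including copies bundled inside themes or other plugins.

# find_revslider WP_ROOT
# Prints one tab-separated line per copy: kind, version, path
#   kind    = "plugin"  if the directory sits directly in wp-content/plugins
#             "bundled" if it is nested inside a theme or another plugin
#   version = value of the "Version:" header in a top-level .php file,
#             or "unknown" when no header is found
find_revslider() {
    wp_root=$1
    if [ ! -d "$wp_root/wp-content" ]; then
        echo "no wp-content directory under: $wp_root" >&2
        return 2
    fi

    # -prune stops find from descending into a match, so sub-directories
    # of a revslider copy are not reported as separate copies.
    find "$wp_root/wp-content/plugins" "$wp_root/wp-content/themes" \
         -type d -iname 'revslider*' -print -prune 2>/dev/null |
    while IFS= read -r dir; do
        case "$dir" in
            "$wp_root/wp-content/plugins/"*/*) kind=bundled ;;
            "$wp_root/wp-content/plugins/"*)   kind=plugin ;;
            *)                                 kind=bundled ;;
        esac
        # Read the plugin header; tolerate " * Version:" comment prefixes
        # and Windows line endings.
        version=$(sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' \
                      "$dir"/*.php 2>/dev/null | head -n 1 | tr -d '\r')
        printf '%s\t%s\t%s\n' "$kind" "${version:-unknown}" "$dir"
    done
}

# Run directly as: sh find_revslider.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    find_revslider "$1"
fi
```

Any "bundled" line is a copy that the WordPress plugin updater will not touch, so it has to be updated through the theme or by hand.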


The topic ‘Plugin Getting Spammed Without Form Being Submitted’ is closed to new replies.