Not Mailbag: Where Contact Forms Fail

Protecting yourself from abuse and harassment in comment forms seems to be a white whale.

My friend Andy, reading last Friday’s post, remarked no one should have to put up with crap like that. He’s right, and I mentioned that most contact forms don’t allow you to filter via your WordPress blacklists or comment moderation settings.


You should be.

Back in March 2014, I raised this with Jetpack, saying that the Feedback ignores Blacklists.

You have a moderation list and a blacklist.

You have a user you want to block from commenting forever. You add them to the blacklist. Surprise! They can still use the feedback form!

This should behave just like the blacklist on comments: It blackholes them. Done and gone. After all, you didn’t want them around.

Logically I can see why it doesn’t use the comment checks. If you have a check that only lets users who already have an approved comment leave more comments freely, this would be a problem. There’s no ‘pending’ value for feedback.

And the first reply … Well it made me mad back then. I say this as someone who is good friends with the fellow who commented, but back in 2014, I wanted to smack the back of his head.

This would be super easy to get around, just change the alleged from email address. Besides, blacklist tends to be things that shouldn’t be displayed publicly automatically, allowing contacts would let them appeal the blacklist.

I could see grounds for adding a filter to have grunion follow the commenting blacklist though. Less sold on an admin option.

Now go back and read last week’s post. I have not blacklisted the rather vile word used in that comment because I have a friend who is dyslexic and often says ‘cuntry’ instead of ‘country.’ It’s an honest mistake on her part. We added in an autocorrect to her phone and tablet. But blocking short words is hard. Still. The IP address? You bet that hit my blacklist.

If I still had a comment form, that moron could still harass me.
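As an added example (not code from the post, from Jetpack, or from WordPress itself), this is what a feedback form that honoured the comment blacklist would do: each blacklist line is matched case-insensitively as a substring against every field of the submission, which is how the WordPress comment check behaves and is taken as an assumption here. A changed email address still trips on the blacklisted IP, while the short-key problem mentioned above shows up as a false positive on an innocent message.

```python
from dataclasses import dataclass


@dataclass
class Submission:
    """One contact-form submission, the fields a form plugin typically collects."""
    name: str
    email: str
    url: str
    ip: str
    message: str
    user_agent: str = ""


def parse_blacklist(raw: str) -> list[str]:
    """One key per line, like the Comment Blacklist textarea; blank lines ignored."""
    return [line.strip() for line in raw.splitlines() if line.strip()]


def blacklist_hits(sub: Submission, keys: list[str]) -> list[tuple[str, str]]:
    """Return (key, field) pairs for every blacklist key found as a
    case-insensitive substring of any field (assumed WordPress semantics)."""
    fields = {"name": sub.name, "email": sub.email, "url": sub.url,
              "ip": sub.ip, "message": sub.message, "user_agent": sub.user_agent}
    hits = []
    for key in keys:
        needle = key.lower()
        for field, value in fields.items():
            if needle in value.lower():
                hits.append((key, field))
    return hits


def should_blackhole(sub: Submission, keys: list[str]) -> bool:
    """Blackhole the submission (drop it silently) on any hit, as comments are."""
    return bool(blacklist_hits(sub, keys))


# Constructed sample data; addresses are from documentation ranges/domains.
KEYS = parse_blacklist("""
203.0.113.45
troll@example.net
ass
""")
HARASSER = Submission("Anon", "new-address@example.org", "", "203.0.113.45",
                      "You know what you did.")
FALSE_POSITIVE = Submission("Jo", "jo@example.org", "", "198.51.100.7",
                            "Greetings from Massachusetts!")
CLEAN = Submission("Pat", "pat@example.org", "", "198.51.100.8",
                   "Love the post, thanks.")
```

The harasser’s new email evades the address key but the IP still matches, which is the blackhole the post asks for; the three-letter key catches a place name, which is why short words are hard to block.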

As I replied to George:

Sure, and it’s just as easy to get around the current blacklists in WP. The point is, though, if you’ve put someone’s email on your comment blacklist, the assumption can be made that you have a good reason. You DON’T want this person commenting on your site, so why are you making it easy for them to harass you? And yeah, I used ‘harass’ intentionally.

Certainly I can and do block their emails on the server, but I still have to go in and clean out the messages in feedback once in a while, and I for one get a lot of pretty vile garbage from people. So having one less place to have to read their BS would be beneficial.

It’s always been relatively easy to work around if you’re a dedicated troll, but if the blacklist just blackholed their contact messages, it does a lot for your mental health.

Because he’s right that a dedicated asshole will work around the blacklists. They do it today. Still, I feel there’s no reason to make it easier for them. And while I can block at the server level, not everyone has my skills. And for those people, should we not introduce Akismet-level scans on feedback forms?

You see, the reason I was mad at George back then is his argument felt like he was saying “since it can be worked around, this is a bad idea.”

That is absolutely not what he meant.

Even if I didn’t know George well, I have simple proof he didn’t think this was a stupid idea; he thought it was an idea that called for caution. What proof? He didn’t close the issue. In fact, he gave it a milestone to review.

Now, sadly, it’s been two years with no traction. Every so often someone bumps the milestone, which means it’s among the 600+ tickets that need attention. But it lingers. It’s not a priority.

Jetpack and Akismet are both owned by the same company. If you have the Akismet plugin installed and activated, and have an active subscription, every form submission will be checked for spam.

They need to take it to the next level. So do all forms plugins. From what I can tell, Ninja Forms has a simple spam-prevention field but no blacklists. Gravity Forms has an old, no-longer-updated third-party plugin for a Gravity Forms Email Blacklist.

In fact … the only contact form plugin I could find that actually uses WordPress’ built in blacklist would be Takayuki-san’s Contact Form 7.

Let us protect ourselves from abuse.

One reply on “Not Mailbag: Where Contact Forms Fail”

Reading this article, I just thought of a startup idea: like TrueCaller, we can have a “verified email” or “not-spam” database of email IDs. One can opt in or opt out of it. Something like identity management, how Gravatar does it, but with the ability for blogs/portals/etc. to sign up and manage their own list of spam/blocked users out of this list of globally verified people.

It’ll be open and linked with an API, so that any commenting/forms/registering/etc. functionality can cross-check, first for a global “spam” list and then (if) that particular domain/sub-domain has a “blocked list”. Will have to be a community effort involving the giants.

Whoo! too much loud thinking, eh!