Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: email

  • Stopping Jerks in Ninja Forms

    Stopping Jerks in Ninja Forms

    I don’t have a spam problem, I have a jerky people problem. I have people who, no matter how many times I explain I cannot help them, or I don’t want to talk to them, will continue to email.

    Right now, I have some absolute weirdo in Europe who emails me every day via a contact form. I don’t know what the heck he’s thinking, but I do not need advice about how to live my life nor can I help him talk to a celebrity. The problem though is I can’t delete the form. I can (and did) set his email to auto-bin via my mail server, but he still fills the form in and I am just tired of cleaning this up.

    This site happens to use Ninja Forms, and really what I want to do is auto-cycle his emails to the bin so he can rant all he wants and never knows I don’t see a thing.

    (Note: This is not the same person as my serial harasser.)

    Warning: Their Documentation is Rough

    The biggest headache to all this is the fact that Ninja Forms’ documentation kinda sucks. For example, you cannot search their ‘codex‘! That’s just basic level for a documentation service, and on top of that if you try googling, it wants to send you to the non-developer pages.

    Now to their credit they know this:

    Admin note: we have not been able to give this site the attention it needs or deserves for a while. Most of the Codex documentation is still applicable, but please be aware that you will find some outdated material here that will need to be adapted for Ninja Forms in its current, more modern, state. 

    But that doesn’t make it really any better for me today, and it’s been like that for a while.

    Which means thinking “I can search for how to auto-flag a submission as spam/trash!” is impossible. It doesn’t work, it doesn’t exist in current NF format, and it’s a pain to the point that I seriously considered dumping the whole plugin over this!

    Folks. I know documentation is incredibly hard, but if you want people to make plugins to extend yours, and thus help make you even more popular, hire someone to do this. It’s only gonna get harder as time goes on.

    The Initial Code

    The first step is, of course, can I even do this, and of course I can:

    <?php
    /**
     * Prevent anyone from my blocklist from spamming me.
     */
    
    // Exit if accessed directly.
    defined( 'ABSPATH' ) || exit;
    
    
    class FLF_NinjaForms {
    
    	/**
    	 * List of disallowed emails
    	 *
    	 * We omit anything that isn't an email address or has an @ in the string.
    	 *
    	 * @return array the list
    	 */
    	public static function list() {
    		$disallowed_emails = array();
    		$disallowed_array  = explode( "\n", get_option( 'disallowed_keys' ) );
    
    		// Make a list of spammer emails and domains.
    		foreach ( $disallowed_array as $spammer ) {
    			if ( is_email( $spammer ) || ( strpos( $spammer, '@' ) !== false ) ) {
    				// Anything with an @-symbol is probably an email, so let's trust it.
    				$disallowed_emails[] = trim( $spammer );
    			}
    		}
    
    		return $disallowed_emails;
    	}
    
    	/**
    	 * On load.
    	 */
    	public function __construct() {
    		add_filter( 'ninja_forms_submit_data', array( $this, 'comment_blocklist' ) );
    	}
    
    	/**
    	 * Ninja Forms: Server side email protection using WordPress comment blocklist
    	 * https://developer.ninjaforms.com/codex/custom-server-side-validation
    	 *
    	 * @param array $form_data Form data array.
    	 * @return array $form_data email checked form data array.
    	 */
    	public function comment_blocklist( $form_data ) {
    		$disallowed = self::list();
    
    		foreach ( $form_data['fields'] as $field ) {
    			// If this is email, we will do some playing.
    			if ( 'email' === $field['key'] ) {
    				$email_address = sanitize_email( strtolower( $field['value'] ) );
    
    				// Break apart email into parts
    				$emailparts = explode( '@', $email_address );
    				$username   = $emailparts[0];       // i.e. foobar
    				$domain     = '@' . $emailparts[1]; // i.e. @example.com
    
    				// Remove all periods (i.e. foo.bar > foobar )
    				$clean_username = str_replace( '.', '', $username );
    
    				// Remove everything AFTER a + sign (i.e. foobar+spamavoid > foobar )
    				$clean_username = ( false !== strpos( $clean_username, '+' ) ) ? strstr( $clean_username, '+', true ) : $clean_username;
    
    				// rebuild email now that it's clean.
    				$email = $clean_username . '@' . $emailparts[1];
    
    				// If the email OR the domain is an exact match in the array, then it's a spammer
    				if ( in_array( $email, $disallowed, true ) || in_array( $domain, $disallowed, true ) ) {
    					$form_data['errors']['fields'][ $field['id'] ] = 'Error: Invalid data.';
    				}
    			}
    		}
    		return $form_data;
    	}
    
    }
    
    new FLF_NinjaForms();
    
    

    This code takes the email, strips out any periods (since Google allows you to put those in anywhere in your username) and then also removes anything after a + sign (since… Google lets you add in random whatever after a + sign) and builds a sanitized email. Then it checks that email on my block list. It also checks if I banned the domain.

    The Problem

    The only problem?

    				// If the email OR the domain is an exact match in the array, then it's a spammer
    				if ( in_array( $email, $disallowed, true ) || in_array( $domain, $disallowed, true ) ) {
    					$form_data['errors']['fields'][ $field['id'] ] = 'Error: Invalid data.';
    				}
    

    That tells them “Error: Invalid Data” for the email. Which will suggest to them to try something else.

    I don’t want that!

    So I thought what if I changed that error to this:

    $form_data['fields']['is_spam'] = true;
    

    Which sets a new field for me! Is spam.

    The only problem? Well I thought I could use that with ninja_forms_after_submission to then say “Submission is in but we are going to treat it as trash and not email it.” Ever tried to look up ‘don’t email Ninja Forms’? Or any form? Yeah, all you get it help if Ninja Forms isn’t sending email.

    Then I thought I could set it as actual spam, but Ninja Forms has the most useless advice:

    If you’ve used all the methods above and you still receive spam submissions, maybe it’s time to change your hosting provider. Ideally, they can help you minimize spam and provide you a web application firewall to keep those spambots off your website.

    My host isn’t the issue. This jerk is. And both Jetpack and Gravity Forms have an _is_spam filter/action you can hook. I find it very odd that native mark-as-spam isn’t a think in Ninja Forms, and honestly it’s putting more fuel to the ‘change tools’ fire. This is some basic stuff, ain’t it? If you can hook into Aksimet and have it catch spam, why can’t you mark as spam and send that data back to make everyone’s life better?

    Is this the end?

    Well. For now it is. For next it’s not. I think the real answer will be to create an action like they have for Akismet, and in there rebuild my spam tool.

    Maybe as a plugin for all.

    But for right now, I actually turned off the forms entirely. No more contact form. The only person really using it was that yahoo, and instead I have the email address up there for now. Likely I’ll go back to Jetpack for a while, or maybe write a whole, complex, add on plugin. Later.

  • Email Verification and Unsubscribing

    Email Verification and Unsubscribing

    If you follow me on Twitter (no you probably don’t want to), you know I’ve been dealing with the messy technical side of death for around 2 years now. My father died, unexpectedly, and I picked up his digital life and dropped it on my laptop in order to untangle things. While my father had shared his login information with me before, I did run into a number of technical issues like needing the phone for an SMS confirmation when I logged in from a new location.

    Now all that said… Here’s the technical problem a LOT of companies created for themselves.

    1. They don’t require you to verify an email before sending you advertisements
    2. Those emails do not have unsubscribe links

    Yeah, those two things are killing me, smalls.

    Why not delete the account?

    Someone’s thinking this…

    Because the last time someone emailed it, legit looking for my Dad to tell him something funny/relatable/personal, was December 2020.

    Dad was in his 70s. He had a lot of sporadic friends over that time, and sometimes they would randomly think about him and reach out. Many were long-standing friends, some I knew and hadn’t seen since I was in elementary school. He lived in a lot of places. Those people needed to be told he was dead.

    Maybe one day I’ll delete his account and his website, but it won’t be any time soon.

    How to Fix This

    The good news here is all this is fixable if people start caring about data properly.

    See the problem here stems from companies wanting your data. They want it so much that they use any excuse to grab it and never let go. But this is wrong both legally and morally.

    It’s not their data. It is YOUR data, and you should have a right to it. Per the GDPR, UK’s Right of Removal, and even California’s new laws, my data belongs to me, and I have a right (in most cases) to get it off their system. In the case of my dead father? That data is as useful for you as wings on a mongoose. But as his estate’s legal representative, I legally own Dad’s data, which means I should have control.

    Check The Email First

    Anyone who’s signed up for anything online lately knows that you have to opt-in to getting ads. That’s just how the world works now. But you also have to confirm your email before you can use your account fully.

    At the outset, that sounds great, right? It forces people to confirm! The reality though is that by letting people make an account, with or without verification of the email, those companies add the email to their mailing lists. That means that when some moron uses my father’s email to ‘test’ (or because they’re some idiot in the midwest who regularly thinks it’s his email even though Dad made it in the 1990s and has used it since then, seriously buddy, stop it), I get the email. And when they correct the email in the account, they retain access and I keep getting emails that I cannot unsubscribe from.

    We’ll get to the lack of links in a minute.

    The obvious thought process here is “People wouldn’t put in the wrong email!” but the reality? They do. They totally do. There’s a guy who bought a Ford, has a credit line, and a loan from a bank, and I know a whole lot about all this because he is a total idiot who keeps using the email that was my father’s. Seriously. It’s never been his email. The first owner of the domain was Dad. The second is me. The email he used has been in use, by my father, since March 2, 1995. Not joking.

    Now, if you keep along with the (incorrect) thought train, you’d think “Once someone enters their email, I can add it to my mailing lists as I have their consent.” And again, sure. IF the email is actually theirs. And what’s happening is all these sites add in your email to their lists before they confirm (if they confirm at all) that it’s really your email. This means my poor Dad’s email is not just added to an account, it’s added to all their lists as well.

    Let Us Unsubscribe

    The other (related) issue is there’s no unsubscribe link.

    Look, I get it. There are emails that are not unsubscribeable for as long as you have an active account. There are legal reasons why you have to be mailed some things. However all those emails must have a way you can actually close/remove your account. A link would be great, but even an explanation “Hey, we cannot unsubscribe you unless you close your account, here’s how to do that.” would be better than the message from a certain ISP who told me I had to log in to the account… but were unable to provide me with the login info.

    In the case of two separate companies, if you do have to legally send out emails to people because they have an active account, you should be including some information like ‘Your account name is X’ or even ‘Your account number is X’ so that we can have a place to start. Instead, I have a bunch of emails that all say they can’t unsubscribe me while I have an active account, please log in …

    And what do you think happens when I go to log in? Of course ‘There is no account with this email…’

    Which brings me to…

    Let Us Recover Accounts

    It needs to be ‘easier’ to recover account. Especially if someone’s dead.

    Now, I’m not talking about Facebook’s idiocy on locking people out and requiring them to have someone else verify them, only to send another email that bounces and you can never log in. Although that was certainly fun to do with my Dad’s stuff.

    Take a hard look around. People are dying by the thousands per day, and those are not ‘expected’ deaths by any means. This means the number of humans who were unprepared and unorganized are stuck trying to find things like account numbers, and have no clue where to start. If we’re lucky, we can get into their email and change the passwords so we can keep it but…

    This is not actually very easy! The only reason I had Dad’s email was because I was his email admin. If I wasn’t, I’d have to have logged in while I was still in Japan, from his laptop, and then hoped beyond reason that I was able to change the passwords without knowing the current one.

    Think about that for a second. My father lived in Japan, had a Japanese number. He’s dead, the phone number was closed, and I can’t get it back as I’m not a Japanese resident. Which means the methods to recover are … email. But that isn’t enough for some companies.

    My ‘favourite’ is someone telling me that there was no way to know what account used my Dad’s email. Yeah, they had no way to connect an email to any account, and required me to provide a local phone number to call me about it. I blocked their emails because I literally have no other solution. They can’t tell me what email uses the address I own, and they can’t help me except by a local-to-them phone call.

    Summary? Let People Own Their Data

    Okay, here’s your summary:

    1. Require email confirmation in all cases where an account is being made. No verification? No account.
    2. Allow people to correct the emails if they can’t verify. If someone put in stevejobs@appl.com and forgot that E, they should be able to fix this.
    3. Allow people to unsubscribe from all emails with an easy to find method. A link, some explanations, whatever. Make it obvious.
    4. If people cannot legally unsubscribe while having an account, then you need to make it possible to cancel accounts when a user DO NOT KNOW the account name. If you’ve verified emails, yo, magic. “I forgot my account name…” — And again, this needs to be easy to find information.
    5. If someone sends you a damn death certificate, you should honour it.

    This is not going to fix everything, but it would certainly make us hate a couple companies a lot less.

  • 18 Months Without Contact Forms

    18 Months Without Contact Forms

    In February of 2016 I deleted my contact forms (except one).

    In the subsequent 18 months, I’ve actually enjoyed it, as the cruft email in my box has dropped significantly. But it led to a few peculiar situations. You see, people do still try to get a hold of me personally , and they’ve taken to interesting methods.

    Keep in mind. I’m talking about my personal contact. Not work. Work is work is work. This is basically you calling my house, not my office.

    Everything Is About Plugins

    Every. Single. Time.

    I’m only talking about unsolicited messages. Not “We’ve been talking about X in the #meta and let’s take it to a sidebar.” And it’s not “Last week you said X was okay in #forums and I have a followup.”

    I mean, literally, people I’ve never spoken to before who fall into one of two categories:

    1. People looking for help with a plugin I wrote
    2. People who got an email from the Plugins address

    For group 1, please use the WordPress support forums. For group 2, please press ‘reply’ on your email.

    But they don’t. Instead they use…

    Twitter

    It’s not a secret I leave DMs open on Twitter. This means, yes, anyone can DM me if they want. So far, I’ve received the following:

    • multiple offers to speak at an event
    • multiple requests to help with a plugin review
    • multiple complaints that blocking their ‘company’ account on twitter was unethical of me
    • requests for help from friends

    That last one I don’t mind. It’s pretty rare, and it’s from people who are, you know, friends. They’re also incredibly respectful of my time (as I try to be of theirs) and understand when I say no. Pro tip: If someone lashes out or acts up after you tell them ‘sorry, no’ they’re not actually your friend, they find you useful.

    Facebook

    This one cracks me up because I limit FB messages to friends only, so I get a lot of friend requests just so people can message me. I decline them. The only trend I’ve noticed there is people who met me at WordCamps (sorry, no), and people from AWP (again, no).

    I actually block a lot more people from FB for snide comments than anywhere else.

    Slack

    90% of the ‘unsolicited’ contacts on Slack I get are people who, for some reason, instead of pressing the reply button in their email, decide to DM me.

    The rest are people who have a question about plugins and even though they know about the email address, think it’ll be faster to DM me. At 8pm. On Saturday.

    Salem the cat from "Sabrina the Teenaged Witch" laughing maniacally while stirring a cauldron

    The contact form on my ebook site

    I actually went to look at those. The last few emails are:

    • Spam to pay someone to write copy for my site for ‘SEO’
    • Spam for a VPN
    • Someone asking ‘If I can’t use a contact form, how am I supposed to get help?’
    • Spam about SEO

    Dear person – That’s what the support forums are for.

    How Do You Contact Someone Without A Contact Form?

    Generally? You don’t.

    Look. There’s no form on my website because I’m not your free support. If you have a problem with a plugin I wrote, go to the plugin page on WordPress.org and ask for help. I get emailed when you do that. If you have a problem with a plugin review, press reply on your email. Shockingly? I get an email about that.

    What About Work?

    Oh that pesky professional thing.

    First of all – use the established contact methods. WordPress plugins all have support forums. Use those. Did you get an email? Press reply to the email and either propose a different method to converse or stick to whatcha got. Sometimes email will be the only way to go, as it’s the lowest common denominator (it’s 2017 – everyone has an email since you needed one to get on Twitter or Facebook or Slack in the first place).

    Next, if you know how to contact someone, unsolicited, about work things, then just do that. It’s not very complicated. You reach out, you apologize for the interruption, and you ask if I have time to talk about X. Here’s an example for you:

    Sorry to bother you. I’m planning a non-WordCamp event in Dallas for 2018 and I was wondering if you or your company would be interested in sponsoring? You can find the details at http://event-example.com and my email is me@event-example.com

    That works because you’re starting out being respectful of the other person’s time. You’re offering contact information, which demonstrates sincerity, and lets me know there’s a non-platform limited way to get in touch with you.

    Here’s another:

    Sorry about the DM, but I don’t know where to go for this. I’m having a problem with DreamPress and I can’t log in to my panel. What’s the right way to get my access back?

    This is good because you’re not assuming I’m the contact, and you’re asking ‘what is right?’ If it’s me, I’ll happily tell you. Well. Not happily, because I’ll be bummed you can’t log in, but I’ll help you sort it out (BTW: The answer there is the DreamPress Support page where someone’s familiar mug can be seen).

    The point here is that reaching out to someone, in an unsolicited way, requires you to begin by respecting them as a human. If you can’t do that, you’re basically sending them hate-mail.

    Be sincere. Be respectful. Be polite.

    And if you DM me about plugin reviews, I’ll just block you and walk away.

  • The Grammar of URLs in Email

    The Grammar of URLs in Email

    At many points in time I’ve complained that if you have a URL in your email, don’t use a period at the end of it because that can break links. That led to me being asked what the proper usage of URLs with punctuation actually is.

    This is not the law but it’s the rules I’ve come up with to ensure readability, linkability, and sanity when emailing links.

    Assume no HTML

    It would be easier if I just said “Visit example.com” and it was a link. You’d know what to do. You click on a link. The problem is not all email clients are HTML friendly. I’m aware it’s 2017. The fact is, the world is not as advanced globally as you might wish. Thus we have to assume that we will be emailing someone who cannot see HTML.

    Arguably that means they’d see <a href="http://example.com">example.com</a> and that may be okay to some of you. It’s not to me, since I aim for the lowest common denominator, and I know that modern email clients will convert http://example.com to a link for me. Therefore the correct solution is to send only the URL, without HTML surrounding it.

    Style Manuals

    The Chicago Manual of Style, which has been updated a few times, suggests you format footnotes with URLs as follows:

    • Fiona Morgan, “Banning the Bullies,” Salon, 15 March 2001, http://www.salon.com/news/feature/2001/03/15/bullying/index.html (accessed 24 Feb. 2003).

    Now in their example, there’s a space before the accessed date, so it’s easy to prevent errant trailing characters, but also they have a space before the link to make sure there’s no mistake there as well. The lesson to take away from this is that your URLs shouldn’t be marred with punctuation.

    Punctuation

    I believe the correct use of a URL is to never prepend or append punctuation. Or in other words: Do not end your sentence wth a URL.

    • Good: Please visit http://example.com/
    • Bad: Please visit http://example.com/.

    That trailing period? That’s bad. That will break on a lot of mail readers. But back to my gleanings from the manual of style, the correct usage is with a space on either side. In order to force that we can just remove the period but then do we use a capital letter for the next sentence?

    The Best We Can Do

    Grammar means we put words in a specific order to have a specific meaning. The same holds true for using URLs in our content. We must be aware of their context and placement.

    Some good examples:

    Please visit our site at http://example.com for more information.

    Or

    If you look at their website – http://example.com – you can see the magnitude of their errors.

    In both of those cases, we’ve put the URL in the middle of the sentence either prefacing it with an ‘at’ or using hyphens to indicate the URL is something special. The second way highlights the URL more in a text-only environment.

    Alright, what if you want to tell someone to download a link?

    Lorem ipsum blah blah blah
    Download the code here: http://example.com

    Notice how I put the download link on it’s own line? That breaks it out visually as well as generating a call to action. Download the code here.

  • Text Alerts and Email

    Text Alerts and Email

    Sometimes there are specific emails you want to be alerted to immediately. While there are a lot of options for this, like scripting things on the server level, most email tools let you handle this on their end.

    Cautions

    Short email is better. You get 160 characters. So this is a tweet length of stuff. Whatever emails you decide to do this with must be short.

    Be very careful based on how many texts you think you’ll get. If you get too many, you’ll blow through your limits.

    In order to email anything to your phone as a text, you need to know your email address. They all work the same way, in that it’s a phone number followed by an @something – just like normal email. What’s your address? You’ll have to read your network provider’s documentation. Wikipedia has a list of some US carriers that can get you started. If you have the option for MMS, and you know your email has pictures and stuff, use that. But again, you should be short!

    How To

    All you have to do is create a filter for the emails you want to forward. Seriously, that’s it.

    My gmail filter looks for emails with the subject [Mass WP Upgrade] and if found, applies a label, moves to a folder, never marks as spam, and yes, texts me.

    My Gmail Filter

    If you do this you’ll get an alert telling you that if you don’t mark things as spam, you can (heh) spam the hell out of your forward and get in trouble.

    This is pretty much the same as for cPanel, who has incredibly robust filter available. The extra fun is that while you can just use “Redirect to Email” to forward the message, you can also pipe it to a program on your server. If that made no sense to you, don’t worry about it. Just know it’s there.

    If you’re using gmail, you also need to add your text email address as a forwarding address. Don’t Panic!! I know it makes it look like it’ll forward all your email. It won’t. For cPanel and other things, they don’t require verification of the forwarding destination.

  • Gmail: Handling Bad Emails

    Gmail: Handling Bad Emails

    No, not bad emails as in the ones that you consider saving and posting for someone’s everlasting internet shame. Bad emails are the ones that go to the wrong place, through none of your fault. We’re talking about the people using an email you’ve not used in a decade, or someone who can’t remember your name is spelled with an A and not an E, and so on. You know, typos.

    One of the things I did on my old email was set up a trash email box. That is, people could email not-me@domain.com or me@olddomain.com and they’d get an auto-reply telling them the email was no longer in service. It was more important for an old domain I owned but didn’t use and yet people I needed to talk to still thought it was real. I could have forwarded it to me, but after 10 years, I upgraded to the “Folks, seriously!” alert.

    Doing this on cPanel was pretty easy, making a custom alias that dev/null’d and sent a reply. Doing it on Gmail was a little weirder and made me think about the situation.

    Canned Replies

    First you have to set up Canned Responses, which is a Lab (go to Gmail -> Settings -> Labs). You made a response like you make an email, only instead of sending it you save it by clicking on the down arrow and saving as a Canned Response:

    Canned Response Save

    Once you have it saved, set up a filter so any email to @domain.com gets a reply of that Canned.

    Don’t Be Sneaky

    If you’re thinking “Aha! I can use this to be sneaky!” with the intent of sending people emails to pretend you really are reading it, there is a problem with that. The email comes back from YOU+canned.response@example.com and no, there’s no really easy way around that. Someone did come up with a Google Script for it, but it’s not for the faint of heart.

    Now the question is, is that a bad thing? Is it bad for people to know they got a canned reply? No, not really. By putting in the +canned.response it’s obvious that it’s a canned, but it’s also obvious for you and you can filter the emails however you want. People who reply to canned? Auto-trash ’em. Or block them.

    Filters

    Instead of the canned reply, though, you can also just discard the email. Either don’t even bother to set up the email (or it’s alias at all), or if you do, filter it out and dump it. The only reason I could see bothering to make an alias for email you don’t want is if you either plan to review it later, or if you have a catch all email address. If you do this, making an alias, make sure you filter the emails and mark them read so you don’t get distracted by them.

    Catch All

    There’s a slightly different approach to all this, though. The idea of a catch-all email. By default, G Suites sends all your misdirected emails to trash. Accidentally mailed bob@example.com instead of b0b@example.com because the numbers and letters look the same? Tough luck. Unless Bob was smart enough to set that up as an alias (which I tend to do), your email was lost. The alternative is to designate a user as a ‘catch all’ account that gets everything that doesn’t belong to an existing user.

    That catch-all can auto-reply to all emails, forward ones that are important, and everything else. If you’re a business, you should do this so you don’t lose any misdirected emails from customers (they can’t spell after all), but remember to check that email often as it will also collect all the spam for all your accounts.