Stopping SPAM on the Contact Form

New Member

What is the most effective way to eliminate SPAM messages via the Contact Form?  

I keep getting two or three "Please notify when" blank "becomes available" emails a day on the same product (see below).  The funny part is that the product is NOT out of stock and IS available to purchase.  If I set the publish date to some time in the future (unpublished), the spam emails start on another product.

I have already installed "Improved Contact Form" and "Shop Protector" Apps that don't stop the problem.

 

You received a new message from your online store's contact form.

 

Email:

heavenly_angels_77028@yahoo.com

Body:

Please notify me when 10mm Wide Linen Copper Cuff Bracelet - Solid Copper Cuff becomes available - 

1 Like
Shopify Staff

Hey, John!

Jason here from Shopify Support.

Currently, on Shopify, a Captcha is set to appear on both your newsletter and contact form signups when there are two submissions done from the same IP address within 24 hours. 

Knowing that you have already tried Improved Contact Form and Shop Protector, there are two other apps you may want to take a closer look at:

1. Zero Spam reCaptcha Contact Form
2. Emailab

There are also a few third-party options you can integrate onto your contact page that are quite popular: 

1. Wufoo
2. jotForm

To be honest, there isn't a way that can block out spambots entirely. There are a few more methods you may want to try if you are fluent with coding. Here is a great thread on how you can add basic Captcha on your blog. Another useful guide to follow is here.

Lastly, if you'd prefer skipping Captcha and reCaptcha methods altogether, there is also a popular method called Honeypot Trap technique. The basic idea behind it is that you code a blank space in your contact form hidden from normal users. The bots will fill it out thinking it's part of your form, then you get to capture the bots and block their IPs. The best thing about this technique is that you are not relying on customers to click or fill out forms to distinguish themselves away from bots. You are actively using coding to trap bots and blocking them away. There are multiple resources online. Here is a great guide on Honeypot Trap.

I hope that information helps, however, should you have any questions, please don't hesitate to reply back here and I'd be happy to help out!

All the best,

Jason

Jason | Social Care @ Shopify
Was my reply helpful? Click Like to let me know!
Was your question answered? Mark it Accept as Solution to help others locate the answer!
Your Like and Accept as Solution are much appreciated!
To learn more visit the Shopify Help Center, or the Shopify Blog.

1 Like
Shopify Partner

JasonC,

 

Here's an interesting and mysterious twist on this issue. I don't have the contact form enabled (not using the "page.contact" template), yet I've received an email from WowzaBrain (Shopify) <mailer@shopify.com>, saying "You received a new message from your online store's contact form." The message is clearly spam when I view it. How are the bots getting access to a contact form I haven't activated?

 

To avoid confusion, "WowzaBrain" is my store.

 

Any ideas?

0 Likes
Shopify Staff

Hi, Derek!

 

Jason from Shopify support. 

 

This is quite odd. Do you have any contact form active at all in the store (other than the page.contact template)? If not, to be honest, I can't offer too much insight on this issue without taking a closer look into your account. Another thing to note is since you've received this spam email, have there been others? Or is this solely a single incident? Let me know if you want me to take a closer look into it for you.

 

All the best,

Jason


0 Likes
New Member

Hi Jason, 

 

We are seeing the exact same thing on our shop, and it started happening in the last week.  It appears folks have found a way to hit these unpublished contact forms and it would be great if you could have a deeper look here. 

 

Thanks,

Eric

1 Like
Excursionist

Same problem here.... lots of spam coming in.  

1 Like
Shopify Partner

Hmm. Your question forced me to think just a bit more.

 

Yes, I loaded HULK Apps's free Simple Contact Form on January 17th. I received my first spam message on February 1st. I received my second one (nearly identical) on February 2nd. I haven't received any since the 2nd.

 

I gave the app a specific email address. The spam messages I'm receiving from mailer@shopify.com are coming to a different address, so I assumed (I know, I know) that loading the app had nothing to do with receipt of the spam messages. Perhaps I was wrong.

 

Does that added information help?


@JasonC wrote:

Hi, Derek!

 

Jason from Shopify support. 

 

This is quite odd. Do you have any contact form active at all in the store (other than the page.contact template)? If not, to be honest, I can't offer too much insight on this issue without taking a closer look into your account. Another thing to note is since you've received this spam email, have there been others? Or is this solely a single incident? Let me know if you want me to take a closer look into it for you.

 

All the best,

Jason


 

0 Likes
Shopify Staff

Hi, Derek, Eric, and Angela!

 

Thank you all for reaching out and letting me know what had happened. A special shoutout to Derek for offering more context on the situation so I was able to discuss the incidents with our safety team. The safety team has verified that this is a known phishing email that started around January 28th. After the investigation, it's confirmed that the merchants can safely disregard/delete these messages. The workaround at the moment is to clear your browser's cookies and cache.

 

Keep in mind the issue here is that the contact form API is open to the public. Consequently, these spammers are bypassing any form and hitting the API directly. Shopify can't entirely block this type of spam as it is being generated either via the Contact Us page or the underlying system that supports this function (in Derek's case, even if you don't have a contact us page from Shopify). Our safety team, however, is continuously on the lookout for new trends and has already implemented fixes that will hopefully reduce this type of spam.

 

If you have more questions, don't hesitate to reach back out here. I'd love to help you out!

 

Best,

Jason


0 Likes
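
An earlier reply in this thread describes the honeypot trap, and the reply above notes that spammers post to the contact form API without loading any form. The following is an added example (not part of any post here and not Shopify's code) of a server-side check that covers both cases, assuming a contact endpoint you host yourself; the field name `contact_website`, the submission shape and the sample data are assumptions.

```javascript
// Added example: server-side honeypot check for a self-hosted contact endpoint.
// Assumed form markup (hidden from people with CSS, not type="hidden"):
//   <input type="text" name="contact_website" tabindex="-1" autocomplete="off">
const HONEYPOT_FIELD = "contact_website"; // hypothetical field name

function createHoneypotFilter(fieldName = HONEYPOT_FIELD) {
  const blockedIps = new Set();
  return {
    blockedIps,
    // Classify one parsed submission; returns { verdict, reason }.
    check(fields, ip) {
      if (blockedIps.has(ip)) {
        return { verdict: "reject", reason: "ip-blocked" };
      }
      // A browser sends every text input, so the trap arrives as "".
      // A client that posts to the endpoint without rendering the form
      // typically omits it: reject, but do not block on absence alone.
      if (!Object.prototype.hasOwnProperty.call(fields, fieldName)) {
        return { verdict: "reject", reason: "honeypot-missing" };
      }
      if (String(fields[fieldName]).trim() !== "") {
        blockedIps.add(ip); // the field is invisible to people, so a value means automation
        return { verdict: "reject", reason: "honeypot-filled" };
      }
      return { verdict: "accept", reason: "ok" };
    },
  };
}

// Constructed sample submissions (not real traffic); IPs are documentation ranges.
const SAMPLES = [
  { ip: "198.51.100.7", fields: { email: "customer@example.com", body: "Is the cuff adjustable?", contact_website: "" } },
  { ip: "203.0.113.9", fields: { email: "bot@example.com", body: "Please notify me when ...", contact_website: "http://example.com" } },
  { ip: "203.0.113.9", fields: { email: "bot@example.com", body: "second attempt", contact_website: "" } },
  { ip: "192.0.2.44", fields: { email: "bot2@example.com", body: "posted without the form" } },
];

// Runs the samples through a fresh filter and returns the reason for each.
function runSamples() {
  const filter = createHoneypotFilter();
  return SAMPLES.map((s) => filter.check(s.fields, s.ip).reason);
}

console.log(runSamples());
```

Rejecting a submission that lacks the trap field catches direct posts that never rendered the form, while the IP block is reserved for the stronger signal of a filled trap.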
Shopify Partner

Sweet. Thanks, Jason (and Shopify security team). Knowing what's going on is half the battle.

0 Likes
Shopify Staff

Hi, Derek!

 

No problem at all. I'm glad that we were able to identify the issue and not blaming other apps for what had happened. That being said, if you see any spikes of the spam emails, feel free to reach back out either on this thread or on the forum. This way, the support team, including me, can notify the safety team and expedite them to work on a fix. Thank you in advance!

 

Best,

Jason


0 Likes