
Confirmation emails

One of the very first features we added to LiberaForms was the possibility for form editors to include a checkbox at the foot of the form so that their public could request confirmation via email when the form was successfully submitted.

That is a nice feature and many people have used it over the last five or so years.

But times change.

Back then nobody knew about LiberaForms and we lived happily under the radar of bad actors.

Now that people are hearing about us, LiberaForms installations are getting more and more abuse.

Most of it is just the usual search for WordPress exploits, but some of it is designed to hurt.

Forms with the Confirmation email option enabled can be spammed and, because the server accepts the data in good faith, it kindly sends the confirmation email.

This is bad because the configured SMTP server will quickly end up on blacklists.

Countermeasures

Forms include honeypots and the server rate-limits form submissions. Both of these mechanisms help a lot.

Even so, they are not foolproof.

The solution

I am sorry to say that this feature is now disabled by default.

Sysadmins may enable it in the .env file.
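The following Python sketch is an added example, not LiberaForms' own code. It shows how the mechanisms described above fit together: a honeypot check, a per-IP rate limit, and a confirmation flag that stays off unless the sysadmin sets it. The setting name, the honeypot field name and the limits are assumptions made for illustration.

```python
import os
import time
from collections import defaultdict, deque

# Hypothetical setting name; the real key in LiberaForms' .env may differ.
FLAG = "ENABLE_CONFIRMATION_EMAIL"
HONEYPOT_FIELD = "website"   # hypothetical hidden field that humans leave empty
WINDOW_SECONDS = 60          # assumed rate-limit window
MAX_PER_WINDOW = 3           # assumed submissions allowed per IP per window


def confirmation_enabled(env=None):
    """Confirmation mail is off unless the sysadmin explicitly opts in."""
    env = os.environ if env is None else env
    return env.get(FLAG, "false").strip().lower() in ("1", "true", "yes")


class SubmissionGate:
    def __init__(self, env=None, clock=time.monotonic):
        self.env = env
        self.clock = clock
        self.hits = defaultdict(deque)  # ip -> timestamps of accepted submissions

    def _rate_limited(self, ip):
        now = self.clock()
        recent = self.hits[ip]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()            # forget hits that left the window
        if len(recent) >= MAX_PER_WINDOW:
            return True
        recent.append(now)
        return False

    def handle(self, ip, form):
        """Return (accepted, send_confirmation) for one submission."""
        if form.get(HONEYPOT_FIELD):    # hidden field was filled in: reject
            return False, False
        if self._rate_limited(ip):
            return False, False
        wants_mail = bool(form.get("send_confirmation")) and bool(form.get("email"))
        # A well-formed submission within the limits passes both checks,
        # so the flag is the last line of defence for the SMTP server.
        return True, wants_mail and confirmation_enabled(self.env)
```

With the flag unset, accepted submissions are still stored but no mail leaves the server, which is the trade-off the new default makes.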

What to do?

Email confirmation is a nice thing to have, but big installations with open user registration should keep on the safe side and not enable it.

Smaller installations can probably get away with it, especially if user registration is closed.

Either way, keep in mind that being on a blacklist is not fun.