Spammers submitted hundreds of forms recently

[bobbingwide]

Just recently I started receiving a spate of spam submissions.

The general format of the submission was:

contact name: contained an URL
email: was a gmail address
subject: contained an URL
message: was blank

Also:

• The honeypot field was left blank, as expected
• the nonce was correct.
• the IP addresses changed between submissions
• In my email client quite a lot of the emails were marked as Junk, but others remained in the Inbox

Workaround

I removed the contact form from the page.

[bobbingwide]

Proposed solution

• Don't accept contact name containing an URL
• Don't accept subject containing an URL

[bobbingwide]

While testing in PHP 8.2 I got these deprecated messages

Deprecated: str_replace(): Passing null to parameter #2 ($replace) of type array|string is deprecated in C:\apache\htdocs\wordpress\wp-content\plugins\oik\includes\oik-contact-form-email.php on line 21

[bobbingwide]

Don't accept subject containing an URL

The improvement to bw_basic_spam_check() doesn't perform the check against the subject. This needs to be passed in the $fields array. Note: The Akismet check doesn't use this field.