More spam since Sparkle 3?

Hi all, first of all congrats and a big thank you for Sparkle 3!

As recommended I use an unique mail address for the form on my site. Since the upgrade I receive notably more spam than before. Before 3 in a month, now 1-2 a day. Is this a coincidence? I am going to change the contacts form address, but I want to inform you because it looks like something changed.

Sparkle 3 improves mail form spam resilience actually. But it’s an arms race. Please forward a few mail form spam messages and we’ll take a look.

I’m experiencing more spam as well. I’ve been deleting them but as soon as I get a new one I’ll forward it to you as well @duncan.

Hi @Karin, I always get an increase of spam at this time of year - Black Friday and Christmas seem to attract spammers! This is across all my email accounts not just those linked to Sparkle.

Hi @all.

Is it definitely an abuse of the contact form? That would not be good.
Or has the e-mail address slipped into spam lists?

Mr. F.

In the meantime, I’m also doubting that it is the contact form because I noticed I already changed the address a while ago (sorry @duncan). Probably it is a coincidence or a time of year phenomena.

Yeah those were just regular spam, not spam through the contact form. The latter is what we’re interested in seeing and fixing. The email address you use in a contact form will never leak. We can’t really do much if someone uses your email address and spams you.

I was confused because I don’t use the email address the spam was sent to. I created it for the form, but later I understood that an existing address isn’t necessary and forgot to delete it on the server. How spam gets us loco anyway :crazy_face:

IMPORTANT : When it comes to your email I feel Sparkle does a really good job, but the big one is (and I see it time and time again) that Users place their email address ( on their website so if you do that then Sparkle cannot protect your email being collected by the spambots and you getting spammed! The spambots are continually scrapping websites across the world!

If you must place your email on your web page then display it in this way - my(at) and don’t link it to your email… that is what your Sparkle contact form is for.

What @greenskin points out is absolutely correct. When you do the SEO check, sparkle should detect an email address in “clear view”. Then change the @ into something else and remove the link, if you have set it.

Mr. F.

1 Like

Well in fact sparkle’s seo check does detect it. It’s up to you to change it.

1 Like

Yeah, I know. 25 years ago it were actual persons :smiley: but the weird thing is that the particular address which received spam wasn’t used or placed on my site. Like you wrote: that’s what the contact form is for. So it seems they can find you without being placed.

@Karin, There are so many ways your email(s) can be lifted - through social media, through signing up for something, through joining an online group, even through sending unsecure (no SSL Certificate against the domain name) emails that can be intercepted, etc…

Even by temporary joining an open free WiFi you are open to scammers, hackers, and lifting of your emails and more.

In the end you just need to be aware of it all and do your best to protect it - our capitalist system breeds this! :frowning:

Here’s a good feature if you have a Gmail account. You can add a “+keyword” to the username, e.g. if your Gmail address is, you can use any one of these:

All the above are valid Gmail addresses and will help you track from where the email address was lifted.

1 Like

I understand, but: I don’t have social media, domain has SSL etc. The really weird thing is, as I wrote I created this address especially for the form. But then I learned that it wasn’t necessary and put a fake address not even at my domain which works fine. Because I forgot this part, by the time I received spam I thought it was coming from the form because I created it especially for that but finally never used it. Not even once, so it can’t be lifted in the situations you describes. I Only forgot to delete it on the server after learning that I didn’t need it. So it looks like someone invented it, which is possible because it was Info@ but I thought the days were long gone that actual people were gathering addresses.

@Karin, Understand! :slight_smile:

One of the biggest reasons I have not worked with WordPress (and even want it on my eco-servers) is because of the “backdoors” that the hackers can use. This not only gives the hackers access to the client’s WP website and database, but also at times (if the server’s zillion firewalls are not up) the breaching of the hosting platform giving the hackers access to all the emails that live there.

So it can be possible that your hosting server has been breached?, if you are sharing it with other Users that are using WordPress.

Wow, this sounds like a plausible explanation. There is WordPress on the hosting server, which I also tried in my after-Muse quest! But at the same time strange (and lucky :smiley:) that the email addresses which I do use, are not affected. Yesterday I simply deleted the spam-receiving address because I didn’t use it. For now, problem solved and apologies for suspecting Sparkle’s form :innocent:

1 Like

Hi Karin,

Unfortunately, the days of real people harvesting email addresses are still here.

In some countries people are cheap and criminal gangs don’t give a damn anyway so force real people to harvest emails. Some even go so far as to try and access all files, even .PHP held on your domain’s servers. The really professional criminals have probably hacked many hosting providers sites years ago.

Having your email address as fred(AT) or trying to disguise it rarely works nowadays either. Years ago I secured my my email addresses using a small Javascript routine, which obfuscated the address. Worked fine unless the spammers used the debug modes of a browser! ReCaptcha fails now, too. Real people are identifying traffic lights, boats, etc.

Now, as Sparkle users you will running on a Mac. How many of you use Mail? Quite a few. How many of you still have a check mark next to “Load remote content in messages”?

That remote content can be much more than logos or pretty pictures! At best the sending server gets an acknowledgement that your email address is real. Here is an example (edited) of remote content tracking information tagged on the end of an image URL from a recent email:


Uncheck that “Load remote content” option in the Mail preferences and you have started to fight back against the spammers.

The other thing to do is to check your email addresses on This site will tell you if an email has been harvested in a data breach. You can then decide if it’s still worth using that address!

The trouble is we want people to contact us and the harder we make it the less likely they are to do so.

Forms are not ideal but are probably the best method out there and Sparkle makes them easy.


1 Like

Today my first SPAM mail from the contact form arrived.
It is clearly an abuse of the form: ridiculous termination notification for my website from

We have made several attempts to reach you by phone, to inform you regarding the TERMINATION of your domain [deleted]

CLICK HERE FOR SECURE ONLINE PAYMENT:[deleted by me]&r=a&t=1609699036&p=v1


Ha ha. Arnold Schwarzenegger is back.

I got that one too via my mail form. Does that mean something in Sparkle forms is vulnerable?



We have not received your payment for the renewal of your domain [mydomain]

We have made several attempts to reach you by phone, to inform you regarding the TERMINATION of your domain [mydomain]