Unsafe email config is used without sufficient protection.


This warning appears when the email configuration allows spammers to abuse the contact form and no sufficient spam protection is deployed.

If you have a mail-tag, like [your-email], in the email template's To, Cc, or Bcc header field, the mail-tag is replaced with whatever email address the user typed into the form, and the email generated from the template is delivered to that address. This dangerous situation lets malicious users or spammers abuse the contact form as a relay: they choose the recipient, and the message goes out from your mail server under your site's name.

To protect your contact forms from this risk, activating spam protection modules is strongly recommended. Since the likeliest and most worrisome attack scenario is bulk email sent by spambots, deploying reCAPTCHA, which is designed to block automated bot attacks, is a must. Ideally, you should consider using Akismet in combination with reCAPTCHA.

The best tactic is to minimize the number of castle gates that need to be protected. Keep in mind that spam protection modules may mitigate the risk, but they cannot eliminate it altogether. Unless it is absolutely necessary, avoid unsafe email configurations that allow email to be sent to arbitrary user-specified addresses: in practice, do not put a mail-tag in the To, Cc, or Bcc field.
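To make the mechanism above concrete, here is an added example, not code from the original page or from the plugin, that checks an email template for mail-tags in the To, Cc, and Bcc fields and shows what a spambot's submission turns the To header into. It assumes the `[name]` mail-tag syntax shown on this page, treats names beginning with an underscore (such as `[_site_admin_email]`) as site data rather than user input, and uses a hardened template with a fixed recipient and the visitor's address in Reply-To; the template fields, addresses, and the submission are all constructed for the example.

```python
import re

# Mail-tag syntax as described on this page: a name in square brackets, e.g. [your-email].
# Special mail-tags such as [_site_admin_email] expand to site data rather than to user
# input; treating any name that begins with an underscore as not user-controlled is an
# assumption made for this example.
MAIL_TAG = re.compile(r"\[(?P<name>[A-Za-z_][A-Za-z0-9_-]*)\]")

# Header fields that decide who receives the outgoing message.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc")


def user_controlled_recipient_tags(template):
    """Return (header, mail-tag) pairs where user input selects a recipient.

    `template` is a dict of email template fields, e.g. {"To": "[your-email]", ...}.
    """
    findings = []
    for header in RECIPIENT_HEADERS:
        for match in MAIL_TAG.finditer(template.get(header, "")):
            if not match.group("name").startswith("_"):
                findings.append((header, match.group(0)))
    return findings


def is_unsafe_email_config(template):
    """True when a recipient header can be set by whoever submits the form."""
    return bool(user_controlled_recipient_tags(template))


def render_header(template, header, submission, site_values):
    """Expand mail-tags in one header field the way the plugin would at send time.

    User-submitted fields come from `submission`; special (underscore) tags come
    from `site_values`. Unknown tags are left in place.
    """
    def expand(match):
        name = match.group("name")
        if name.startswith("_"):
            return site_values.get(name, match.group(0))
        return submission.get(name, match.group(0))

    return MAIL_TAG.sub(expand, template.get(header, ""))


# --- Constructed sample data (not from the original page) -------------------------

# Unsafe: the To field is whatever address the visitor typed into the form.
UNSAFE_TEMPLATE = {
    "To": "[your-email]",
    "From": "[your-name] <wordpress@example.com>",
    "Subject": "[your-subject]",
    "Body": "[your-message]",
}

# Hardened: fixed recipient; the visitor's address appears only in Reply-To, which
# cannot redirect delivery (an assumed layout, not one prescribed by the page).
SAFE_TEMPLATE = {
    "To": "[_site_admin_email]",
    "From": "[your-name] <wordpress@example.com>",
    "Reply-To": "[your-email]",
    "Subject": "[your-subject]",
    "Body": "[your-message]",
}

# What a spambot submits: it picks the recipient it wants to reach.
SPAM_SUBMISSION = {
    "your-name": "Totally Legit Offers",
    "your-email": "victim@example.net",
    "your-subject": "You have won",
    "your-message": "Click here ...",
}

SITE_VALUES = {"_site_admin_email": "admin@example.com"}


if __name__ == "__main__":
    for label, tpl in (("unsafe", UNSAFE_TEMPLATE), ("safe", SAFE_TEMPLATE)):
        print(label, user_controlled_recipient_tags(tpl),
              "-> To:", render_header(tpl, "To", SPAM_SUBMISSION, SITE_VALUES))
```

Run stand-alone, the unsafe template reports `[your-email]` in To and renders the To header as the spammer-chosen `victim@example.net`; the hardened template reports nothing and always delivers to the site admin, while the visitor's address survives only in Reply-To where it cannot change the recipient.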

