
Feedback ignores Blacklist #430

Closed
Ipstenu opened this issue Mar 27, 2014 · 10 comments
Assignees
Labels
[Feature] Contact Form [Pri] Low [Type] Bug When a feature is broken and / or not performing as intended
Milestone

Comments

@Ipstenu

Ipstenu commented Mar 27, 2014

You have a moderation list and a blacklist.

You have a user you want to block from commenting forever. You add them to the blacklist. Surprise! They can still use the feedback form!

This should behave just like the blacklist on comments: It blackholes them. Done and gone. After all, you didn't want them around.

Logically I can see why it doesn't use the comment checks. If you have a check to only let users who have an approved comment, leave more comments freely, this would be a problem. There's no 'pending' value for feedback.

@georgestephanis
Member

This would be super easy to get around, just change the alleged from email address. Besides, blacklist tends to be things that shouldn't be displayed publicly automatically, allowing contacts would let them appeal the blacklist.

I could see grounds for adding a filter to have grunion follow the commenting blacklist though. Less sold on an admin option.

@georgestephanis georgestephanis added this to the 3.3 milestone Oct 9, 2014
@Ipstenu
Author

Ipstenu commented Oct 9, 2014

Sure, and it's just as easy to get around the current blacklists in WP. The point is, though, if you've put someone's email on your comment blacklist, the assumption can be made that you have a good reason. You DON'T want this person commenting on your site, so why are you making it easy for them to harass you? And yeah, I used 'harass' intentionally.

Certainly I can and do block their emails on the server, but I still have to go in and clean out the messages in feedback once in a while, and I for one get a lot of pretty vile garbage from people. So having one less place to have to read their BS would be beneficial.

It's always been relatively easy to work around if you're a dedicated troll, but if the blacklist just blackholed their contact messages, it does a lot for your mental health.

@jeherve
Member

jeherve commented Oct 10, 2014

+1. I think it's more about expectations than anything else. If I've added someone's email / name / IP address to your comment blacklist, I would expect that blacklist to apply everywhere readers can submit things to me.

@lezama lezama modified the milestones: 3.3, 3.4 Dec 16, 2014
@jeherve jeherve modified the milestones: 3.4, 3.5 Jan 28, 2015
@dereksmart dereksmart modified the milestones: 3.6, 3.7 Jun 25, 2015
@samhotchkiss samhotchkiss modified the milestones: 3.7, Needs Triage Aug 28, 2015
@zinigor zinigor modified the milestones: 3.9, Needs Triage Dec 1, 2015
@jeherve jeherve modified the milestones: 4.0, 3.9 Jan 15, 2016
@jeherve jeherve modified the milestones: 4.1, 4.3 Jun 17, 2016
@richardmuscat richardmuscat removed this from the 4.3 milestone Jul 7, 2016
@jeherve jeherve modified the milestone: 4.4 Jul 8, 2016
@jeherve jeherve modified the milestones: 4.4, Not Currently Planned Oct 27, 2016
@stale

stale bot commented Jul 7, 2018

This issue has been marked as stale. This happened because:

  • It has been inactive in the past 6 months.
  • It hasn’t been labeled `[Pri] Blocker`, `[Pri] High`.

No further action is needed. But it's worth checking if this ticket has clear reproduction steps and it is still reproducible. Feel free to close this issue if you think it's not valid anymore — if you do, please add a brief explanation.

@stale stale bot added the [Status] Stale label Jul 7, 2018
@abidhahmed
Contributor

Closing this for now, please feel free to reopen if required.

@Ipstenu
Author

Ipstenu commented Jul 10, 2018

FYI, yes this is still reproducible.

Make a blacklist. Try to give feedback if you're on it. Feedback still works.

Seeing as you already filter through Akismet, it stands to reason this should be possible. Even just as a filter I have to write.

@abidhahmed abidhahmed reopened this Jul 11, 2018
@stale stale bot removed the [Status] Stale label Jul 11, 2018
@lauragails

Yes, please make a jetpack contact form compatible blacklist!

I think it is an absolute necessity, especially for women.

Yes, a blacklist could be worked around. However, if a person got around the blacklist, the (assumed) receipt of the auto-reply could be used to show that said person was explicitly told to avoid contact, and actively chose to disregard the warning, when the contact was unwanted.

This piece of evidence is especially useful for people who choose/need to stop all active communication with people who continue to harass them, especially for safety reasons.

@Ipstenu
Author

Ipstenu commented Dec 22, 2018

Having just received 10 emails from someone abusing the contact form to get around email blocks, we really need this. It's a small and simple way to block harassing idiots who aren't spammers.

Since you're refusing to add this in, I've been forced to do this code, which is technically abusing akismet but it's this or find another contact form:

```php
add_filter( 'jetpack_contact_form_is_spam', 'jetpack_spammers', 11, 2 );

/**
 * Mark a contact-form submission as spam when the sender's email address or
 * IP address appears on the WordPress comment blacklist ('blacklist_keys').
 *
 * @param  boolean $is_spam   Default spam decision
 * @param  array   $form      The form data
 * @return boolean $is_spam   If the person is spam
 */
function jetpack_spammers( $is_spam, $form ) {
	// Defaults
	$emaillist = array();
	$iplist    = array();
	$blacklist = explode( "\n", get_option( 'blacklist_keys' ) );

	// Check the list for valid emails. Add them to spam if found.
	// Also check for IP address and add them
	foreach ( $blacklist as $spammer ) {
		// The option is saved with line breaks; strip stray "\r" and spaces so is_email() can match.
		$spammer = trim( $spammer );
		if ( is_email( $spammer ) ) {
			$emaillist[] = $spammer;
		} elseif ( filter_var( $spammer, FILTER_VALIDATE_IP ) ) {
			$iplist[] = $spammer;
		}
	}

	// Get the email from the form:
	$this_email = isset( $form['comment_author_email'] ) ? $form['comment_author_email'] : '';
	// Get the IP address:
	$this_ip = isset( $form['comment_author_IP'] ) ? $form['comment_author_IP'] : '';

	// If the email or IP is on the list, spam it (strict comparison: no type juggling).
	if ( in_array( $this_email, $emaillist, true ) || in_array( $this_ip, $iplist, true ) ) {
		$is_spam = true;
	}

	// Return the results
	return $is_spam;
}
```

This code will flag emails and IPs from people on your blacklist as spam. Done. Easy way to let your co-admins add in bad people.

If there was a better filter, I'm happy to use it, but this is for my own protection, which it galls me to see you deprioritize. It's 2018. People use technology to harass. This really should be higher on your list.

@Ipstenu Ipstenu closed this as completed Dec 22, 2018
@Ipstenu Ipstenu reopened this Dec 22, 2018
@lauragails

Thank you, Ipstenu. I switched comment forms, which was a pain, but glad to see this code is there for the future.

I agree, it's 2018 (now almost 2019). All contact forms absolutely need to have a way to block specific email addresses.

@Ipstenu
Author

Ipstenu commented Dec 23, 2018

Based on #11037 (which is WAY the hell more elegant, thank you @cfinke ) I've switched to this:

```php
add_filter( 'jetpack_contact_form_is_spam', 'jetpack_spammers', 11, 2 );
add_filter( 'jetpack_contact_form_is_spam', 'jetpack_harassment', 11, 2 );

/**
 * Run the submission through the same check WordPress applies to comments
 * (wp_blacklist_check), so the comment blacklist also covers the contact form.
 *
 * @param  boolean $is_spam   Default spam decision
 * @param  array   $form      The form data
 * @return boolean            If the person is spam
 */
function jetpack_spammers( $is_spam, $form ) {
	// Bail early if already spam or if the new feature made it...
	if ( $is_spam ) {
		return $is_spam;
	}

	if ( wp_blacklist_check( $form['comment_author'], $form['comment_author_email'], $form['comment_author_url'], $form['comment_content'], $form['user_ip'], $form['user_agent'] ) ) {
		return true;
	}

	return false;
}

/**
 * Catch senders who dodge the blacklist by reusing the banned address's
 * username, either as their display name or as a plus-addressed variant
 * (spammer+foobar@example.com for a banned spammer@example.com).
 *
 * @param  boolean $is_spam   Default spam decision
 * @param  array   $form      The form data
 * @return boolean $is_spam   If the person is spam
 */
function jetpack_harassment( $is_spam, $form ) {
	// Bail early if already spam
	if ( $is_spam ) {
		return $is_spam;
	}

	$badlist   = array();
	$blacklist = explode( "\n", get_option( 'blacklist_keys' ) );

	// Check the list for valid emails. Add the email _USERNAME_ to the list
	foreach ( $blacklist as $spammer ) {
		$spammer = trim( $spammer ); // strip "\r" and spaces left over from the option's line breaks
		if ( is_email( $spammer ) ) {
			$emailparts = explode( '@', $spammer );
			$username   = $emailparts[0];
			$badlist[]  = $username;
		}
	}

	// Check if the comment author name matches an email we've banned
	// You'd think we didn't have to do this but ...
	if ( in_array( $form['comment_author'], $badlist, true ) ) {
		return true;
	}

	// Check if the email username is one of the bad ones
	// This will allow spammer@example.com AND spammer+foobar@example.com to get caught
	foreach ( $badlist as $bad_person ) {
		// preg_quote() so usernames containing ".", "+" or "/" are matched literally
		// instead of being interpreted as regex syntax.
		if ( preg_match( '/' . preg_quote( $bad_person, '/' ) . '/', $form['comment_author_email'] ) ) {
			return true;
		}
	}

	return false;
}
```

The second part is a little more extra, but if you've blocked spammer@example.com and someone submits a form with spammer+avoid@example.com this will catch them. It has a higher chance of catching 'innocents'; however, considering I'm looking for something like rosbeitam@example.com, I'm reasonably confident in this for my personal application.
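The two snippets in this thread (the Dec 22 email/IP list check and the Dec 23 plus-address catch) both compare raw strings from the blacklist against raw form fields. The added example below is not Ipstenu's code and not part of Jetpack: it normalises both sides first (lower-case, trimmed, `+tag` removed) and then does exact matching, which catches `Spammer+avoid@Example.com` without the substring false positive that a regex built from the username produces for an unrelated `notspammer@example.com`. The function names (`canonical_email`, `parse_blocklist`, `submission_is_blocked`) and the sample blocklist and submissions are constructed for the example; the form keys are the ones the thread's callbacks read, and the `add_filter` hook-up only runs when WordPress functions are present, so the file also runs on its own from the PHP CLI.

```php
<?php
// Added example (not Jetpack or Ipstenu's code): normalise submitter data
// before comparing it with the comment blocklist, then hook it into the
// jetpack_contact_form_is_spam filter when running inside WordPress.

/**
 * Canonical form of an address: trimmed, lower-cased, "+tag" sub-address
 * removed, so spammer+avoid@example.com equals spammer@example.com.
 * Returns null for anything that is not shaped like an email address.
 */
function canonical_email( string $email ): ?string {
	$email = strtolower( trim( $email ) );
	if ( ! filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
		return null;
	}
	[ $local, $domain ] = explode( '@', $email, 2 );
	$plus = strpos( $local, '+' );
	if ( false !== $plus ) {
		$local = substr( $local, 0, $plus );
	}
	return $local . '@' . $domain;
}

/**
 * Parse the newline-separated blocklist (the shape of the WordPress
 * 'blacklist_keys' option) into sets keyed by canonical email and by IP.
 * Blank lines and Windows line endings are tolerated.
 */
function parse_blocklist( string $raw ): array {
	$lists = array( 'emails' => array(), 'ips' => array() );
	foreach ( preg_split( '/\r\n|\r|\n/', $raw ) as $line ) {
		$line = trim( $line );
		if ( '' === $line ) {
			continue;
		}
		$canon = canonical_email( $line );
		if ( null !== $canon ) {
			$lists['emails'][ $canon ] = true;
		} elseif ( filter_var( $line, FILTER_VALIDATE_IP ) ) {
			$lists['ips'][ $line ] = true;
		}
	}
	return $lists;
}

/**
 * Decide whether a submission should be dropped. $form uses the key names
 * the thread's filter callbacks read: comment_author_email and user_ip.
 * Exact matches on the canonical form avoid substring false positives.
 */
function submission_is_blocked( array $form, array $lists ): bool {
	$email = canonical_email( $form['comment_author_email'] ?? '' );
	if ( null !== $email && isset( $lists['emails'][ $email ] ) ) {
		return true;
	}
	$ip = trim( $form['user_ip'] ?? '' );
	return '' !== $ip && isset( $lists['ips'][ $ip ] );
}

// Inside WordPress: wire the check into the same filter the thread uses.
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'jetpack_contact_form_is_spam', function ( $is_spam, $form ) {
		if ( $is_spam ) {
			return true; // respect Akismet or an earlier callback
		}
		$lists = parse_blocklist( (string) get_option( 'blacklist_keys' ) );
		return submission_is_blocked( $form, $lists );
	}, 11, 2 );
}

// Stand-alone demo with a constructed blocklist and constructed submissions
// (documentation addresses only; nothing here is a real sender).
if ( 'cli' === PHP_SAPI && ! function_exists( 'add_filter' ) ) {
	$lists = parse_blocklist( "spammer@example.com\r\n203.0.113.7\n\n" );
	$cases = array(
		array( 'comment_author_email' => 'spammer@example.com',       'user_ip' => '198.51.100.2' ),
		array( 'comment_author_email' => 'Spammer+avoid@Example.com', 'user_ip' => '198.51.100.2' ),
		array( 'comment_author_email' => 'alice@example.net',         'user_ip' => '203.0.113.7' ),
		array( 'comment_author_email' => 'notspammer@example.com',    'user_ip' => '198.51.100.2' ),
	);
	foreach ( $cases as $form ) {
		printf(
			"%-28s %-14s %s\n",
			$form['comment_author_email'],
			$form['user_ip'],
			submission_is_blocked( $form, $lists ) ? 'blocked' : 'allowed'
		);
	}
}
```

The first three constructed submissions are blocked (exact address, plus-addressed and differently-cased variant, and blocked IP) and the fourth is allowed, which is the case the thread's `preg_match` on the bare username would have flagged. Anything this callback returns `true` for is handled exactly like the thread's own filters: Jetpack treats the submission as spam rather than delivering it.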
