Phantom Form Submissions

I had an email signup form that was getting tons of SPAM form submissions. My client decided to just remove the form altogether instead of fixing the issue. So I removed the form, cleared the cache, and even manually removed files from the cache directory.

Several days later we are still getting these form submissions. Does anyone have any insight as to how this could happen since the form does not exist anymore?

Are you seeing these submissions in the Dashboard or are you seeing it as emails?

Just emails. The offending email address is and these were showing up in the Dashboard until 2 days before I removed the form from the website. So no, they aren’t showing up in the Dashboard anymore but I am getting the emails.

Can you tell us which core version and what form system was in use (core express form, core legacy form, external form, forms addon package)

Core Version - 8.5.9
Express form

Nothing being recorded in dashboard/reports/forms would suggest the spammers’ process may not include pretending to submit a form to the form action.

Are the emails in the Log dashboard/reports/logs? If not, it could be the mail server being called directly by the spammer or even nothing to do with the web server and the spammer spoofing the sender address.

Are emails used anywhere else on the site? If not, you could disable email from the site as to confirm/deny site involvement. dashboard/system/mail/method

There’s nothing in the logs.

Although there is an order form on the site, I am going to disable email to see if that helps. Thanks for that suggestion.

I disabled email and have received no emails since. What are my options now? Do I wait the spammer out and then turn it back on?

This is very much a guess: For some reason although you have deleted the form, the form submit endpoint is still open and the core is responding to it. Though I am surprised the phantom submissions were not showing in the dashboard log.

Waiting the spammer out may work, or they may return anyway.

Some routes to follow (individually or in combination)

  • Install strengthened anti spam such as Anti Spammer Master

  • Make sure the form is actually deleted in Express, not just the form block on the page.

  • Check GitHub for similar issues between 8.5.9 and 8.5.12, there could be an issue and a fix.

  • Upgrade to 8.5.12

  • For safer forms, using a marketplace forms package such as my own Form Reform can provide stronger protection, especially when combined with Anti Spammer Master. However, that won’t resolve your current phantom submission issue, merely help prevent recurrence in the future.

Thanks for everything!

Same thing happened to us. If you can remove the emails on the part of the form associated it might work. It did for us. We had 2,000+ files in the files folder and had to delete those and the emails.

I disabled email for a few days and then turned it back on and haven’t seen any submissions for a few days. I’m not sure why this worked but it did. Perhaps the scammer moved on to easier prey.