Often the built-in Joomla contact forms component (com_contact) is abused by spammers. These contact forms allow the sender to receive a copy of the form contents and all spammers need to do is enter the email address of the target as sender/from. This way, anyone can use the Joomla contact form for spamming anyone. This short article explains how to disable and combat this.
Whenever you see prefix_
, substitute that with the prefix or your database tables, for example jos_
. So prefix_extensions
becomes jos_extensions
.
Spammers abuse the send a copy to the submitter to send spam to target recipients.
Disable the Send Copy to Submitter global option in MySQL
To disable the 'Send a copy to yourself' option:
- Log on to your MySQL database using phpMyAdmin or MySQL cli
- Look up the com_contact information in the prefix_extensions table:
SELECT * FROM `prefix_extensions` WHERE name = "com_contact";
- set "show_email_copy":"1" to 0, but be careful editing JSON directly so we'll use MySQL/MariaDB's JSON_SET() function to edit this key/value pair:
UPDATE prefix_extensions set params = JSON_SET(params, "$.show_email_copy", "0") where extension_id = 8;
This assumes component com_contact has extension_id 8, the first SELECT will provide you its id number.
Set show_email_form to 0 too to disable the form completely:
update `prefix_extensions`
set params=JSON_SET(params, "$.show_email_form", "0", "$.show_email_copy", "0")
where extension_id = 8;
In your Joomla Control Panel, use the following path:
- System > Global Configuration
- select Contacts in the COMPONENT list, and
- set Send Copy To Submitter to Hide.
I've just re-done this in Joomla 3.9.23, in which the default option is not to show the Send Copy to Submitter form. I'm not sure when this was turned off by default.
Flexi Contact
FlexiContact is a free contact form that is very easy to setup yet has enough features for most websites.
When FlexiContact is in use, disable the send a copy option by setting show_copy
to 0 for the component com_flexicontact. You can do this the same way as for Joomla's com_contact.