Spam Remediation — Akismet, ClickCease, SMTP Upgrade
Overview
Date: 2026-04-05
Attendees: Mark Hope, Sebastian Gant
Client: [1]
Mark and Sebastian worked through a spam complaint escalated by the client's web agency, Liontree. The session identified two distinct spam sources — form spam and call spam — and addressed both in real time. A third critical issue, email deliverability via PHP mail, was flagged and escalated for client action.
Background
Liontree emailed the client (Robin) reporting a large volume of suspicious form submissions and suggested adding a CAPTCHA. Liontree incorrectly attributed the spam to a Google PMAX campaign; no PMAX campaign is running. The actual sources were:
- Form spam: The existing v3 reCAPTCHA was ineffective against modern bots.
- Call spam: A newly launched Microsoft Ads campaign generated ~150 calls for ~$300 ($2/call), the majority of which were spam. ClickCease had not been configured for Microsoft Ads.
Key Decisions
- Akismet installed immediately on the WordPress site using Asymmetric's paid license, and connected to Gravity Forms via the Akismet add-on. Expected to block ~90% of form spam going forward.
- ClickCease to be configured for Microsoft Ads. Google Ads and Facebook Ads protection was already active (saving ~$115/month in fraudulent clicks); Microsoft Ads was missing.
- SMTP upgrade strongly recommended. The site is using WordPress's default PHP mail, which is treated as spam by most email providers. The client is likely missing legitimate form lead notifications. Recommended path: WP Mail SMTP Pro + SMTP.com.
- Client must review Gravity Forms entries weekly to catch missed leads and train the Akismet filter by marking spam manually.
Issues & Resolutions
Form Spam — Akismet
| Item | Detail |
|---|---|
| Problem | v3 reCAPTCHA (invisible) not blocking modern bots |
| Existing security | Wordfence (outdated; can block legitimate traffic) |
| Action taken | Akismet installed and activated during meeting |
| License | Asymmetric paid account |
| Integration | Connected to Gravity Forms add-on |
| Expected outcome | ~90% reduction in form spam |
"A kismet is just going to be brilliant. It'll be blocking 90%." — Mark Hope
Call Spam — ClickCease / Microsoft Ads
| Item | Detail |
|---|---|
| Problem | Microsoft Ads campaign launched without ClickCease protection |
| Campaign result | ~150 calls, ~$300 spend; majority spam |
| Current ClickCease coverage | Google Ads ✅, Facebook Ads ✅, Microsoft Ads ❌ |
| Action required | Mark to configure ClickCease for Microsoft Ads |
| Optional mitigation | CallRail number with simple IVR ("Press 1 for sales") to block bot calls |
"We were shocked at the amount of calls that came in. It was $2 a call. They spent $300-something and got 150 calls." — Sebastian Gant
Email Deliverability — SMTP Upgrade
| Item | Detail |
|---|---|
| Problem | Site uses WordPress PHP mail; flagged as spam by email providers |
| Impact | Client likely missing legitimate form lead notifications |
| WP Mail SMTP | Plugin visible in dashboard but not actually installed |
| Recommended solution | WP Mail SMTP Pro + SMTP.com |
| Benefits | Proper DKIM/DMARC/SPF authentication; full email delivery log |
| Status | Pending — Sebastian to recommend to client |
"If somebody fills out a form... this email is coming out of the WordPress PHP email service, which means probably 10% of the people who fill out a form actually get this email." — Mark Hope
Action Items
- [ ] Mark Hope — Configure ClickCease protection for Microsoft Ads; enable for active campaigns
- [ ] Mark Hope — Add Sebastian to ClickCease notification emails
- [ ] Sebastian Gant — Email client re: Akismet + Gravity Forms installation
- [ ] Sebastian Gant — Recommend SMTP.com upgrade via WP Mail SMTP Pro for email deliverability
- [ ] Sebastian Gant — Ask client to review Gravity Forms entries weekly: mark spam to train filter, confirm all legitimate leads are being seen
Additional Context
Site Management Gap
The client's WordPress site is managed by Liontree, not Asymmetric. All plugins were found to be out of date. Asymmetric does not manage the client's DNS, which limits the ability to implement upstream security controls (e.g., Cloudflare-level blocking). The ClickCease bot-zapping WordPress plugin was not installed; Mark noted some caution about installing it given past instances of it suppressing legitimate traffic.
Gravity Forms Entry Review
During the meeting, Mark and Sebastian reviewed existing form entries and found a mix of clear spam ("I need info", repeated generic messages) and legitimate inquiries. The client does not appear to be regularly reviewing entries, meaning real leads may have been missed. With PHP mail unreliable, the entries view in Gravity Forms is currently the most reliable way to catch all submissions.
CallRail as Call Screening Option
If call spam from Microsoft Ads continues, a CallRail number with a simple IVR can be placed in front of the client's real phone number. This adds minor friction but effectively blocks bot calls. Mark noted this is the easiest implementation path.
Related
- [2]
- [3]
- [4]
- [5]
- [6]
- [7]