Form Spam

This section is for posting questions which are not directly related to WYSIWYG Web Builder.
Examples of off topics: web server configuration, hosting, programming related questions, third party scripts.

Note that these questions will generally not be answered by the administrators of this forum.

Form Spam

Post by Magical » Thu Jan 11, 2018 10:03 pm

Greetings,

I am getting spam on a form which has reCAPTCHA v2. It also appears the spam is bypassing a required constraint for the message field to have at least 40 characters. I have checked the reCAPTCHA and it's functional, as well as the validation constraint for 40 characters. Any thoughts on how this could happen, and what would be a way to prevent it?


Re: Form Spam

Post by Pablo » Thu Jan 11, 2018 10:11 pm

Is reCaptcha part of the form?
Note that reCaptcha is a service of Google, so I have no control over the way it works.

Also note that validation is not a restriction, but rather a guideline for the user.
For example, it is possible to bypass JavaScript via the browser's debugger.


Re: Form Spam

Post by Magical » Thu Jan 11, 2018 10:17 pm

reCAPTCHA v2 is part of the form. When I don't click the check box it sends me to the reCAPTCHA failure page.


Re: Form Spam

Post by Magical » Thu Jan 11, 2018 10:22 pm

Looking at the data in the name field, I think it's the same bot. It's just repeating 5a579xxx. The IP addresses are all Tor exit nodes.


Values submitted from web site form:
IP Address : 51.15.34.214
Referer : xocomputers.com/index.html
Name : 5a5799c4f3c56
Email : treading@applied.com
Phone :
Message :

Values submitted from web site form:
IP Address : 93.115.95.205
Referer : xocomputers.com/index.html
Name : 5a579bd48461d
Email : kingsley.asanji@yahoo.com
Phone :
Message :

Values submitted from web site form:
IP Address : 176.10.104.240
Referer : xocomputers.com/index.html
Name : 5a579bdc32260
Email : lynneofivory@yahoo.com
Phone :
Message :


Re: Form Spam

Post by Pablo » Fri Jan 12, 2018 7:22 am

Maybe the messages were sent manually?
Or maybe you have another form on the website without recaptcha?


Re: Form Spam

Post by Rob » Fri Jan 12, 2018 4:02 pm

The normal captcha seems to work for me - for the sites that have it. Adding it back to the ones that don't to cut down on spam.

As an alternative - I wonder if it is possible to add a field that is hidden from the user but is set up to "require" that the field be empty. So if a robot tries to fill out the form it will want to fill in this field and the form won't work. Have not tried it myself, but thoughts?

I do assume there are a number of SEO spammers who go to website portfolios and manually spam all the sites on there. Gotta get fancy to filter those out.
Small Business Website Design - BTWSB.net


Re: Form Spam

Post by Magical » Fri Jan 12, 2018 4:47 pm

Pablo wrote: Fri Jan 12, 2018 7:22 am
Maybe the messages were sent manually?
Or maybe you have another form on the website without recaptcha?

That was my first thought. I checked for it; nope, it's the only form. Besides, the PHP code has the captcha requirement. I was looking for a way to get the captcha response in a hidden field on the form so I could trace if the captcha was even executed.

I have heard some chatter of "headless" browsers, where they can directly call the script and pass all the fields and in doing that sending a false value for the captcha.


Re: Form Spam

Post by Magical » Fri Jan 12, 2018 4:48 pm

Rob wrote: Fri Jan 12, 2018 4:02 pm
The normal captcha seems to work for me - for the sites that have it. Adding it back to the ones that don't to cut down on spam.

As an alternative - I wonder if it is possible to add a field that is hidden from the user but is set up to "require" that the field be empty. So if a robot tries to fill out the form it will want to fill in this field and the form won't work. Have not tried it myself, but thoughts?

I do assume there are a number of SEO spammers who go to website portfolios and manually spam all the sites on there. Gotta get fancy to filter those out.

Great idea! I will try the alternative. Still getting a few spams from the same bot. Thanks.


Re: Form Spam

Post by Magical » Fri Jan 12, 2018 9:06 pm

Adding a hidden required field did not work. It prevented the form from submission and kept asking to complete the hidden field. Back to the drawing board.


Re: Form Spam

Post by Rob » Fri Jan 12, 2018 9:50 pm

Is the field "required to be empty" "data required" checked yes, min = 0, max = 0. Pablo, thoughts?
Small Business Website Design - BTWSB.net


Re: Form Spam

Post by Magical » Fri Jan 12, 2018 10:37 pm

If you make it required you have to add a value. I just created an editbox, called it LastName, hid it, made it required, changed the min characters to 1 and the max characters to 1. Even added an initial value.

It still threw an error, that lastname needs to be filled.


Re: Form Spam

Post by Magical » Fri Jan 12, 2018 10:40 pm

I think that spammers are able to bypass any client-side validation. I know they are going through the script because I get their IP addresses from the script, but somehow they are only executing half the script, since the script also checks for the captcha validation and they bypass it.


Re: Form Spam

Post by Pablo » Sat Jan 13, 2018 7:43 am

Input validation uses JavaScript, so this can be bypassed.
Captcha is validated on the server (via PHP). This does not use JavaScript, and they should not be able to bypass this unless there is a problem with reCaptcha (Google).
But if this was a known issue then you would expect that Google had already fixed this by now.


Re: Form Spam

Post by Magical » Sun Jan 14, 2018 5:48 am

I cannot tell if they are going through captcha or not; maybe they validated once as a human and then have a script which just checks the box. I tried to get around the captcha but could not.

How do I add a custom code validation after the ValidateEmail in the code snippet below for index.html? I couldn't find a hook in the IDE to do any type of server-side validation. I will simply check if the message field has at least 40 characters; if not, just kick it back.

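// Fragment of the form script; $mailfrom, $eol, $error and $error_url are defined elsewhere in it (not shown).
$boundary = md5(uniqid(time()));

// Build the mail headers.
$header = 'From: '.$mailfrom.$eol;
$header .= 'Reply-To: '.$mailfrom.$eol;
$header .= 'MIME-Version: 1.0'.$eol;
$header .= 'Content-Type: multipart/mixed; boundary="'.$boundary.'"'.$eol;
$header .= 'X-Mailer: PHP v'.phpversion().$eol;

// Server-side check of the sender address.
if (!ValidateEmail($mailfrom))
{
   $error .= "The specified email address is invalid!\n<br>";
}

// On any error, output the error page with ##error## replaced by the message, then stop.
if (!empty($error))
{
   $errorcode = file_get_contents($error_url);
   $replace = "##error##";
   $errorcode = str_replace($replace, $error, $errorcode);
   echo $errorcode;
   exit;
}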


Re: Form Spam

Post by Pablo » Sun Jan 14, 2018 8:22 am

You can add custom code to the form via 'Custom Form Processing'.
See also the info in the help.
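
The server-side form of the checks discussed in this thread, as an added example that is not part of any post or of the code WYSIWYG Web Builder generates: the 40-character rule and the "must stay empty" hidden field are enforced in PHP, so they hold even when the browser's JavaScript validation is skipped. The field names `website` and `message`, the function name and the sample requests are assumptions made for illustration.

```php
<?php
// Added example. Field names 'website' (honeypot) and 'message' are assumptions;
// 'g-recaptcha-response' is the field the reCAPTCHA v2 widget adds to the form.
const MIN_MESSAGE_CHARS = 40;

function validate_submission(array $post): array
{
    // Treat missing or non-string values (e.g. message[]=x) as empty.
    $field = fn(string $key): string =>
        is_string($post[$key] ?? null) ? trim($post[$key]) : '';
    $errors = [];

    // Honeypot: hidden with CSS and NOT marked required in the browser.
    // People leave it empty; a bot that fills in every input does not.
    if ($field('website') !== '') {
        $errors[] = 'honeypot field was filled in';
    }

    // Repeat the 40-character rule here, where the sender cannot switch it off.
    // strlen() counts bytes, which is enough for a minimum-length check.
    if (strlen($field('message')) < MIN_MESSAGE_CHARS) {
        $errors[] = 'message shorter than ' . MIN_MESSAGE_CHARS . ' characters';
    }

    // Trace whether a reCAPTCHA token was posted at all. Presence alone proves
    // nothing: the token must still be verified with Google on the server.
    if ($field('g-recaptcha-response') === '') {
        $errors[] = 'no reCAPTCHA token in the request';
    }
    return $errors;
}

// Constructed sample requests (not taken from the thread's logs).
$samples = [
    'empty message, no token' => ['name' => 'x', 'email' => 'a@example.com', 'message' => ''],
    'honeypot filled' => ['website' => 'http://example.com', 'g-recaptcha-response' => 'token',
        'message' => 'Short text repeated to pass the length rule, forty chars plus.'],
    'ordinary enquiry' => ['website' => '', 'g-recaptcha-response' => 'token',
        'message' => 'My laptop will not boot after the last update. Can you help?'],
];

foreach ($samples as $label => $post) {
    $errors = validate_submission($post);
    // Log the reasons; show the sender only a generic error page.
    echo $label, ': ', $errors ? 'REJECT (' . implode('; ', $errors) . ')' : 'accept', PHP_EOL;
}
```

Logging the rejection reasons per request also answers the question raised earlier in the thread of whether the bot's requests carried a captcha token at all.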
