Contact Forms being heavily spammed

11 replies · opened Mar 11, 2021

DDigitalEssenceMar 11, 2021

Hi,

all of my sites running Canvas are receiving large amounts of contact form spam and I am having to remove the contact forms from the sites.

The forms are all using Google reCAPTCHA v2.

I can't keep adding keywords to the spam list as the content of the emails keeps on changing. I'm not having any issues with non-Canvas contact form sites using reCAPTCHA V2 or V3 and this spam issue is specific to sites running Canvas.

If it is manual spam then they are all submitting almost identical content and are working 24 hours a day.

DDigitalEssenceMar 11, 2021

Update:

I removed the contact form from one of the websites and the spam kept on coming.

I've now renamed the /include/form.php and the spam has stopped dead.

Seems like it's not actually humans filling out the form but bots attacking the script directly. I have now changed this same file name on another site which is being heavily spammed and will report back if I see the spam has stopped (also change the html within the form to point to the new filename).

SSemicolon WebSTAFFMar 12, 2021

Hello,

Apologies for the Inconveniences caused!

According to your explanation, it appears that some websites have copied your Form HTML Codes or essentially entire website and thus their Form action uses your include/form.php to submit their forms. Try adding the following code at the top of your include/form.php File:
[ch_pre type="php"]$primaryhost = "oneillterrainservices.com"; //Your site url without http:// or https://
$currentreferer = $_SERVER['HTTP_REFERER'];

if ($currentreferer == "") {
$checkdomain = $primaryhost;
} else {
$checkdomain = parse_url( $currentreferer );
}

if( $checkdomain['host'] != $primaryhost ) {
echo '{ "alert": "error", "message": "Form not Submitted!" }';
exit;
}[/ch_pre]

This should prevent SPAM from other Websites. However, reCaptcha v2 if configured correctly should not cause this issue. Meanwhile, we are releasing an Update with fixes to reCaptcha v3 later tonight, so you can consider updating your Website and using the Latest Codes to try if this fixes the SPAM issue. We also recommend you to use SMTP instead of PHP mail().

Hope this Helps!

Let us know if we can help you with anything else or if you find any further issues.

DDigitalEssenceMar 12, 2021

Thank you, I have updated include/form.php with this code and will report back.

Also looking forward to the fixes to v3 tonight.

Regaridng updates, is it possible to release a file change list? I always have to run a compare on the whole HTML directory to see which files have changed.

Thanks.

DDigitalEssenceMar 12, 2021

Hi,

These changes have resulted in an immediate flood of spam and I have had to revert the file name back to xform.php to stop it. Please see attached image for the relevant numbers.

  1. Added new code to form.php and renamed the file on my server back to form.php. Uncommented the form on the website
  2. There was a spam email sent immediately (9)
  3. Sent a test email to the client via the form (8)
  4. Spam emails flood in
  5. I change the filename back to xform.php due to spam
  6. Spam stops (1 is the last spam email)

The form will not submit without the reCAPTCHA box being ticked.

SSemicolon WebSTAFFMar 13, 2021

Hello,

Thanks for the report and more information on this. Any chances, you could please let us know where this form is being submitted? You can find the URL at the bottom of the Form Response Email.

Additionally, we have attached the Updated Google reCaptcha v3 File here.

Hope this Helps!

Let us know if we can help you with anything else or if you find any further issues.

DDigitalEssenceMar 13, 2021

Hi,

it's showing as either:

This Form was submitted from the live site at: http://oneillterrainservices.com/#
This Form was submitted from the live site at: http://oneillterrainservices.com/

Let me run through the v3 file and test.

Thanks for looking into this. I've had to change the form to send emails to my spam account as the customer was getting a little peeved at the amount of spam in their Inbox!

SSemicolon WebSTAFFMar 13, 2021

Hello,

We have checked the Forms on your Website on the URL mentioned and all the standard spam protection works. The Honeypot Bot-Check works and the reCaptcha Works. Very weird that so many SPAM are coming through but this does look like Human SPAM. We will keep investigating. Thanks for your Patience.

Meanwhile, do let us know if we can help you with anything else or if you find any further issues with Canvas.

DDigitalEssenceMar 16, 2021

Hi,

just wanted to report that since changing to reCAPTCHA v3 we have not had one single spam message come through which is great news.

But, this kinda says to me that it was bot spam we were receiving otherwise the spam would continue.

SSemicolon WebSTAFFMar 17, 2021

Hello,

That's great to know! We will keep threading out more effective ways to prevent SPAM.

Meanwhile, do let us know if we can help you with anything else.

DDigitalEssenceJul 13, 2021

Hi,

we've seen an uptick in comment spam on all of our forms again. It is getting to the stage where I'm going to have to use some other method as my customers are kicking up a stink. We are using reCAPTCHA v3 on the forms.

One of the sites is: https://oneillterrainservices.com/

thanks.

SSemicolon WebSTAFFJul 14, 2021

Hello,

We have checked the Forms on your Website and they Codes appear to be fine. The standard Honey-Pot spam protection works and also reCaptcha 3. But please note that SPAM Bots are always evolving. SPAM that are coming through are not really Bot SPAMs but looks like Human SPAM which can’t be prevented directly. So, you can setup filtered words inside the include/form.php File. Simply find the $spam_keywords and setup your keywords.

Hope this Help!

Let us know if we can help you with anything else or if you find any further issues.

Have the same question, or something new?

Sign in to the Canvas dashboard to reply or open your own topic. Canvas owners get direct help from the SemiColonWeb team.

Reply on the dashboard