Spam from my contact form despite using recaptcha - have I made a mistake?

3 replies · opened Jan 31, 2017

MMikeJan 31, 2017

I am using Canvas on hitechspeed.com. I have a simplified version of the contact form on the main page which sends me an email with the name/email of the person who filled out the form.

I am getting hundreds of messages every day (just started happening on Friday). I wasn't using ReCaptcha at first but I implemented it immediately, but it hasn't stopped the problem. I even deleted my keys and set up new ones in case it was my keys which had been compromised, but it wasn't that. So I am not sure what is going on.

I am capturing the IP address of the form submitter and it's coming from various IP addresses, mostly from the TOR network, so it's some sort of bot net. I would be very surprised if they are able to bypass ReCaptcha, and while I have made a couple of changes to the PHP file, they are only small changes (I added a field to the form, and captured the IP address in the PHP file).

The emails I am getting are like this:

Name: 5890eae6a19e8
Email: XXXXXX@comcast.net
Message: Subscribe
Form ID: mainform
Remote IP: 216.239.90.19

Where the email addresses are legitimate but always different. The name is always a similar alphanumeric number, increasing sequentially.

MMikeJan 31, 2017

Forgot to really ask a question. Just wondering if anyone has any ideas what's going on? I figured ReCaptcha would solve this, but it hasn't. I don't know if the QuickContact.php script has vulnerabilities or perhaps there is some settings I should check on the server? I can't figure out how a script is continuing to submit my form dozens of times per day despite ReCaptcha being implemented (I even set it to the strongest security setting on Google's ReCaptcha site and it made no difference).

MMikeFeb 2, 2017

Well, no response here (disappointing).

But I got it figured out. The ReCaptha implementation in Canvas is fatally flawed. The PHP files test for whether ReCaptcha was used on the HTML form with the following line of code:

if( isset( $_POST['g-recaptcha-response'] ) )

But if there is no ReCaptcha submitted with the HTTP POST, it continues to just process the form. So, for any malicious person or script or bot that wishes to bypass ReCaptcha, all they need to do is submit the form via an HTTP POST directly to the form action URL and ignore the ReCaptcha on the page. Then the PHP file will process the form with whatever data was submitted as if ReCaptcha was never there.

This is a major security flaw and oversight and I hope it will be fixed in an update.

SSemicolon WebSTAFFFeb 2, 2017

Hello,

We Really Apologize about the Delays in replying! Thank You so much for reporting this to us! We will release an Update shortly today. Meanwhile, please find the following code in the include/sendemail.php File and other PHP Files which processes forms:

// Runs only when reCaptcha is present in the Contact Form
if( isset( $_POST['g-recaptcha-response'] ) ) {
	$recaptcha_response = $_POST['g-recaptcha-response'];
	$response = file_get_contents( "https://www.google.com/recaptcha/api/siteverify?secret=" . $recaptcha_secret . "&response=" . $recaptcha_response );

	$g_response = json_decode( $response );

	if ( $g_response->success !== true ) {
		echo '{ "alert": "error", "message": "Captcha not Validated! Please Try Again." }';
		die;
	}
}

and replace it with:

// Runs only when reCaptcha is present in the Contact Form
if( isset( $_POST['g-recaptcha-response'] ) ) {
	$recaptcha_response = $_POST['g-recaptcha-response'];
	$response = file_get_contents( "https://www.google.com/recaptcha/api/siteverify?secret=" . $recaptcha_secret . "&response=" . $recaptcha_response );

	$g_response = json_decode( $response );

	if ( $g_response->success !== true ) {
		echo '{ "alert": "error", "message": "Captcha not Validated! Please Try Again." }';
		die;
	}
} else {
	echo '{ "alert": "error", "message": "Captcha not Submitted! Please Try Again." }';
	die;
}

This will definitely fix the issue with SPAM. Hope this Helps!

Let us know if we can help you with anything else or if you find any further issues.

Have the same question, or something new?

Sign in to the Canvas dashboard to reply or open your own topic. Canvas owners get direct help from the SemiColonWeb team.

Reply on the dashboard