Forums

Form captcha breached

Permalink
Guys

I have a customer with a contact form here:

http://www.clearviewbusiness.com/contact/get-touch/...

He is being bombarded with spam form entries. it seems to be bots breaching the captcha.

Does anybody have any ideas as to how this might happen and what might be done about it please?

Ian
igrieves
 
jero replied on at Permalink Best Answer Reply
jero
The underlying library that generates the CAPTCHA has I think received some attention from these ****** and they've spent a while reverse engineering the images and they can now do it automatically. The only solution is to use something that's a bit more robust, for example you could try installing reCaptcha and switching to that.

http://www.concrete5.org/marketplace/addons/recaptcha-captcha/...
igrieves replied on at Permalink Reply
igrieves
That has installed fine and seems to work. Lets se if the spam stops.

Thanks for your help.

Ian
jero replied on at Permalink Reply
jero
Hopefully that did stop the spam, however you may be interested in the (free) invisible recaptcha addon I just uploaded.

https://www.concrete5.org/marketplace/addons/invisible-recaptcha/...
igrieves replied on at Permalink Reply
igrieves
Thanks, I'll take a look.
Gondwana replied on at Permalink Reply
Gondwana
Here's a radically different approach:
https://www.concrete5.org/marketplace/addons/contact-form-no-links1...
jero replied on at Permalink Reply
jero
Interesting approach - however the site referenced is 5.6 and your addon is 5.7+.

It's probably no that hard to override the 5.6 block controller and make it check for links as yours does.
igrieves replied on at Permalink Reply
igrieves
Gentlemen,

Thank you all for your responses. I will investigate all three.

Ian
ConcreteOwl replied on at Permalink Reply
ConcreteOwl
You also have a fully exposed email address on your page that could easily be protected from spam bots by installing this free addon..
http://www.concrete5.org/marketplace/addons/automatic-email-obfusca...
Your exposed email even has the subject line added "subject=Enquiry from the Website."
linuxoid replied on at Permalink Reply
linuxoid
Ian,

My 2 cents...

The best way to prevent bot spamming and input injection attacks is to sanitize all form inputs (basically to strip all non text symbols, e.g. \n, \r) and to add a limit on the form submission frequency from the same IP, e.g. once every 1 or 10 minutes.

And yes, of course not to show any email address in plain text anywhere on site.