Spam emails from website forms
Does anyone have any ideas to stop Spammers sending timewasting emails from one of my forms other than a Captcha, as there isn't the area to add one of these without it looking incongruous?
Yesterday my customer got 50 Spam emails, today they got 196. Just wondered if anyone has had a similar problem and how they resolved it, without using a Captcha?
Thanks
Thanks @madesimplemedia, however the form already has email validation and they are using our own email address.
If they are coming from a known IP address you can use the dashboard IP Address Blacklist to manage blocking of an IP. However, c5 only applied that to user accounts, so you will also need to modify the PHP for the form block receiver or the email sender to check the blocked IP list. Spammers tend to be more sophisticated about their IP addresses, so such an approach will only catch the most basic.
In PHP, adding anything to the receiver for the form that detects where the form was posted from and the history of recent pages and confirms all are from your site may also help block unsophisticated spammers (though if anyone wanted to code up a spammer to explicitly target your form, such a defense could be circumvented).
Ultimately, you have to trade off the amount of spam you get vs the hassle for users of a captcha.
Thanks also @JohntheFish, I did wonder if IP address blocking might be an option, but I think the Captcha does sound like the best option.
It would be great if someone could create a simple add-on that would block suspicious website form usage - like bulk emails sent in a short space of time. I'm sure it must be possible to set a series of rules based on how spammers operate; "if this happens, then...etc" - that's above my pay grade though lol.
Anyway, thanks for your input guys.
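The rules discussed in the posts above (a blocked-IP list, a check that the form was posted from your own site, and a cap on submissions in a short space of time), sketched as an added example that is not part of the thread or of concrete5's code. It is written in Python for illustration and would need porting to the PHP form receiver; SITE_HOST, BLOCKED_IPS and the limits are assumed values.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"   # assumption: the site's own host name
BLOCKED_IPS = {"203.0.113.7"}   # assumption: stand-in for the dashboard IP blacklist
MAX_PER_WINDOW = 3              # assumption: accepted submissions per IP ...
WINDOW_SECONDS = 600            # ... within any 10-minute window

_recent = defaultdict(deque)    # ip -> timestamps of accepted submissions


def check_submission(ip, referer, now):
    """Return (allowed, reason) for one form POST; `now` is a Unix timestamp."""
    if ip in BLOCKED_IPS:
        return False, "ip_blocked"

    # The Referer header is supplied by the client, so this only stops
    # unsophisticated senders. Compare the parsed host exactly: a substring
    # test would accept http://www.example.com.spam.invalid/ as our own page.
    if urlsplit(referer).hostname != SITE_HOST:
        return False, "foreign_referer"

    # Sliding window: forget accepted submissions older than the window,
    # then refuse if this IP has already used up its allowance.
    window = _recent[ip]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()
    if len(window) >= MAX_PER_WINDOW:
        return False, "rate_limited"

    window.append(now)
    return True, "ok"
```

A sender posting every two minutes from one address gets three submissions through and is then refused until the oldest one leaves the window.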
There are several captcha addons, so you can test and find one that best suits your customer/users.
Integration of the ID blacklist with form response handling for the core form block or the mail helper would best be implemented as a pull request on the core.
You could check with the various extended form block developers and see if one of their addons already does something like that.
Hi John,
I have added a Captcha to my form now, but my website http://devon-lodge-holidays.com... is still getting majorly attacked by spammers via the footer email data capture form. Literally every 2 mins!
Just wondered if you had any more thoughts please?
I haven't actually had to implement this on any C5 sites of my own yet, but on many WordPress sites you can block a large portion of spam / DOS things by simply blocking anything that tries to access with an empty user agent. I do so with the htaccess file. Of course it may be worth looking at your access logs to determine if this would provide you any help or not.
Basically, since a majority of 'bots' don't bother to fully emulate a browser, you can weed many of them out.
.htaccess file
    Options +FollowSymLinks -MultiViews
    RewriteEngine on
    # Refuse (403 Forbidden) any request whose User-Agent is empty or a lone "-"
    RewriteCond %{HTTP_USER_AGENT} ^-?$
    RewriteRule ^ - [F]

Obviously you would put your existing rewrite rules underneath this so that if they do have an empty user string you don't even bother processing their request.
Hi @exchangecore,
Thanks for the reply, I have attached a screenshot of what the typical log looks like, as I'm not quite sure what you are looking for in this?
Also, thank you for the code. Do I take it that the completed htaccess file with the inclusion of your code, should read as follows?:
    # -- concrete5 urls start --
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME}/index.html !-f
    RewriteCond %{REQUEST_FILENAME}/index.php !-f
    RewriteRule . index.php [L]
    Options +FollowSymLinks -MultiViews
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} ^-?$
    RewriteRule ^ - [F]
    </IfModule>
    # -- concrete5 urls end --

I appreciate your help
David
I was actually referring to your http access logs (usually found in your control panel with your webhost if you are on shared hosting).
As far as your htaccess file it would look something more like this:
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^-?$
    RewriteRule ^ - [F]
    # -- concrete5 urls start --
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME}/index.html !-f
    RewriteCond %{REQUEST_FILENAME}/index.php !-f
    RewriteRule . index.php [L]
    # -- concrete5 urls end --
    </IfModule>

I have applied this and will let you know if it works.
Fingers crossed and thanks again
It appears to have slowed the amount of spam, but not stopped it so far.
Unfortunately I'm not sure there's much more easy advice I could give you without taking a look at your access logs to try and find something else common between the submissions. If you'd like me to look into it further you can feel free to PM me, since it's probably not the *best* idea to post your HTTP access logs publicly anyway.
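An added example (not code from the thread) of the access-log check suggested above: it counts how many form POSTs the empty user agent rule would refuse and summarises what the remaining ones have in common. The log lines are constructed, and the form path /contact/submit is a hypothetical stand-in for your form's real URL.

```python
import re
from collections import Counter

# Apache "combined" log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Same pattern as the RewriteCond in the thread: empty or a lone "-".
EMPTY_UA_RE = re.compile(r'^-?$')

# Constructed sample lines (documentation IP ranges, hypothetical form path).
SAMPLE_LOG = '''\
203.0.113.7 - - [12/Mar/2015:10:00:01 +0000] "POST /contact/submit HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [12/Mar/2015:10:02:03 +0000] "POST /contact/submit HTTP/1.1" 200 512 "-" ""
198.51.100.23 - - [12/Mar/2015:10:02:40 +0000] "POST /contact/submit HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ExampleBot)"
198.51.100.23 - - [12/Mar/2015:10:04:41 +0000] "POST /contact/submit HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ExampleBot)"
198.51.100.23 - - [12/Mar/2015:10:06:42 +0000] "POST /contact/submit HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ExampleBot)"
192.0.2.50 - - [12/Mar/2015:10:07:00 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.50 - - [12/Mar/2015:10:07:30 +0000] "POST /contact/submit HTTP/1.1" 200 512 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
'''


def parse(log_text):
    """Yield a dict of fields for every line in combined log format."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def triage(log_text, form_path):
    """Summarise POSTs to the form: caught by the rule vs. still getting in."""
    posts = [e for e in parse(log_text)
             if e["method"] == "POST" and e["path"].startswith(form_path)]
    remaining = [e for e in posts if not EMPTY_UA_RE.match(e["agent"])]
    return {
        "posts": len(posts),
        "blocked_by_rule": len(posts) - len(remaining),
        "remaining": len(remaining),
        # What do the submissions the rule misses have in common?
        "by_ip": Counter(e["ip"] for e in remaining).most_common(3),
        "by_agent": Counter(e["agent"] for e in remaining).most_common(3),
        "no_referer": sum(1 for e in remaining if e["referer"] in ("", "-")),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "/contact/submit"))
```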
Actually there have been no more logged in the last hour, so I'm hoping that's it!
But thanks for your very kind offer, I may take you up on that if that's okay and they continue? I will update you in 24 hours, thanks again bud.
Sure, if the .htaccess file actually resolves your issue be sure to mark it as the correct answer so future users know what solved the problem.
Sure, will do. Thanks again
Try this add-on, none of my clients get spam.
http://www.concrete5.org/marketplace/addons/automatic-email-obfusca...
BTW, the source code shows shed loads of errors.
Errors? What sort of errors do you mean Steev?
View code with Firefox, you'll see what I mean.
Sorry, may as well be written Russian to me, can you be a bit more specific please Steev? Thanks
Steve,
Your plugin looks like it works well for what it does, but I'm not sure it will help prevent someone from spamming submits via the form, since there is no listed email address. Unless I'm mistaken?
EC
All the spam I am receiving are random letters at Hotmail.com, for example this was the latest: qiaebskian@hotmail.com and all of the others are similar but different.
Hi EC, sorry it did slow the traffic down to a dribble for a while, but later in the evening the site just got hit big time again. I have removed the form from the footer now for a few days, to see if they just go away.
I did notice my hosts 1and1 went down also at the same time and apparently this was across the whole of 1and1 and no one could get access to their control panels and I wonder if they got attacked and locked-down (they won't say why, hmmmmm!) and if you think there could be connection???
I have backed up my sites since just in case.
Interesting, I had 1&1 access issues yesterday with one of my accounts.
I highly doubt that you're receiving spam due to an attack on their servers. You are receiving spam due to the form on your website (at least that's been my understanding up to this point). It's not like they are just sending you spam email directly to your email account, I guess is what I'm getting at.
My next best recommendation would probably be to look at using a different CAPTCHA system. As mentioned in many other posts around the C5 site. I'd take a look at the reCAPTCHA add-on in the marketplace. It's free and may just solve your issues:
https://www.concrete5.org/marketplace/addons/recaptcha-captcha/...
Read through the documentation, looks pretty simple to implement.
Yes, I'll give it a go, thanks.
Can you advise how you managed to resolve your client's spam issue? We are having the same problem at the moment. Many thanks in advance!
Are all the fields required to be filled in?
You may be able to get at the HTML and use AngularJS, which has some nice options:
http://www.madesimplemedia.co.uk/news/form-validation-with-angularj...