Suggestions to stop spam on contact form, without using Captcha

Thank you all for your replies.

Although Teodor has been through everything on the website and found no injection code, I think this spammer is directly using the API.

Because we use Office365 Exchange I have to have a dummy domain in plesk that I use to relay the emails through, otherwise it tries to deliver the mail to the localhost. As soon as I delete this dummy domain the spam stops, however if I create a new dummy domain with different credentials, as soon as I send one request from my website the spam immediately starts! I have other sites using the same dummy domain smtp and they are not getting any spam, so I’m guessing there is something out there that's watching the API of the domain concerned and as soon as a form is sent it somehow starts spamming, targeting the API directly as you suggest.

I’d like to directly use O365 and I have read through the post of @vfn Email Not sending - hellllpppp
but for me the emails won’t go through. I’m a little confused as to how to get the more detailed error message out, all I get in the browser inspect is server error 500.

Lastly, the php function I used to use before DMX and Wappler had an anti spam function in the send script which checked to see if the function was being used locally or from another IP address, perhaps this is something that needs to be added to Wappler Send Mail?

By way of an update my ISP has checked everything at their end and found nothing.

I re-created the API file with a different name and used a 3rd party smtp company and the spamming has stopped. I can only presume something targeted/found the API file, remembered its name and somehow every time I used it started sending spam through it directly!

Am I right in thinking no anti-spam measures on the actual form page would have stopped this and what in the future can be done to stop it happening again?

Yes…and no. The more anti-spam measures you enforce means that the spammer might just look for another victim and leave you alone.

You should protect your API endpoint as much as you can, but know that nearly all restrictions can be circumvented.

  • Restrict origin header
  • Rate limit it
  • Log IP of who is calling it and block automatically if it goes over the rate limit.
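The three measures in the list above, as an added example that is not from this thread or from Wappler: a plain Node.js gate for a contact-form API endpoint that rejects requests whose Origin header is not on an allowlist, keeps a sliding-window count of calls per client IP, and automatically blocks an IP that exceeds the limit. The allowed origin `https://example.com`, the window and block lengths, and the function names are this example's own assumptions; the returned `log` string is what you would write to your server log.

```javascript
// Added example: Origin allowlist + per-IP rate limit with automatic block.
// Written framework-free so the logic can be read and tested on its own;
// in a real app the request's Origin header and client IP are passed in.

const ALLOWED_ORIGINS = new Set(['https://example.com']); // assumed site origin
const WINDOW_MS = 60 * 1000;        // sliding window: one minute
const MAX_PER_WINDOW = 5;           // submissions allowed per IP per window
const BLOCK_MS = 15 * 60 * 1000;    // automatic block once the limit is exceeded

// Per-IP state: timestamps of recent calls and an optional block expiry.
const clients = new Map();

function originAllowed(origin) {
  // Browsers always send Origin on a cross-site form POST; a missing header
  // is typical of a script calling the endpoint directly.
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

function checkRateLimit(ip, now = Date.now()) {
  let state = clients.get(ip);
  if (!state) {
    state = { hits: [], blockedUntil: 0 };
    clients.set(ip, state);
  }
  if (state.blockedUntil > now) {
    return { allowed: false, reason: 'blocked' };
  }
  // Forget calls that fell outside the window.
  state.hits = state.hits.filter((t) => now - t < WINDOW_MS);
  if (state.hits.length >= MAX_PER_WINDOW) {
    state.blockedUntil = now + BLOCK_MS;   // step 3 of the list: auto-block
    return { allowed: false, reason: 'rate_limited' };
  }
  state.hits.push(now);
  return { allowed: true, reason: 'ok' };
}

// Run both checks; returns the HTTP status to send and a line for the log.
function gateRequest({ origin, ip }, now = Date.now()) {
  if (!originAllowed(origin)) {
    return { status: 403, log: ip + ' rejected: bad origin ' + (origin || '<none>') };
  }
  const rl = checkRateLimit(ip, now);
  if (!rl.allowed) {
    return { status: 429, log: ip + ' rejected: ' + rl.reason };
  }
  return { status: 200, log: ip + ' accepted' };
}

// Clears all per-IP state (useful for tests or a manual unblock).
function resetGate() {
  clients.clear();
}
```

The in-memory `Map` is enough for a single server process; behind a load balancer the per-IP state would need to live somewhere shared, and if the app sits behind a proxy the client IP must be taken from the proxy's forwarded header rather than the socket, or every caller counts as one IP.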

Thanks @JonL, can you direct to any info pages on how to implement the options you gave above?

If the API call has properly setup honeypots then even calling the API directly should keep them out.
I will be publishing a module next week covering spammer protection (it’s in post production) which should protect the API action against being called directly


Maybe it’s worth to wait for Brian’s tutorial as it will be a step-by-step.

Way better than me pasting a bunch of Stackoverflow links where you won’t be well received if you have questions because SO is one hell of a shit show :smiley:

In any case the first line of defence should be rate limiting as it’s the only effective thing you can do to stop API abuse. Unfortunately you are using PHP and I am not versed on php packages for rate limiting.


Sounds great Brian, looking forward to watching it…

Released 8 modules of the new Wappler 5 course, a bit earlier than I had planned but that’s life. Still lots more to follow, but I thought I should at least release up to the modules covering honeypots and spam protection. The technique is used on a registration form but would be exactly the same for a contact form.
The 2 modules are those headed Spam Bot and Registration Bot Protection which cover the blank honeypot and the coded honeypot.

Playlist: https://www.youtube.com/playlist?list=PLUjqTJN3byC9W9UFjsV9f9vefe_ZSFQfb


Thank you Brian for all your hard work.

Brian,

I have just one question…

On the second video where you create a session variable, if I were to unhide the input field which is set to have the value of that variable, should I see the variable string?

CK

Yes, if you change the input type to text you should see any content

Thought so…

In my case I don’t see any content. I have checked the new server action which generates the session and it looks correct.
As a test I added a set value using the UUID and I can see that value on my contact page but not the session.
When @Teodor did his version he created the session variable directly on the page via hand coded PHP, in that instance I was able to see the session variable in the input field.

I’m not sure what's going on as there are no errors in the browser inspector either.

CK

Yes but that was PHP, this is Node

Did you remember to check the output icon for the set session step?

If that doesn’t fix it then run your API action directly from the workflows panel

You should see the UUID output


Assuming you are using PHP (as your issue would be what PHP would do) we have a simple workaround. The problem is when using the PHP model the output option for set session does not actually do anything (been like that since day one, never fixed)

So for PHP 2 changes are needed

Firstly define the session variable in global


Add a second stage to the API action, a “set value”, and also call it codegen

Assign it the value of the session via the picker, selecting $_SESSION.codegen, and check output

That should enable an output

A short video on the extra steps required for PHP has been added

Thank you so much Brian for your extra video and the explanation above, the solution works like a charm.
I look forward to seeing your future tutorials which really show in a real life environment what Wappler can do!

CK

One point I would like to make regarding the two hidden input fields created in order to implement Brian’s ‘Honey Pot’ solution.

Rather than use hidden fields you can use ‘d-none’ if using Bootstrap 4 or above, this renders the fields hidden but doesn’t let any smart spam-bot ignore a hidden field tag.


I just went through this one today @Hyperbytes , seems to work just great, thanks for taking the time to make it.

Will Wappler's ‘visually hidden’ check box not achieve the same…?


Hello, I must say I didn’t go through all responses, but for what it’s worth, a way I’ve found to prevent spam on contact forms (at least to block lots of automated submissions) is to put your app (wappler or not) behind Cloudflare.

It is not a perfect solution, but it helps a lot.