Form Spam

Re: Form Spam

Post by protectourlands »

For what it is worth, I have discontinued using Google reCAPTCHA V2 and invisible. They no longer work for me. The WB CAPTCHA blocks everything.

Re: Form Spam

Post by Magical »

Thanks. Planning on doing that. Got slammed today with spam.

http://securityaffairs.co/wordpress/56 ... cking.html

There is actually a paper on how to break the captcha by using Google's voice recognition API to solve the captcha.

“Let’s download the audio file and send it to Google Speech Recognition API. Before doing so, we will convert it to a ‘wav’ format, which is requested by Google’s Speech Recognition API. Now we have the audio challenge file and are ready to send it to Google Speech Recognition. How can this be done? Using (Google’s own) API,” continues the post.

And there is a pay service
http://www.solverecaptcha.com/

Re: Form Spam

Post by [RZ] »

@protectourlands
thanks for the info about google, i didn't know about such an issue! do you mean that even google team were not able to fight effectively against spam!?

Re: Form Spam

Post by Rob »

Ok. I got a simple “are you human” QnA to work. Set a field required to 1 – be a number under general, 2 - validate default as a number and equal to the correct answer, 3 – set condition to allow the send button to work only when answer is correct. I think it worked with human entry. I am hoping this works with robot spam. Thoughts?
The Website Guy - MN
Small Business Web Design

Re: Form Spam

Post by [RZ] »

rob, i did my own captcha, fortunately i'm not so famous as google guys, so robots did not pay attention to my existence and they did not discover my formulas :) -- seems they are a bit complex at the moment...
i think what you did should be enough, but i was in the urgent need to resolve it in a different way and helped me a lot against spam

Re: Form Spam

Post by Magical »

I think any solution widely used will be widely vulnerable. A custom solution will probably work better as fewer people will focus on breaking it. But does it still have the same level of confidence when talking to clients? They all want that shiny google captcha.

I am thinking of a combination, invisible captcha followed by a server side validation.

Re: Form Spam

Post by protectourlands »

@protectourlands
thanks for the info about google, i didn't know about such an issue! do you mean that even google team were not able to fight effectively against spam!?
RZ

Several months ago I began receiving spam through V2 and Invisible when it hadn't been getting through previously. To me it seemed the bad guys figured out a way through. I internet searched this and didn't find anything, so I concluded Google didn't want this public until they could fix it. I never filed a ticket and always hoped it would get resolved. I switched back to WB CAPTCHA.

A few weeks ago I had a client complain about the complexity of "repeat these characters" WB CAPTCHA in a simple email newsletter signup form. I tried V2 again and no luck. I tried Invisible again and no luck. I even tried a hidden field and a javascript, hoping the spammers could not parse js and that didn't work. The client eventually had me remove the form.

In conclusion, the only way I have been able to absolutely prevent spam is to use WB CAPTCHA "Repeat These Characters". I was searching through the forum yesterday and found this string stating what appeared to be the same experience I had with V2 and Invisible. I don't believe I was installing the Google systems wrong, but I suppose anything is possible.

I see forms on the net all the time that do not use upfront CAPTCHA. I have read several articles on how this could be done but have no idea if they are effective. I did try the hidden field/js method and that did not work for me. I am open to any recommendations.

Re: Form Spam

Post by [RZ] »

i think magical is correct, nothing is not vulnerable at all, as we are dealing also with humans (a weird specimen sometimes) and in that case they qualify as non-robots and if they want can manually spam all the time
so i have a combination/variant of more than one technique
fortunately spam has stopped -- but idiots are smart driving you crazy, unfortunately they are beyond of the captcha algorithm because there is nothing we can do with people with too much spare time

Re: Form Spam

Post by [RZ] »

I concluded Google didn't want this public until they could fix it
how true i find this assertion!
private solutions are not the first target, i agree with this also (and this is the main reason why i opted for a private one, in my personal case i wrote my own captcha and silent captcha, fortunately it works, however i think if you already found a way and it works, do not change it unless you are searching for something different or specific to your scheme)
captcha is so catchy... so you need discreet ways to protect your forms
in just a few words i agree with you

Re: Form Spam

Post by Magical »

I really appreciate everyone's support and sharing your experience. Together we can only become stronger and better. I am learning more about captcha than I ever thought I would need.

A friend suggested I get a new sitekey and secret key. So I am going to give it one more shot, otherwise I will just keep the captcha as a honey pot and roll out my own solution underneath. Having it on the form will satisfy a key client requirement, having my own solution underneath will get me out of the clean up mess.

For the future it would be nice if WWB have an option to save the captcha response and send it in the email. Or have a choice between server side validation and client side validation fields, and "fake" required fields which are hidden and appear to scripts as required but should actually be blank.

Re: Form Spam

Post by [RZ] »

forget the "fake" required fields, this is pretty outdated... since some time ago robots already know this

Re: Form Spam

Post by [RZ] »

btw, forgot to mention, captcha should be constantly checked... (not an easy job, do not expect too much from freebies solutions)

Re: Form Spam

Post by Magical »

Thanks for all the suggestions. I had a discussion with my ISP. Fortunately and I mean big time fortunately, there was an experienced guy manning the phones, and he asked me to make some changes.

1 - Have a custom script for submission - he had me add an onclick check to the submit button overriding its default behavior, and then another onclick which just returns true. Somehow this confuses some of the bots.

2 - Change the file extension to php from html. I had enabled a handler on the server which sent all html files through the php engine, but he had me change index.html to index3.php and disable the handler. He said this will hide your form from many of the bots, and if your page has php then the extension should be php.

Additional:
3 - Add a hidden field "Valid Captcha" with a default value of "Yes". Then in the onclick submit script set that value to "Null". In the php he wants me to redirect to a 400.html location if not Null. (have not done this yet).

Since I made the changes 4 days ago I have only received one spam mail. Just sharing in case it would help anyone.

Re: Form Spam

Post by Patrik iden »

Hello, i also made my own kind of Captcha just using WWB fields and some PHP random number code.
It's a long time since i did this but i'll try to explain if it helps.

1. So i have one field that i named captcha_question and in this field i have the following settings:

Name: captcha_question
Initial value: <?php $random = substr(number_format(time() * rand(),0,'',''),0,6); echo $random?>
Type: text (this can maybe be set to number).
Max. length: 0 (this can maybe be set to 6).

You can if you want change the value 6 in the PHP code and in that case also in Max. length.

Validation for this field is:
Mode: Default.
Data type: No Constraints.

The style for this field is so you can only see the random code (no borders, background is transparent).
Then before this code i have just a text field with the text like: Type this code in the box.


2. Now i have a second field named: catpcha_answer.
Type: number.
Max. length: 6.

Validation:
Mode: Default.
Data type: Number.

Data required (checked):
Minimum: 6, Maximum: 6

Match:
This field must have the same value as: (the name of the captcha_question field).

And i think that's it. This way you will have to type in 6 digits and only 6 digits to the captcha_answer field
or else you will have an error. I guess this is like some type of honey trap.

Hope this can be of some help.

Regards

//Patrik.
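
A server-side version of the checks described in the two posts above (the hidden "Valid Captcha" field and the six-digit code), as an added example that is not part of the thread or of WYSIWYG Web Builder's generated code. The field names `valid_captcha` and `captcha_answer`, the 10-minute lifetime and the session layout are assumptions; the expected code is kept in the session instead of a form field, so the comparison happens on the server.

```php
<?php
// Added example, not code from the thread. Field names captcha_answer and
// valid_captcha are assumptions modelled on the posts above.
declare(strict_types=1);

const CHALLENGE_TTL = 600; // seconds a challenge stays valid (assumed value)

// Create a 6-digit code, keep the expected answer server-side, return it for display.
function issue_challenge(array &$session, int $now): string
{
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $session['captcha'] = ['code' => $code, 'issued' => $now];
    return $code;
}

// Return an HTTP status for a submission: 200 to accept, 400 to reject.
function check_submission(array &$session, array $post, int $now): int
{
    $expected = $session['captcha'] ?? null;
    unset($session['captcha']);          // single use: a replayed POST fails

    if (!is_array($expected) || $now - $expected['issued'] > CHALLENGE_TTL) {
        return 400;                      // no challenge was issued, or it expired
    }
    // Hidden field starts as "Yes"; the onclick handler is expected to set "Null".
    if (($post['valid_captcha'] ?? 'Yes') !== 'Null') {
        return 400;
    }
    $answer = $post['captcha_answer'] ?? '';
    if (!is_string($answer) || !preg_match('/\A\d{6}\z/', $answer)) {
        return 400;                      // wrong type or not exactly six digits
    }
    return hash_equals($expected['code'], $answer) ? 200 : 400;
}

// Constructed demo: one page load and three submissions, no web server needed.
$session = [];
$code = issue_challenge($session, 1000);
$good = ['captcha_answer' => $code, 'valid_captcha' => 'Null'];
echo check_submission($session, $good, 1030), "\n"; // first submission
echo check_submission($session, $good, 1031), "\n"; // same POST sent again
issue_challenge($session, 2000);
$bad = ['captcha_answer' => '12345', 'valid_captcha' => 'Yes'];
echo check_submission($session, $bad, 2005), "\n";  // script never ran, short answer
```

In a real form handler, call `session_start()` first, pass `$_SESSION`, `$_POST` and `time()`, and send the returned status with `http_response_code()`.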

Re: Form Spam

Post by Magical »

Thanks for the detailed response. Appreciate it.