Blocked countries still forcing their way through

Hi,

I’m evaluating this plugin with the primary objective to reduce contact form spam. It’s highly unlikely that any legit request on our contact form is being performed from outside Germany. I see a lot of block events in the plugin log, and the amount of received spam has decreased. Validating the configuration using VPN, everything seems fine, I’m blocked when using VPN nodes from any forbidden country. But sometimes spammers still get through, despite using an IP from blocked country.

My config:

Block type: Redirect to other page
Block frontend: True
Block all countries except AU, CH, DE, LI, LU
Block backend: True
Block all countries except DE
Block individual pages: True (only contact form page selected)
Services: Some allowed

I’m using Contact Form 7 in combination with Flamingo. In Flamingo I’ll occasionally find some unblocked spam and the related IP (latest example: 92.223.106.xxx).

When checking this IP using the plugins built-in country check, I’ll find that the IP belongs to a blocked country, e.g.:

IP Adress 92.223.106.xxx belongs to Russia.
This country is not permitted to visit the frontend of this website.
This country is not permitted to visit the backend of this website.

Now when checking the server logfiles, the access patters reads as follows:

92.223.106.xxx - - [22/Mar/2022:12:14:35 +0100] "GET /kontakt/ HTTP/1.0" 302 0 "https://MYDOMAIN.de/kontakt/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "MYDOMAIN.de"
92.223.106.xxx - - [22/Mar/2022:12:14:35 +0100] "GET /error_http_403/ HTTP/1.0" 200 42832 "https://www.MYDOMAIN.de/error_http_403/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "www.MYDOMAIN.de"
92.223.106.xxx - - [22/Mar/2022:12:14:35 +0100] "GET /kontakt/ HTTP/1.0" 200 46904 "https://www.MYDOMAIN.de/kontakt/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "www.MYDOMAIN.de"
92.223.106.xxx - - [22/Mar/2022:12:14:36 +0100] "POST /kontakt/ HTTP/1.0" 302 0 "https://www.MYDOMAIN.de/kontakt/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "www.MYDOMAIN.de"
92.223.106.xxx - - [22/Mar/2022:12:14:37 +0100] "GET /error_http_403/ HTTP/1.0" 200 42832 "https://www.MYDOMAIN.de/error_http_403/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "www.MYDOMAIN.de"

So the first request to the blocked page is corrrectly being redirected. But the second one – all within one second – is not blocked, allowing the POST request on the contact form transmitting spam data – which even triggers another redirect, but too late.

Additional info: WP Super Cache is active.

Questions:
Anything wrong with my setup?
Does the plugin have any limitations when it comes to quick requests on the same resource?
Possibly a bug in the plugin?

Thanks for reading, appreciating any helpful response!