• There is a sudden flood of spam coming to my email via the contact form, despite using a Captcha on the form. Akismet deems them as ‘probably spam’, which they are, but they are still being sent to my inbox, about 30 a day for the last 2 weeks. Not sure how to stop this, or keep them from being emailed to me, without losing the legit contacts. Any help is appreciated. Thanks.

    https://www.ads-software.com/extend/plugins/si-contact-form/

Viewing 15 replies - 16 through 30 (of 44 total)
  • I am getting 4 or 5 spam emails a week – I assume the captcha is a set of images and some spammers have worked them out so the bots can post?

    I will try using form 2, thanks for the idea. Is there any way to fix this properly?

    It’s the best WP contact form

    Rob

    The spam was coming from each of my forms 1,2,3, so I presume they can get through easily no matter which form they are using. I have taken some rather drastic action and totally blocked Thailand from emailing … the IP address is always the same, but keeps changing at the end of it ( last 3 numbers).. sorry if there is anyone in Thailand who wishes to contact me genuinely but they will have to find me on twitter or g+ ….

    I am having the same problem across one of my sites in particular. On this site, they are mainly hitting the form on one page but they are doing it all day long. I use captcha and have never had a problem. Now I have gone from medium to high setting on captcha and added the email address a second time. Nothing is working and not even slowing it down. Please help Mike. Thank you:-)

    I think what we have got to understand is that these are humans that sit all day long spamming. They paste rubbish into the text areas and I am going to say that even though their email address looks false it will be a real email address. If you have set your contact forms or email with an auto response, i.e. SORRY OUT OF OFFICE TILL MONDAY, then they have got your real email address and this can then be sold onto mailing lists.

    I think this is the only reason they do it… they must be able to collect thousands of auto-responding email addresses like this and I feel there is little we can do about it.

    benmoreassynt

    (@benmoreassynt)

    This isn’t human – I’m 99% sure it is automated, and that somehow the Captcha is broken. I’ve also seen this form being spammed for the last week or so. The emails I am getting are very similar to the ones above – i.e. they’re coming from the same people.

    Although Akismet can catch the spam, that’s not the point. The spam should not be able to get around the captcha. Any other solutions (e.g. using Form #2) are temporary hacks, and not fixes.

    So .. Fast Secure Contact Form is NOT secure, and needs an urgent fix.

    Stingraynut

    (@stingraynut)

    I agree with benmoreassynt. I’ve seen the same thing on a Joomla installation – the captchas had been cracked and then I guess programmed into spambots.
    We need a new test of whether the person is human and it needs to be randomly generated so it can’t be cracked.
    I moved to Form 2 and so far no spam.

    Mike Challis

    (@mikechallis)

    I have done some research on this:

    There are a few types of spam you will receive:

    Human spammers – they actually visit your form and fill it out including the CAPTCHA.

    Spambot probes – sometimes contain content that does not make any sense (gibberish). Spam bots will try to target any forms that they discover. They first attempt an email header injection attack to use your web form to send spam emails. After failing that, they simply submit the form with a URL or embedded HTML, hoping someone will be phished or click the link.

    Blackhat SEO spammers – looking for blog comment forms, contact forms, Wikis, etc. By using randomly generated unique “words”, they can then do a Google search to find websites where their content has been posted un-moderated. Then they can go back to these websites, identify if the links have been posted without the rel=”nofollow” attribute (which would prevent them contributing to Google’s algorithm), and if not they can post whatever spam links they like on those websites, in an effort to boost Google rankings for certain sites. Or worse, use it to post whatever content they want onto those websites, even embedded malware.

    Human captcha solvers – The thing is that it’s easy and cheap for someone to hire a person to enter this spam. Usually it can be done for about $5 for 1,000 or so form submissions. The spammer gives their ‘employee’ a list of sites and what to paste in and they go at it. Not all of your spam (and other trash) will be computer generated – using a CAPTCHA proxy or farm the bad guys can have real people spamming you. A CAPTCHA farm has many cheap laborers (India, far east, etc.) solving them. CAPTCHA proxy is when they use a bot to fetch and serve your image to users of other sites, e.g. porn, games, etc. After the CAPTCHA is solved, they use a bot to post your form.

    How to stop it?

    Change the URL of your form – This should immediately eliminate all spam sent directly to your form by spammers who have the URL of your webmail script in their databases. This could only be temporary if they come back to find it again, or maybe they won’t.

    Filter Spam With Akismet – The Akismet plugin comes pre-installed with WordPress now. First you will need to make sure that Akismet is activated using your WordPress.com API key. Once activated, Akismet helps to filter spam comments but it can also be used with Fast Secure Contact Form to label as “Spam” or block contact form submissions. There is a setting for this on the form edit page, and you can select to block or keep the messages.

    Install Bad Behavior Plugin – The bad behavior plugin prevents spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place.

    Built-in form defenses – such as hidden honeypot fields. If the spam bot fills it in, it IS SPAM; let them through to the thanks page but do not send the email. There are some related options including session token fields, time delay, and randomization of methods. I might experiment with this in a future version.
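    An added example, not the plugin’s own code, of the three built-in defenses described above (honeypot field, signed time-delay token, and a check for the email header injection that spambot probes attempt first). It assumes a per-site secret `$SECRET` stored outside the web root; the function and field names are made up for illustration.

```php
<?php
// Added example, not Fast Secure Contact Form code. $SECRET is an assumed
// per-site secret loaded from outside the web root (e.g. wp-config.php).
$SECRET = 'replace-with-a-long-random-secret';

// Render hidden fields: a honeypot (hidden via CSS, humans never fill it) and
// an HMAC-signed issue time so the server can measure how long the visitor
// spent on the form without trusting the client's clock or a bare timestamp.
function fsc_hidden_fields(string $secret): string {
    $issued = time();
    $sig    = hash_hmac('sha256', (string) $issued, $secret);
    return '<div style="display:none" aria-hidden="true">'
         . '<input type="text" name="website_url" value="" tabindex="-1" autocomplete="off"></div>'
         . '<input type="hidden" name="fsc_ts" value="' . $issued . '">'
         . '<input type="hidden" name="fsc_sig" value="' . $sig . '">';
}

// Classify a submission. Returns one of:
// 'ok', 'honeypot', 'bad_token', 'too_fast', 'expired', 'header_injection'.
function fsc_classify(array $post, string $secret, int $now, int $min = 3, int $max = 3600): string {
    // 1. Honeypot: bots autofill every text field; a human leaves it empty.
    if (!empty($post['website_url'])) {
        return 'honeypot';
    }
    // 2. Token: the issue time must carry a valid HMAC, so a bot cannot
    //    forge an "old" timestamp to skip the delay check.
    $ts  = (string) ($post['fsc_ts']  ?? '');
    $sig = (string) ($post['fsc_sig'] ?? '');
    if (!ctype_digit($ts) || !hash_equals(hash_hmac('sha256', $ts, $secret), $sig)) {
        return 'bad_token';
    }
    // 3. Timing: humans need at least a few seconds; a very old token is stale.
    $age = $now - (int) $ts;
    if ($age < $min) { return 'too_fast'; }
    if ($age > $max) { return 'expired'; }
    // 4. Header injection: CR/LF in fields that end up in mail headers would
    //    let the sender append extra To:/Bcc: lines and relay spam through you.
    foreach (['email', 'subject'] as $field) {
        if (preg_match('/[\r\n]/', (string) ($post[$field] ?? ''))) {
            return 'header_injection';
        }
    }
    return 'ok';
}

// Usage (assumed handler): anything but 'ok' still lands on the thanks page
// but no mail is sent, so the submitter learns nothing about which check tripped.
$verdict = fsc_classify($_POST, $SECRET, time());
if ($verdict === 'ok') {
    // wp_mail(...) would go here
}
```

    Logging the verdict per submission (without the message body) is useful for seeing which check actually catches a given spam run, which tells you whether you are facing a bot or a human solver.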

    leadology

    (@leadology)

    I started using Antispam bee some time ago to help with the obvious problems. It does a good job for me. Most of my email problems are coming from a few countries…you know the usual ones. So, there is a setting to block countries based on their country code. I don’t get any business from the countries I referred to earlier so I have blocked them and that seems to be working well at the moment. Now obviously, if they were originating domestically, that solution would not work for me. Thanks.

    universaltruth

    (@universaltruth)

    This is driving me nuts. I have Akismet installed and active. It tells me that “Akismet is enabled and the key is valid. This form will be checked with Akismet to help prevent spam”.

    I have set Fast Secure Contact Form Options to “block spam messages” for Akismet.

    I still get about 20 spam messages a day. Akismet is not blocking anything even though it is active. Changing the settings doesn’t seem to make any difference.

    I’ve noticed the spam messages tend to just be gibberish but not always. I’m going to try changing some other settings and let you know if I can stop this.

    I liked using Fast Secure Contact Form but thinking of changing to a different plugin.

    Just found that the word list for the captcha module used with this is fully available for public download.

    https://mysite.domain/wp-content/plugins/si-contact-form/captcha/words/words.txt

    is open to anyone to download – needs a quick permissions change to prevent this, but since the wordlist is out there it may need a new word list!

    Can anyone comment on whether this is likely to increase the vulnerability of this contact form to mass attack?

    This CAPTCHA is not even using the word list, it only uses random characters.

    Most people are not having any problem with this form and spam, but a few have become targeted for spam, so here is the best solution right now:

    Install the “Bad Behavior” plugin with the http:BA key. – The bad behavior plugin prevents spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place.

    Thanks Mike, if it uses random characters then surely it must be spamming by a human?
    I changed to using Form two and have had zero problems. I have the contact form on several websites and it was only 1 or 2 that were targeted.
    If the problem comes back I’ll give the bad behaviour plugin a go.

    Rob

    This is continuing to drive me crazy. I have over 6000 posts with this form on it and just can’t seem to solve the problem. I liked Mike’s answer about the “bad behavior” solution but then I read this problem people are having with it: https://www.ads-software.com/support/topic/plugin-bad-behavior-blocking-google-bot

    I am not sure where to turn now….

    PS: would you believe I got 2 more while typing this?

    I’ve used FS contact form for over two years now and was quite impressed by it. But like most of you, a couple of months ago I started receiving floods of spam messages and so far have found no solution to prevent it.

    I’ve tried almost all the spam prevention recommendations but nothing seems to work.

    The form is becoming useless and I am thinking I’ll have to switch to my own custom-made one if no solution exists.

    Have any of you guys solved the problem?

    We are still looking for a solution too. It is going to be a very costly, time consuming nightmare to remove all the instances of this across our sites and replace with something else. We are feeling the stress.

  • The topic ‘[Plugin: Fast Secure Contact Form] Flood of Spam via email via Contact form’ is closed to new replies.