Possible bug w/ latest CF7: Spambots bypassing quiz

Hello

Same problem here. A lot of clients reports me the same problem happening just after the last update. A lot of spam from Russian spambots

Ciro

Hi Ciro,

If your web forms were using Google recaptcha, the lastest CF7 update disables them by default until a new API key is generated for version 3 of google recaptcha.

But that is NOT the issue we’re having.

We have disabled Google recaptcha and instead are using CF7 built in quiz capabilities and our log analysis shows spambots are able to submit the CF7 web form protected by a math equation within a tenth of a second of landing on the page. Here is an example apache log entry of a spambot:

93.190.138.231 - - [13/Dec/2018:21:02:59 -0500] "GET /contact-us/ HTTP/1.0" 200 61493 "/contact-us/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 OPR/49.0.2725.47"

93.190.138.231 - - [13/Dec/2018:21:02:59 -0500] "POST /contact-us/ HTTP/1.0" 200 61620 "/contact-us/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 OPR/49.0.2725.47"

Hi Steve

I updated the credentials for google recaptcha v3 but still some sites report high spambot usage.

Maybe it’s time to downgrade until a fix is available.

Regards
Ciro

Ciro, you should read the google recaptcha v3 terms as it requires some time to learn about the type of site visitors, etc. Check the forum here for more info.

Our issue is NOT w/ Google recaptcha but rather w/ CF7 quiz seems to be bypassed by spambots with a simple POST request.

@stevewest15, did you ever get this issue with the quiz being bypassed by bots resolved? I’ve been thinking of using a quiz instead of reCAPTCHA v3, but I don’t want to get a bunch of spam for doing so.

Hi, no unfortunately wasn’t able to figure out how these bots were bypassing the quiz challenge. Interesting enough, it was only from specific IP addresses (mostly in Italy) so I’ve blocked them at the firewall and that has cut the spam to only 1-2 per day which is manageable.

I’m hoping the CF7 team can chime in to see if they’ve seen automated bots bypassing the quiz challenge.

To me, 1-2 spam contact forms from bots is still unacceptable.

That is interesting that it was just a few IPs. That makes me think those IPs are associated with spammers that have come up with scripts that can solve at least some quiz questions.

If I look at the HTML put out by CF 7 for the quiz, the questions all have the class “wpcf7-quiz-label” which would make it easy to find them. If you are using a math quiz as suggested in the CF 7 documentation like:

[quiz math-quiz "12+48=?|60"]

it seems like it would be fairly easy–though much more work than the average spammer script does–to write a script that would grab the string with the class, strip the question mark, and run the equation to get the correct answer.

CF 7 is used on enough sites that it might be worth the spammers’ trouble to write such a script.

If you are using simple math quizzes, it would be interesting to see if converting to something a little more difficult to parse would stop the spammers’ scripts from defeating the quiz.

I’ve gotten interested in how the CF 7 quizzes perform since I’m not happy with the reCAPTCHA v3 in the current version and I’m looking for alternatives while still staying with CF 7, so I may give the quizzes a little real-world testing.