• Resolved scits

    (@scits)


    We’ve installed the reCaptcha V2 CF7 plugin but for some reason there are still spam and false positive messages being flagged in Flamingo (Inbound Messages). In the Google V2 console we have reduced the captcha difficulty; however, I am wondering why form submissions would still be flagged as spam in Flamingo in the first place. With V3 it is clear: the captcha verification happens in the background, so Google assigns a spam score to the submission. However, now with V2 a submission which is considered spam should not even touch the server, since the captcha validation fails and the user has to try again until the validation passes. Until the reCaptcha validation passes the form data never gets posted to the server, as far as I know.

    Can anyone shed some light on this behavior?

    Many thanks!

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author IQComputing

    (@iqcomputing)

    Hello,

    We do see what you mean. It could be an issue with the verify() method of the extended WPCF7_RECAPTCHA class. This is something we will need to investigate further before pushing out a patch or formulating a more informative reply. Thank you for bringing this to our attention! We’ll leave this thread open until we come to a solid conclusion.

    Thread Starter scits

    (@scits)

    Hi there,

    Thanks for your prompt feedback. One important thing to note is that we’ve adjusted the CF7 reCaptcha V3 spam score in the template’s function as follows:

    // Reduce reCAPTCHA v3 spam threshold to 0.1 to avoid false positives
    // 0.0 (easiest = no spam protection works) and 1.0 (strictest = every submission will be marked as spam).
    add_filter( 'wpcf7_recaptcha_verify_response',
    	function( $is_human, $response_body ) {
    		$score = isset( $response_body['score'] ) ? $response_body['score'] : 0;
    		$threshold = 0.1;
    		$is_human = $threshold < $score;
    		return $is_human;
    	},
    	10, 2
    );

    This was due to the fact that we had so many false positives with reCaptcha V3. Maybe this somehow clashed with your V2 plugin? In any case, we have now removed this code block from our functions.php file and will observe if there are still submissions flagged as spam.

    Thread Starter scits

    (@scits)

    Just to follow up, even after removing the above-mentioned customization, there are still messages flagged as SPAM in Flamingo. They are indeed spam, but as mentioned above, if the V2 challenge fails, the data should never be posted to the server.

    Plugin Author IQComputing

    (@iqcomputing)

    Hello,

    We’ve looked into this a bit and found the core of the issue. Contact Form 7 is using the wpcf7_submit (contact-form-7\modules\flamingo.php LN 7) hook to submit to Flamingo regardless of whether the submission is reCaptcha verified or not. So submitting a form without interacting with the reCaptcha will still submit to Flamingo but end up in the Spam “category”.

    In that same file is a hook which could be used to prevent spam from being submitted at all (by excluding it from the $cases Array passed to the filter) but that may not be an optimal solution in all use-cases:

    // The hook in Contact Form 7 in regards to what gets saved in Flamingo.
    $cases = (array) apply_filters( 'wpcf7_flamingo_submit_if',
    		array( 'spam', 'mail_sent', 'mail_failed' ) );

    This is still something we’re investigating to see whether or not we can wait until the submission is reCaptcha verified before Flamingo grabs ahold of it. Excluding spam from the above array could be a short-term solution though.
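
The short-term workaround described in the reply above, as an added example that is not part of the thread or of either plugin's code: it removes 'spam' from the statuses Flamingo stores and writes a one-line trace of each rejected attempt to the PHP error log instead. It assumes Contact Form 7 and Flamingo are active and that wpcf7_submit passes the contact form and a result array with a 'status' key; the example_* function names and the EXAMPLE_LOG_REJECTED constant are hypothetical.

```php
<?php
/**
 * Added example, not Contact Form 7, Flamingo or reCaptcha plugin code.
 * Function names and EXAMPLE_LOG_REJECTED are hypothetical.
 * Place in the theme's functions.php or a small site plugin.
 */

// Hypothetical switch: define as false in wp-config.php to drop
// rejected attempts without leaving any trace.
if ( ! defined( 'EXAMPLE_LOG_REJECTED' ) ) {
	define( 'EXAMPLE_LOG_REJECTED', true );
}

// 1. Stop Flamingo from storing submissions whose status is 'spam'.
//    'mail_sent' and 'mail_failed' stay in the list untouched.
add_filter( 'wpcf7_flamingo_submit_if', 'example_flamingo_skip_spam' );

function example_flamingo_skip_spam( $cases ) {
	return array_values( array_diff( (array) $cases, array( 'spam' ) ) );
}

// 2. Keep a one-line record per rejected attempt for troubleshooting.
//    Only the form ID and a UTC timestamp are written; no submitted
//    field values reach the log, so the entry cannot carry user input.
add_action( 'wpcf7_submit', 'example_log_rejected_submission', 10, 2 );

function example_log_rejected_submission( $contact_form, $result ) {
	if ( ! EXAMPLE_LOG_REJECTED ) {
		return;
	}

	if ( empty( $result['status'] ) || 'spam' !== $result['status'] ) {
		return;
	}

	error_log( sprintf(
		'[cf7] form %d: submission marked as spam at %s',
		$contact_form->id(),
		gmdate( 'c' )
	) );
}
```

Counting these log lines per form over time shows how often submissions arrive without a verified reCaptcha response, without filling the Flamingo tables.
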

    Thread Starter scits

    (@scits)

    Hi there,

    Thank you so much for your detailed analysis and reply.

    To me it is still not quite clear when exactly a submission gets added to the Flamingo spam category with reCaptcha V2. Every time the V2 challenge fails? For example, we had a false positive submission three times in the spam category and once in the Inbox category. Does that mean the user failed the V2 challenge three times and succeeded on the fourth attempt?

    For troubleshooting purposes it might be useful to log failed V2 captcha attempts in some circumstances, but in our case it just fills up the DB unnecessarily. Maybe it can be added as an option to the plug-in? E.g., an option “log failed V2 captcha attempts”.

    Thank you for all your efforts and happy Easter!

    Plugin Author IQComputing

    (@iqcomputing)

    Hello,

    Thanks again for bringing this to our attention. The latest update should fix these Flamingo issues by specifically looking for a recaptcha verification before adding anything to Flamingo. If you continue to have issues please reply back to this ticket and we may be able to look into it further. We’ll mark this thread as resolved for now, have a wonderful weekend!

    Thread Starter scits

    (@scits)

    Sorry for my late reply & thank you so much for the update. I’ve just deployed it and will monitor the results. Thanks again!

  • The topic ‘Still getting false positives’ is closed to new replies.