This repository has been archived by the owner on Nov 3, 2023. It is now read-only.

Increasing spam despite spam protection / security question #8874

Open
birdmedia opened this issue Apr 18, 2018 · 13 comments

Comments

@birdmedia

It seems like the standard spam protection "security question" can easily be solved by current (mainly Russian) spam bots. The standard captcha function should therefore be replaced, or at least the currently used operations should be modified.

@fritzmg
Contributor

fritzmg commented Apr 18, 2018

According to forum reports this also affects the honeypot captcha in Contao 4.4. Despite the honeypot being present, a lot of spam goes through. Though I have not yet witnessed that myself.

@ausi
Member

ausi commented Apr 18, 2018

@birdmedia which version of Contao do you use?

@birdmedia
Author

The problem mainly occurs in Contao 3.5.3X

@ghost

ghost commented Apr 19, 2018

We observe the same in a few contact forms (3.5.3x) for about 2 months now. I don't think there is a reliable general solution. For some cases, we have specific anti-spam code added via the prepareFormData hook - for example see https://wiki.fleckwerk.de/doku.php/contao/schnipsel/form_spam_russian
As far as I remember, a simple honeypot (extra field hidden by external CSS) did not work.

@frontendschlampe

Using madeyourday/contao-rocksolid-antispam will help to reduce the spam mails.

@leofeyer
Member

@birdmedia Can you provide an affected installation where we can analyze the log files?

@birdmedia
Author

Unfortunately, we removed every existing log file and disabled the creation of new log files (via chmod) due to GDPR compliance.

@leofeyer
Member

Since no-one can provide log files, I'm closing this ticket for now. Feel free to create a new ticket if you have the required log files.

@bibib

bibib commented Sep 18, 2018

I have a Contao 3.5.3x installation here where, despite the security question being enabled (contao-rocksolid-antispam), a lot of spam requests have been coming in for weeks. Am I right that you need the server log files? I would enable them now.

Sorry, my mistake. It is the normal security question.

@frontendschlampe

@contao/developers what do you need to check the problem? Which information in access.log?

@Toflar
Member

Toflar commented Nov 13, 2018

I think for the honeypot it would be great to have the full POST request (headers, body, everything) so we can actually check if the bot really sends the correct data.

@ausi
Member

ausi commented Nov 13, 2018

If you are using Contao 4.6, you can register a prepareFormData hook with a function like this:

// prepareFormData hook (signature as documented for Contao 4): dump the raw request
// and the captcha hashes the server would accept, so a spam submission can be compared
// with them later.
public function logSpam(array &$arrSubmitted, array $arrLabels, array $arrFields, \Contao\Form $form): void
{
    $data = [
        'post' => $_POST,
        'server' => $_SERVER,
    ];

    // Find the captcha answer field, e.g. "captcha_42"; null if the form has none
    $captchaKey = array_values(array_filter(array_keys($_POST), function ($key) {
        return preg_match('/^captcha_[0-9]+$/', $key);
    }))[0] ?? null;

    if ($captchaKey) {
        $data['captchaKey'] = $captchaKey;
        // generateHashes() is protected, so call it via reflection with the submitted answer
        $generateHashes = (new \ReflectionClass('Contao\FormCaptcha'))->getMethod('generateHashes');
        $generateHashes->setAccessible(true);
        $data['hashes'] = $generateHashes->invoke(new \Contao\FormCaptcha(), $_POST[$captchaKey]);
    }

    // Append one dump per submission; the file must not be web-accessible
    file_put_contents(TL_ROOT.'/var/spam-log.txt', print_r($data, true), FILE_APPEND);
}

After you received some spam, you can send me the /var/spam-log.txt file via email.

@ausi
Member

ausi commented Feb 12, 2019

Analyzing a log file I noticed that the spammer didn’t send the captcha_X_name field at all which probably is something we should check for.

EDIT: no it’s not :(

We could add || !isset($_POST[$this->strCaptchaKey.'_name']) to https://github.com/contao/contao/blob/e79f4cb153e09f34c678e500b9031990b8bd81c5/core-bundle/src/Resources/contao/forms/FormCaptcha.php#L128
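The check discussed above (reject a submission that omits the captcha_X_name field), as an added stand-alone example that is not Contao's FormCaptcha code. It models a security question with the same field layout the thread mentions (captcha_X, captcha_X_hash, captcha_X_name), binds the hash to a per-session secret via HMAC, and treats the _name field as a honeypot that must come back empty; the HMAC construction, the honeypot role of _name and the class and field names are assumptions for illustration, not Contao's implementation. The three POST bodies at the end are constructed test data, not captured traffic.

```php
<?php
// Added example, not Contao's code: a security-question check that rejects a POST
// unless every expected field is present, the honeypot is empty, and the answer
// matches a session-bound hash. Field names mirror the thread; internals are assumed.
declare(strict_types=1);

final class SecurityQuestionCheck
{
    // $key is the field prefix (e.g. "captcha_42"), $secret a per-session random value.
    public static function challenge(string $key, string $secret): array
    {
        $a = random_int(1, 9);
        $b = random_int(1, 9);
        return [
            'question' => sprintf('Please calculate %d plus %d.', $a, $b),
            'answer'   => $a + $b,                       // kept server-side, never rendered
            'fields'   => [                              // hidden inputs rendered in the form
                $key . '_hash' => self::hash($key, (string) ($a + $b), $secret),
                $key . '_name' => '',                    // hypothetical honeypot: must stay empty
            ],
        ];
    }

    // HMAC over key and answer: a bot cannot forge a hash for a different answer
    // without the session secret. Assumed construction, not Contao's.
    public static function hash(string $key, string $answer, string $secret): string
    {
        return hash_hmac('sha256', $key . '|' . $answer, $secret);
    }

    // Returns the rejection reason, or null when the submission passes.
    public static function reject(array $post, string $key, string $secret): ?string
    {
        // Structural check from the thread: every field the form rendered must come back
        foreach ([$key, $key . '_hash', $key . '_name'] as $field) {
            if (!array_key_exists($field, $post)) {
                return 'missing field ' . $field;
            }
        }
        if ((string) $post[$key . '_name'] !== '') {
            return 'honeypot filled';
        }
        if (!preg_match('/^\d{1,3}$/', (string) $post[$key])) {
            return 'answer is not a small integer';
        }
        // Normalise "07" to "7" before hashing, and compare in constant time
        $expected = self::hash($key, (string) (int) $post[$key], $secret);
        if (!hash_equals($expected, (string) $post[$key . '_hash'])) {
            return 'answer does not match hash';
        }
        return null;
    }
}

// Constructed demo submissions (not real traffic).
$secret = bin2hex(random_bytes(16));                     // stands in for a session secret
$key    = 'captcha_42';
$c      = SecurityQuestionCheck::challenge($key, $secret);

$human     = $c['fields'] + [$key => (string) $c['answer']];
$botNoName = $human;
unset($botNoName[$key . '_name']);                       // the shape seen in the analysed log
$botForeignHash = $human;                                // hash minted under another session
$botForeignHash[$key . '_hash'] = SecurityQuestionCheck::hash($key, (string) $c['answer'], 'other-secret');

foreach (['human' => $human, 'bot without _name' => $botNoName, 'bot with foreign hash' => $botForeignHash] as $label => $post) {
    printf("%-22s => %s\n", $label, SecurityQuestionCheck::reject($post, $key, $secret) ?? 'accepted');
}
```

Two caveats a practitioner would want: a field-presence check only stops bots that send a trimmed POST, and the bot in this thread may well send every field once it is adapted, which is why the full request dump from the logging hook above is the evidence to look at first. And because the hash travels to the client, the same hash and answer pair can be replayed for as long as the session secret lives; rotating the secret per form render, or recording used hashes server-side, closes that gap.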

7 participants