Unstoppable contact form spam

hsweet · February 16, 2024, 12:22pm

I’ve been getting a steady stream of spam via my 2 grav website’s contact forms, despite all my efforts to stop it. This site has a honeypot field, a turnstyle captcha and a math problem.

So maybe the submissions were done by actual people not bots?

Except I got one the other day that was lacking the " What is 2 times three?: 6" field that I should see in any emails I receive from the form.

And the bastard was bragging about how good a spammer he is :" Message: This message got to you and I can help you get your ad message to millions of websites just like this."

classes: 'form-style form-surround'
cache_enable: false
title: Contact
form:
    name: contact
    action: /pushcart/_contact
    fields:
        name:
            label: Name
            placeholder: 'Enter your name'
            autocomplete: 'on'
            type: text
            validate:
                required: true
        email:
            label: Email
            placeholder: 'Enter your email address'
            type: email
            validate:
                required: true
        message:
            label: Message
            placeholder: 'Enter your message'
            type: textarea
            rows: 6
            validate:
                required: true
        honeypot:
            type: honeypot
        question:
            type: radio
            label: 'What is 2 times three?'
            options:
                sex: 24
                drugs: 6
                rock: 18
                roll: 3
            validate:
                required: true
                pattern: ^drugs$
                message: nope
        captcha:
            type: turnstile
            theme: light
    buttons:
        submit:
            type: submit
            value: Submit
        reset:
            type: reset
            value: Reset
    process:
        turnstyle: true
        save:
            fileprefix: contact-
            dateformat: Ymd-His-u
            extension: txt
            body: '{% include ''forms/data.txt.twig'' %}'
        email:
            subject: '[Site Contact Form] {{ form.value.name|e }}'
            body: '{% include ''forms/data.html.twig'' %}'
        message: 'Thank you for getting in touch!'
        reset: true
        display: thankyou
class: small

pamtbaau · February 16, 2024, 6:26pm

@hsweet,

There are plenty of people who are willing to submit forms for a few dollars a day. It will be hard to beat this kind if spam. Fortunately, this is not the bulk of spam.
Calling your honeypot field “honeypot” might not be a good choice. The generated field will be:
```
<input ... name="data[honeypot]" value="">
```

In my own custom form (not using Form plugin), I (try to) fool the javascript bots by naming the honeypot field “message” and the “message” field “subject”. When using the Form plugin it could be:

subject:
  label: Message
  placeholder: 'Enter your message'
  type: textarea
  rows: 6
  validate:
    required: true
message:
  type: honeypot

To fix the field switch you might need to override templates data.html.twig and data.text.twig, to reverse the name switch.

Not sure if this really fools bots, but I have no more spam: 90% is caught by honeypot and 10% by reCaptcha.

Topic		Replies	Views
Form validation.pattern for !URLs Forms & Blueprints form	5	1556	March 30, 2022
Anti bot in the contact form	7	607	July 15, 2021
Support on site development Support	3	435	July 16, 2018
Getting spam despite using reCaptcha	0	465	May 26, 2019
Form field of type 'honeypot' not invisible Forms & Blueprints	1	832	June 9, 2018

Unstoppable contact form spam

Related Topics