Simple Contact Form


justb3a

Lately, I'm getting a lot of SPAM. I checked the log and even though it detects the SPAM as FAILURE, like "Honeypot field was filled" or "Number of fields does not match", 1 second later there is a SUCCESS.

Here is a log of "Honeypot field was filled":

23 hours ago
2023-06-13 07:38:44	[SUCCESS] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5042.0 Safari/537.36, 37.212.202.92, myemail@mysite.com

23 hours ago
2023-06-13 07:38:43	[FAILURE] Honeypot field was filled. IP: 37.212.202.92

Here is a log of "Number of fields does not match":

13 minutes ago
2023-06-14 06:24:52	[SUCCESS] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36, 176.124.220.43, myemail@mysite.com

13 minutes ago
2023-06-14 06:24:51	[FAILURE] Number of fields does not match. IP: 176.124.220.43

I'm also using reCAPTCHA but it seems that spammers have found a way to pass all these...

@PWaddict Have not yet used SimpleForm myself. If a human scans a site and modifies a bot, most forms can automatically be filled I guess. Seems there is no counter for failed submits logged by IP or general wrong submits yet implemented, which would limit the amount of trials to let's say 5. That's something I always want to have in frontend forms to protect my side against bots and script kiddies. FrontendForms and the pro module from Ryan do implement such protection by default if I remember right.

How many failed trials were in the logs before the success message appeared? Only one failed, then success? That would be strange.

@PWaddict I'm getting the same as you: either 'Number of fields does not match' or 'Honeypot field was filled', then followed by [SUCCESS] a second later. But this is happening with my own tests, so it's probably not so much clever spammers as much as something broken with recent PW updates. Any idea where this might be failing?

On 6/14/2023 at 8:11 AM, cwsoft said:

How many failed trials were in the logs before the success message appeared? Only one failed, then success? That would be strange.

Yes, only one failed and then 1 second later success!

10 minutes ago, strandoo said:

But this is happening with my own tests, so it's probably not so much clever spammers as much as something broken with recent PW updates. Any idea where this might be failing?

I didn't think about the PW updates. In January, I upgraded the one site I'm using this module on from 3.0.165 to 3.0.210 but the frequent spam started in April if I remember correctly. No idea what is causing this issue. Don't forget that this is an abandoned module.

@Flashmaster82 I had a quick look at some forms on a few sites and it appears that under PW 3.0.210, a new hidden field is being inserted at the end of the form, just after the token field: <input type='hidden' name='_InputfieldForm' value='contact-form'/>. I suppose this is why the count is off, but I don't know why the form gets sent anyway. I found https://processwire.com/api/ref/inputfield-form/ that might explain it somehow.

34 minutes ago, PWaddict said:

Yes, only one failed and then 1 second later success!

I didn't think about the PW updates. In January, I upgraded the one site I'm using this module on from 3.0.165 to 3.0.210 but the frequent spam started in April if I remember correctly. No idea what is causing this issue. Don't forget that this is an abandoned module.

Ok only one failed login followed by success is really strange. Haven't used simple form yet and build my forms with the core features so far myself. Maybe an update to the FrontendForms module from Jürgen may be an option, as it comes with lots of spam protection features out of the box.

20 hours ago, cwsoft said:

Maybe an update to the FrontendForms module from Jürgen may be an option, as it comes with lots of spam protection features out of the box.

Currently I can't try it cause it requires at least PHP 8. I'm still using PHP 7.4 as I don't want to update yet without testing all modules to make sure everything works properly.

@strandoo so far we are the only ones that mentioned this issue and I notice that we both use your reCAPTCHA solution. Have you tested the form without the reCAPTCHA?

@PWaddict

2 hours ago, PWaddict said:

Have you tested the form without the reCAPTCHA?

Yes, I was looking into this with a non-recaptcha form. I've got probably a dozen or more sites using SimpleContactForm, some probably now updated to 3.0.2xx, so I'd like to solve this! Yesterday, I noticed this error in TracyDebugger: 

PHP Notice: Undefined offset: 0 in .../modules/SimpleContactForm/SimpleContactForm.module:238

So when I get a chance, I'll try to see what that's all about.

Ok, I had a look but couldn't figure out exactly what is going on. I'm filling in the honeypot to test and that's getting logged as spam, but isSpam doesn't seem to be working and I'm not clever enough to know why. But since SimpleContactForm + PW 3.0.210 is adding a hidden field (<input type="hidden" name="_InputfieldForm" value="contact-form">) where PW 3.0.200 isn't, I thought I'd try replacing 210's InputfieldForm.module with the one from 3.0.200. Once I did that, no more hidden field and the spam filter works as expected.

So maybe someone more knowledgeable than myself can spot the difference and see if SimpleContactForm can be patched?

Ok, more digging and I think I've got it. The InputfieldForm.module made at least 2 changes that affected the no-longer-supported-but-heavily-used SimpleContactForm (by me anyway):

1) it appends a hidden field at the end of your form ('$landmark', line 178). I don't know its purpose, but I'll now see if I can subtract it from the field count in the Spam Protection of SimpleContactForm.

2) $form->getErrors() doesn't work the way it did previously. Thanks to a post by @da² that I came across, I've been able to use $form->getErrorInputfields() instead on lines 203 and 245 in the SCF.module.

For now, I'll just edit the module, but maybe there's a more elegant way to do it.

@strandoo I replaced $form->getErrors() with $form->getErrorInputfields() on lines 203 and 245 but now I'm always getting a SPAM error when I'm trying to fill a form (even without filling the honeypot field) and in the logs I'm getting this: [FAILURE] Number of fields does not match. IP: 127.0.0.1

@PWaddict Yeah, that's because the newer InputfieldForm.module creates a new hidden field before the closing </form> tag (<input type="hidden" name="_InputfieldForm" value="[your-form-name]">). The presence of that field throws off the 'spam count'. That's another anti-spam measure in the module which makes sure the total count of form fields is what is expected. See the comment around line 206. I tried to figure out how to target and exclude the new hidden field, but I gave up and just changed line 211 to '$excludeFields = -1;'. Not very elegant and of course, this will break the form if used on a pre-3.0.210 installation, but it gets it working until I can spend more time on it.

@strandoo I changed the 211 line and now it works but if I try to submit the form without checking the reCAPTCHA I'm getting the error "InputfieldRecaptcha" instead of the "Failed reCAPTCHA input test" as it should be due to the following hook:

 $wire->addHookBefore('SimpleContactForm::processValidation', function(HookEvent $event) {

   $form = $event->arguments(0);
   $recaptcha = $form->get('recaptcha');

   // add error if not pass the reCaptcha test
   if (!$this->input->post->{'g-recaptcha-response'}) { // attach an error to the field
     $recaptcha->error(__('Failed reCAPTCHA input test')); // it will be displayed along the field
   }

});

 

16 hours ago, PWaddict said:

@strandoo The above error text issue is caused by the 245 changed line.

I haven't tried these fixes on any of my forms with the Recaptcha yet. But I did try changing that line back to '!$form->getErrors()' (the original) and it seems to still work. By the way, are you getting 2 emails sent for every form submission?

10 hours ago, strandoo said:

By the way, are you getting 2 emails sent for every form submission?

No, I'm getting just 1 email.

I've only changed the 203 and 211 lines and everything seems to properly work. Thanks for the help.
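
The log pattern reported in this thread (a spam-check [FAILURE] followed about a second later by a [SUCCESS] from the same IP) can be checked for mechanically after patching the module or upgrading PW. This is an added example, not part of any post and not the module's code; the sample lines are constructed in the log format quoted above, and the function names and the 5-second window are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the thread's log format (TEST-NET IPs), newest entry first.
SAMPLE_LOG = """\
2023-06-14 06:30:00\t[SUCCESS] Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36, 192.0.2.55, owner@example.com
2023-06-14 06:24:51\t[FAILURE] Number of fields does not match. IP: 198.51.100.9
2023-06-13 07:38:44\t[SUCCESS] Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36, 203.0.113.7, owner@example.com
2023-06-13 07:38:43\t[FAILURE] Honeypot field was filled. IP: 203.0.113.7
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\[(SUCCESS|FAILURE)\] (.*)$")


def parse_line(line):
    """Return (timestamp, status, ip, detail), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    status, rest = m.group(2), m.group(3)
    if status == "FAILURE":
        detail, sep, ip = rest.rpartition(" IP: ")
        if not sep:
            return None
    else:
        # The user agent itself contains commas, so split from the right.
        parts = rest.rsplit(", ", 2)
        if len(parts) != 3:
            return None
        detail, ip = parts[0], parts[1]
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return ts, status, ip, detail


def find_bypasses(log_text, window_seconds=5):
    """Return (ip, reason, failure_time, success_time) for each FAILURE then SUCCESS pair."""
    # Sort chronologically; on equal timestamps "FAILURE" sorts before "SUCCESS".
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    last_failure, hits = {}, []
    for ts, status, ip, detail in events:
        if status == "FAILURE":
            last_failure[ip] = (ts, detail)
        elif ip in last_failure:
            fail_ts, reason = last_failure.pop(ip)
            if ts - fail_ts <= timedelta(seconds=window_seconds):
                hits.append((ip, reason, fail_ts, ts))
    return hits
```

An empty result over a fresh log, after submitting a test form with the honeypot filled, indicates the spam check is actually blocking the send.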
