Printable View
Hi all,
I am receiving around 1-2 spam emails a day from the embedded HTML contact form on my ZenCart page. I am wondering why this happens and if there is any way to eliminate the spam. Do you think adding a CAPTCHA would make it stop?
Using ZenCart v1.5.5e
Unfortunately, spam is a part of business; however, frequent spam is just time consuming. There are a few options of things to do and it also may depend on how your existing contact_us page(s) are presented. There isn't really enough information provided thus far to lay out an option for your particular situation; however, I can say that depending on the template, it may not recognize the built in protections of ZC, it may be hidden via CSS but still be presented with in the HTML and not have any similar protections, could be that an ip address or some other consistent information needs to be blocked.Quote:
Originally Posted by brillarmory
A captcha is likely to slow things down yes possibly to a grinding halt, but there may also be other solutions that don't interfere with a "true" customer's attempt to make contact.
Thanks for the insight. I used to receive only 1 spam e-mail a week, but it's increasing a lot now. Yesterday I received 5 spam e-mails. I will try the CAPTCHA and see if there's anything my coder can do. If I fix the problem I will reply here.
I think the Spammers have found a way around the 'hidden field' that was implemented a while back because our instances of spam via the contact us form has increased.
That being said, I hate filling out Captcha forms on websites and will reserve that as a last resort for our customers.
There are a couple of other routes that have been suggested as well between time based form entry, verification that the requested email content is what is to be sent, an additional honey-pot, etc...
But the need to implement additional levels tends to follow what has already been implemented. I believe you've seen me discuss it before, but if a template implements the mega menu which tends to have a dropdown contact us form, then the method(s) some use to "hide" that form only visually hide it and does not remove itself from the html page. With such information still in the html page, the possibility is still there to populate the form and submit it...
Same kind of goes for the chosen honey pot verbiage... could reword it (ie use a define) such that the name of the field appears important but only to those that are looking where they "shouldn't".
Regarding timing, about the only time a valid contact us message should be able to be submitted quickly is if previous attempts have blatantly failed and there remains a desire to provide the information so a copy/paste method has been adopted...
I've been having frequent spam emails lately too. I'm using a responsive template, and I'm not sure what would have to be changed in the template to make it work. Anyone have any idea? I could have sworn I had seen something that I could choose to have it turned on or off, but for the life of me, I can't find it in admin.
I'm using version 1.5.5e
Thanks,
Joanne
Been seeing a great deal of this. I have been installing https://www.zen-cart.com/downloads.php?do=file&id=1455
However, if you don't want the captcha on your registration form (which I HIGHLY) recommend you don't put it there, then you need to make the following changes.
In Google reCaptcha v3.2\includes\classes\observers\class.google_recaptcha.php
Line: 22 replace
withCode:$pages_to_check[] = 'NOTIFY_CREATE_ACCOUNT_CAPTCHA_CHECK';
Line: 42 replaceCode://$pages_to_check[] = 'NOTIFY_CREATE_ACCOUNT_CAPTCHA_CHECK';
withCode:$event_array = array('NOTIFY_CONTACT_US_CAPTCHA_CHECK' => 'contact', 'NOTIFY_CREATE_ACCOUNT_CAPTCHA_CHECK' => 'create_account', 'NOTIFY_REVIEWS_WRITE_CAPTCHA_CHECK' => 'review_text');
~MelanieCode:$event_array = array('NOTIFY_CONTACT_US_CAPTCHA_CHECK' => 'contact', 'NOTIFY_REVIEWS_WRITE_CAPTCHA_CHECK' => 'review_text');
Isn't there something built in to the latest versions that won't submit the form unless they are logged into their account? I looked at the contact us files, and there is wording in them that makes me think it should be checking. And why isn't there an admin setting to turn it on or off?
Yep, but it would appear that savvy spammers have added the proper response to their routine =(Quote:
Originally Posted by joannem
There is code that has been added to make it possible to act on whether a customer is logged in or not as well as for the email address to be prepopulated for those that are logged in...Quote:
Originally Posted by joannem
There isn't anything built in the current 1.5.5f header_php.php file that directly prevents a visitor not logged in from sending a message...
One or more of the observers could be used or the header file directly edited: if not logged in, then redirect back to the page and present a message/error that must be logged in to contact you.
Update: I added Google Recapcha to the Contact form. No one can e-mail me without clicking the Recaptcha box now.
Still receiving more spam than ever. I wonder how the bots are able to circumvent the Recaptcha...
Might be real person spammers or it's not installed correctly. Have a link to your website?Quote:
Originally Posted by brillarmory
https://www.brillarmory.com/index.ph...age=contact_usQuote:
Originally Posted by mprough
You make it real easy for spammers to find you, since you typed out your email addresses in full on the contact page.Quote:
Originally Posted by brillarmory
They are not using the form, but harvest the addresses form the page.
Those e-mails I typed out on my page get sent to my protonmail addresses; none of which have received spam yet. All of the HTML form inquiries are sent to my gmail account. All of the spam I receive is in gmail and uses the subject line "Website Inquiry from Brill Armory" -- which also tells me it's from the HTML form.Quote:
Originally Posted by Design75
Okay, then you have been lucky with the typed out addresses.Quote:
Originally Posted by brillarmory
Before you added the captcha, are you sure you had the extra hidden field in place? because I can not seem to find it now.
One thing that is missing is the honeypot. Should check for differences between includes/templates/theme692/templates/tpl_contact_us_default.php and the file of the same name in the template_default directory.
As to the recaptcha, not sure if there is now some sort of cookie associated with recaptcha or if it is site specific, but I know there is a site that I frequently visit that uses a recaptcha and I haven't been asked to select or enter the verification information in quite a while after clicking the check box...
In fact, when filling out the contact us form at this site, once I clicked the checkbox, it didn't ask for any further confirmation...
Thanks for the insight. I looked over this with my coder and he applied a fix. I haven't received any spam since he applied it days ago.Quote:
Originally Posted by mc12345678
Care to share the fix please?Quote:
Originally Posted by brillarmory
We added a couple of global filters into the server email system (cpanel) to check for 2 or 3 of the most common chinese or russian characters in the subject and/or body. If true, DELETE.
i recently added the google recaptcha and it works fine with no time delay, don't know if it will stop spam but it works fine.
Off topic I have a question:
how can I reverse the <send> <back> button on my contact form as they are oppisite from where they should be see https://www.airtightsecurityplus.com...age=contact_us
muscle memory wants you to hit the <back> button to send...
figured the button situation out thanks to lat9.
but the recapta is working fine