Receiving spam e-mails from HTML contact form

[brillarmory]

Hi all,

I am receiving around 1-2 spam emails a day from the embedded HTML contact form on my ZenCart page. I am wondering why this happens and if there is any way to eliminate the spam. Do you think adding a CAPTCHA would make it stop?

Using ZenCart v1.5.5e

[mc12345678]

Hi all,

I am receiving around 1-2 spam emails a day from the embedded HTML contact form on my ZenCart page. I am wondering why this happens and if there is any way to eliminate the spam. Do you think adding a CAPTCHA would make it stop?

Using ZenCart v1.5.5e

Unfortunately, spam is a part of business; however, frequent spam is just time consuming. There are a few options of things to do and it also may depend on how your existing contact_us page(s) are presented. There isn't really enough information provided thus far to lay out an option for your particular situation; however, I can say that depending on the template, it may not recognize the built in protections of ZC, it may be hidden via CSS but still be presented with in the HTML and not have any similar protections, could be that an ip address or some other consistent information needs to be blocked.

A captcha is likely to slow things down yes possibly to a grinding halt, but there may also be other solutions that don't interfere with a "true" customer's attempt to make contact.

[brillarmory]

Thanks for the insight. I used to receive only 1 spam e-mail a week, but it's increasing a lot now. Yesterday I received 5 spam e-mails. I will try the CAPTCHA and see if there's anything my coder can do. If I fix the problem I will reply here.

[RixStix]

I think the Spammers have found a way around the 'hidden field' that was implemented a while back because our instances of spam via the contact us form has increased.

That being said, I hate filling out Captcha forms on websites and will reserve that as a last resort for our customers.

[mc12345678]

There are a couple of other routes that have been suggested as well between time based form entry, verification that the requested email content is what is to be sent, an additional honey-pot, etc...

But the need to implement additional levels tends to follow what has already been implemented. I believe you've seen me discuss it before, but if a template implements the mega menu which tends to have a dropdown contact us form, then the method(s) some use to "hide" that form only visually hide it and does not remove itself from the html page. With such information still in the html page, the possibility is still there to populate the form and submit it...

Same kind of goes for the chosen honey pot verbiage... could reword it (ie use a define) such that the name of the field appears important but only to those that are looking where they "shouldn't".

Regarding timing, about the only time a valid contact us message should be able to be submitted quickly is if previous attempts have blatantly failed and there remains a desire to provide the information so a copy/paste method has been adopted...

[joannem]

I've been having frequent spam emails lately too. I'm using a responsive template, and I'm not sure what would have to be changed in the template to make it work. Anyone have any idea? I could have sworn I had seen something that I could choose to have it turned on or off, but for the life of me, I can't find it in admin.

I'm using version 1.5.5e

Thanks,
Joanne

[mprough]

Been seeing a great deal of this. I have been installing https://www.zen-cart.com/downloads.php?do=file&id=1455

However, if you don't want the captcha on your registration form (which I HIGHLY) recommend you don't put it there, then you need to make the following changes.

In Google reCaptcha v3.2\includes\classes\observers\class.google_recaptcha.php

Line: 22 replace

Code:

$pages_to_check[] =  'NOTIFY_CREATE_ACCOUNT_CAPTCHA_CHECK';

with

Code:

//$pages_to_check[] =  'NOTIFY_CREATE_ACCOUNT_CAPTCHA_CHECK';

Line: 42 replace

Code:

$event_array = array('NOTIFY_CONTACT_US_CAPTCHA_CHECK' => 'contact', 'NOTIFY_CREATE_ACCOUNT_CAPTCHA_CHECK' => 'create_account', 'NOTIFY_REVIEWS_WRITE_CAPTCHA_CHECK' => 'review_text');

with

Code:

$event_array = array('NOTIFY_CONTACT_US_CAPTCHA_CHECK' => 'contact', 'NOTIFY_REVIEWS_WRITE_CAPTCHA_CHECK' => 'review_text');

~Melanie

[joannem]

Isn't there something built in to the latest versions that won't submit the form unless they are logged into their account? I looked at the contact us files, and there is wording in them that makes me think it should be checking. And why isn't there an admin setting to turn it on or off?

[mprough]

Isn't there something built in to the latest versions that won't submit the form unless they are logged into their account? I looked at the contact us files, and there is wording in them that makes me think it should be checking. And why isn't there an admin setting to turn it on or off?

Yep, but it would appear that savvy spammers have added the proper response to their routine =(

[mc12345678]

Isn't there something built in to the latest versions that won't submit the form unless they are logged into their account? I looked at the contact us files, and there is wording in them that makes me think it should be checking. And why isn't there an admin setting to turn it on or off?

There is code that has been added to make it possible to act on whether a customer is logged in or not as well as for the email address to be prepopulated for those that are logged in...

There isn't anything built in the current 1.5.5f header_php.php file that directly prevents a visitor not logged in from sending a message...

One or more of the observers could be used or the header file directly edited: if not logged in, then redirect back to the page and present a message/error that must be logged in to contact you.