FreewayTalk

3 replies to this thread. Most Recent

John Whittaker

2 Aug 2019, 12:10 pm

[Pro] Reducing SendForm Spam

Only indirectly connected with Freeway but I am hoping someone here will have suggestions. For some years I have been using SendForm on two sites, one for my part-time translation business (fairly pointless as my e-mail address is in a professional directory), another for the local church (people tend to use it for requesting christenings, weddings, etc.). Both are hosted on the same server in France. Initially I couldn’t make SendForm work, and the hosting technicians tinkered with the coding to make it work, updating it some years ago to comply with their new SMTP restrictions. E-mail address is required. Over the last couple of months, the church site has had a lot of spam, beginning with links to pornography, suggestions from ladies about what they would do on camera, and moving to pages of text in Chinese or Russian script, sometimes German, but mainly English using scientific/medical vocabulary but making no sense at all. The E-mails have a range of unlikely names, but mainly the suffic .ru . This is becoming problematic with about ten messages an hour. The other site, same server, has had none of this. I have checked the server so far as I can, and nothing has been tampered with (going by the dates and coding). My first inclination is to disable the SendForm for a time. My second is to make all fields required. My third is to look at Captcha options. Any suggestions on the best? Any suggestions as to what else to do?

John W.

John Whittaker

2 Aug 2019, 12:12 pm

P.S. I was looking at ReCaptcha and am aware of the instructions from SoftPress on making it work.

John W.

waltd

2 Aug 2019, 12:39 pm

If you have already enabled the “Honeypot” anti-spam feature in Send Form, then you may have gotten into the cross-hairs of the “room full of bored people” attack. It is stunningly inexpensive in some parts of the world to purchase this service, where actual people are paid to submit your form, thus circumventing any form of automated spam prevention. This service is done in bulk, on the off-chance that a form will lead to the payload appearing in public, as in blog comments or other “user generated content”.

If you haven’t enabled the honeypot, then do so, it can’t hurt, and it may give you some relief for a while.

Another thing that may give you some temporary relief is to rename (the filename, not the title) your contact form page. This will force the Send Form Action to generate a new form handler with a different filename. Many of the attacks that you can fall prey to are automated, and once the “room full of bored people” have solved your riddle, the solved form is passed off to the robots for further abuse. Changing the filename means that the robots get a 404 when they submit the form, since they won’t actually be visiting the site and filling it out, just injecting their own data into your form handler, having memorized the names of the fields they need to submit. Just this one change will give you maybe months of peace at a time, and then changing it again and again might continue to do the same.

To do this, navigate to your form page in Freeway, and look in the Page Inspector. The first field is the title, and the second field is the filename. Change that to something else, it doesn’t matter at all what, as long as it ends in .html. Throw some numbers and other crap in there. People won’t see that, and the machines that have memorized the old name will have to find the new one by scraping the links off of your other pages. Freeway will update the HTML for all the other pages in your site that have a link to the contact form, so when you next upload, a lot of pages will be updated. That’s why this is a cheap trick for you to try — you don’t have to think about it too much, and Freeway will do all the work.

If your hosting providers had to modify the generated Send Form PHP script, then you will have to figure out what changes they made, and do them again, or your form will stop working. It would be worthwhile to figure out what those were anyway, because you may be able to simply configure the Action so they aren’t needed. My guess is that they wanted you to send the mail with the form contents “from” a legal address on your domain, and the Action already has the ability to do this if you configure it correctly.

But it’s important to realize that this is an asymmetrical war that you really cannot win. You don’t have the resources or the time to fight everyone who wants to attack you this way, and as long as it remains inexpensive yet even a little bit lucrative for the attackers, they will keep doing it.

If you want to have the contact form, as a convenience for your actual visitors, you’re going to have to put up with these weirdos.

Walter

On Aug 2, 2019, at 8:10 AM, John Whittaker <[email protected]> wrote:

Only indirectly connected with Freeway but I am hoping someone here will have suggestions. For some years I have been using SendForm on two sites, one for my part-time translation business (fairly pointless as my e-mail address is in a professional directory), another for the local church (people tend to use it for requesting christenings, weddings, etc.). Both are hosted on the same server in France. Initially I couldn’t make SendForm work, and the hosting technicians tinkered with the coding to make it work, updating it some years ago to comply with their new SMTP restrictions. E-mail address is required. Over the last couple of months, the church site has had a lot of spam, beginning with links to pornography, suggestions from ladies about what they would do on camera, and moving to pages of text in Chinese or Russian script, sometimes German, but mainly English using scientific/medical vocabulary but making no sense at all. The E-mails have a range of unlikely names, but mainly the suffic .ru . This is becoming problematic with about ten messages an hour. The other site, same server, has had none of this. I have checked the server so far as I can, and nothing has been tampered with (going by the dates and coding). My first inclination is to disable the SendForm for a time. My second is to make all fields required. My third is to look at Captcha options. Any suggestions on the best? Any suggestions as to what else to do?

Freeway user since 1997

http://www.walterdavisstudio.com

Back to Top

John Whittaker

2 Aug 2019, 2:03 pm

Very many thanks for that, Walter. You have given me a strategic structure. Apart from amending filenames, my first job will be to compare the coding of the up-to-date Freeway SendForm output with what is actually on the site. The last time the technical people updated it, they only told me after they had done it and were not too specific what it was, apart from SMTP security. The form has its uses, during a time of interregnum when the church does not have a specific clergy person in charge, as different queries have to go in different directions, according to who is able to deal with it. Having said that, I am now in some doubt that e-mail is the best way of retrieving messages, particularly as I am dealing with an inbox holding six or seven accounts for different purposes. I have a vague memory of writing forms that delivered to a server-side text file. Must look at my books/notes from 20 years ago as that might be the answer.

John W.