
Increasing spam despite spam protection / security question

Open birdmedia opened this issue 6 years ago • 13 comments

It seems like the standard spam protection "security question" can easily be solved by current (mainly Russian) spam bots. The standard captcha function should therefore be replaced, or at least the currently used operations should be modified.

birdmedia avatar Apr 18 '18 13:04 birdmedia

According to forum reports this also affects the honeypot captcha in Contao 4.4. Despite the honeypot being present, a lot of spam goes through. Though I have not yet witnessed that myself.

fritzmg avatar Apr 18 '18 13:04 fritzmg

@birdmedia which version of Contao do you use?

ausi avatar Apr 18 '18 19:04 ausi

The problem mainly occurs in Contao 3.5.3X

birdmedia avatar Apr 18 '18 21:04 birdmedia

We have been observing the same in a few contact forms (3.5.3x) for about 2 months. I don't think there is a reliable general solution. For some cases, we have specific anti-spam code added via the prepareFormData hook - for example see https://wiki.fleckwerk.de/doku.php/contao/schnipsel/form_spam_russian As far as I remember, a simple honeypot (extra field hidden by external CSS) did not work.

ghost avatar Apr 19 '18 15:04 ghost

Using madeyourday/contao-rocksolid-antispam will help to reduce the spam mails.

frontendschlampe avatar Apr 19 '18 19:04 frontendschlampe

@birdmedia Can you provide an affected installation where we can analyze the log files?

leofeyer avatar May 17 '18 13:05 leofeyer

Unfortunately, we removed every existing log file and disabled the creation of new log files (via chmod) due to GDPR compliance.

birdmedia avatar May 17 '18 17:05 birdmedia

Since no-one can provide log files, I'm closing this ticket for now. Feel free to create a new ticket if you have the required log files.

leofeyer avatar Aug 30 '18 13:08 leofeyer

~~I have a Contao 3.5.3x installation here where, despite the security question being enabled (contao-rocksolid-antispam), a lot of spam requests have been coming in for weeks. You need the server log files, am I understanding that correctly? I would enable them now.~~

Sorry, my mistake. That is the normal security question.

bibib avatar Sep 18 '18 13:09 bibib

@contao/developers what do you need to check the problem? Which information in access.log?

frontendschlampe avatar Nov 13 '18 14:11 frontendschlampe

I think for the honeypot it would be great to have the full POST request (headers, body, everything) so we can actually check if the bot really sends the correct data.

Toflar avatar Nov 13 '18 14:11 Toflar

If you are using Contao 4.6, you can register a prepareFormData hook with a function like this:

// Collect the raw request so we can see exactly what the bot submitted
$data = [
    'post' => $_POST,
    'server' => $_SERVER,
];

// The captcha answer field is named captcha_<id>; find it in the POST data
$captchaKey = array_values(array_filter(array_keys($_POST), function ($key) {
    return preg_match('/^captcha_[0-9]+$/', $key);
}))[0] ?? null;

if ($captchaKey) {
    $data['captchaKey'] = $captchaKey;

    // generateHashes() is protected, so call it via reflection to log the
    // hashes that would be accepted for the submitted answer
    $generateHashes = (new \ReflectionClass('Contao\FormCaptcha'))->getMethod('generateHashes');
    $generateHashes->setAccessible(true);
    $data['hashes'] = $generateHashes->invoke(new \Contao\FormCaptcha(), $_POST[$captchaKey]);
}

// Append the dump to var/spam-log.txt inside the Contao root
file_put_contents(TL_ROOT.'/var/spam-log.txt', print_r($data, true), FILE_APPEND);

After you have received some spam, you can send me the /var/spam-log.txt file via email.

ausi avatar Nov 13 '18 18:11 ausi
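The spam-log.txt written by the hook above is a series of appended print_r dumps. As an added example (not part of this thread or of Contao), here is a small Python parser plus a triage helper that reports, per request, whether the captcha_X and captcha_X_name fields were present and whether the _name value is among the logged hashes. It assumes single-line values and that the _name value is what the form compares against the generated hashes (an assumption, not confirmed on this page); the sample log is constructed.

```python
import re

# Constructed sample of the print_r dumps the spam-log hook above appends (made-up values).
SAMPLE_LOG = """Array
(
    [post] => Array
        (
            [captcha_17] => 12
            [captcha_17_name] => 3a9f
        )
    [captchaKey] => captcha_17
    [hashes] => Array
        (
            [0] => 3a9f
        )
)
Array
(
    [post] => Array
        (
            [message] => buy now
        )
)
"""

def parse_array(lines, i):
    # lines[i] is the '(' opening a print_r array; returns (dict, index after its ')')
    out, i = {}, i + 1
    while lines[i].strip() != ')':
        m = re.match(r'^\[(.*?)\] => (.*)$', lines[i].strip())
        if m and m.group(2) == 'Array':   # nested array: recurse from its '(' line
            out[m.group(1)], i = parse_array(lines, i + 1)
        else:
            if m: out[m.group(1)] = m.group(2)  # blank separator lines fall through
            i += 1
    return out, i + 1

def parse_log(text):
    # FILE_APPEND concatenates whole dumps; each top-level 'Array' line starts one entry
    lines, entries, i = text.splitlines(), [], 0
    while i < len(lines):
        i += 1
        if lines[i - 1].strip() == 'Array':
            entry, i = parse_array(lines, i)
            entries.append(entry)
    return entries

def triage(entry):
    # Did the request carry captcha_X and captcha_X_name, and is _name one of the hashes?
    # (Assumes _name is the value compared against the hashes; not confirmed in the thread.)
    post, key = entry.get('post', {}), entry.get('captchaKey')
    name = post.get(key + '_name') if key else None
    hashes = set(entry.get('hashes', {}).values())
    return {'captcha_key': key, 'has_name': name is not None, 'name_in_hashes': name in hashes}
```

Run `for e in parse_log(open('var/spam-log.txt').read()): print(triage(e))` against a real log to see which requests skipped the captcha fields entirely and which carried a matching _name value.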

~~Analyzing a log file I noticed that the spammer didn’t send the captcha_X_name field at all which probably is something we should check for.~~

EDIT: no it’s not :(

~~We could add || !isset($_POST[$this->strCaptchaKey.'_name']) to https://github.com/contao/contao/blob/e79f4cb153e09f34c678e500b9031990b8bd81c5/core-bundle/src/Resources/contao/forms/FormCaptcha.php#L128~~

ausi avatar Feb 12 '19 22:02 ausi