OpenMage / magento-lts

Official OpenMage LTS codebase | Migrate easily from Magento Community Edition in minutes! Download the source code for free or contribute to OpenMage LTS | Security vulnerability patches, bug fixes, performance improvements and more.
https://www.openmage.org
Open Software License 3.0

Contact Form - Some bots can use the controller behind the form #1911

Closed addison74 closed 1 year ago

addison74 commented 2 years ago

Although I use the HoneySpam extension and the form has by default a hidden value (hideit) there are days when I receive a burst of 5 messages. In the web server log I found the following records:

156.146.63.148 - - [21/Dec/2021:09:22:29 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:29 +0200] "GET /contacts/index/ HTTP/1.0" 200 80182 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:30 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:31 +0200] "GET /contacts/index/ HTTP/1.0" 200 80182 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:32 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:32 +0200] "GET /contacts/index/ HTTP/1.0" 200 80182 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:33 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:33 +0200] "GET /contacts/index/ HTTP/1.0" 200 80182 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
156.146.63.148 - - [21/Dec/2021:09:22:34 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.mydomain.com/contacts/index/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"

If we look at the moment of accessing the links, it is obvious that it cannot be a human operator; it is a bot. It looks like a ping command using the contact form. For this IP address, located in France, only these records exist in the log. I set up a filtering rule for Fail2Ban and it is banned by now.

What is interesting is how it was able to send data with sexual content, bypassing the default Magento protection and that of the HoneySpam extension. It is not a major problem, but such a bot can saturate a mailbox, making it inaccessible for a while, by sending tens of thousands of messages. Most likely the controller has an issue allowing this. In the past I have shown that the one in the newsletter also has one, but a solution has been found and there is an open PR for it.

fballiano commented 2 years ago

Well, the Mage_Captcha module is totally obsolete and I think nobody uses it... I think we should remove it and add another solution, maybe https://github.com/magento-hackathon/HoneySpam or maybe a reCAPTCHA?

addison74 commented 2 years ago

I have been using HoneySpam for almost 2 years. I reported several issues and they were resolved quickly; I appreciate the development team, but it's not perfect, let's say 85%. Below are bots that go through the newsletter subscription form and the contact form without accessing the website. Basically, in the web server log I get only three requests: one for accessing the controller (GET), another for transmission (POST) and the last one for returning to the initial page (GET). Magento has a big issue with the controllers that are behind these forms. Fortunately, with the help of Fail2Ban I managed to fish 150 IPs every day, but about 8-10 IPs still manage to send subscription confirmations to email addresses. We talked in this project about the responsible controllers, we tried a few fixes, but it didn't work out.

We must evaluate any removal of source code so as not to create trouble for the extensions already in use. In the case of Mage_Captcha there may be extensions that use features from this module to get ready-made CAPTCHA functionality. I remember someone removed last year the JS library responsible for picking a color and it affected my Advance Product Options extension used in stores.

I consider that for Mage_Captcha there are already free extensions that do a better job. As for me, I never used it because I found that it annoys visitors to take extra actions, even if they are necessary and not time-consuming.
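A detection pass over log records in the format quoted in the first post, as an added example that is not part of this issue or of OpenMage: it flags an IP that fires repeated POSTs to /contacts/index/post/ within a short window (the burst shown above) and an IP that posts without ever fetching the form page (the "no website access" pattern described in the previous comment). The sample lines, IP addresses (documentation ranges) and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log record, the format of the lines quoted in the issue.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
CONTACT_POST = "/contacts/index/post/"   # the controller action behind the contact form

# Constructed sample: a burst like the one in the issue, one POST that never fetched
# the form, and one ordinary human submission (GET of the form, then a single POST).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Dec/2021:09:22:28 +0200] "GET /contacts/index/ HTTP/1.0" 200 80182 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Dec/2021:09:22:29 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.example.com/contacts/" "Mozilla/5.0"
203.0.113.10 - - [21/Dec/2021:09:22:30 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.example.com/contacts/index/" "Mozilla/5.0"
203.0.113.10 - - [21/Dec/2021:09:22:32 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "https://www.example.com/contacts/index/" "Mozilla/5.0"
198.51.100.7 - - [21/Dec/2021:10:01:00 +0200] "POST /contacts/index/post/ HTTP/1.0" 302 549 "-" "python-requests/2.26"
192.0.2.44 - - [21/Dec/2021:11:15:03 +0200] "GET /contacts/index/ HTTP/1.1" 200 80182 "https://www.example.com/" "Mozilla/5.0"
192.0.2.44 - - [21/Dec/2021:11:17:40 +0200] "POST /contacts/index/post/ HTTP/1.1" 302 549 "https://www.example.com/contacts/index/" "Mozilla/5.0"
"""

def parse(line):
    # Return the record as a dict with a parsed timestamp, or None for non-matching lines.
    if not (m := LOG_RE.match(line)):
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyse(lines, max_posts=3, window_s=60):
    """Map each suspicious IP to the set of reasons it was flagged."""
    posts = defaultdict(list)   # ip -> timestamps of POSTs to the contact controller
    fetched_form = set()        # ips that loaded the form page before posting
    flags = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and rec["path"].startswith("/contacts"):
            fetched_form.add(rec["ip"])
        elif rec["method"] == "POST" and rec["path"] == CONTACT_POST:
            if rec["ip"] not in fetched_form:      # headless bot: never rendered the form
                flags[rec["ip"]].add("post-without-form-get")
            posts[rec["ip"]].append(rec["ts"])
    for ip, times in posts.items():
        times.sort()                                # sliding window of max_posts submissions
        for i in range(len(times) - max_posts + 1):
            if (times[i + max_posts - 1] - times[i]).total_seconds() <= window_s:
                flags[ip].add("burst")
                break
    return dict(flags)
```

The same two rules translate directly into a Fail2Ban failregex on the POST line plus a maxretry/findtime pair, which is the kind of filter the first post mentions.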

addison74 commented 2 years ago

This is happening because the Contact Form doesn't have CSRF validation. It is similar to issue #1738.

elidrissidev commented 2 years ago

Are you willing to work on it? If not I'll do it this weekend.

addison74 commented 2 years ago

I have nothing against you taking care of this PR, especially since you know what you have to do based on the other implementation for the newsletter form. If you need, I can help you with ideas.

Once merged, I will propose removing the hideit field from the contact form. Firstly because it is useless (a lot of bots skip it), and secondly because I recommend the HoneySpam extension, which allows customizing the field name in the case of bots that fill out the entire form but skip hideit.

For more details please visit these links: https://github.com/OpenMage/magento-lts/issues/1421 and https://github.com/OpenMage/magento-lts/discussions/2045