contao / core

Contao 3 → see contao/contao for Contao 4
GNU Lesser General Public License v3.0

Increasing spam despite spam protection / security question #8874

Open birdmedia opened 6 years ago

birdmedia commented 6 years ago

It seems like the standard spam protection "security question" can easily be solved by current (mainly Russian) spam bots. The standard captcha function should therefore be replaced or at least the currently used operations should be modified.

fritzmg commented 6 years ago

According to forum reports this also affects the honeypot captcha in Contao 4.4. Despite the honeypot being present, a lot of spam goes through. Though I have not yet witnessed that myself.

ausi commented 6 years ago

@birdmedia which version of Contao do you use?

birdmedia commented 6 years ago

The problem mainly occurs in Contao 3.5.3X

ghost commented 6 years ago

We observe the same in a few contact forms (3.5.3x) for about 2 months now. I don't think there is a reliable general solution. For some cases, we have specific anti-spam code added via the prepareFormData hook - for example see https://wiki.fleckwerk.de/doku.php/contao/schnipsel/form_spam_russian As far as I remember, a simple honeypot (extra field hidden by external CSS) did not work.

frontendschlampe commented 6 years ago

Using madeyourday/contao-rocksolid-antispam will help to reduce the spam mails.

leofeyer commented 6 years ago

@birdmedia Can you provide an affected installation where we can analyze the log files?

birdmedia commented 6 years ago

Unfortunately, we removed every existing log file and disabled the creation of new log files (via chmod) due to GDPR compliance.

leofeyer commented 5 years ago

Since no-one can provide log files, I'm closing this ticket for now. Feel free to create a new ticket if you have the required log files.

bibib commented 5 years ago

I have a Contao 3.5.3x installation here where, despite the security question being enabled (contao-rocksolid-antispam), a lot of spam requests have been coming in for weeks. You need the server log files, am I right? I would activate them now then.

Sorry, my mistake. It is the normal security question.

frontendschlampe commented 5 years ago

@contao/developers what do you need to check the problem? Which information in access.log?

Toflar commented 5 years ago

I think for the honeypot it would be great to have the full POST request (headers, body, everything) so we can actually check if the bot really sends the correct data.

ausi commented 5 years ago

If you are using Contao 4.6, you can register a prepareFormData hook with a function like this:

// Record the complete request so bot submissions can be compared with real ones
$data = [
    'post' => $_POST,
    'server' => $_SERVER,
];

// Find the captcha field; its name is "captcha_" followed by the field ID
$captchaKey = array_values(array_filter(array_keys($_POST), function($key) {
    return preg_match('/^captcha_[0-9]+$/', $key);
}))[0] ?? null;

if ($captchaKey) {
    $data['captchaKey'] = $captchaKey;
    // generateHashes() is protected, so call it via reflection to record
    // which hashes the server would accept for the submitted answer
    $generateHashes = (new \ReflectionClass('Contao\FormCaptcha'))->getMethod('generateHashes');
    $generateHashes->setAccessible(true);
    $data['hashes'] = $generateHashes->invoke(new \Contao\FormCaptcha, $_POST[$captchaKey]);
}

// Append the dump to a log file in var/ (one print_r block per submission)
file_put_contents(TL_ROOT.'/var/spam-log.txt', print_r($data, true), FILE_APPEND);

After you received some spam, you can send me the /var/spam-log.txt file via email.
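As an added example (not code from this issue or from Contao itself), here is the triage check Toflar and ausi describe, applied to the `$data` array the hook above assembles: it reports whether the submission carried the `captcha_X_name` field, whether the posted `captcha_X_hash` is one of the hashes the server would accept for the posted answer, and whether the answer is a plain number. The field names and the shape of the `hashes` array are assumptions taken from the hook above; the sample entries are constructed.

```php
<?php
// Added example, not Contao's own code. Assumes the $data layout built by the
// prepareFormData hook above: 'post' (the $_POST array), 'captchaKey'
// (e.g. "captcha_7") and 'hashes' (hashes the server accepts for that answer).
// Returns a verdict plus the list of checks that failed.
function triageCaptchaSubmission(array $data): array
{
    $post = $data['post'] ?? [];
    $key = $data['captchaKey'] ?? null;
    $problems = [];

    if ($key === null) {
        return ['verdict' => 'no-captcha-field', 'problems' => ['captcha field missing from POST']];
    }

    // The answer to the security question must be a plain integer
    if (!isset($post[$key]) || preg_match('/^\d+$/', (string) $post[$key]) !== 1) {
        $problems[] = 'answer is not a number';
    }

    // The hidden _name field should be sent by a browser, but left empty (assumed semantics)
    if (!array_key_exists($key . '_name', $post)) {
        $problems[] = '_name field not sent at all';
    } elseif ((string) $post[$key . '_name'] !== '') {
        $problems[] = '_name field was filled in';
    }

    // The posted hash must be one of the hashes the server generated for the answer
    $hashes = $data['hashes'] ?? [];
    if (!isset($post[$key . '_hash'])) {
        $problems[] = '_hash field missing';
    } elseif (!in_array((string) $post[$key . '_hash'], $hashes, true)) {
        $problems[] = 'hash does not match the posted answer';
    }

    return ['verdict' => $problems ? 'suspicious' : 'consistent', 'problems' => $problems];
}

// Constructed sample entries: one resembling a browser submission and one where
// the client sent an answer and a stale hash but skipped the hidden _name field
$samples = [
    'browser' => ['captchaKey' => 'captcha_7', 'hashes' => ['abc123'],
        'post' => ['captcha_7' => '12', 'captcha_7_hash' => 'abc123', 'captcha_7_name' => '']],
    'bot' => ['captchaKey' => 'captcha_7', 'hashes' => ['abc123'],
        'post' => ['captcha_7' => '12', 'captcha_7_hash' => 'ffff']],
];

foreach ($samples as $label => $entry) {
    $result = triageCaptchaSubmission($entry);
    printf("%s: %s %s\n", $label, $result['verdict'], implode('; ', $result['problems']));
}
```

Running the function inside the hook instead of on the saved log lets each submission be tagged in the log file at the time it arrives.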

ausi commented 5 years ago

Analyzing a log file I noticed that the spammer didn't send the captcha_X_name field at all, which probably is something we should check for.

EDIT: no it’s not :(

We could add || !isset($_POST[$this->strCaptchaKey.'_name']) to https://github.com/contao/contao/blob/e79f4cb153e09f34c678e500b9031990b8bd81c5/core-bundle/src/Resources/contao/forms/FormCaptcha.php#L128