plain-solutions-gmbh / kirby-form-block-suite

This form plugin for Kirby offers you maximum flexibility and usability. It can be used as a block anywhere you needed. This repository replaces the obsolete version 2.0.

Is there a way to check whether the honeypot is working? #49

Closed brandsis closed 4 months ago

brandsis commented 4 months ago

Since relaunching my website, with Form Block Suite included, I've been getting 1-2 contact form submissions a day that are clearly not 'real' submissions.

Here are a couple of examples...

Is there a way of checking whether the honeypot is working for me? And are there any options for additional security steps, via the config for example?

Many thanks.

plain-solutions-gmbh commented 4 months ago

First of all: Your validator is not working properly. There is a 404 on the JavaScript https://brandsistency.com/form/validator. Try to delete (first backup) your media and site/cache folder.

You can try the honeypot by exploring the form in your browser's inspector. Remove the stylings from the formfield__hpot class. Then you can see the input element, enter something and send the form. You should now get an error.

Or try to change type="search" to type="input" in the file site/plugins/kirby-form-block-suite/snippets/blocks/formcore/hidden.php for testing purposes. Let me know if that does something.

brandsis commented 4 months ago

Hi, Roman. I've deleted the media and site/cache folders in both my test (4.1.2) and production (4.1.1) sites. In both cases, after clearing cache etc, navigating to /form/validator still returns a 404.

I revealed the honeypot type="search" field and tried a submission with something entered there. I didn't get an error as such but the form would not submit. Clicking on the submit button simply did nothing and the page remained 'static'. However, clearing the field and trying to submit did display the "This field is required." error message. Perhaps not getting an error with the honeypot filled is due to the absence of /form/validator? At least I can tell that there is a blocker.

I haven't tried the input type change yet because I assume we need to get the validator working first?

plain-solutions-gmbh commented 4 months ago

Let's focus on the 404 error. It's essential to continue with your main problem. If everything works properly, Kirby should create symbolic links like this:

media/plugins/microman/formblock/formblock.js
media/plugins/microman/formblock/formblock.css

I'm sure these are available on your system, but they cannot be reached from the outside. In this case add Options +FollowSymlinks to your .htaccess.

brandsis commented 4 months ago

Hi, Roman. Here are my findings...

Just to confirm my setup...

    'microman.formblock' => [
        'from_email' => ["form@brandsistency.com" => "Brandsistency website"],
        'translations' => [
            'en' => [
                'send_button' => 'Send message',
                'loading' => 'Send message'
            ]
        ]
    ],

The form works but I am still getting a couple of spam submissions from the PROD site each day.

Is there something else I'm missing?

(I have noticed that roughly half of the spam submissions are coming from two email addresses. In the short-term, is there anything I can do programmatically – in the config, for example – to block submissions from specific emails?)

plain-solutions-gmbh commented 4 months ago

Maybe your hosting could support you with the symlink problem.

I may have a solution to block some email addresses. Put this into your config under microman.formblock:


    'validation:before' => function (string $type, string $value, array $errors): array {
        if ($type === 'email' && in_array($value, ['inet4747@outlook.com', 'lucido.leinteract@gmail.com'])) {
            $errors[] = "Your Email is blocked!";
        }
        return $errors;
    }

Let me know if this works...

calebgrove commented 4 months ago

Just a thought here (I'm having the same problem with the contact forms and spam on tjelectricinc.net). Looking at the source code for the /form/validate route, it will only route on a POST request. So, pointing a browser's GET request to that URL should return a 404 error, I think.

https://github.com/youngcut/kirby-form-block-suite/blob/6dad41d33d174ab8f9de6466866ea7de3afd3953/index.php#L61

If I send a POST request to my forms with debug mode on, I get another error that references invalid page object, which I suspect is just because it's a straight POST request with no payload?

plain-solutions-gmbh commented 4 months ago

Hi calebgrove. A good point:

@brandsis:

If you open https://brandsistency.com/form/validator directly in your browser, you'll always get a 404 error. (Sorry, I forgot to mention it.)

To check if the validator works:

[Screenshot 2024-04-26 08:37:27]

Which means, your validator is working now! 🤗

@calebgrove

Your Validator works as well:

[Screenshot 2024-04-26 08:38:19]

It's expected behavior that you get an error on an empty POST request. That's because the payload contains (among other things) the id of the form block.

But that doesn't solve the spam problem. 😢 I can only point to the workaround in this post. At the moment, I have no resources to implement a captcha tool, which would be the proper way to protect against spam.

plain-solutions-gmbh commented 4 months ago

...to hell with it: Spam protection (captcha) is included in v4.2.0. Please test it and let me know how it works....

brandsis commented 4 months ago

Thanks, Roman. I've tried v4.2.0 and the CAPTCHA works perfectly.

In parallel, I've managed to install Cloudflare Turnstile – I try to steer clear of Google products like reCAPTCHA. I've written some JavaScript to add the necessary Turnstile div into the form just before the submit button. And I've added the Turnstile scripts to the page template and some PHP for server-side validation. It seems to be working.

I'll try both solutions to see which UX I prefer. But many thanks for adding the CAPTCHA – it's a great addition to the plugin.

brandsis commented 4 months ago

Hi, Roman. I've tried the email blocking config code and, assuming I've done it correctly, it doesn't seem to be working. I added the code, so that this is what I now have in my config.php file...

    'microman.formblock' => [
        'from_email' => ["form@brandsistency.com" => "Brandsistency website"],
        'translations' => [
            'en' => [
                'send_button' => 'Send message',
                'loading' => 'Send message'
            ]
        ],
        'validation:before' => function (string $type, string $value, array $errors): array {
            if ($type === 'email' && in_array($value, ['inet4747@outlook.com', 'lucido.leinteract@gmail.com'])) {
                $errors[] = "Your email address has been blocked.";
            }
            return $errors;
        }
    ],

Having cleared cache everywhere, I am able to make successful submissions if I enter those email addresses in the email field.

plain-solutions-gmbh commented 4 months ago

Not so fast. 😜 I've debugged your example. Coming up in the next release 4.2.1. The example will be shown as an example. The problem was that validation:before should be formblock.validation:before and is a part of hooks.

brandsis commented 4 months ago

Roman, I've tried that in my localhost environment and submissions from 'blocked' email addresses are still getting through. I put into config.php exactly the same code you'd recommended before but with formblock. added in...

    'microman.formblock' => [
        'from_email' => ["form@brandsistency.com" => "Brandsistency website"],
        'formblock.validation:before' => function (string $type, string $value, array $errors): array {
            if ($type === 'email' && in_array($value, ['inet4747@outlook.com', 'lucido.leinteract@gmail.com'])) {
                $errors[] = "Your email address has been blocked.";
            }
            return $errors;
        }
    ],

I can try in my internet-facing test site later but, in the meantime, have I missed something?

brandsis commented 4 months ago

I've now tried it in a public-facing site as well and the result is the same. 'Blocked' email addresses are still allowed through.

plain-solutions-gmbh commented 3 months ago

formblock.validation:before should be inside hooks and not in microman.formblock.

brandsis commented 3 months ago

Hi, Roman. I now have this in config.php...

return [
    /* Other settings */
    'hooks' => [
        'formblock.validation:before' => function (string $type, string $value, array $errors): array {
            if ($type === 'email' && in_array($value, [ 'inet4747@outlook.com', 'lucido.leinteract@gmail.com' ])) {
                $errors[] = "Your email address has been blocked.";
            }
            return $errors;
        }
    ],
    /* Other settings */
];

...but submissions from those email addresses are still getting through. Have I not implemented it correctly?

plain-solutions-gmbh commented 3 months ago

Replace $type with $slug and give it another try. 😉 The hook methods of Kirby are a little bit special.

brandsis commented 3 months ago

Thanks, Roman. That's worked in that the listed emails can't submit anymore. But the error message doesn't display. Instead the page remains static – clicking the submit button does nothing.

That's not a big deal, though, because I'm not too worried about the user experience for spam emails! 😉
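For reference, here is the hook configuration the thread arrived at (hooks section, $slug parameter), written out as an added example rather than code from the plugin or from either participant. It assumes the hook signature used above, (string $slug, string $value, array $errors): array, with $slug === 'email' for the email field, and extends it with case normalisation and a sender-domain blocklist; the addresses and domains are constructed placeholders.

```php
<?php
// site/config/config.php (added example, not the plugin's own code).
// Assumes Kirby passes the hook's arguments by name, so the first
// parameter must be called $slug, as the thread above established.

// Constructed blocklist: exact addresses and whole sender domains, lower-case.
$blockedAddresses = ['spammer@example.com'];
$blockedDomains   = ['example.net'];

// Returns true when the submitted value matches a blocked address or domain.
// Normalising case and whitespace stops trivial variations slipping through.
$isBlockedEmail = function (string $value) use ($blockedAddresses, $blockedDomains): bool {
    $email = strtolower(trim($value));
    if (in_array($email, $blockedAddresses, true)) {
        return true;
    }
    $at = strrpos($email, '@');
    if ($at === false) {
        return false; // not an address; the normal email validator handles it
    }
    return in_array(substr($email, $at + 1), $blockedDomains, true);
};

return [
    /* Other settings */
    'hooks' => [
        'formblock.validation:before' => function (string $slug, string $value, array $errors) use ($isBlockedEmail): array {
            if ($slug === 'email' && $isBlockedEmail($value)) {
                // Appending an error makes the submission fail validation.
                $errors[] = 'Your email address has been blocked.';
            }
            return $errors;
        },
    ],
    /* Other settings */
];
```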