wp-blocks / cf7-antispam

☂️ A trustworthy antispam plugin for Contact Form 7.

Humans are getting blacklisted #9

Open what-ri opened 2 years ago

what-ri commented 2 years ago

Hi Erik, I really like the plugin and the option to ban the IPs on multiple failed submissions.

I noticed quite a few legit submissions were trapped by the plugin and their IP was blacklisted, even when we switched off all options and only left "Enable anti-bot checks", "Check IP on DNS blocklist" and auto-ban IPs on 10 failed attempts. But some IPs got blacklisted after only 2-3 attempts instead of 10. So basically minimum checks were in place.

An example on submissions marked as spam that were legit entries:

Spam log: data_mismatch: Version mismatch '' != '0.3.0'; bot_fingerprint: timezone, platform, screens, user_agent, app_version, webdriver, session_storage, bot_fingerprint, hardware_concurrency, memory
Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/100 Mobile/15E148 Version/15.0
Spam log: bot_fingerprint: timezone, platform, screens, user_agent, app_version, webdriver, session_storage, bot_fingerprint, hardware_concurrency, memory
Mozilla/5.0 (Linux; Android 12; SM-A325F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Mobile Safari/537.36

erikyo commented 2 years ago

Thanks @what-ri for reporting this bug! Soon I will publish an improved version of the plugin with the fix for this issue! Thanks again!

erikyo commented 2 years ago

(the spam log was very useful because I have actually had other similar cases.)

It seems that under certain conditions the fingerprinting challenge on mobile does not take place, as reported by what-ri, sometimes after a failed attempt.

adambichler commented 2 years ago

I found a similar issue: as most bad actors use a VPN to hide their identity, most of the VPNs out there will be listed on the blacklists sooner or later. So if any user uses a VPN while filling the form (and "Check IP on DNS blocklist" is activated), the form will not be able to be submitted. I'm not sure how to fix this issue though, except by disabling "Check IP on DNS blocklist".

erikyo commented 2 years ago

@adambichler this does not happen to me (most of the bots that send me e-mails use botnet-infected computers) but good to know because in this case I lower the 'score_dnsbl' (or put a warning or similar).

The issue @what-ri reported (as far as I can see from the logs) was due to the fact that the form was reloaded but the data that the plugin adds to hidden inputs to verify you are not a bot was not executed. This happens when cf7 is not in ajax mode, and I think I have solved it.
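The two false-positive sources discussed in this thread (a DNSBL hit on a VPN user's IP, and a reload where the challenge script never filled the hidden fields) can be illustrated with a small scorer. This is an added example, not code from the cf7-antispam plugin: the hidden-field name `_cf7a_version`, the weights, the threshold and the DNSBL zone `dnsbl.example` are assumptions, the sample submissions are constructed, and DNSBL answers are passed in pre-resolved so nothing touches the network. The fingerprint keys and the `0.3.0` version string come from the spam log quoted above.

```python
"""Scoring sketch for the false positives discussed in this issue (added example)."""
from dataclasses import dataclass

EXPECTED_VERSION = "0.3.0"  # version string seen in the issue's spam log
# fingerprint keys listed in the issue's spam log
FINGERPRINT_KEYS = ("timezone", "platform", "screens", "user_agent",
                    "app_version", "webdriver", "session_storage",
                    "bot_fingerprint", "hardware_concurrency", "memory")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL lookup would resolve (no lookup is done)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


@dataclass
class Verdict:
    score: float
    reasons: list
    is_spam: bool
    counts_toward_ban: bool


def evaluate(fields: dict, dnsbl_hits: list, *, score_dnsbl: float = 1.0,
             score_nojs: float = 1.0, score_fingerprint: float = 5.0,
             threshold: float = 5.0) -> Verdict:
    """Combine signals into one score; only fingerprint failures feed the ban counter."""
    score, reasons = 0.0, []
    # A DNSBL hit is a weak, weighted signal (VPN exits get listed too):
    # on its own it stays below the threshold instead of rejecting outright.
    for zone in dnsbl_hits:
        score += score_dnsbl
        reasons.append(f"dnsbl:{zone}")

    version = fields.get("_cf7a_version", "")
    missing = [k for k in FINGERPRINT_KEYS if fields.get(k, "") == ""]

    if version == "" and len(missing) == len(FINGERPRINT_KEYS):
        # Shape of the first log in the issue: every hidden field is empty because
        # the challenge script never ran (non-AJAX reload). Treat it as "challenge
        # not performed", not as a bot, and never count it toward auto-ban.
        score += score_nojs
        reasons.append("challenge_not_run")
        return Verdict(score, reasons, score >= threshold, False)

    if version != EXPECTED_VERSION:
        score += score_fingerprint
        reasons.append(f"data_mismatch: Version mismatch '{version}' != '{EXPECTED_VERSION}'")
    if missing:  # script ran but some values never arrived: the strong signal
        score += score_fingerprint
        reasons.append("bot_fingerprint: " + ", ".join(missing))
    is_spam = score >= threshold
    return Verdict(score, reasons, is_spam, is_spam)


class BanTracker:
    """Per-IP counter of failed attempts; bans at max_failed (10 in the issue)."""

    def __init__(self, max_failed: int = 10):
        self.max_failed = max_failed
        self.failed: dict = {}

    def record(self, ip: str, verdict: Verdict) -> bool:
        if verdict.counts_toward_ban:
            self.failed[ip] = self.failed.get(ip, 0) + 1
        return self.failed.get(ip, 0) >= self.max_failed


# Constructed sample submissions (not real traffic).
HUMAN_ON_VPN = {"_cf7a_version": "0.3.0", **{k: "set" for k in FINGERPRINT_KEYS}}
RELOADED_WITHOUT_JS = {}  # every hidden field empty, as in the issue's first log
HEADLESS_BOT = {"_cf7a_version": "0.3.0", "timezone": "UTC", "platform": "Linux"}

if __name__ == "__main__":
    print(dnsbl_query_name("203.0.113.7", "dnsbl.example"))
    for name, fields, hits in [("human on VPN", HUMAN_ON_VPN, ["dnsbl.example"]),
                               ("reload without JS", RELOADED_WITHOUT_JS, []),
                               ("headless bot", HEADLESS_BOT, [])]:
        v = evaluate(fields, hits)
        print(f"{name}: score={v.score} spam={v.is_spam} "
              f"counts_toward_ban={v.counts_toward_ban} {v.reasons}")
```

The design choice is that only a submission where the challenge ran and still failed increments the per-IP counter; a listed VPN exit or a reload without JavaScript can raise the score but cannot on its own push a human toward the 10-attempt ban.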