Weak CAPTCHA – Big Spam Problem
-
I have 3 sites going through Akismet, a Sucuri Cloud Proxy, Firewall, SpamAssassin and Wordfence. I still have a massive spam problem despite blocking countries and IPs.
It has been suggested that I use Google Re-Captcha but it doesn’t work with FS Contact form. After using your plugin for many years I hate to change, but I may have to because the CAPTCHA isn’t strong enough. Is there any way you could integrate the Google Re-Captcha?
-
I will look into making a reCaptcha addon plugin. One of the things that always held me back from that is the lack of support for two forms on one page.
Same here. On the pages that still have FS Contact Form, with the settings you suggested, the spam continues. Now they are using inbox.ru.
The Captcha is the weak spot for sure. I hope you’re able to integrate it. I so prefer FS Contact Form to Contact Form 7.
I have finished an option to use Google reCaptcha. The setting will be on the Security tab of the form edit menu. I even got it working with multiple forms on the same page. I need to do internal testing for a couple of days to make sure I did not break anything else; maybe I will release it Saturday.
I use it on my form now:
https://www.fastsecurecontactform.com/contact
We have also had a recent SPAM increase problem, unfortunately containing content most unsuitable for receipt in a “church context”. [Not that SPAM content is ever desirable.]
During my investigations into the issue I notice a couple of things:
1) You responded on another related thread about the ability to soon use Google reCAPTCHA instead. Is your intent that this will be an alternate, full replacement of the Captcha feature?
2) I noticed the form is based around “SecureImage” Captcha, apparently, I believe, related to this: https://www.phpcaptcha.org/download/
Is it possible to update the scripts of that aspect alone, from the SecureImage OEM source? [Direct replacement?, or have you “tweaked” them (the PHP) for your usage?]
This is important because I notice the version included in your module appears to be old compared to the current 3.6.4; yours is only version 1.x? This is VERY important because older versions of this script are known to suffer from a Cross-Site Scripting (XSS) vulnerability. Ref: https://www.redteam-pentesting.de/en/advisories/rt-sa-2016-002/-cross-site-scripting-in-securimage-3-6-2
As I notice the contents of the Captcha code in your distribution appear to be much older than this, it may make you vulnerable and possibly susceptible to bot attacks in an unanticipated way – will you update this to 3.6.4+?
We are now attempting to tackle the problem by turning OFF the current Captcha and instead deploying the WP-SpamShield plugin, as it seems like a good solution and it claims compatibility with your plugin, and others. We will assess the effectiveness.
Any responses appreciated.
Tim
IT Admin on behalf of Sheddocksley Baptist Church
The advisory for the cross-site scripting (XSS) vulnerability mentions that the vulnerability impacts version 3.2RC1 to 3.6.2 of Securimage, so versions older than that would not be impacted. To be sure, we checked version 4.0.45 of this plugin and it doesn’t contain the vulnerable code.
Good to know and thanks for the confirmation. We have used Fast Secure Contact Form for many years, so we certainly hoped such an answer was possible.
However, personally, I have a strong suspicion that some (other) exploit is present – it does seem too coincidental that such a wide expression of increased SPAM is reported in these forums that it can all be attributed to “human” user origin? If this is the case, I think it still suggests some kind of semi-automation of the process is occurring in order to produce the effect?
An example of one such attack on us was of Ukrainian IP origin with the mail details claiming @mail.ru. These are common sources that I feel have an automated element – the sheer volume involved kind of makes the “human” aspect less credible?
Also, we are an inconsequential target; in real terms it makes no sense, as we are not “the big boys” to warrant any “personal” attention. It seems to be targeting some combination of software and WP platform – that all suggests “automation” and “bot” to me?
Thanks again.
Tim
People who are having the spam issue, please check this setting on the form edit page – Advanced tab – Advanced Email Settings – “Send Email function”
Do you have it set to WordPress or PHP? (WordPress is default)
Also do you have the setting “Enable PHP sessions” enabled or disabled?
I want to find out if the problem is common to one of the settings or not.
@sheddocksleybaptistchurch
I made a branch off of Securimage PHP CAPTCHA many years back. From there I developed my own modifications and new features separate from their main branch. I would not be able to upgrade to their newer versions because the code base is so dissimilar now. At one point I removed the audio feature because someone published a way to solve the audio captcha with automation; I asked the programmer who published the audio-solving code if there was a way to make it solve-proof and he did not think so, so I removed the feature. I will be curious to find out if reCAPTCHA makes the problem go away.
All of my sites are set to the default for both of those items.
We also have the default Send Email set to WordPress and PHP Sessions at the default, unchecked.
Thanks
Tim
@sheddocksleybaptistchurch @beanthere22
Can you please message me here
https://www.fastsecurecontactform.com/contact
I would like to reply to you with my email address, then have you paste a couple of those spams into a reply. Make sure to copy the email headers also so I can examine them, thanks.
done
I examined some of the email headers and it looked like they were submitting directly from the form.
Try this new version and enable reCAPTCHA
4.0.46
(20 Jan 2017) – Added Google reCAPTCHA. By default, the original Secure Image CAPTCHA is enabled, but you can enable Google reCAPTCHA if you want. Just go to the form edit page Security tab – CAPTCHA Settings. Check the setting “Enable reCAPTCHA” and enter your Google reCAPTCHA keys for the site. Included is a link to get new free keys. Some users have reported a recent increase of spam on their forms; if you are having this problem, I suggest enabling Google reCAPTCHA.
I don’t know if this will add any insight or not, but I will share the commonalities of the spam origins.
I still have FS Contact Form installed on my contact pages. The issue was the contact form on my site’s sidebar. I am running 4 sites for one company and 2 of them suddenly received spam from the same 4 email addresses. Mostly mail.ru. Now they started using inbox.ru. They always used the same 2 pages to send spam using the sidebar. I replaced the sidebar contact form (FS Contact Form) with Contact Form 7 and the spam stopped. I want to put my FS Contact Form back.
Please advise when you have successfully added the Google reCAPTCHA, as that is very effective and I much prefer FS Contact Form. No more spam.
The reCAPTCHA is not appearing on any of my contact forms.
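The reCAPTCHA option announced in the 4.0.46 changelog above only stops submissions posted straight to the form handler (the pattern seen in the examined email headers) if the token is verified server-side before any mail is sent. The following is an added illustration of that server-side check; it is not code from the FS Contact Form plugin, the function names and the option name are assumptions, and it assumes WordPress is loaded so that wp_remote_post and get_option are available.

```php
<?php
// Added illustration of a server-side reCAPTCHA check for a contact form.
// Not plugin code: fscf_example_* function names and the option name are assumed.

function fscf_example_verify_recaptcha( $token, $secret, $remote_ip, $expected_host ) {
    // A missing or oversize token means the widget was skipped: reject before any network call.
    if ( ! is_string( $token ) || $token === '' || strlen( $token ) > 4096 ) {
        return array( 'ok' => false, 'reason' => 'missing-token' );
    }
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $remote_ip,
        ),
    ) );
    // Verifier unreachable: fail closed, otherwise a blocked lookup becomes an open door.
    if ( is_wp_error( $response ) ) {
        return array( 'ok' => false, 'reason' => 'verify-unreachable' );
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $data['success'] ) ) {
        // siteverify returns error-codes such as invalid-input-response or timeout-or-duplicate.
        $codes = isset( $data['error-codes'] ) ? implode( ',', (array) $data['error-codes'] ) : 'unknown';
        return array( 'ok' => false, 'reason' => 'verify-failed:' . $codes );
    }
    // siteverify reports the hostname the challenge was solved on; a token solved
    // on someone else's page and replayed here is rejected.
    if ( isset( $data['hostname'] ) && $data['hostname'] !== $expected_host ) {
        return array( 'ok' => false, 'reason' => 'hostname-mismatch' );
    }
    return array( 'ok' => true, 'reason' => '' );
}

// Runs at submission time, before the email is built. g-recaptcha-response is the
// POST field the reCAPTCHA widget adds to the form.
function fscf_example_handle_submission() {
    $token  = isset( $_POST['g-recaptcha-response'] ) ? $_POST['g-recaptcha-response'] : '';
    $secret = get_option( 'fscf_example_recaptcha_secret' ); // assumed option name
    $host   = parse_url( home_url(), PHP_URL_HOST );
    $result = fscf_example_verify_recaptcha( $token, $secret, $_SERVER['REMOTE_ADDR'], $host );
    if ( ! $result['ok'] ) {
        // The reason string is what you want in the log when triaging a spam wave.
        error_log( 'contact form rejected: ' . $result['reason'] );
        wp_die( 'CAPTCHA verification failed. Please go back and try again.' );
    }
    // ... build and send the email only after the check passes ...
}
```

Logging the rejection reason lets you tell apart bots that post with no token at all from ones that replay a stale or foreign token, which is the kind of pattern the thread is trying to pin down.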