Form Spam

Hi All,
I have posted on this issue before - but thought that it was worth bringing up again, just to see if anyone else is running into this.

I have started getting a load of spam from my Captcha-protected online forms on one of my Concrete5 sites, and have been pretty much unable to stop the flood (over a hundred submissions since last night). Most of the spam was coming in via Guestbook comment forms on my blog, and via the many recipes that are posted on the site. Today I disabled all the forms, and have started using Disqus - which has solved the issue with the comments.

That said, what seems to have happened now is that they have simply moved to using my contact form instead (getting a spam roughly every 5 minutes currently).

I have tweaked the securimage.php file making the captcha image virtually unreadable
(See the form here: http://www.theroguegourmet.com/index.php?cID=444)...
but the spam continues.

I am going to let the site sit for now while I try to come up with a solution, but I wanted to see if anyone else is running into this? Has somebody figured out a way around the securimage captcha? I can't imagine that a bot is reading that image - I can barely do it.

Does anyone have any thoughts?

btugwell
 
Mnkras replied on at Permalink Reply
Mnkras
I'm not really sure, you could try updating securimage, the new version was committed to the svn already.
btugwell replied on at Permalink Reply
btugwell
Hopefully this will work. It occurred to me that the spam could be coming from a human being... I doubt it. The strangest thing about the content of the spam is that it is entirely gibberish - even the URLs are bad.

Example:
wR6c3N  wsbtclkglagq, [url=http://vaifjsruzkbe.com/]vaifjsruzkbe[/url], [link=http://xpekfpswwmnq.com/]xpekfpswwmnq[/link],http://fpxjibbmftsy.com/


Your Name:
XYwtMhNBzieUqqfk

Really? What's the point?
btugwell replied on at Permalink Reply
btugwell
I went ahead and grabbed the extended field tool, and applied the Google reCaptcha tool for the time being.

It would be too bad if securimage was being consistently hacked though. I am mostly interested to see if this is a wider problem that folks are having. I haven't run into it with any of my clients (yet), but I want to be prepared with some solutions (like using Google's tool). It would be great to see the Google tool integrated into the guestbook application. It's really a useful block for any page you want to add comments to - but the spam issue for a site with hundreds of such pages (which is what I was dealing with) got completely out of hand to moderate.
marmot replied on at Permalink Reply
Yes, there is a published exploit for PHPCaptcha. Even the latest version appears vulnerable :(

http://www.idontplaydarts.com/2011/05/exploit-phpcaptcha-securimage...
raine replied on at Permalink Reply
Hi,

We are still experiencing this problem. Has anyone figured out where this weird spam is coming from?

This is what we posted on the blog which was linked here:

"Thanks for this entry. We are getting some spam and guessed that it could be caused by this exploit. We removed read-permissions from the “securimage_play.php” file, but spam is still coming through. Is it possible that there’s another similar bug?"

I think in our case this bug was not the right one. Are there any other bugs? Or does anyone have suggestions how to fix this?

Thanks,
Raine
frz replied on at Permalink Reply
frz
I don't think there's a bug, I think it's just the captcha routine we
used 2.5 years ago is now being handily broken.. we've got the
community working on it:
http://www.concrete5.org/about/blog/core-roadmap/captcha-and-antisp...

best wishes

Franz Maruna
CEO - concrete5.org
http://about.me/frz
livgude replied on at Permalink Reply
I am having this problem also - gibberish on my guestbook comments. At a rate of about 4 an hour.
Any current solutions?
Thank you!
btugwell replied on at Permalink Reply
btugwell
I started using Disqus and the Google captcha option offered in the
Enhanced forms addon.
livgude replied on at Permalink Reply
Thank you! I will try this and see what happens....Fingers crossed!
mkly replied on at Permalink Reply
mkly
I know this isn't a very clean or smart answer but with 4 an hour I think you are looking for a "quick fix" until you have a "long fix"

There could be a larger problem with securimage but if they are just reading the not too strange font Concrete5 uses you could try this.

Either in
/concrete/libraries/3rdparty/securimage

or if you have updated the installation it will be in
/updates/NEWEST_VERSION_HERE/concrete/libraries/3rdparty/securimage

There will be a ttf file. It will be called something like elephant.ttf or AHGBold.ttf or something else I don't know about.

Download some wacky harder to read font from dafonts.com or something and place it in that same directory. Rename the current ttf font in there and rename your new font to whatever that old font was.

I know this isn't too pretty but it might give you a short term patch to solve the larger issue. Or it might not work at all. Figure it might be worth a shot.
mkly replied on at Permalink Reply
mkly
Depending on your version you can also try removing or renaming securimage_play.php if your edition of Concrete5 still has it.
frz replied on at Permalink Reply
frz
Yes, we have been tweaking the built-in captcha with recent versions of
concrete5; if you haven't upgraded in a while you should.

best wishes

Franz Maruna
CEO - concrete5.org
http://about.me/frz
livgude replied on at Permalink Reply
Thank you! I have upgraded - so will try some other suggestions.
mkly replied on at Permalink Reply
mkly
I don't believe the Concrete5 implementation of securimage includes the securimage_play.php file that appears to be described in this exploit.

Oh... just checked. The older ones do. Anyone viewing this you can remove or rename the securimage_play.php file to prevent this exploit. Although the audio for visually impaired will not function.
livgude replied on at Permalink Reply
Thank you!
simonchilton replied on at Permalink Reply
simonchilton
I don't think this is related, but thought I'd post it here in case anyone monitoring has an answer...

We had a form on a page on our C5 5.5.1 site and started getting between 50 and 100 spam emails per day. We removed the form (it was no longer needed anyway, so we didn't bother with captcha). We're still getting 50-100 spam emails per day. I can't see how this is possible - there are no forms on our site now - anyone have any ideas? Thanks, Simon.

The URL of our form was http://www.brighton.ac.uk/prc2012/index.php/call-for-papers/,... and we had installed the Form Tableless Layout - 1.1.1 add-on.
thebigideasman replied on at Permalink Reply
thebigideasman
Hi Guys,

I know this is an old post, but my website http://devon-lodge-holidays.com... is getting majorly attacked by spammers via the footer email data capture form.

It didn't originally have a spam captcha, but I have since added this and it hasn't stopped or even slowed the amount of spam my client is getting.

Does anyone have any thoughts or solutions please?
apc123 replied on at Permalink Reply
apc123
I had a client that was recently hit with a bunch of form spam. All of it was originating from China. The client's business is based solely in New York so I used the hammer approach - I blocked all traffic from China.

No more spam.

It's not an elegant solution but it's highly effective if your business can afford it.
thebigideasman replied on at Permalink Reply
thebigideasman
Hi @apc123, thanks for the reply.

Can I ask how you can tell where it's originating from and how you blocked it?
apc123 replied on at Permalink Reply
apc123
I went through the server logs checking the entry time versus the time the spam was sent. Then I checked those IP addresses against ARIN (arin.net/whois/) to find out where they were originating from (China).

From there I blocked all of China at the DNS level. This client is using CloudFlare for their DNS so it is simple to set up this rule.
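
The log correlation described in the post above, as an added example that is not part of the original thread or any poster's own code: it matches form POSTs in a web access log against the times the spam e-mails arrived and rolls the matching addresses up to networks for the WHOIS lookup. The log lines, spam times, form path, 30-second window and /24 grouping are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: Apache common-log-format lines using documentation IP ranges.
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2013:10:04:58 +0000] "POST /index.php/contact/ HTTP/1.1" 200 5120
198.51.100.23 - - [12/Mar/2013:10:05:10 +0000] "GET /index.php/contact/ HTTP/1.1" 200 8342
203.0.113.7 - - [12/Mar/2013:10:09:57 +0000] "POST /index.php/contact/ HTTP/1.1" 200 5120
192.0.2.50 - - [12/Mar/2013:10:12:30 +0000] "POST /index.php/contact/ HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2013:10:14:59 +0000] "POST /index.php/contact/ HTTP/1.1" 200 5120
""".splitlines()
# Constructed sample: times (UTC) at which the spam form e-mails arrived.
SPAM_TIMES = ["2013-03-12 10:05:00", "2013-03-12 10:10:00", "2013-03-12 10:15:00"]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse_posts(lines):
    """Yield (timestamp, ip, path) for each POST request; skip unparseable lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(3) == "POST":
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group(1), m.group(4)

def suspect_ips(lines, spam_times, window_seconds=30):
    """Count POSTs per IP made at most window_seconds before a spam e-mail."""
    window = timedelta(seconds=window_seconds)
    sent = [datetime.strptime(t + " +0000", "%Y-%m-%d %H:%M:%S %z") for t in spam_times]
    hits = Counter()
    for ts, ip, _path in parse_posts(lines):
        if any(timedelta(0) <= s - ts <= window for s in sent):
            hits[ip] += 1
    return hits

def by_network(hits, prefix=24):
    """Roll per-IP counts up to networks (assumed /24) before looking them up."""
    nets = Counter()
    for ip, n in hits.items():
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += n
    return nets

if __name__ == "__main__":
    hits = suspect_ips(ACCESS_LOG, SPAM_TIMES)
    for net, n in by_network(hits).most_common():
        print(f"{net}\t{n} POST(s) just before a spam e-mail")  # candidates for WHOIS
```

A legitimate visitor who happens to submit the form close to a spam e-mail will also be counted, so repeated hits across many spam times are a stronger signal than a single match.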
thebigideasman replied on at Permalink Reply
thebigideasman
Hi APC, you might want to check out this solution at the bottom of a forum thread I started about this and so far "exchangecore's" solution has stopped all the spam, but only time will tell if it works permanently.

Thanks again
thebigideasman replied on at Permalink Reply
thebigideasman
Sorry, didn't add the link http://www.concrete5.org/index.php?cID=622460&editmode=... I'm still evaluating it to see if it works, but so far (fingers crossed) it looks positive.