The contact form calls a PHP script to send the emails using PHPMailer. I tried reCAPTCHA, honeypot with no luck. I finally figured out that they were targeting the PHP file directly so I changed the name of the form and the spam stopped. I checked my logs and see they are now targeting the renamed PHP file. What can I do to stop the spam?
Edit: I tried posting the code but half of it posted as code and the other half had jumbled formatting. The form is just a simple and the PHP file is just a simple script using PHPMailer.
@Zinn
Bots would just get the page, scrape the input, and submit to backend. Only real way to fix is to verify captcha result, which isn’t happening here.
Post the PHP code here so we can see what to modify to help you (don’t forget to delete your email address from it and put “my email here” instead).
I’ve found that adding some form of cryptographic signature of the data submitted does surprisingly well. Heck… Even submitting with a hash generated from the fields pretty much does it. Obviously that’s easy enough to circumvent, but the average scam submission doesn’t bother with the effort.
I maintain like 18 sites, some of them actually getting decent traffic. Think I got like 2 scam submissions via contact the entire last year… And I think those may actually have been human scammers filling out the forms too.
Look… I know this is trivial to circumvent if you’re actually being targeted, but I just throw in a JWT that contains the origin in the payload. I put that in the contact form as some data-* attribute and add it to the submitted data (header or in body or whatever). On the receiving end, just do the typical token validation on it and reject if it’s missing.
Also, and IDK if this makes any difference, but I’ve switched to contact forms being sent via Slack instead of email. I just think it is more convenient.
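The signed-token idea from the reply above, together with the server-side captcha verification an earlier reply points out is missing, as an added PHP example that is not code from this thread or from PHPMailer. An HMAC-signed token stands in for the JWT; the secret, the field names and the origin value are assumptions.

```php
<?php
// Added example (not from the thread). Secret and origin are assumptions;
// in practice load the secret from config, never from the repository.
const FORM_SECRET = 'replace-with-a-long-random-secret';
const TOKEN_TTL   = 3600; // seconds a rendered form stays valid

// Called when rendering the form: bind the token to the origin and a timestamp.
function issue_form_token(string $origin): string {
    $payload = $origin . '|' . time();
    $mac = hash_hmac('sha256', $payload, FORM_SECRET);
    return base64_encode($payload . '|' . $mac);
}

// Called by the mailer script before PHPMailer runs: reject anything we did not issue.
function verify_form_token(?string $token, string $expected_origin): bool {
    if ($token === null) return false;                 // bot POSTed straight to the script
    $decoded = base64_decode($token, true);
    if ($decoded === false) return false;
    $parts = explode('|', $decoded);
    if (count($parts) !== 3) return false;
    [$origin, $issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $origin . '|' . $issued, FORM_SECRET);
    if (!hash_equals($expected, $mac)) return false;   // forged or tampered token
    if ($origin !== $expected_origin) return false;    // token issued for another site
    if (!ctype_digit($issued) || time() - (int)$issued > TOKEN_TTL) return false; // stale
    return true;
}

// Server-side reCAPTCHA check against Google's documented siteverify endpoint.
// The client-side widget alone proves nothing; only this response does.
function recaptcha_passed(string $secret, string $response, string $remote_ip): bool {
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $response, 'remoteip' => $remote_ip]),
    ]]);
    $raw  = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    $data = $raw === false ? null : json_decode($raw, true);
    return is_array($data) && ($data['success'] ?? false) === true;
}

// In the form template (origin is an assumed value):
//   <input type="hidden" name="form_token" value="<?= issue_form_token('https://example.com') ?>">
// In the mailer script, before any PHPMailer call:
//   if (!verify_form_token($_POST['form_token'] ?? null, 'https://example.com')
//       || !recaptcha_passed($recaptchaSecret, $_POST['g-recaptcha-response'] ?? '', $_SERVER['REMOTE_ADDR'])) {
//       http_response_code(403); exit;
//   }
```

Logging the reason a submission was rejected (missing token, bad MAC, stale, captcha failed) shows whether the bots are scraping the form or still hitting the script directly.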