sumsel, posted May 15, 2017

Hi folks, I could use some help. A Chinese fraud and virus spammer has decided to send me tons of messages via contact form. However he doesn't need the contact form to do that, and I have no clue how that is even possible.

How did I find out? I replaced the contact-form.tpl with a static HTML page which stated that due to spam the contact form was temporarily disabled. But I still got spam via contact form!! With no contact form even present in the shop!! That sender seems to have a way to call the scripts usually used in the contact form to send messages, and does not need any forms.

I put the shop into maintenance mode. I didn't get spam then. At least something. For obvious reasons, that is not my preferred permanent solution.

Then I searched this forum, and successfully found and implemented a recaptcha for my contact form. Put the shop back online. Got spam again. Put the shop offline.

What do I do against that?? Thanks for any hints.
musicmaster, posted May 15, 2017

When you fill in a form on a website and submit it, it is "received" by another piece of software. It sounds like you disabled the form but not the receiving software. And that the spammer has built some software that simulates your form.
sumsel (Author), posted May 16, 2017

Yes, that is indeed what it seems like. So what do I do? I can live with a shop that doesn't have the contact form functionality. I tested disabling the email feature but that also disables all emails during product ordering, a no-go. I would like to selectively disable the email through contact form function. Any hints how I can achieve that?

Of course a more advanced solution which really prevents this kind of spam would be better, but first things first. I want my shop back, without contact form spam. Hope somebody can help. Thanks!
ziro1986, posted May 16, 2017

Hi, I have exactly the same problem. Bot does not need a form to send spam. Any idea how to block it?
musicmaster, posted May 16, 2017

I hope you are aware of the Send-to-a-friend module spam problem and that it isn't that problem that you have. That module allowed spammers to use your site to send spam. By now there is an upgrade that solves the problem.
https://www.prestashop.com/forums/topic/539185-somebody-sending-out-spam-using-the-send-to-a-friend-module/

As far as I can see the forms are processed in the file controllers/front/ContactController.php. You might want to change that file.
sumsel (Author), posted May 16, 2017

Thank you. I have seen the send-to-a-friend spam issue, and as I have never had the send to a friend function active, I concluded this was unrelated. I'm currently experimenting with the ContactController.php and will post any results I may get.
sumsel (Author), posted May 16, 2017

I am now trying the Hammer method, search and destroy. I renamed ContactController.php to _ContactController.php, with the intention of killing any process which would rely on this controller to work, hoping that sending spam through a bot is one of those processes.

This leads to a 404 error when somebody tries to open the contact form, no matter which content is in that contact form. So I also unhooked the contact block from the DisplayNav position. For the average user, there simply is no contact form any more, and as our customer service email address is displayed on every page, I think that is no problem in itself.

Of course this method is the most dirty way thinkable, and I'm not entirely sure what else I have destroyed with this, so not a recommendation but merely a report of what I'm doing to my shop. If I get more insights, I will post again. Should I forget to post, then that's a sign it may have worked as I intended.
ziro1986, posted May 16, 2017

Sumsel, what PrestaShop version do you use? I've got this problem on version 1.4.3.
sumsel (Author), posted May 16, 2017

1.6.1.7 here. In the couple of hours since renaming the controller no spam has arrived, but an order has gone through and I received the email notification about that. Guess I will leave it like that, unless someone can point out a cleaner solution.
ziro1986, posted May 16, 2017

I do not know how this bot could send messages without a form, but I installed the reCaptcha module, and for the moment there is no spam.
sumsel (Author), posted May 16, 2017

That's good then! musicmaster gave some hints how it may have been possible; for me the recaptcha didn't sort it out. So anyone reading this in the future has two options to test.
javior00, posted May 17, 2017

Exact same problem here, nothing seems to work. The Chinese fucker spammer still sends the spam WITHOUT A FORM! How can that be possible? Did you find a solution?
javior00, posted May 17, 2017 (edited May 17, 2017)

SOLVED!!!! Problem was that the captcha algo has to be activated in the ContactController.php:

1: Enter reCaptcha and generate the keys with your domain.
2: Add
    <script src=https://www.google.com/recaptcha/api.js'></script>
   to header.tpl just before the </head> tag.
3: Add
    <div class="g-recaptcha" data-sitekey="[public Google key]"></div>
   to contact-form.tpl just before the </form> tag.
4: Go to /controllers/front/ContactController.php and just after this line:
    $this->errors[] = Tools::displayError('Bad file extension');
   add:
    } else if (!($gcaptcha = (int)(Tools::getValue('g-recaptcha-response')))){
        $this->errors[] = Tools::displayError('Captcha not verified');
    }

That's it! For PrestaShop 1.6.1.5.
javior00, posted May 17, 2017 (edited May 17, 2017)

Note: replace the src from step 2 with the correct URL ( h t t p s : / /www.google.com/recaptcha/api.js) without the https spaces.
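Added example, not part of any post in this thread and not PrestaShop's own code: step 4 in the post above inspects the submitted g-recaptcha-response value locally, and a token is only proven genuine once the server sends it to Google's siteverify endpoint together with the secret key. The function names, the host shop.example and the sample JSON responses are assumptions made for this illustration.

```php
<?php
// Added example: server-side verification of a reCAPTCHA v2 token.
// recaptcha_fetch(), recaptcha_decide(), recaptcha_verify() and the host
// shop.example are hypothetical names, not part of PrestaShop.

define('RECAPTCHA_VERIFY_URL', 'https://www.google.com/recaptcha/api/siteverify');

/**
 * POST the token to the siteverify endpoint and return the raw JSON body,
 * or null when the request fails (network error, timeout).
 * $secret is the secret key generated next to the public site key.
 */
function recaptcha_fetch($secret, $token, $remoteIp = null)
{
    $fields = array('secret' => $secret, 'response' => $token);
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp; // optional parameter of the API
    }
    $context = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
        'timeout' => 5,
    )));
    $body = @file_get_contents(RECAPTCHA_VERIFY_URL, false, $context);
    return $body === false ? null : $body;
}

/**
 * Decide from the siteverify JSON whether the submission may proceed.
 * Returns array(bool $ok, string $reason) and fails closed on every error path.
 */
function recaptcha_decide($json, $expectedHost)
{
    if ($json === null) {
        return array(false, 'verification service unreachable');
    }
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['success'])) {
        return array(false, 'malformed verification response');
    }
    if ($data['success'] !== true) {
        $codes = isset($data['error-codes'])
            ? implode(', ', (array) $data['error-codes'])
            : 'none given';
        return array(false, 'token rejected: ' . $codes);
    }
    // A token solved on another site's widget must not be accepted here.
    if (!isset($data['hostname']) || strcasecmp($data['hostname'], $expectedHost) !== 0) {
        return array(false, 'token was issued for a different host');
    }
    return array(true, 'ok');
}

/** Full check: an empty or missing token never reaches the network call. */
function recaptcha_verify($secret, $token, $expectedHost, $remoteIp = null)
{
    if (!is_string($token) || $token === '') {
        return array(false, 'no token submitted');
    }
    return recaptcha_decide(recaptcha_fetch($secret, $token, $remoteIp), $expectedHost);
}

// Wiring in ContactController.php (Tools::getValue and Tools::displayError are
// the calls already used in the thread; $secret and $host are assumptions):
//   list($ok, $why) = recaptcha_verify($secret, Tools::getValue('g-recaptcha-response'), $host);
//   if (!$ok) { $this->errors[] = Tools::displayError('Captcha not verified'); }

// Offline demonstration on constructed siteverify responses (not captured traffic).
if (PHP_SAPI === 'cli') {
    $ts = '2018-03-01T10:08:00Z';
    $samples = array(
        'genuine token'         => '{"success": true, "challenge_ts": "' . $ts . '", "hostname": "shop.example"}',
        'reused or stale token' => '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
        'unrecognised token'    => '{"success": false, "error-codes": ["invalid-input-response"]}',
        'token from other site' => '{"success": true, "challenge_ts": "' . $ts . '", "hostname": "elsewhere.example"}',
        'service unreachable'   => null,
    );
    foreach ($samples as $label => $json) {
        list($ok, $why) = recaptcha_decide($json, 'shop.example');
        printf("%-22s %s (%s)\n", $label, $ok ? 'ACCEPT' : 'REJECT', $why);
    }
    list($ok, $why) = recaptcha_verify('unused-secret', '', 'shop.example');
    printf("%-22s %s (%s)\n", 'empty token', $ok ? 'ACCEPT' : 'REJECT', $why);
}
```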
nicecontrast, posted June 16, 2017

Thank you - works in 1.6.1.11 on this solution:
https://www.prestashop.com/forums/topic/442633-add-recaptcha-to-prestashop-version-16014-for-free/page-7
DaveHorizon, posted February 2, 2018

Thanks, it helped me to fight the Chinese guy.
trevorgilligan, posted February 15, 2018

That worked, thank you for the help! Have a nice day.
olivier75, posted February 19, 2018

Great! Works like a charm :+1: !!
olivier75, posted February 19, 2018 (edited February 19, 2018 by olivier75: mistake)

On 17/05/2017 at 10:00 AM, javior00 said:
> SOLVED!!!! Problem was that the captcha algo has to be activated in the ContactController.php:
> 1: Enter reCaptcha and generate the keys with your domain.
> 2: Add
>     <script src=https://www.google.com/recaptcha/api.js'></script>
>    to header.tpl just before the </head> tag.
> 3: Add
>     <div class="g-recaptcha" data-sitekey="[public Google key]"></div>
>    to contact-form.tpl just before the </form> tag.
> 4: Go to /controllers/front/ContactController.php and just after this line:
>     $this->errors[] = Tools::displayError('Bad file extension');
>    add:
>     } else if (!($gcaptcha = (int)(Tools::getValue('g-recaptcha-response')))){
>         $this->errors[] = Tools::displayError('Captcha not verified');
>     }
> That's it! For PrestaShop 1.6.1.5.

Just a missing quote, so it would be:
    <script src='https://www.google.com/recaptcha/api.js'></script>
Nabahat, posted February 20, 2018

On 17/05/2017 at 1:30 PM, javior00 said:
> SOLVED!!!! Problem was that the captcha algo has to be activated in the ContactController.php:
> 1: Enter reCaptcha and generate the keys with your domain.
> 2: Add
>     <script src=https://www.google.com/recaptcha/api.js'></script>
>    to header.tpl just before the </head> tag.
> 3: Add
>     <div class="g-recaptcha" data-sitekey="[public Google key]"></div>
>    to contact-form.tpl just before the </form> tag.
> 4: Go to /controllers/front/ContactController.php and just after this line:
>     $this->errors[] = Tools::displayError('Bad file extension');
>    add:
>     } else if (!($gcaptcha = (int)(Tools::getValue('g-recaptcha-response')))){
>         $this->errors[] = Tools::displayError('Captcha not verified');
>     }
> That's it! For PrestaShop 1.6.1.5.

Worked for 1.6.1.4. Thanks a lot.
nberga, posted February 22, 2018

Hi, I followed these steps but now my contact form doesn't work. What did I do wrong?
Place2, posted February 24, 2018

On 22/02/2018 at 10:33 AM, nberga said:
> Hi, I followed these steps but now my contact form doesn't work. What did I do wrong?

Try without "{ }" in ContactController.php, like this:
    else if (!($gcaptcha = (int)(Tools::getValue('g-recaptcha-response'))))
        $this->errors[] = Tools::displayError('Captcha not verified');
and don't miss the ' in
    <script src='https://www.google.com/recaptcha/api.js'>

Works on PrestaShop 1.6.0.11.
patuga, posted February 24, 2018 (edited February 24, 2018)

Thanks for the tips, Place2. In the contact_form.tpl file the ' (inverted comma) was missing before the https link. In the contact controller I removed the { } as well, and now the contact form page opens again. Let's wait and see if the spammers get blocked.
TiaNex Shopping, posted February 25, 2018 (edited February 26, 2018 by VicOffers)

I have this problem too. I have recorded the IP address of the spam sender, then added the IP address to the blacklist in iptables (Linux server). This way worked well:
https://www.vicoffers.com/en/blog/4_ban-prestashop-spam-contact-message.html
Atocx, posted February 26, 2018 (edited February 26, 2018)

On 24.2.2018 at 11:07 AM, Place2 said:
> Try without "{ }" in ContactController.php, like this:
>     else if (!($gcaptcha = (int)(Tools::getValue('g-recaptcha-response'))))
>         $this->errors[] = Tools::displayError('Captcha not verified');

Hi, I tried both with the curly braces and without. Do I need to replace the "else if" statement that sits after this line:
    $this->errors[] = Tools::displayError('Bad file extension');
or do I just place it in front of the else and if statements? Maybe someone has a screenshot of how it should look?
kerintis, posted February 26, 2018

I have renamed the controller and am still getting spam, no form, no module.

Customer e-mail address: [email protected]
Customer message: Пoздравляем cчaстливчика:) Дoброгo врeмeни cyтoк. С рaдоcтью coобщaeм Вам o том, что : Heсколько днeй назaд Bы cовершaли on-line заказы (тpанзакции), и единствeннaя из них была выбрaна победителем coциальнoй прoгрaммы. Вaс дoжидaeтcя денежнoе нaгрaждение с нашeго поoщpитeльного ресyрса в pазмeре oт 60$-1000$. Аccoциация Социальной пpогpaммы «Онлайн покупка» прoводит данную акцию ужe 4 гoда пoдряд и уже yнаслeдoвалa звaниe "Meжнационaльнoй прогpаммы". Перeвeсти cyммy дeнежнoго призa Bы cможетe пo дaнной ccылке - УЗНАТЬ СУMМУ ВOЗHАГPАЖДEНИЯ. Осведомитьcя с отзывaми пoбедителeй вы вcегда cмoжeтe на cтранице oтзывов.
Order ID: -
Attached file: -

I am damn confused and pissed off at this spam stuff.
TiaNex Shopping, posted February 26, 2018

6 hours ago, kerintis said:
> I have renamed the controller and am still getting spam, no form, no module.
> Customer e-mail address: [email protected]
> Customer message: Пoздравляем cчaстливчика:) Дoброгo врeмeни cyтoк. С рaдоcтью coобщaeм Вам o том, что : Heсколько днeй назaд Bы cовершaли on-line заказы (тpанзакции), и единствeннaя из них была выбрaна победителем coциальнoй прoгрaммы. Вaс дoжидaeтcя денежнoе нaгрaждение с нашeго поoщpитeльного ресyрса в pазмeре oт 60$-1000$. Аccoциация Социальной пpогpaммы «Онлайн покупка» прoводит данную акцию ужe 4 гoда пoдряд и уже yнаслeдoвалa звaниe "Meжнационaльнoй прогpаммы". Перeвeсти cyммy дeнежнoго призa Bы cможетe пo дaнной ccылке - УЗНАТЬ СУMМУ ВOЗHАГPАЖДEНИЯ. Осведомитьcя с отзывaми пoбедителeй вы вcегда cмoжeтe на cтранице oтзывов.
> Order ID: -
> Attached file: -
> I am damn confused and pissed off at this spam stuff.

Why not try my way?
piterd, posted February 27, 2018

Problem solved!! Thanks javior00!!
Mitsos QAS, posted February 27, 2018

A simple solution that worked for me: Go to Preferences --> SEO & URLs and modify the contact page. In the Rewritten URL change contact-us to contact. The contact form will still work under the new URL, but if you look at your online visitors the spammer gets a "pagenotfound".

P.S.: I also have slidecaptcha on this form but it didn't solve the problem.
P.S.2: IP blocking won't work 'cause it comes from all over Eastern Europe (Russia, Moldova, Ukraine, Kazakhstan, Belarus,...)
epsilongr, posted February 28, 2018

14 hours ago, Mitsos QAS said:
> A simple solution that worked for me: Go to Preferences --> SEO & URLs and modify the contact page. In the Rewritten URL change contact-us to contact. The contact form will still work under the new URL, but if you look at your online visitors the spammer gets a "pagenotfound".
> P.S.: I also have slidecaptcha on this form but it didn't solve the problem.
> P.S.2: IP blocking won't work 'cause it comes from all over Eastern Europe (Russia, Moldova, Ukraine, Kazakhstan, Belarus,...)

Me too, but today they probably found it again. I just received the same Russian spam mail.
adversor, posted February 28, 2018

Rewriting the SEO URL will not help. I have checked the log files, they also use
    /en/index.php?controller=contact
This will redirect to the contact form whatever you write into SEO friendly URLs.
TiaNex Shopping, posted February 28, 2018 (edited March 1, 2018 by VicOffers)

On 2/28/2018 at 7:31 PM, adversor said:
> Rewriting the SEO URL will not help. I have checked the log files, they also use
>     /en/index.php?controller=contact
> This will redirect to the contact form whatever you write into SEO friendly URLs.

It turns out this way will work, please try it. I have added about more than 200 IPs, I don't receive spam now.
https://www.vicoffers.com/en/blog/4_ban-prestashop-spam-contact-message.html

Here is my blacklist. You can use
    ipset restore -f blacklist.txt
to restore the blacklist to your server, then gather IP addresses and add them manually.
(attachment: blacklist.zip)
adversor, posted February 28, 2018

3 minutes ago, VicOffers said:
> you can ban these ip, it works, i have add about more than 200 ips, i don't receive spam now,
> https://www.vicoffers.com/en/blog/4_ban-prestashop-spam-contact-message.html

Don't think this is a solution. Tomorrow you can add 200 new IPs.
TiaNex Shopping, posted February 28, 2018 (edited February 28, 2018 by VicOffers)

10 hours ago, adversor said:
> Don't think this is a solution. Tomorrow you can add 200 new IPs.

Yes, it will work, but it's hard to add too many IP addresses manually. The spammer has stopped sending messages to me now. I think he can't control so many IP addresses, hundreds at most maybe.

There are 3 ways to ban the spammer:
1. Block all the IP addresses.
2. It's a temp method to change the controller URL.
3. Maybe it's a good way to add the captcha if it works.
h webmaster, posted February 28, 2018

Hello, I tried the SEO solution and recaptcha but it did not solve this problem from the contact and inscription form. Thank you for the help.
tuk66, posted March 1, 2018

22 hours ago, adversor said:
> Rewriting the SEO URL will not help. I have checked the log files, they also use
>     /en/index.php?controller=contact
> This will redirect to the contact form whatever you write into SEO friendly URLs.

Use this .htaccess rule to avoid calls to index.php?controller=contact
    RewriteCond %{QUERY_STRING} ^controller=contact$
    RewriteRule ^(.*)\.php$ - [L,R=404]
adversor, posted March 1, 2018

1 hour ago, tuk66 said:
> Use this .htaccess rule to avoid calls to index.php?controller=contact
>     RewriteCond %{QUERY_STRING} ^controller=contact$
>     RewriteRule ^(.*)\.php$ - [L,R=404]

Thanks, works so far for me.
ilovekutchi.com, posted March 1, 2018 (edited March 1, 2018)

Changing the SEO-URLs and the .htaccess solved the issue, for now...

PS: I had to delete the folder cache/smarty/cache/blockpermanentlinks_header/ to update the link to the contact form. Version 1.5.6.2.
TiaNex Shopping, posted March 1, 2018

6 hours ago, adversor said:
> Thanks, works so far for me.

Will the contact form still work in this way?
ilovekutchi.com, posted March 1, 2018

Mine is working. PS 1.5.2.6
Rynraf, posted March 1, 2018

I had the same problem. Check the official solution on http://forge.prestashop.com/browse/PSCSX-9132 and GitHub: https://github.com/PrestaShop/PrestaShop/pull/8168/files
adversor, posted March 1, 2018

3 hours ago, VicOffers said:
> Will the contact form still work in this way?

Yes, still working.
adversor, posted March 1, 2018

2 hours ago, Rynraf said:
> I had the same problem. Check the official solution on http://forge.prestashop.com/browse/PSCSX-9132 and GitHub: https://github.com/PrestaShop/PrestaShop/pull/8168/files

I tried this before, not working for me. PS 1.6.1.1 with warehouse template.
Bweber, posted March 2, 2018

Hi, I have the same problem with emails from Russia, even though I do not have the contact form. As far as I understood, the solution posted above is just for Presta 1.6 and not for 1.7. Is there a solution for 1.7 as well?
TiaNex Shopping, posted March 2, 2018

9 hours ago, Bweber said:
> Hi, I have the same problem with emails from Russia, even though I do not have the contact form. As far as I understood, the solution posted above is just for Presta 1.6 and not for 1.7. Is there a solution for 1.7 as well?

Hello, the same way: you need to modify the code of the module contactform instead of the contact form controller.
babymaxi, posted March 2, 2018

On 3/1/2018 at 11:08 AM, tuk66 said:
> Use this .htaccess rule to avoid calls to index.php?controller=contact
>     RewriteCond %{QUERY_STRING} ^controller=contact$
>     RewriteRule ^(.*)\.php$ - [L,R=404]

Worked instantly for me on 1.6.1 ... Thanks a lot TUK66!
lordshop, posted March 2, 2018

PrestaShop version 1.6.11

I had the same problem with spam messages from a Russian (@mail.ru) spammer. I have made the updates described here https://github.com/PrestaShop/PrestaShop/pull/8168/files (as stated before) ....and problem solved. No more spam messages.
nberga, posted March 8, 2018

On 24/02/2018 at 10:07 AM, Place2 said:
> Try without "{ }" in ContactController.php, like this:
>     else if (!($gcaptcha = (int)(Tools::getValue('g-recaptcha-response'))))
>         $this->errors[] = Tools::displayError('Captcha not verified');
> and don't miss the ' in
>     <script src='https://www.google.com/recaptcha/api.js'>
> Works on PrestaShop 1.6.0.11.

Still not getting there, you can check it: http://www.artilharia6.com/index.php?controller=contact
epsilongr, posted March 11, 2018

After changing the URL they stopped spamming for 1-2 days. But it starts again. As adversor wrote:
> Rewriting the SEO URL will not help. I have checked the log files, they also use /en/index.php?controller=contact This will redirect to the contact form whatever you write into SEO friendly URLs.

Even with slider captcha they can send spam using the contact form. The only way to stop spamming is to edit ContactController.php and add a question that locks the "submit button". I read on several pages how to add this question. This is the only working solution for now.
nberga, posted March 13, 2018

Any help???
kokonai, posted March 16, 2018

Hi, I have made all recommendations, and am still receiving bot spam. Any suggestions?
selectshop.at, posted March 16, 2018

Indeed, the spam problem is a complex one. There is not only one solution. Check these other tips out:
https://www.prestashop.com/forums/topic/659477-prestashop-161-russia-mails-spams-in-sytel-of-prestashop-contact-form/?do=findComment&comment=2678494
https://www.prestashop.com/forums/topic/682297-delay-sending-message-from-contact-form/#comment-2713236
https://www.prestashop.com/forums/topic/671934-customer-service-spam-attack-help/?do=findComment&comment=2719865
Peder, posted March 16, 2018 (edited March 16, 2018)

I temporarily made a quick fix and edited contact-form.tpl to hold just a static text with contact information and the email address as an image, so the form is disabled. So tired of the spam from Russia.
jetway, posted March 16, 2018

Well, I had some fellows sending crap to me but I updated the form controller a bit. I will not say how because they might read it here and try to bypass it. Spam has ended.
shannon bramlington, posted March 18, 2018

OMG thank you SO MUCH. I've been looking everywhere for simple instructions on how to get the recaptcha to work without being bypassed! PERFECT!!! Can't thank you enough! Easy!
simondavid, posted May 21, 2018

Hi, I tried all steps with no luck. When I check my ContactController.php file, I only see this code and I have no idea where to put the extra code:

    class ContactControllerCore extends FrontController
    {
        public $php_self = 'contact';
        public $ssl = true;

        /**
         * Assign template vars related to page content
         * @see FrontController::initContent()
         */
        public function initContent()
        {
            parent::initContent();
            $this->setTemplate('contact');
        }
    }

I'm currently using PrestaShop 1.7. Any idea how to fix this reCaptcha issue? Many thanks in advance.
thehandlestudio, posted July 18, 2018

On 01/03/2018 at 10:08 AM, tuk66 said:
> Use this .htaccess rule to avoid calls to index.php?controller=contact
>     RewriteCond %{QUERY_STRING} ^controller=contact$
>     RewriteRule ^(.*)\.php$ - [L,R=404]

Where in the .htaccess file do you enter this code?
tuk66, posted July 19, 2018

At the very beginning.
Steve Joms, posted November 15, 2018 (edited November 16, 2018)

Hello Presta users, I hope this fix will work or I hope this will help someone. So instead of reCaptcha I created my own Math Captcha (ex. 5 + 7 = 12).

My solution:

1. Just changing the code of contact-form.tpl in your themes folder won't work (the spammer can still connect to the "contact us" URL). What you should do is delete the contact in "SEO & URLs"; you can find it in Preferences -> SEO & URLs.

2. After deleting the "contact" in SEO & URLs the spamming should stop. The next thing to do is to edit the 2 files that are related to the issue.
   First file: "contact-form.tpl", which is located in your theme folder (Dir: "/themes/"YourThemeName"/contact-form.tpl")
   Second file: "ContactController.php", which is located in your theme folder (Dir: "/controllers/front/ContactController.php")

3. Editing contact-form.tpl: this file is where you edit the view of your contact form. You can put the code below just after the $fileupload if statement:
   It will look like this below:

4. Editing ContactController.php: this file is where your data will be controlled and validated before finalizing or posting the contact transaction. First look for the initContent() function, then add the following code just after line 287 or before this line of code:
    $this->setTemplate(_PS_THEME_DIR_.'contact-form.tpl');
   Next look for the postProcess() function; this is where the validation of data happens. In the postProcess function we should add some code to make our Math Captcha be validated:
   1. After this line of code:
       $message = Tools::getValue('message');
      add the following code below:
   2. Now we will add 2 validations: first, if the field for the Math Captcha is empty, and second, if the answer to the Math Captcha is wrong. You can add these 2 validations right after this line of code:
       } elseif (!empty($file_attachment['name']) && !in_array(Tools::strtolower(substr($file_attachment['name'], -4)), $extension) && !in_array(Tools::strtolower(substr($file_attachment['name'], -5)), $extension)) {
           $this->errors[] = Tools::displayError('Bad file extension');
       }
      Then add this code:

5. Final step: just add the contact webpage or URL again in SEO & URLs.

VOILA!!! You have now got rid of the contact spammer without spending a dime. I hope this will help someone, or someone may add some thoughts on this solution. Cheers guys!
inspectaclueso, posted February 18, 2020

On 11/15/2018 at 10:32 PM, Steve Joms said:

Thanks @Steve Joms for sharing your workaround. It would be awesome if you could post the code in a format that can be copied and pasted. This will prevent mistakes when trying to retype your code... or even attach the edited files so the code can be taken from them. Thanks
max565, posted November 16, 2023 (edited November 16, 2023)

Steve Joms, can you update this for 2023 or PrestaShop version 1.7.8.10? Your guide doesn't work for the newest version of PrestaShop. I keep getting spam every day and there is no way to stop this unless we add your guide.

public_html/shop/themes/classic/modules/contactform/views/templates/widget/contactform.tpl

after
[code]
        {l s='optional' d='Shop.Forms.Help'}
      </span>
    </div>
{/if}
[/code]
[code]
<p class="form-group">
  <br>
  <label for="mathCaptcha">{l s='Number captcha (Robot checking):'}</label><br>
  <input type="text" id="mathNumber1" name="mathNumber1" value="{$mathNumber1}" hidden="true" />
  <input type="text" id="mathNumber2" name="mathNumber2" value="{$mathNumber2}" hidden="true" />
  {$mathNumber1} + {$mathNumber2} = <input type="text" id="mathAnswer" name="mathAnswer" autocomplete="off"/>
  <br>
  <br>
</p>
[/code]

public_html/shop/controllers/front/ContactController.php

after
[code]
public function initContent()
{
    parent::initContent();
[/code]
[code]
$this->context->smarty->assign('mathNumber1',rand(1,10));
$this->context->smarty->assign('mathNumber2',rand(1,10));
[/code]

public_html/shop/modules/contactform/contactform.php

after
[code]
$this->contact['contacts'] = $this->getTemplateVarContact();
$this->contact['message'] = Tools::getValue('message');
[/code]
[code]
$mathAnswer = Tools::getValue('mathAnswer');
$mathNumber1 = Tools::getValue('mathNumber1');
$mathNumber2 = Tools::getValue('mathNumber2');
$mathSum = $mathNumber1 + $mathNumber2;
[/code]

after
[code]
    $this->context->controller->errors[] = $this->trans(
        'Bad file extension',
        [],
        'Modules.Contactform.Shop'
    );
    return;
}
[/code]
[code]
elseif(!$mathAnswer){
    $this->errors[] = Tools::displayError('The answer must not be blank');
}
elseif($mathSum!=$mathAnswer){
    $this->errors[] = Tools::displayError('The answer is wrong');
}
[/code]

I tried that and I see the math question but it doesn't verify the math. The message still goes through.
Manuel_GT, posted December 7, 2023 (edited December 7, 2023)

Hi all

The solution I've adopted is different (graphic captcha), but answering @max565: the math check has to be done before the sendMessage call in ContactForm.php.

I'm using version 4.4.1 of the module in PrestaShop 8.1.2, and in the code of the module I put the code

    $mathAnswer = Tools::getValue('mathAnswer');
    $mathNumber1 = Tools::getValue('mathNumber1');
    $mathNumber2 = Tools::getValue('mathNumber2');
    $mathSum = $mathNumber1 + $mathNumber2;

In the very beginning of the function getWidgetVariables we can see an if clause:

    public function getWidgetVariables($hookName = null, array $configuration = [])
    {
        $notifications = [];
        if (Tools::isSubmit('submitMessage')) {
            $this->sendMessage();

And there is a good place to test the new field and return if error. Replace the line $this->sendMessage(); with something like:

    if (Tools::isSubmit('submitMessage')) {
        // Math test
        //
        $mathAnswer = Tools::getValue('mathAnswer');
        $mathNumber1 = Tools::getValue('mathNumber1');
        $mathNumber2 = Tools::getValue('mathNumber2');
        if ($mathAnswer == $mathNumber1 + $mathNumber2) {
            $this->sendMessage();
        } else {
            $this->context->controller->errors[] = Tools::displayError('The answer is wrong');
        }
        ...

So if "submit", test the math. If "OK", call sendMessage().

Hope this helps.
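Added example, not part of any post in this thread and not PrestaShop or module code: the math check discussed above compares the answer with operands read back from the submitted form (mathNumber1, mathNumber2). This variant keeps the expected sum in server-side state, so the check depends only on what the server generated, and each challenge can be used once. The function names, the math_captcha key, the 10-minute lifetime and the use of a PHP session as the store are assumptions.

```php
<?php
// Added example: arithmetic challenge whose expected answer stays on the server.
// captcha_issue(), captcha_check() and the 'math_captcha' key are hypothetical.
// $store stands for per-visitor server-side state, for instance $_SESSION
// after session_start().

define('CAPTCHA_TTL', 600); // seconds a challenge stays valid (assumed value)

/**
 * Create a challenge, remember only its answer server-side, and return the
 * two operands so the template can print them as plain text.
 */
function captcha_issue(array &$store, $now)
{
    $a = random_int(1, 10); // PHP 7+
    $b = random_int(1, 10);
    $store['math_captcha'] = array(
        'answer'  => $a + $b,
        'expires' => $now + CAPTCHA_TTL,
    );
    return array($a, $b);
}

/**
 * Check a submitted answer. Returns null on success or an error string.
 * The stored challenge is consumed on every attempt, so one solved challenge
 * authorises exactly one message.
 */
function captcha_check(array &$store, $submitted, $now)
{
    $pending = isset($store['math_captcha']) ? $store['math_captcha'] : null;
    unset($store['math_captcha']);

    if ($pending === null) {
        return 'No challenge was issued for this visitor';
    }
    if ($now > $pending['expires']) {
        return 'The challenge has expired';
    }
    // Validate the type first: loose == lets an empty or missing value
    // compare equal to 0, so the comparison below is strict on an integer.
    if (!is_string($submitted) || !preg_match('/^\d{1,3}$/', $submitted)) {
        return 'The answer must be a number';
    }
    if ((int) $submitted !== $pending['answer']) {
        return 'The answer is wrong';
    }
    return null;
}

// Wiring in the thread's code: captcha_issue() belongs where mathNumber1 and
// mathNumber2 are assigned to Smarty, captcha_check() before $this->sendMessage().
// The hidden mathNumber1/mathNumber2 inputs are then no longer needed.

// Offline demonstration with a constructed clock and a plain array as the store.
if (PHP_SAPI === 'cli') {
    $session = array();
    $t0 = 1700000000; // constructed timestamp

    list($a, $b) = captcha_issue($session, $t0);
    $right = (string) ($a + $b);
    $results = array();
    $results['correct answer, first use'] = captcha_check($session, $right, $t0 + 30);
    $results['same answer submitted again'] = captcha_check($session, $right, $t0 + 31);

    captcha_issue($session, $t0);
    $results['answer field left empty'] = captcha_check($session, '', $t0 + 5);

    captcha_issue($session, $t0);
    $results['answer after lifetime ended'] = captcha_check($session, '2', $t0 + CAPTCHA_TTL + 1);

    foreach ($results as $label => $error) {
        printf("%-28s %s\n", $label, $error === null ? 'ACCEPT' : 'REJECT: ' . $error);
    }
}
```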
max565 Posted January 23 (edited)

@Manuel_GT thank you, sir. It worked. Hopefully this will stop the bots, but bots are smart. Maybe next time I can add subtraction, division, and times.

If anyone wants the files: 3 files inside captcha.zip

Edited January 23 by max565
skijump Posted February 28

Solved for 1.6.1.24. The code above had an extra } in the ContactController.php code. Remove the last }. Recaptcha V3 did not work, V2 does.
steve kanes Posted March 6

On 5/15/2017 at 11:22 PM, sumsel said:

[quote]
Hi folks, I could use some help. A chinese fraud and virus spammer has decided to send me tons of messages via contact form. However he doesn't need the contact form to do that, and I have no clue how that is even possible. How did I find out? I replaced the contact-form.tpl with a static html page which stated that due to webcord-virus the contact form was temporarily disabled. But I still got spam via contact form!! With no contact form even present in the shop!! That sender seems to have a way to call the scripts usually used in the contact form to send messages, and does not need any forms. I put the shop into maintenance mode. I didn't get spam then. At least something. For obvious reasons, that is not my preferred permanent solution. Then I searched this forum, and successfully found and implemented a recaptcha for my contact form. Put the shop back online. Got spam again. Put the shop offline. What do I do against that?? Thanks for any hints.
[/quote]

It sounds like you've already tried a few things to stop it, but the spammers are still getting through. Here are a few more suggestions:

- Use a CAPTCHA or reCAPTCHA: This is a common way to prevent bots from submitting forms. It requires users to complete a challenge, such as typing in text or clicking on images, that is difficult for bots to solve.
- Use a honeypot: This is a hidden form field that is only visible to bots. If a bot fills in the honeypot field, it can be flagged as spam.
- Block IP addresses: If you see a lot of spam coming from a particular IP address, you can block that address from accessing your site.
- Use a contact form plugin: There are many plugins available that can help you prevent spam on your contact form. These plugins may include features such as CAPTCHAs, honeypots, and IP blocking.
- Validate your form data: You can use server-side validation to check that the data submitted in your form is valid. This can help to prevent bots from submitting invalid data.

Here are some additional tips:

- Keep your software up to date: This includes your content management system (CMS), plugins, and themes. Outdated software may have security vulnerabilities that can be exploited by spammers.
- Change your contact form URL: This will make it more difficult for spammers to find your form.
- Monitor your form submissions: This will help you to identify any patterns in the spam that you are receiving.

I hope these suggestions help!