Formbuilder spam issue

blackrain
Forum Members
Posts: 98
Joined: Wed Feb 20, 2008 4:33 pm

Formbuilder spam issue

Post by blackrain »

I am getting a large amount of spam through the Formbuilder module.

The messages are formatted correctly as per my settings in Formbuilder, but the messages are not saved to the database as valid messages from the website are.

I am using captcha and a trick Rolf posted using a regular expression and a website address. Still, spam gets through.

This leads me to conclude that the Formbuilder is getting hit and processing without using the front end anti-spam tools.

Has anyone else had this issue, and is there a fix I can employ to combat this problem?

The IPs are all from Russia and Ukraine but very random and constantly changing.
velden
Dev Team Member
Posts: 3483
Joined: Mon Nov 28, 2011 9:29 am
Location: The Netherlands

Re: Formbuilder spam issue

Post by velden »

I'd check the webserver access logs. Those should give hints as to what scripts/pages are called and hopefully some parameters (you know the IP, so you know what to look for in the logs).

Sure you don't have some test-form you forgot about somewhere?
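The kind of log triage velden suggests, as an added example that is not part of the thread: a short Python script over constructed Apache combined-format lines (not real traffic) that finds POSTs to the form page whose client IP never fetched the page beforehand, which is exactly the "posting without the frontend" behaviour being debated, and buckets the POSTs by time of day. The path `/contact` and the 30-minute window are assumptions.

```python
"""Triage access logs for form POSTs that were never preceded by a GET of the form.

Added example, not code from the forum thread or from CMS Made Simple. The log
lines below are constructed for illustration; /contact is an assumed page path.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2018:09:14:02 +0000] "GET /contact HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2018:09:15:40 +0000] "POST /contact HTTP/1.1" 200 4800 "https://example.test/contact" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2018:03:00:01 +0000] "POST /contact HTTP/1.1" 200 4800 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Mar/2018:03:00:03 +0000] "POST /contact HTTP/1.1" 200 4800 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Mar/2018:03:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.11 - - [13/Mar/2018:03:00:02 +0000] "POST /contact HTTP/1.1" 200 4800 "-" "Mozilla/4.0"
"""

# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def direct_posts(entries, form_path, window=timedelta(minutes=30)):
    """POSTs to form_path whose client IP did not GET form_path in the preceding window.

    A browser user loads the page first; a script that posts straight to the
    handler usually does not, so these are the submissions worth a closer look.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    suspicious = []
    for evs in by_ip.values():
        evs.sort(key=lambda e: e["ts"])
        for e in evs:
            if e["method"] != "POST" or e["path"] != form_path:
                continue
            loaded = any(
                p["method"] == "GET" and p["path"] == form_path
                and e["ts"] - window <= p["ts"] < e["ts"]
                for p in evs
            )
            if not loaded:
                suspicious.append(e)
    return suspicious


def posts_by_minute_of_day(entries, form_path):
    """Count POSTs to form_path per HH:MM, which exposes a 'same time every day' schedule."""
    counts = defaultdict(int)
    for e in entries:
        if e["method"] == "POST" and e["path"] == form_path:
            counts[e["ts"].strftime("%H:%M")] += 1
    return dict(counts)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in direct_posts(entries, "/contact"):
        print(f"{e['ip']} POSTed {e['path']} at {e['ts']:%Y-%m-%d %H:%M:%S} "
              f"with no prior GET (referer={e['referer']!r}, UA={e['ua']!r})")
    print(posts_by_minute_of_day(entries, "/contact"))
```

Run it against the real log by replacing `SAMPLE_LOG` with the file contents; a referer of `-` on every flagged POST, and a cluster on one minute of the day, are the two signals that distinguish a scheduled script from a person at a browser.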
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: Formbuilder spam issue

Post by Jo Morg »

Also:
blackrain wrote:I am using captcha and a trick Rolf posted using regular expression and a website address. still spam gets through.

This leads me to conclude that the Formbuilder is getting hit and processing without using the front end anti spam tools.
It should not be possible to circumvent anti-spam other than by human intervention. It is my experience that reCAPTCHA is quite effective in blocking bots, whereas honey-pots only need human intervention once (by defining on the bot configuration for a particular site which fields to leave empty).
For a bot to be able to circumvent both is close to impossible unless there is something misconfigured in that form or in FormBuilder.
blackrain wrote:The messages are formatted correctly as per my settings in Formbuilder but the messages are not saved to the database as are valid messages from the website.
I'm not sure what you mean by that; can you please give more details? And are you using the latest versions of modules and core?

* velden beat me answering... :)
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
blackrain
Forum Members
Posts: 98
Joined: Wed Feb 20, 2008 4:33 pm

Re: Formbuilder spam issue

Post by blackrain »

Thanks guys, I have looked through the access logs but nothing jumps out as odd, lots of 404 requests for php scripts but nothing getting through there.

I have tried all the captcha modules ReCaptcha included and they all work fine for the form submission.

@JoMorg - The emails I receive are formatted as per the HTML I have put in the Formbuilder module; the settings are correct and even the form fields are all correct. When I submit a message via the frontend the message is stored in FormBrowser and I can access it. The spam messages are not stored. I am thinking there may be a vulnerability in the Formbuilder somewhere that allows a bot to POST without using the frontend.

thanks
Rolf
Power Poster
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am
Location: The Netherlands

Re: Formbuilder spam issue

Post by Rolf »

You could try https://www.cmscanbesimple.org/blog/add ... ook-module The method also works for FormBuilder of course.
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
blackrain
Forum Members
Posts: 98
Joined: Wed Feb 20, 2008 4:33 pm

Re: Formbuilder spam issue

Post by blackrain »

Hi @Rolf

The client wants the form visible; also, the issue doesn't seem to be with the frontend form itself, as I don't see the submission data being captured by the db.

It's frustrating to say the least :(
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: Formbuilder spam issue

Post by Jo Morg »

blackrain wrote:Thanks guys, I have looked through the access logs but nothing jumps out as odd, lots of 404 requests for php scripts but nothing getting through there.

I have tried all the captcha modules ReCaptcha included and they all work fine for the form submission.

@JoMorg - The emails I receive are formatted as per the html I have put in the formbuilder module the setting are correct and even the form fields are all correct. when I submit a message via the frontend the message is stored in formbrowser and I can access it. the spam messages are not stored I am thinking there may be a vulnerability in the formbuilder somewhere that allows a bot to POST without using the frontend.

thanks
I'll need more details then. I still find it odd, as the Captcha is validated on POST; otherwise it wouldn't be doing anything there at all. In all CMSMS installations I work with there are normally tens of forms done by FB and with various degrees of traffic, and I have never had an issue like the one you describe.
I can eventually think of a way to test that too, by doing some sort of cross-site security method (I'll have to look at one of mine using it) which is relatively easy in FB. I'll post the method here as soon as I find it. However, it will only prevent attempts to POST without the use of the form (which I still am not convinced is the case).
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: Formbuilder spam issue

Post by Jo Morg »

Additionally, can you post a form with an invalid captcha? Because in my tests it invalidates the form and FB won't process it at all and show the respective error.
blackrain
Forum Members
Posts: 98
Joined: Wed Feb 20, 2008 4:33 pm

Re: Formbuilder spam issue

Post by blackrain »

@JoMorg

The captcha function is working on the website and stopping the form from submitting if the code is missing or incorrect. I have also used the honey pot @Velden posted and that works also.

I am at a loss as to why the messages are getting through, unless the spammer is actually entering the data into the form, but then the db would catch the data.
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: Formbuilder spam issue

Post by Jo Morg »

OK, so try this:
- create a UDT, name it gen_sec_token:

Code:

// 16 random bytes, hex encoded, stored in the session for the validation step.
// On PHP 7+ random_bytes(16) is the preferred CSPRNG; openssl_random_pseudo_bytes
// is kept here because it is what older installations have.
$token = bin2hex( openssl_random_pseudo_bytes(16) );
$_SESSION['fb_token'] = $token;
return $token;

- create a new UDT, name it val_sec_token:

Code:

// Reject unless both sides exist and match. isset() covers a missing field or an
// expired session; the original loose != comparison would accept a non-string or
// empty value in some cases, so compare strings in constant time instead
// (hash_equals needs PHP 5.6+).
if( !isset($params['token'], $_SESSION['fb_token'])
    || !is_string($params['token'])
    || !hash_equals($_SESSION['fb_token'], $params['token']) )
{
  audit(0, 'Form submission error: security token missing or invalid!');
  return array(false, 'Security token missing or invalid');
}

# make sure no reuse is possible
unset($_SESSION['fb_token']);
return array(true,'');

- in FormBuilder open the affected form and create a new field of type Text Input and name it token;
- create yet another field of type User Defined Tag Call and select the gen_sec_token UDT, name it st;
  (note: keep these fields' validation at their default settings....)
- in the FormBuilder form page on the tab Form Submission, under Form Submission Behavior, set User defined tag to call during form validation to val_sec_token;
- on the form template, and assuming that you use some variation of one of the original templates that handle rendering the fields automatically, you'll need to trap and prevent the new fields from displaying (that bit is up to you as it will depend on how the form template is set);
- add the following right after the {$fb_hidden} tag in the template:

Code:

<input type="hidden" name="{$actionid}{$token->input_id}" value="{$st->input}">

- update/save the form.
This should create and handle nonce security tokens that should prevent cross-domain form submissions.

Now, I still don't think that the submissions are not made from the main FB form, but this should clear that up for us. This type of validation should prevent, for good, any submission other than from the form itself (and even prevent double submissions from refreshing the page). That will leave us with legit form submissions but made specifically with the intent of spamming...
blackrain
Forum Members
Posts: 98
Joined: Wed Feb 20, 2008 4:33 pm

Re: Formbuilder spam issue

Post by blackrain »

I tried to use the code supplied but the form failed to submit; thanks for your help. I did, however, glean some info from the logs. It looks like random IP addresses were hitting the contact page at the same times every day; the form was being posted and then the IP stopped, and the next one did the same.

So I implemented the Google reCaptcha module and the issue stopped.

I was wondering if perhaps someone was using something like Selenium to create scripts that run in an actual browser client. This would explain a lot. If so, perhaps a delay tactic could be invoked, i.e. fill out form, delay the ability to click unless a JavaScript checkbox is checked.

just a thought.

thanks again for all your help @JoMorg, @Velden and @Rolf
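The token scheme from Jo Morg's gen_sec_token/val_sec_token steps, combined with the minimum-fill-time idea from the last post, as an added example that is neither code from the thread nor from FormBuilder. It is written in Python to show the mechanism itself, not as a drop-in UDT; porting it to the two PHP UDTs is a matter of calling the equivalent of `issue_token()` from gen_sec_token and `validate_token($params['token'])` from val_sec_token. Unlike the session version it is stateless: the token carries its issue time and a random nonce, both covered by an HMAC under a server-side secret, so a submission that never rendered the form (and therefore never obtained a valid token) fails the signature check rather than a session lookup. `SECRET`, `MIN_FILL_SECONDS` and `MAX_AGE_SECONDS` are assumed values, and the in-memory replay set stands in for whatever store the deployment uses.

```python
"""Signed, time-stamped, single-use form tokens with a minimum fill time.

Added example, not code from the forum thread or from CMS Made Simple.
Token = base64url( issued_at(8 bytes) || nonce(16 bytes) || HMAC-SHA256 ).
"""
import base64
import hashlib
import hmac
import os
import struct
import time

SECRET = os.urandom(32)        # assumed: per-deployment secret kept server side
MIN_FILL_SECONDS = 5           # assumed: anything faster is treated as automated
MAX_AGE_SECONDS = 30 * 60      # assumed: stale forms must be reloaded

_used_tokens = set()           # replay store; a DB or cache keyed by token in production


def issue_token(now=None):
    """Create a token for the form being rendered; call this where the form is generated."""
    now = int(time.time()) if now is None else int(now)
    payload = struct.pack(">Q", now) + os.urandom(16)
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode("ascii")


def validate_token(token, now=None):
    """Return (ok, reason). Order: shape, signature, fill time, age, then replay.

    The signature is checked before anything derived from the payload is
    trusted, and in constant time, so a forged token yields no information.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, AttributeError):
        return False, "malformed"
    if len(raw) != 8 + 16 + 32:
        return False, "malformed"
    payload, mac = raw[:24], raw[24:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"      # forged, or issued under another secret
    issued_at = struct.unpack(">Q", payload[:8])[0]
    age = now - issued_at
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"  # the delay tactic: a person needs time to type
    if age > MAX_AGE_SECONDS:
        return False, "expired"
    if token in _used_tokens:
        return False, "replayed"           # single use, as in the session-based UDT
    _used_tokens.add(token)
    return True, ""


if __name__ == "__main__":
    t = issue_token()
    print(validate_token(t))                        # too fast: issued this instant
    print(validate_token(t, now=time.time() + 10))  # accepted
    print(validate_token(t, now=time.time() + 11))  # replayed
```

The fill-time check is server side, so it holds even against a scripted browser that ticks a JavaScript checkbox; it only forces the script to wait, which is the point of the suggested delay. The replay set must be shared across web workers (and pruned after `MAX_AGE_SECONDS`) for the single-use guarantee to hold.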