Formbuilder not validating email

[SolsWebdesign]

Hi all,

I have this site that has a form-buddy-footer form in the fat footer and this site is being spammed by someone (or some program) that only enters a '1' in every field. I have set up email validation and telephone number validation but still the form is being send! I have no clue how this is possible because if I try it myself, I get the message "please enter a correct email address". Anyone any ideas?
How is it possible and is there a way to stop formbuilder from sending the form if the name only contains a '1'? Of if it contains a message with less characters then say 5?
In the email I get it says Url of page : No http_referer information (probably due to email verification) and my formbuilder version is 0.7.3 The IP address that is send with this email varies (otherwise I just could block the IP address).
Anyone else with this strange problem?
kind regards,
Isolde

[Rolf]

The latest FB release includes lots of fixes since 0.7.3, don't know if they are related though.
Also check this tutorial http://www.cmscanbesimple.org/blog/hone ... ormbuilder

[SolsWebdesign]

Hi Rolf,

Thank you for your tutorial but it doesn't solve my problem. I still get
"Naam (name): 1
Emailadres: 1
Telefoon (phone): 1
Bericht (message): 1"
send to my customer every week. The IP address, from which it send, varies. And the form has email validation and everything. As said, if I try myself to fill in the formbuilder form, I neatly get the errors "Please fill in a correct email address" and "Please fill in a correct telephone number". So somehow this "person" gets past the errors and sends it off anyway.
The form is in the fatfooter below on page http://www.thijsvandewouwkeukens.nl/
I have no idea how to solve this...
Kind regards,
- Isolde

[Jo Morg]

Did you upgrade FB as recommended by Rolf?

[SolsWebdesign]

Hi,

I had version 0.7.3 and I have upgraded to 0.8.1.3. CMSmadeSimple is 1.12 “Pohnpei”. I hope it helps
- Isolde

[Jo Morg]

As said, if I try myself to fill in the formbuilder form, I neatly get the errors "Please fill in a correct email address" and "Please fill in a correct telephone number". So somehow this "person" gets past the errors and sends it off anyway.

Without far more info we don't have how to reproduce the issue. I suggest going through the Apache access logs, and see if there are any clues on how that form is accessed bypassing the security measures/validation... it sure is a first for me. Additionally, I suggest you install the Captcha module (it now supports the much more user friendly reCaptcha v2); it should, at least, add an additional security layer, if not block spam completely, which it actually should.

[Jeff]

What validation are you doing? HTML5 browser validation or server FB validation?

[SolsWebdesign]

I didn't think of HTML5 validation, that is a good idea to try. I use the standard FB validation:

Field Validation:
Automatic

But now I've checked the "Use HTML5 instead of JavaScript" box.

Would be great if it worked

If not than the next step is indeed Captcha or to dig in to the the code of FB and see where it validates and sends the email...


I have looked into the Apache logs without success

[velden]

Seems to me the validation is already html and that will not help you prevent the spamming.

You should setup validation on the Form Builder fields in Form Builder itself. Do not rely on client-side validation because it's kind of useless regarding spam-prevention.

And consider using the 'honeypot' feature like Rolf suggested.

[SolsWebdesign]

I have made the validation html & javascript (it was FB validation on the server side before and that certainly didn't work).

There is nothing in the Apache logs... sadly

I always use the honeypot feature (like Rolf suggested) in any- and everyone of my sites (including this one) and have so for a very long time. It helps in all my sites except in this (strange) case.

And no, I cannot reproduce it: if I try entering 1 in every field my self, I get the proper warnings that my email is not correct, etc.

Nobody seems to understand or recognize this problem.

This week I haven't seen a 1-1-1-1 submission yet so I'm keeping my fingers crossed that the html/javascript validation works...

[Jo Morg]

I suspect you may have some weird configuration on your form. On all my tests with FB server-side validation, I couldn't reproduce the issue you are experiencing.

However if you rely exclusively on client-side validation, you are signing up for troubles (as velden pointed out): JavaScript/HTML 5 validation are complementary measures of validation form human input on forms. They rely on the browsers being set to enforce the validation rules as well as users having JavaScript enabled on their browsers. Bots, particularly spam bots, bypass JS and HTML 5 validation using different methods. They can even be programmed to correctly identify honeypots and bypass them on a site by site basis, so even this measure is but complementary. The success of a honeypot depends on the interest (or lack thereof) on spamming the site.
I recommend thoroughly reviewing that particular form setup and settings, and eventually adding a reCaptcha protection for additional prevention of invalid submissions.

[SolsWebdesign]

Ouch, that is too bad. Thank you for pointing that out, Jo.

I prefer to avoid the spam so the customer will have to live with the 1-1-1-1 submissions then (since they don't want captcha)... I'll go back to the FB server side validation then...

I do use the FB server side validation for my honeypot though But I'll set the email validation back to the FB server side validation...

I'll make some time and have a look at the FB code and see if I can make a custom solution for this one.

[velden]

I would start to investigate the specific email (read mail headers) and check if it really appears to come from your webserver.
Check for mail client.

Then check the webserver logs for the specific timestamp.

Are you 100% sure the mails come from the FormBuilder module?

To me it occurs like an error, no use in sending all 1's being a spammer.

[SolsWebdesign]

Hi Velden,

Here is what I get:
"Contact aanvraag via ThijsvandeWouwKeukens.nl
Naam aanvrager: 1
Emailadres: 1
Telefoon aanvrager: 1
Bericht of vraag: 1

Formuliernaam: form-buddy-footer
Datum van verzending: Wed, 24 Feb 2016 00:42:15 +0100
Server: http://www.thijsvandewouwkeukens.nl
IP adres: 88.248.186.240
URL van de pagina: Geen HTTP_REFERER informatie beschikbaar (waarschijnijk door het gebruik van E-mail Gebruiker Validatie)
FormBuilder versie: 0.8.1.3
Tab karakter: "

So it looks to me as if it comes from Formbuilder. It is also the template information that I would normally use. If I change "Naam aanvrager:" in "Naam van de aanvrager:" it will say so on the next submission. The IP address varies and this one comes from Ankara, Turkey. But I've had IP addresses from Russia and Spain as well. I have added my email address to the formbuilder form to monitor the contact form so I am pretty sure it isn't send to me directly. I don't think anyone links the Thijsvandewouw site to me or my solswebdesign address unless they know me or Thijs because it does not say so anywhere.

I have searched all possible logging (server and my own) but nothing out of the ordinary... This is the last one I've had... I hope it will die down but until now no such luck.
- Isolde