Spam in contact form with CAPTCHA turned on

edited December 2011 in News & Announcements
As my title says - I think I've just been recently hit by a spambot. I'm getting a few emails every hour from my site's contact form. I have captcha turned on, but I understand that spambots may be able to bypass this field? Anything I can do to stop the bot?

Cheers

Comments

  • edited 2:01AM
    I think line 315 on the blog controller could probably include an additional check since both the $_POST and the $_COOKIE for the session could probably be faked by a bot. Would you mind testing the following out on your end to see if it helps fix your issue:

    At the bottom of the fuel/modules/blog/controllers/blog.php controller file, add the following:
    function _get_encryption($word)
    {
        // Hash the captcha word (case-insensitive) together with the site's secret key
        $captcha_md5 = md5(strtoupper($word).$this->config->item('encryption_key'));
        return $captcha_md5;
    }

    Around line 479, change to the following 2 lines:
    $captcha_md5 = $this->_get_encryption($captcha['word']);
    $this->session->set_userdata('comment_captcha', $captcha_md5);

    Then change the _is_valid_captcha method to the following:
    function _is_valid_captcha()
    {
        $valid = TRUE;

        // check captcha
        if (is_true_val($this->fuel_blog->settings('use_captchas')))
        {
            if (!$this->input->post('captcha'))
            {
                $valid = FALSE;
            }
            else if (!is_string($this->input->post('captcha')))
            {
                $valid = FALSE;
            }
            else
            {
                // compare the keyed hash of the posted word with the one stored in the session
                $post_captcha_md5 = $this->_get_encryption($this->input->post('captcha'));
                $session_captcha_md5 = $this->session->userdata('comment_captcha');
                if ($post_captcha_md5 != $session_captcha_md5)
                {
                    $valid = FALSE;
                }
            }
        }
        return $valid;
    }
    Lastly, change your "encryption_key" in the main config file to something else.

    If you find that the above fix does work for you, let me know and I'll post the fix to the repo.

    If that doesn't work, we may want to look at changing the "captcha" settings in the blog config which get applied to the fuel/modules/blog/libraries/Captcha.php class directly (so there are additional parameters not set that you can use like "char_length").
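A self-contained version of the keyed-digest check described in the comment above, added here as an example and not FUEL CMS's or the commenter's own code. It assumes PHP 5.6 or later (for hash_equals) and uses a plain array as a stand-in for the CodeIgniter session store.

```php
<?php
// Added example: store only a keyed digest of the captcha word in the session,
// so a client that controls both the POST field and the session value still
// cannot pass validation without the server-side secret.
// Assumes PHP >= 5.6; $session stands in for the CodeIgniter session store.

// Digest the captcha word with a server-only key. Case is normalised the same
// way the thread's fix does (strtoupper), so "abc" and "ABC" both pass.
function captcha_digest($word, $key)
{
    return hash_hmac('sha256', strtoupper($word), $key);
}

// Called when the captcha image is generated: store the keyed digest,
// never the plaintext word, in the session.
function store_captcha(array &$session, $word, $key)
{
    $session['comment_captcha'] = captcha_digest($word, $key);
}

// Called on form submission. Mirrors _is_valid_captcha(): the posted value
// must be a non-empty string whose keyed digest matches the stored one.
function is_valid_captcha(array $session, $posted, $key)
{
    if (!is_string($posted) || $posted === '') {
        return false;
    }
    if (empty($session['comment_captcha'])) {
        return false;
    }
    // hash_equals avoids leaking the digest through timing differences.
    return hash_equals($session['comment_captcha'], captcha_digest($posted, $key));
}

$key = 'REPLACE-WITH-LONG-RANDOM-encryption_key'; // placeholder secret
$session = array();

// Legitimate flow: the server issues the word "k7m2q" (constructed sample)
// and the user types it back in a different case.
store_captcha($session, 'k7m2q', $key);
echo "legitimate submission: ", is_valid_captcha($session, 'K7M2Q', $key) ? "valid" : "invalid", "\n";

// Forged flow: a client supplies its own word in both the form field and a
// session value it controls, but has no way to produce the keyed digest.
$forged = array('comment_captcha' => 'aaaa');
echo "forged session:        ", is_valid_captcha($forged, 'aaaa', $key) ? "valid" : "invalid", "\n";
```

The thread's fix uses md5(strtoupper($word).$key) for the same purpose; an HMAC is used here because it is the standard keyed construction, and hash_equals is a constant-time comparison.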
  • edited 2:01AM
    Thanks. Have switched form off for now as won't get a chance to look at it until this weekend, but will take the above on board then and give that a go.

    Cheers