Bug #8570
closedAnti-spam for Contact Form 7
0%
Description
We were informed by IT that some contact forms powered by Contact Form 7 were being used to send some spam emails to the site admins. I dug into the logs and found the following (from my email to IT):
158.222.111.170 - - [22/Aug/2017:13:27:04
0400] "GET /contact-us/ HTTP/1.1" 200 124474 "" "-" 23284
158.222.111.170 - - [22/Aug/2017:13:27:070400] "GET /files/wpcf7_captcha/3072338607.png HTTP/1.1" 200 1204 "" "-" 23284
158.222.111.170 - - [22/Aug/2017:13:27:20 -0400] "POST /contact-us/ HTTP/1.1" 200 124594 "http://www.google.com" "Mozilla/5.0 (IE 11.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko" 23380Notice the google.com referer in the third line. Looking at this, my guess is that a bot is doing the following:
- In a browser, search Google for pages containing contact forms powered by this specific plugin.
- Based on results, fetch the contact page. This is presumably not being done with a web browser, because all of the rest of the page assets (CSS, JS, etc) are not being loaded, and there's no user-agent recorded in the access log.
- Parse the contact page HTML to get the URL of the CAPTCHA image, and then fetch that image.
- Use some technique to solve the CATCHA
- Build a POST request known to work with this plugin, including the CAPTCHA answer, and launch it from the browser. This explains why the POST request has a User-Agent as well as a Referer.
I think we can thwart this with a sort of reverse honeypot: a hidden field that has a secret token, which is rendered as part of the form but is not part of CF7. It must be part of the POST request in order for the submission to go through.
Ray, have you built this kind of thing before? If so, and you have any code, would you mind sharing? Otherwise I can try to whip something up.
Related issues