
Issue with reCaptcha, SPAM users using contact formular


Hi PrestaShop Forum,
After buying and installing the module "reCaptcha" from https://addons.prestashop.com/en/website-security-access/42438-recaptcha-google-anti-spam.html, I still have a major issue with reCAPTCHA: I get SPAM from robots/services using my contact form to send SPAM.
I see continued email creations in the PrestaShop backend, 15 a minute from the IP.

The module doesn't block spam; I tested both v2 and v3. The spammer/robot/service uses the contact form to send spam, and this is not blocked by reCAPTCHA. Is anyone else having the same issue with this module?

Example of user created: 
Name: 网址①⑧⑧⑦点top注册送⑧彩金
Last name: 存五十送③⑦彩金
email: [email protected]
IP: 38.12.30.33 

Purchased module/software:
reCaptcha - Google Anti Spam module, version: v1.1.7
reCaptcha versions tested with no luck: v2 and v3
Changed 'Site key' and 'Secret key', but with the same result.

My PrestaShop version: 1.7.6.8
ReCaptcha anti-spam - PrestaShop module configuration in the backend: ReCaptcha allowed score is set to 0.1

Temporary solution is to block the form in .htaccess with the following.

# blocking contact form: deny (403) any request whose query string starts with create_account=1
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^create_account=1.* [NC]
    RewriteRule ^(.*)$ - [F,L]
</IfModule>

# expose a flag to the application that mod_rewrite is available
<IfModule mod_rewrite.c>
    <IfModule mod_env.c>
        SetEnv HTTP_MOD_REWRITE On
    </IfModule>
    RewriteEngine On
</IfModule>

BR
/M

Edited by mihessel

It seems that you're encountering an issue where the reCaptcha module is not blocking spam submissions via your contact form on PrestaShop, even after testing with both reCaptcha v2 and v3.

Here’s a solution to this issue, customized to your case, along with a reference to your website:

Solution to Block Spam in PrestaShop Contact Form

After experiencing issues with reCaptcha not effectively blocking spam on your PrestaShop site, here are a few steps you can try to ensure better protection:

1. Check reCaptcha Settings

Make sure the Site Key and Secret Key are correctly set up. It’s important that the keys match the version of reCaptcha you’re using (either v2 or v3). You can also try setting the Score Threshold in reCaptcha to a stricter value (below 0.5) to see if it catches more spam.

2. Update PrestaShop and reCaptcha Module

Ensure that your PrestaShop and the reCaptcha module are updated to the latest versions. Updates often fix bugs and improve compatibility.

3. Test reCaptcha with Custom Forms

If you have custom forms or modifications in your contact form, make sure those are compatible with the reCaptcha version you are using. Sometimes, certain customizations may interfere with reCaptcha.

4. Implement IP Blocklist for Known Spam IPs

In case spam continues despite reCaptcha settings, blocking known spam IPs directly in your .htaccess file is an effective temporary measure.

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} ^38\.12\.30\.33$
    RewriteRule ^(.*)$ - [F,L]
</IfModule>

This code blocks requests from the spam IP address you've identified. Update this as necessary to block other known IPs.

5. Consider Alternative Anti-Spam Modules

If the built-in reCaptcha module isn’t performing as expected, you might want to explore alternative anti-spam modules available on the PrestaShop add-ons store, such as Spam Prevention for Forms or other advanced CAPTCHA modules that offer additional layers of protection.

6. Contact PrestaShop Support

If the problem persists, it may be worth reaching out to PrestaShop’s support team or the reCaptcha module’s developer for more specialized troubleshooting.

As for your website, you might want to ensure that https://ecalculadoradehoras.com/ also has adequate security measures in place to prevent such spam attacks. If you offer a similar service for time calculations or any related modules, adding extra layers of protection can improve user experience and security.

Feel free to integrate this solution into your website's anti-spam strategy to keep it protected. Let me know if you need further adjustments!


On 9/26/2025 at 12:14 PM, Prestashop Addict said:

In V3 what was the threshold used?

I tested the default threshold 0.7, and then tested 0.3 to 0.1, all with the same result.
As soon as I put the contact form online (by updating the .htaccess file), the process starts continually creating emails from the same IP through the contact form, until I update the .htaccess file again to block it. I could block the IP, but I want to find the source here.



On 9/26/2025 at 8:12 AM, Knowband Plugins said:

What's the response of the module developer on the same?

I got a response today: they have closed the incident, as they want me to create a new one where I deliver FTP/port/backend password and login. I'll post the result when solved.

11 hours ago, mihessel said:

I tested the default threshold 0.7, and then tested 0.3 to 0.1, all with the same result.
As soon as I put the contact form online (by updating the .htaccess file), the process starts continually creating emails from the same IP through the contact form, until I update the .htaccess file again to block it. I could block the IP, but I want to find the source here.


Understanding the Score
Score = 1.0: A very high probability that the user is a genuine human. 
Score = 0.0: A very high probability that the user is a bot. 
In-between scores: Represent varying degrees of risk, with the system using machine learning to assess user behavior. 

How to Use the Score

1 - Set a Threshold: After reCAPTCHA v3 learns from your site's traffic, you can set a threshold (e.g., 0.5 is a common default). 

2 - Implement Actions:

  • High Score: If the score meets or exceeds your threshold, the action is approved. 
  • Low Score: If the score falls below the threshold, the action can be blocked, or further verification can be triggered. 

3 - Monitor and Adjust: Review scores in the reCAPTCHA admin console to fine-tune your threshold based on your site's specific traffic and risk tolerance. 

Important Considerations

  • Learning Period: The accuracy of the scores improves after the system analyzes real user traffic, typically within about seven days. 
  • Context Matters: The actions taken for a given score depend on the context of your website, such as whether it's a payment page or a comment section. 
  • Behind-the-Scenes Action: It's generally recommended to take actions behind the scenes rather than displaying CAPTCHA challenges to maintain a better user experience. 

A score of 0.5 is a good start; let reCaptcha learn your traffic, then you can make it more severe, like 0.2, if you continue to have spam bots.


FYI,
The reCAPTCHA team reached out; they want to investigate the issue in more detail, so they reopened the INC today.
Thanks for your support, Team. As soon as I have more information I'll post it.


Here is the update from PrestaShop (reCAPTCHA module support):

After analyzing your case and the module configuration, we've identified the root cause of the spam problem you're experiencing. The spambots are bypassing your contact form entirely by sending direct POST requests to the form submission endpoint, which means they never interact with the reCAPTCHA challenge on the frontend. This is a sophisticated attack method that requires additional security layers beyond standard reCAPTCHA implementation.

Why is this happening?
Sophisticated spam bots can bypass form protections by:

  • Directly posting data to your form handler URL
  • Never loading the actual contact page with the reCAPTCHA widget
  • Submitting fake customer accounts through direct API calls

This is a known issue with many PrestaShop stores, particularly with spam from Chinese qq.com email addresses using gambling-related content in Chinese characters.

Recommended Solutions: Additional Security Layers

Consider implementing these complementary measures to strengthen your store's protection:

  • Email Domain Blocking: Block known spam email providers (qq.com, 126.com, 163.com, mail.ru, etc.) at the form submission level
  • IP Rate Limiting: Limit form submissions per IP address (e.g., max 3 submissions per hour)
  • Honeypot Fields: Add hidden fields that bots fill out but humans don't see
  • Server-Level Protection: Implement mod_security or fail2ban rules to block suspicious patterns

/BR 

Edited by mihessel

1 hour ago, mihessel said:

Directly posting data to your form handler URL

Then it's a wrong implementation. If the bots are directly sending the request, then there should be a checkbox on the backend as well, whether challenge data is received or not. If not, then the system should throw an error.

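Worked example of the backend check the previous comment asks for, which also applies the v3 score threshold discussed earlier in the thread: a submission with no token (the direct-POST case from the support reply) is refused before anything else, and a present token is verified server-side. This is added code, not the reCaptcha module's or PrestaShop's own; it assumes the standard POST field g-recaptcha-response, a hidden honeypot field named website, a v3 action named contact, and the siteverify JSON fields success, score, action, hostname and error-codes.

```php
<?php
// POST the token to Google's siteverify endpoint and return the decoded JSON reply.
function siteVerify(string $secret, string $token, string $remoteIp): array
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $token, 'remoteip' => $remoteIp]),
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    return is_string($raw) ? (json_decode($raw, true) ?: []) : [];
}

// Decide whether one contact-form submission may be processed. $verify is injected
// (normally a wrapper around siteVerify) so the decision logic can be exercised
// with canned siteverify replies. Returns [allowed, reason].
function gateContactSubmission(array $post, string $remoteIp, callable $verify,
                               float $threshold, string $expectedHost): array
{
    // Honeypot: browsers leave the hidden field empty; scripted posts often fill it.
    if (($post['website'] ?? '') !== '') {
        return [false, 'honeypot filled'];
    }
    // No token means the client never ran the widget: a direct POST to the handler.
    $token = $post['g-recaptcha-response'] ?? '';
    if ($token === '') {
        return [false, 'no reCAPTCHA token received'];
    }
    $r = $verify($token, $remoteIp);
    if (empty($r['success'])) {
        return [false, 'token rejected: ' . implode(',', $r['error-codes'] ?? ['unknown'])];
    }
    // Tokens are bound to the host they were issued for; reject ones minted elsewhere.
    if (($r['hostname'] ?? '') !== $expectedHost) {
        return [false, 'token issued for another host'];
    }
    // v3 replies carry action and score; v2 checkbox replies have neither.
    if (isset($r['score'])) {
        if (($r['action'] ?? '') !== 'contact') {
            return [false, 'token for another action'];
        }
        if ((float)$r['score'] < $threshold) {
            return [false, 'score ' . $r['score'] . ' below threshold ' . $threshold];
        }
    }
    return [true, 'ok'];
}
```

In the handler, call gateContactSubmission($_POST, $_SERVER['REMOTE_ADDR'], fn($t, $ip) => siteVerify($secretKey, $t, $ip), 0.5, 'your-shop-hostname') and drop the message whenever the first element is false, logging the reason so repeated direct POSTs from one IP show up in the logs.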
