mihessel (Posted September 26, 2025, edited):

Hi PrestaShop Forum,

After buying and installing the module "reCaptcha" from https://addons.prestashop.com/en/website-security-access/42438-recaptcha-google-anti-spam.html I still have a major issue with reCAPTCHA: I get SPAM from robots/services using my contact form to send SPAM. I see continued email creations in the PrestaShop backend, 15 a minute from one IP. The module doesn't block spam, tested both v2 and v3; the spammer/robot/service uses the contact form to send spam, and this is not blocked by reCAPTCHA. Is there anyone with the same issue with this module?

Example of user created:
Name: 网址①⑧⑧⑦点top注册送⑧彩金
Last name: 存五十送③⑦彩金
email: [email protected]
IP: 38.12.30.33

Purchased module/software: reCaptcha - Google Anti Spam module, version: v1.1.7
reCaptcha versions tested with no luck: v2 and v3
Changed 'Site key' and 'Secret key' but with the same result.
My PrestaShop version: 1.7.6.8
ReCaptcha anti-spam - PrestaShop module configuration in backend, ReCaptcha allowed score is set to 0.1

Temporary solution is to block the form in the .htaccess with the following:

# blocking contact form
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{QUERY_STRING} ^create_account=1.* [NC]
  RewriteRule ^(.*)$ - [F,L]
</IfModule>
# below: the start of the standard PrestaShop-generated block, as pasted in the post
<IfModule mod_rewrite.c>
  <IfModule mod_env.c>
    SetEnv HTTP_MOD_REWRITE On
  </IfModule>
  RewriteEngine on
  # ... PrestaShop's own rewrite rules continue here in the real file ...
</IfModule>

BR /M

Edited September 26, 2025 by mihessel
Knowband Plugins (Posted September 26, 2025):

What's the response of the module developer on the same?
mihessel (Posted September 26, 2025, Author):

I'm waiting for a reply from the module developer; as soon as I get it, I'll post the info in here.
Prestashop Addict (Posted September 26, 2025):

In v3 what was the threshold used?
mihessel (Posted September 29, 2025, Author):

Quoting Prestashop Addict (9/26/2025 at 12:14 PM): "In V3 what was the threshold used?"

I tested the default threshold 0.7, and then tested 0.3 to 0.1, all with the same result. As soon as I put the contact form online (and update the .htaccess file), the process starts continually creating emails from the same IP through the contact form, until I update the .htaccess file again, where I block it. I could block the IP, but I want to find the source here.
mihessel (Posted September 29, 2025, Author):

Quoting Knowband Plugins (9/26/2025 at 8:12 AM): "What's the response of the module developer on the same?"

I got a response today: they have closed the incident, as they want me to create a new one where I deliver FTP/port/backend PW and login. I'll post the result when solved.
Knowband Plugins (Posted September 29, 2025):

Quoting mihessel (18 minutes ago): "I want to find the source here."

Access log file analysis may also be required: match the time of registration with the access log time, and the page URL in the access log at that time, to find the source page.
Hart (Posted September 29, 2025):

Quoting mihessel (11 hours ago): "I tested the default threshold 0.7, and then tested 0.3 to 0.1, all with the same result. As soon as I put the contact form online (and update the .htaccess file), the process starts continually creating emails from the same IP through the contact form, until I update the .htaccess file again, where I block it. I could block the IP, but I want to find the source here."

Understanding the Score
Score = 1.0: A very high probability that the user is a genuine human.
Score = 0.0: A very high probability that the user is a bot.
In-between scores: Represent varying degrees of risk, with the system using machine learning to assess user behavior.

How to Use the Score
1 - Set a Threshold: After reCAPTCHA v3 learns from your site's traffic, you can set a threshold (e.g., 0.5 is a common default).
2 - Implement Actions:
  High Score: If the score meets or exceeds your threshold, the action is approved.
  Low Score: If the score falls below the threshold, the action can be blocked, or further verification can be triggered.
3 - Monitor and Adjust: Review scores in the reCAPTCHA admin console to fine-tune your threshold based on your site's specific traffic and risk tolerance.

Important Considerations
Learning Period: The accuracy of the scores improves after the system analyzes real user traffic, typically within about seven days.
Context Matters: The actions taken for a given score depend on the context of your website, such as whether it's a payment page or a comment section.
Behind-the-Scenes Action: It's generally recommended to take actions behind the scenes rather than displaying CAPTCHA challenges to maintain a better user experience.

A score of 0.5 is a good start; let reCaptcha learn your traffic, then you can make it more severe, like 0.2, if you continue to have spam bots.
mihessel (Posted October 1, 2025, Author):

FYI, the reCAPTCHA team reached out; they want to investigate the issue in more detail, so they reopened the INC today. Thanks for your support, team; as soon as I have more information I'll post it.
mihessel (Posted October 3, 2025, Author, edited):

Here is the update from PrestaShop (reCAPTCHA):

After analyzing your case and the module configuration, we've identified the root cause of the spam problem you're experiencing. The spambots are bypassing your contact form entirely by sending direct POST requests to the form submission endpoint, which means they never interact with the reCAPTCHA challenge on the frontend. This is a sophisticated attack method that requires additional security layers beyond standard reCAPTCHA implementation.

Why is this happening?
Sophisticated spam bots can bypass form protections by:
- Directly posting data to your form handler URL
- Never loading the actual contact page with the reCAPTCHA widget
- Submitting fake customer accounts through direct API calls

This is a known issue with many PrestaShop stores, particularly with spam from Chinese qq.com email addresses using gambling-related content in Chinese characters.

Recommended Solutions: Additional Security Layers
Consider implementing these complementary measures to strengthen your store's protection:
- Email Domain Blocking: Block known spam email providers (qq.com, 126.com, 163.com, mail.ru, etc.) at the form submission level
- IP Rate Limiting: Limit form submissions per IP address (e.g., max 3 submissions per hour)
- Honeypot Fields: Add hidden fields that bots fill out but humans don't see
- Server-Level Protection: Implement mod_security or fail2ban rules to block suspicious patterns

/BR

Edited October 3, 2025 by mihessel
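The three form-level measures in the support reply above (honeypot field, e-mail domain blocking, per-IP rate limiting) fit together as one pre-filter that runs before the contact form handler does anything else. The following is an added example written for this thread, not the module's or PrestaShop's own code. The field names "email" and "website" (the hidden honeypot), the 3-per-hour limit and the in-memory $store are assumptions for illustration; a real shop would keep the counters in a database table or cache so they survive across requests.

```php
<?php
// Added example, not the module's or PrestaShop's own code: the three complementary
// checks from the support reply (honeypot, e-mail domain block, per-IP rate limit)
// run as one pre-filter before the contact form handler does anything else.
// Assumptions: the field names "email" and "website" (the hidden honeypot), the
// 3-per-hour limit and the in-memory $store are illustrative; a real shop would keep
// the counters in a database table or cache so they survive across requests.

const BLOCKED_EMAIL_DOMAINS = ['qq.com', '126.com', '163.com', 'mail.ru']; // list from the support reply
const HONEYPOT_FIELD        = 'website'; // hidden with CSS in the template; humans never fill it
const RATE_LIMIT_MAX        = 3;         // submissions allowed per IP per window
const RATE_LIMIT_WINDOW     = 3600;      // window length in seconds

function emailDomainBlocked(string $email): bool
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return true; // not an address at all
    }
    $domain = strtolower(trim(substr($email, $at + 1)));
    return in_array($domain, BLOCKED_EMAIL_DOMAINS, true);
}

function honeypotTripped(array $post): bool
{
    // A bot that fills every input it finds will also fill the hidden one.
    return isset($post[HONEYPOT_FIELD]) && trim((string) $post[HONEYPOT_FIELD]) !== '';
}

/**
 * Sliding-window counter per IP. Drops timestamps older than the window, then
 * refuses the request if the remaining count already reached the limit.
 * $store is passed by reference so the caller owns the persistence.
 */
function rateLimited(array &$store, string $ip, int $now): bool
{
    $recent = array_filter($store[$ip] ?? [], fn(int $t) => $t > $now - RATE_LIMIT_WINDOW);
    if (count($recent) >= RATE_LIMIT_MAX) {
        $store[$ip] = array_values($recent);
        return true;
    }
    $recent[] = $now;
    $store[$ip] = array_values($recent);
    return false;
}

/** Returns null when the submission may proceed, otherwise the reason it was rejected. */
function preFilter(array $post, string $ip, int $now, array &$store): ?string
{
    if (honeypotTripped($post)) {
        return 'honeypot field filled';
    }
    if (emailDomainBlocked((string) ($post['email'] ?? ''))) {
        return 'blocked e-mail domain';
    }
    if (rateLimited($store, $ip, $now)) {
        return 'rate limit exceeded';
    }
    return null;
}

// Constructed submissions replaying the pattern from the thread: one IP, many posts
// within a minute. 203.0.113.5 is a documentation address, not a real spammer.
$store = [];
$now   = time();
$submissions = [
    ['email' => 'buyer@shop-customer.example',   'website' => ''],         // looks genuine: accepted
    ['email' => 'someone@qq.com',                'website' => ''],         // blocked domain
    ['email' => 'someone@shop-customer.example', 'website' => 'http://x'], // honeypot filled
    ['email' => 'a@shop-customer.example',       'website' => ''],         // accepted (2nd in window)
    ['email' => 'b@shop-customer.example',       'website' => ''],         // accepted (3rd in window)
    ['email' => 'c@shop-customer.example',       'website' => ''],         // 4th within the hour: rate limited
];
foreach ($submissions as $i => $post) {
    $reason = preFilter($post, '203.0.113.5', $now + $i, $store);
    printf("#%d %-30s -> %s\n", $i + 1, $post['email'], $reason ?? 'accepted');
}
```

The checks are ordered cheapest first, and the rate counter only counts submissions that passed the other two, so a burst of obviously bad posts does not lock out a genuine customer behind the same NAT address. The domain list is the one quoted in the reply; a shop would maintain its own.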
Knowband Plugins (Posted October 3, 2025):

Quoting mihessel (1 hour ago): "Directly posting data to your form handler URL"

Then it's a wrong implementation. If the bots are directly sending the request, then there should be a check on the backend as well, whether challenge data is received or not. If not, then the system should throw the error.
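Hart's post above explains the v3 score threshold, and Knowband's reply makes the point that a direct POST with no challenge data must be rejected on the server, not skipped. The following added example (written for this thread, not the module's code) shows a server-side verification that does both: it fails closed when the g-recaptcha-response field is absent, and when a token is present it checks the siteverify result's success flag, hostname, action and score against a threshold. The secret key, action name, threshold and the hostname shop.example are placeholders; the only real endpoint used is Google's siteverify URL, and the sample responses at the bottom are constructed so the decision logic can be exercised without network access.

```php
<?php
// Added example, not the reCaptcha module's code: server-side verification that
// treats a missing token as a hard failure (Knowband's point) and applies the v3
// score threshold (Hart's post). Assumptions: the front-end posts the token as
// "g-recaptcha-response", the secret/action/threshold constants below are placeholders,
// and shop.example stands in for the real store hostname.

const RECAPTCHA_SECRET    = 'REPLACE_WITH_SECRET_KEY'; // placeholder; from the Google admin console
const RECAPTCHA_ACTION    = 'contact';                 // action name passed to grecaptcha.execute on the page
const RECAPTCHA_MIN_SCORE = 0.5;                       // starting threshold; tune after the learning period
const SITEVERIFY_URL      = 'https://www.google.com/recaptcha/api/siteverify';

/**
 * Decide whether a decoded siteverify response passes.
 * Returns null on success, or a short reason when the submission must be rejected.
 */
function evaluateSiteverify(?array $result, string $expectedHost, string $expectedAction, float $minScore): ?string
{
    if ($result === null || empty($result['success'])) {
        return 'token invalid or expired';
    }
    // v3 responses carry action and score; v2 responses do not, so check them only when present.
    if (isset($result['hostname']) && $result['hostname'] !== $expectedHost) {
        return 'token issued for a different hostname';
    }
    if (isset($result['action']) && $result['action'] !== $expectedAction) {
        return 'token issued for a different action';
    }
    if (isset($result['score']) && (float) $result['score'] < $minScore) {
        return sprintf('score %.2f below threshold %.2f', (float) $result['score'], $minScore);
    }
    return null;
}

/** Full check for one request: returns null to accept, otherwise the rejection reason. */
function verifySubmission(array $post, string $remoteIp, string $host): ?string
{
    // A bot that POSTs straight to the handler never obtained a token, so an
    // absent or empty field is rejected here rather than skipping verification.
    $token = $post['g-recaptcha-response'] ?? '';
    if (!is_string($token) || $token === '') {
        return 'no reCAPTCHA token in request';
    }

    $body = http_build_query([
        'secret'   => RECAPTCHA_SECRET,
        'response' => $token,
        'remoteip' => $remoteIp,
    ]);
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $body,
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents(SITEVERIFY_URL, false, $ctx);
    if ($raw === false) {
        // Fail closed: an unreachable verifier must not turn into a silent accept.
        return 'siteverify unreachable';
    }
    $decoded = json_decode($raw, true);
    return evaluateSiteverify(is_array($decoded) ? $decoded : null, $host, RECAPTCHA_ACTION, RECAPTCHA_MIN_SCORE);
}

// In the form handler the call would be:
//   $reason = verifySubmission($_POST, $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_HOST']);
//   if ($reason !== null) { http_response_code(403); exit('Rejected: ' . $reason); }

// Constructed siteverify responses (no network) to show how each case is decided.
$samples = [
    'direct POST, no token' => verifySubmission([], '203.0.113.5', 'shop.example'),
    'v2 token accepted'     => evaluateSiteverify(['success' => true, 'hostname' => 'shop.example'], 'shop.example', RECAPTCHA_ACTION, RECAPTCHA_MIN_SCORE),
    'v3 low score'          => evaluateSiteverify(['success' => true, 'hostname' => 'shop.example', 'action' => 'contact', 'score' => 0.1], 'shop.example', RECAPTCHA_ACTION, RECAPTCHA_MIN_SCORE),
    'v3 wrong action'       => evaluateSiteverify(['success' => true, 'hostname' => 'shop.example', 'action' => 'login', 'score' => 0.9], 'shop.example', RECAPTCHA_ACTION, RECAPTCHA_MIN_SCORE),
    'v3 accepted'           => evaluateSiteverify(['success' => true, 'hostname' => 'shop.example', 'action' => 'contact', 'score' => 0.9], 'shop.example', RECAPTCHA_ACTION, RECAPTCHA_MIN_SCORE),
];
foreach ($samples as $label => $reason) {
    printf("%-22s -> %s\n", $label, $reason ?? 'accepted');
}
```

The hostname and action checks matter as much as the score: a token obtained on some other page or site, or for a different action name, is still "success": true at siteverify, so a threshold alone does not tell the handler that the token belongs to this form.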