sumsel

Spammer bypasses contact form. Captcha no effect.


Hi folks,

I could use some help.

A Chinese fraud and virus spammer has decided to send me tons of messages via the contact form.

However, he doesn't need the contact form to do that, and I have no clue how that is even possible.

How did I find out? I replaced the contact-form.tpl with a static HTML page which stated that due to spam the contact form was temporarily disabled. But I still got spam via the contact form!! With no contact form even present in the shop!!

That sender seems to have a way to call the scripts usually used by the contact form to send messages, and does not need any forms.

I put the shop into maintenance mode. I didn't get spam then. At least something.

For obvious reasons, that is not my preferred permanent solution.

Then I searched this forum, and successfully found and implemented a reCAPTCHA for my contact form. Put the shop back online. Got spam again. Put the shop offline.

What do I do against that??

Thanks for any hints.


When you fill in a form on a website and submit it, it is "received" by another piece of software. It sounds like you disabled the form but not the receiving software, and that the spammer has built some software that simulates your form.


Yes, that is indeed what it seems like. So what do I do? I can live with a shop that doesn't have the contact form functionality. I tested disabling the email feature, but that also disables all emails during product ordering, a no-go. I would like to selectively disable the email-through-contact-form function. Any hints how I can achieve that? Of course a more advanced solution which really prevents this kind of spam would be better, but first things first. I want my shop back, without contact form spam. Hope somebody can help. Thanks!


I hope you are aware of the Send-to-a-friend module spam problem and that it isn't that problem that you have. That module allowed spammers to use your site to send spam. By now there is an upgrade that solves the problem. https://www.prestashop.com/forums/topic/539185-somebody-sending-out-spam-using-the-send-to-a-friend-module/

As far as I can see the forms are processed in the file controllers/front/ContactController.php. You might want to change that file.


Thank you. I have seen the send-to-a-friend spam issue, and as I have never had the send-to-a-friend function active, I concluded this was unrelated.

I'm currently experimenting with ContactController.php and will post any results I may get.


I am now trying the hammer method: search and destroy. I renamed ContactController.php to _ContactController.php, with the intention of killing any process which would rely on this controller to work, hoping that sending spam through a bot is one of those processes.

This leads to a 404 error when somebody tries to open the contact form, no matter which content is in that contact form.

So I also unhooked the contact block from the DisplayNav position. For the average user, there simply is no contact form any more, and as our customer service email address is displayed on every page, I think that is no problem in itself.

Of course this method is the dirtiest way imaginable, and I'm not entirely sure what else I have destroyed with this, so this is not a recommendation but merely a report of what I'm doing to my shop. If I get more insights, I will post again. Should I forget to post, then that's a sign it may have worked as I intended ;)


1.6.1.7 here.

In the couple of hours since renaming the controller no spam has arrived, but an order has gone through and I received the email notification about that. Guess I will leave it like that, unless someone can point out a cleaner solution.


I do not know how this bot could send messages without a form, but I installed the reCAPTCHA module, and for the moment there is no spam.


That's good then! musicmaster gave some hints how it may have been possible, for me the recaptcha didn't sort it out. So anyone reading this in the future has two options to test :)


SOLVED!!!!

Problem was that the captcha algo has to be activated in ContactController.php:

1: Enter reCAPTCHA and generate the keys with your domain.

2: Add <script src=https://www.google.com/recaptcha/api.js'></script> to header.tpl just before the </head> tag.

3: Add <div class="g-recaptcha" data-sitekey="[public Google key]"></div> to contact-form.tpl just before the </form> tag.

4: Go to /controllers/front/ContactController.php and just after this line: $this->errors[] = Tools::displayError('Bad file extension');

add:

} else if (!($gcaptcha = (int)(Tools::getValue('g-recaptcha-response')))) {
    $this->errors[] = Tools::displayError('Captcha not verified');
}

That's it!

For PrestaShop 1.6.1.5

Edited by javior00
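The step-4 check above only tests that the submitted g-recaptcha-response casts to a non-zero integer; nothing ever asks Google whether the token is genuine, so it does not prove that a challenge was solved. The following is an added example (not code from this thread or from PrestaShop) of doing the verification server-side against the reCAPTCHA siteverify endpoint; verifyRecaptchaToken, RECAPTCHA_SECRET and RECAPTCHA_HOST are assumed names.

```php
<?php
// Added example, not code from this thread or from PrestaShop itself.
// Instead of casting g-recaptcha-response to int, this asks Google's siteverify
// endpoint whether the token is genuine. Assumed names: RECAPTCHA_SECRET (your
// secret key) and RECAPTCHA_HOST (the hostname the widget is served from).
define('RECAPTCHA_SECRET', 'REPLACE-WITH-YOUR-SECRET-KEY'); // placeholder
define('RECAPTCHA_HOST', 'shop.example.com');               // placeholder

function verifyRecaptchaToken($secret, $token, $remoteIp = null, $expectedHost = null)
{
    // Tools::getValue() returns false when the field is absent; reject that and
    // oversized values before spending a network round trip on them.
    if (!is_string($token) || $token === '' || strlen($token) > 4096) {
        return false;
    }
    $fields = array('secret' => $secret, 'response' => $token);
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp;
    }
    $context = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
        'timeout' => 5,
    )));
    $raw = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $context);
    if ($raw === false) {
        return false; // fail closed: an unreachable verifier must not let the message through
    }
    $result = json_decode($raw, true);
    if (!is_array($result) || empty($result['success'])) {
        return false; // token missing, expired, already used, or issued for another site key
    }
    // The token must have been solved on our own page, not on a copied widget elsewhere.
    if ($expectedHost !== null && (!isset($result['hostname']) || $result['hostname'] !== $expectedHost)) {
        return false;
    }
    return true;
}

// In ContactController::postProcess(), the thread's check then becomes:
//
// } else if (!verifyRecaptchaToken(RECAPTCHA_SECRET, Tools::getValue('g-recaptcha-response'),
//                                  $_SERVER['REMOTE_ADDR'], RECAPTCHA_HOST)) {
//     $this->errors[] = Tools::displayError('Captcha not verified');
// }
```

Keep the secret key out of the template files; only the site key from step 3 belongs in the page.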


Note: replace the src from step 2 with the correct URL ( h t t p s : / /www.google.com/recaptcha/api.js) without the https spaces

:)

Edited by javior00

On 17/05/2017 at 10:00 AM, javior00 said:

SOLVED!!!!

Problem was that the captcha algo has to be activated in ContactController.php:

1: Enter reCAPTCHA and generate the keys with your domain.

2: Add <script src=https://www.google.com/recaptcha/api.js'></script> to header.tpl just before the </head> tag.

3: Add <div class="g-recaptcha" data-sitekey="[public Google key]"></div> to contact-form.tpl just before the </form> tag.

4: Go to /controllers/front/ContactController.php and just after this line: $this->errors[] = Tools::displayError('Bad file extension');

add:

} else if (!($gcaptcha = (int)(Tools::getValue('g-recaptcha-response')))) {
    $this->errors[] = Tools::displayError('Captcha not verified');
}

That's it!

For PrestaShop 1.6.1.5

Just a missing quote, so it would be:

<script src='https://www.google.com/recaptcha/api.js'></script>

Edited by olivier75
mistake

On 17/05/2017 at 1:30 PM, javior00 said:

SOLVED!!!!

Problem was that the captcha algo has to be activated in ContactController.php:

1: Enter reCAPTCHA and generate the keys with your domain.

2: Add <script src=https://www.google.com/recaptcha/api.js'></script> to header.tpl just before the </head> tag.

3: Add <div class="g-recaptcha" data-sitekey="[public Google key]"></div> to contact-form.tpl just before the </form> tag.

4: Go to /controllers/front/ContactController.php and just after this line: $this->errors[] = Tools::displayError('Bad file extension');

add:

} else if (!($gcaptcha = (int)(Tools::getValue('g-recaptcha-response')))) {
    $this->errors[] = Tools::displayError('Captcha not verified');
}

That's it!

For PrestaShop 1.6.1.5

Worked for 1.6.1.4. Thanks a lot.

On 22/02/2018 at 10:33 AM, nberga said:

Hi,

I followed these steps but now my contact form doesn't work, what did I do wrong?

Try without "{ }" in ContactController.php, like this:

else if (!($gcaptcha = (int)(Tools::getValue('g-recaptcha-response'))))
    $this->errors[] = Tools::displayError('Captcha not verified');

and don't miss the ' in <script src='https://www.google.com/recaptcha/api.js'>

Works on PrestaShop 1.6.0.11


Thanks for the tips Place2 :)

On the contact_form.tpl file the ' (inverted comma) was missing before the https link.

On the contact controller I removed the { } as well and now the contact form page opens again. Let's wait and see if the spammers get blocked :)

Edited by patuga

On 24.2.2018 at 11:07 AM, Place2 said:

Try without "{ }" in ContactController.php, like this:

else if (!($gcaptcha = (int)(Tools::getValue('g-recaptcha-response'))))
    $this->errors[] = Tools::displayError('Captcha not verified');

Hi,

I tried both with the curly braces and without.
Do I need to replace the "else if" statement that sits after this line: $this->errors[] = Tools::displayError('Bad file extension');

or do I just place it in front of the else and if statements?

Maybe someone has a screenshot of how it should look?

Edited by Atocx


I have renamed the controller and am still getting spam, no form, no module.

Customer e-mail address: brnsmur@mail.ru

Customer message: Congratulations to the lucky winner :)

Good day.

We are pleased to inform you that:

A few days ago you made online orders (transactions), and one of them was chosen as the winner of a social programme.
A cash reward from our incentive resource in the amount of $60-$1000 is waiting for you.
The Association of the Social Programme «Online Purchase» has been running this campaign for 4 years in a row and has already earned the title of "International Programme".

You can transfer the prize money via this link - FIND OUT THE REWARD AMOUNT.

You can always read the winners' reviews on the reviews page.

Order ID: -
Attached file: -

I am damn confused and pissed off by this spam stuff.

6 hours ago, kerintis said:

I have renamed the controller and am still getting spam, no form, no module.

Customer e-mail address: brnsmur@mail.ru

Customer message: Congratulations to the lucky winner :)

Good day.

We are pleased to inform you that:

A few days ago you made online orders (transactions), and one of them was chosen as the winner of a social programme.
A cash reward from our incentive resource in the amount of $60-$1000 is waiting for you.
The Association of the Social Programme «Online Purchase» has been running this campaign for 4 years in a row and has already earned the title of "International Programme".

You can transfer the prize money via this link - FIND OUT THE REWARD AMOUNT.

You can always read the winners' reviews on the reviews page.

Order ID: -
Attached file: -

I am damn confused and pissed off by this spam stuff.

Why not try my way?


A simple solution that worked for me:

Go to Preferences --> SEO & URLs and modify the contact page. In the Rewritten URL, change contact-us to contact.

The contact form will still work under the new URL, but if you look at your online visitors the spammer gets a "pagenotfound".

P.S.: I also have slidecaptcha on this form but it didn't solve the problem.

P.S.2: IP blocking won't work because it comes from all over Eastern Europe (Russia, Moldova, Ukraine, Kazakhstan, Belarus, ...)

14 hours ago, Mitsos QAS said:

A simple solution that worked for me:

Go to Preferences --> SEO & URLs and modify the contact page. In the Rewritten URL, change contact-us to contact.

The contact form will still work under the new URL, but if you look at your online visitors the spammer gets a "pagenotfound".

P.S.: I also have slidecaptcha on this form but it didn't solve the problem.

P.S.2: IP blocking won't work because it comes from all over Eastern Europe (Russia, Moldova, Ukraine, Kazakhstan, Belarus, ...)

Me too, but today they probably found it again. I just received the same Russian spam mail.


Rewriting the SEO URL will not help. I have checked the log files; they also use

/en/index.php?controller=contact

This will redirect to the contact form whatever you write into SEO friendly URLs.

On 2/28/2018 at 7:31 PM, adversor said:

Rewriting the SEO URL will not help. I have checked the log files; they also use

/en/index.php?controller=contact

This will redirect to the contact form whatever you write into SEO friendly URLs.

It turns out this way will work, please try it.

I have added more than 200 IPs, and I don't receive spam now.

https://www.vicoffers.com/en/blog/4_ban-prestashop-spam-contact-message.html

Here is my blacklist. You can use

ipset restore -f blacklist.txt

to restore the blacklist to your server, then gather IP addresses and add them manually.

blacklist.zip

Edited by VicOffers

10 hours ago, adversor said:

Don't think this is a solution. Tomorrow you can add 200 new IPs.

Yes, it will work, but it's hard to add too many IP addresses manually.

The spammer has stopped sending messages to me now; I think he can't control so many IP addresses, hundreds at most maybe.

There are 3 ways to ban the spammer:

1. Block all the IP addresses.

2. It's a temporary method to change the controller URL.

3. Maybe it's a good way to add the captcha, if it works.

Edited by VicOffers

22 hours ago, adversor said:

Rewriting the SEO URL will not help. I have checked the log files; they also use

/en/index.php?controller=contact

This will redirect to the contact form whatever you write into SEO friendly URLs.

Use this .htaccess rule to avoid calls to index.php?controller=contact:

RewriteCond %{QUERY_STRING} ^controller=contact$
RewriteRule ^(.*)\.php$ - [L,R=404]

1 hour ago, tuk66 said:

Use this .htaccess rule to avoid calls to index.php?controller=contact:

RewriteCond %{QUERY_STRING} ^controller=contact$
RewriteRule ^(.*)\.php$ - [L,R=404]

Thanks, works so far for me.


Changing the SEO URLs and the .htaccess solved the issue, for now...

PS: I had to delete the folder cache/smarty/cache/blockpermanentlinks_header/ to update the link to the contact form.
Version 1.5.6.2

Edited by ilovekutchi.com

3 hours ago, VicOffers said:

Will the contact form still work this way?

Yes, still working.


Hi, I have the same problem with emails from Russia, even though I do not have the contact form. As far as I understood, the solution posted above is just for Presta 1.6 and not for 1.7. Is there a solution for 1.7 as well?

9 hours ago, Bweber said:

Hi, I have the same problem with emails from Russia, even though I do not have the contact form. As far as I understood, the solution posted above is just for Presta 1.6 and not for 1.7. Is there a solution for 1.7 as well?

Hello, the same way: you need to modify the code of the contactform module instead of the contact form controller.

On 3/1/2018 at 11:08 AM, tuk66 said:

Use this .htaccess rule to avoid calls to index.php?controller=contact:

RewriteCond %{QUERY_STRING} ^controller=contact$
RewriteRule ^(.*)\.php$ - [L,R=404]

Worked instantly for me on 1.6.1 ... Thanks a lot TUK66!

On 24/02/2018 at 10:07 AM, Place2 said:

Try without "{ }" in ContactController.php, like this:

else if (!($gcaptcha = (int)(Tools::getValue('g-recaptcha-response'))))
    $this->errors[] = Tools::displayError('Captcha not verified');

and don't miss the ' in <script src='https://www.google.com/recaptcha/api.js'>

Works on PrestaShop 1.6.0.11

Still not getting there, you can check it:

http://www.artilharia6.com/index.php?controller=contact


After changing the URL they stopped spamming for 1-2 days. But it started again.

As adversor wrote:

"Rewriting the SEO URL will not help. I have checked the log files; they also use

/en/index.php?controller=contact

This will redirect to the contact form whatever you write into SEO friendly URLs."

Even with slider captcha they can send spam using the contact form.

The only way to stop the spamming is to edit ContactController.php and add a question that locks the "submit button".

I read in several pages how to add this question.

This is the only working solution for now.

contact-controller.jpg
