
Google reCaptcha Bypassed by Spammers

1:31 pm on Dec 4, 2018 (gmt 0)

New User

joined:Dec 4, 2018
posts: 3
votes: 0


Hi all,

Returning to the WW forums as a user after nearly 20 years away, and I haven't been able to find my old account details!

As the title hints, I'm having some trouble with some Russian and Ukrainian spammers hitting my WordPress sites that run Contact Form 7 forms with Google reCaptcha v2.
In the space of a week I've had 5 hits of spam from these sources to my contact forms, and the only way I can see this happening is a human actually submitting the contact forms.

Hence, asking here if anyone else has had the same problems. Example subjects of the spam are like:

П ро ф е купить ра бочи й ч ит на в арфей с сси она л ьное ко фейное меро прия тие вУкраине  BLACKFEST Ukrainian Coffee Show

So wondering if anyone else has had similar issues, as I'm highlighting it @ WW which I think is the source & pulse for all webmaster discussions.

Thanks.




[edited by: not2easy at 1:44 pm (utc) on Dec 4, 2018]
1:50 pm on Dec 4, 2018 (gmt 0)

New User

joined:Dec 4, 2018
posts: 3
votes: 0


Been told to use the following in my C7 form:


[textarea* your-message minlength:20 maxlength:500]


But that's still not a permanent solution, is it?
4:45 pm on Dec 4, 2018 (gmt 0)

Senior Member


joined:Apr 1, 2016
posts:2409
votes: 640


I don't know how you implemented your reCaptcha but it sounds like you may not have done it correctly. Before going into detail let me state that I have very little experience with WordPress, so maybe someone else may want to chime in. I know that there are plugins available for implementation but I do not know how those work.

reCaptcha is a two-part process:
Part 1: implementation of the captcha widget on the page. This is relatively straightforward, requires some JavaScript, but the documents provided by Google are clear and concise. After implementing the captcha one may be under the impression that all is good. After all, one won't be able to submit the form without completing the captcha. But this is not the case. It is very easy to make a request directly to your endpoint without using the form. Assume your form action is '/contact-form-submit.php'. All one needs to do with JS is create a form on your localhost or any other host and then submit the form to 'http[s]://yourdomain.com/contact-form-submit.php' and voila! The form is submitted without ever seeing the captcha. This can easily be diagnosed by viewing your server logs and looking for the timestamp of the form submission, and seeing if there is a corresponding request to your contact form page. If there isn't, then the spammers are doing as I describe.

How to fix this? I said there were two parts...

Part 2:
Once the form is submitted using the reCaptcha, the widget appends an additional form field named 'g-recaptcha-response' to the form that is then submitted to your site. This additional field holds a random-key value. Now as soon as the request is received, you need to make a request to the Google API endpoint with that key value, your secret key value and the IP address of the user that submitted the form. Google will then return a response letting you know if the request is valid or not. Like this, if a spammer submits a form to your '/contact-form-submit.php' endpoint without filling in the captcha, Google will flag it and you can return an error or forbidden response to the request. If it is valid you continue handling the form as you did previously.

This second part is often missed, and without it the captcha is rendered useless, because all it will achieve is to piss off your users that really want to contact you, while being ignored by the spammers you are actually trying to block.

Now 5 hits is not a lot and this could easily be achieved by humans. So what I describe above may not be your issue. But in my experience, spam is typically generated by bots and other automated processes and 5 may soon become 500. It is worth checking your implementation.

Good luck
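The "Part 2" server-side check described above, as an added example that is not code from the thread or from Contact Form 7. It assumes the form handler receives the POSTed fields as a dict and that `example.com` is the site the widget was registered for; the siteverify URL and the `success`, `hostname` and `error-codes` reply fields are Google's documented ones, and the `transport` argument is a hypothetical hook so the decision logic can be exercised without network access.

```python
import json
import urllib.parse
import urllib.request

# Google's documented verification endpoint for reCAPTCHA v2.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_to_google(url, fields):
    """Real transport: POST the fields to siteverify and decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.load(resp)


def verify_recaptcha(form, secret, remote_ip, expected_host, transport=post_to_google):
    """Return (ok, reason). `transport` is injectable (assumed hook) for offline testing."""
    token = form.get("g-recaptcha-response", "")
    if not token:
        # The request reached the endpoint without the widget's token: the
        # direct-to-endpoint submission described in the post above.
        return False, "missing-token"
    try:
        reply = transport(SITEVERIFY_URL, {
            "secret": secret, "response": token, "remoteip": remote_ip})
    except Exception as exc:
        # Network or parse failure: fail closed rather than letting the post through.
        return False, "siteverify-unreachable: %s" % exc
    if not reply.get("success"):
        return False, "google-rejected: " + ",".join(reply.get("error-codes", []))
    if reply.get("hostname") != expected_host:
        # A token solved on some other site (or a copy of the form) is not ours.
        return False, "hostname-mismatch: %s" % reply.get("hostname")
    return True, "ok"


def handle_contact_submit(form, remote_ip, secret, transport=post_to_google):
    """Return the HTTP status the handler should send: 403 on failed captcha, else 200."""
    ok, reason = verify_recaptcha(form, secret, remote_ip, "example.com", transport)
    if not ok:
        # Log the rejection; these records are what a ban-after-N-failures rule would count.
        print("reject %s: %s" % (remote_ip, reason))
        return 403
    # ... store or mail the message here, exactly as the handler did before ...
    return 200
```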
8:11 am on Dec 5, 2018 (gmt 0)

New User

joined:Dec 4, 2018
posts: 3
votes: 0


Thanks for the input NickMNS +
I have been using reCaptcha on several main websites for the last 2 years and it's been tested and configured correctly with their own keys, so I know it's all ok.
I'm just highlighting the jump in the last week from these sources and how to stop this, as it seems reCaptcha is the problem here, and hoping Google employee(s) who frequent the WW forums are around to discuss further.
8:53 am on Dec 5, 2018 (gmt 0)

Senior Member from US 


joined:Nov 29, 2005
posts:9233
votes: 780


The tech wars between good and bad leapfrog all the time. I don't have a hard and fast answer, but I suspect G will expend some of their brain trust dealing with the uptick pretty quickly. When? Your guess is as good as mine.

Because it is a g product the bad actors will target it tooth and nail.

There is no such thing as "unbreakable".

If it can be conceived by a human mind, another will figure it out. Can't remember who said that, but it was said at least a hundred years ago. Goes hand in hand with "monkey see, monkey do", but not sure that is allowed under PC these days. And that has been around considerably longer. :)
1:28 pm on Dec 5, 2018 (gmt 0)

Senior Member


joined:Apr 1, 2016
posts:2409
votes: 640


as seem reCaptcha is the problem here

You haven't presented any evidence to this effect. You said in your OP:
In the space of a week had 5 hits of spam from this sources

5 hits a week is very much in the realm of human-generated spam. reCaptcha is intended to "stop" bots, not humans, from spamming. I quote the "stop" because it is not guaranteed to stop all bot spam, but simply to slow them down to an extreme that renders the use of bots pointless.

Had you said "I had 5 hits in one minute", or maybe one hour, then one could argue that maybe something is broken.

What do your logs tell you? Did the message come from the form on your website, or was the request submitted directly to your endpoint? Were there many attempts made to send the form?

What do the reCaptcha analytics tell you? Have there been many failed attempts?

Captchas are not the be-all or end-all of spam/bot protection, not even close. They have a limited scope and their use comes at a steep price (annoying users). Are you blocking known bad bots? For example, have you blocked the IPs of the spam messages after you have received them? Are you blocking IPs after many failed attempts at submitting the form?
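One way to answer the log question raised in the posts above (did the submission come through the form page, or straight to the endpoint?), as an added example that is not from the thread: it walks an Apache combined-format access log and reports endpoint POSTs from IPs that never loaded the form page beforehand. The form page path `/contact/`, the 30-minute window and the sample log lines are constructed for the example; `/contact-form-submit.php` is the endpoint name used in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FORM_PAGE = "/contact/"                 # page that renders the widget (assumed path)
ENDPOINT = "/contact-form-submit.php"   # form action named in the thread

# ip, timestamp, method, path, status from an Apache combined log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample: 203.0.113.10 loads the form then posts; 198.51.100.7
# posts three times in three seconds without ever requesting the form page.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Dec/2018:13:01:02 +0000] "GET /contact/ HTTP/1.1" 200 5120
203.0.113.10 - - [04/Dec/2018:13:02:40 +0000] "POST /contact-form-submit.php HTTP/1.1" 200 310
198.51.100.7 - - [04/Dec/2018:13:05:11 +0000] "POST /contact-form-submit.php HTTP/1.1" 200 310
198.51.100.7 - - [04/Dec/2018:13:05:12 +0000] "POST /contact-form-submit.php HTTP/1.1" 200 310
198.51.100.7 - - [04/Dec/2018:13:05:13 +0000] "POST /contact-form-submit.php HTTP/1.1" 200 310
"""


def parse(line):
    """Return (ip, datetime, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    # Drop the timezone offset; the comparison below only needs relative order.
    when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
    return ip, when, method, path, int(status)


def find_direct_posts(log_text, window=timedelta(minutes=30)):
    """Return {ip: count} of endpoint POSTs not preceded, within `window`,
    by a GET of the form page from the same IP, i.e. the form was never loaded."""
    last_get = {}
    direct = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, path, _ = rec
        if method == "GET" and path == FORM_PAGE:
            last_get[ip] = when
        elif method == "POST" and path == ENDPOINT:
            seen = last_get.get(ip)
            if seen is None or when - seen > window:
                direct[ip] += 1
    return dict(direct)
```

An IP that shows up here repeatedly is a candidate for the block-after-N-failures rule mentioned above, and a non-empty result on a site that "has reCaptcha" is the sign the server-side verification is being skipped.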
8:50 am on Dec 6, 2018 (gmt 0)

New User

joined:Dec 4, 2018
posts: 3
votes: 0


@NickMSN you are right, there's not much in the way of evidence, but I'd answer it like this.
Google reCaptcha has been running on multiple WP sites, configured, working and tested over the past year.
These sites have several thousand spams blocked and logged using the Flamingo/C7 form plugin.

So I get a feel for how much spam and how many real human submissions each site gets.
On any given site we probably get one lead/human-submitted enquiry a week!

This week so far, I've had 5 spam submissions, all of them selling all manner of crap, nothing to do with what the site(s) is about, and
secondly, most of these spammy submissions are from @mail.ru address entries.
And thirdly, all human-submitted enquiries reflect the industry the sites target, and thus the real human submission engages with a response about that particular industry they work in.

I haven't looked at "reCaptcha analytics", so thanks for pointing it out, I forgot all about this.

I agree reCaptcha is not the solution to blocking all spam contact form submissions, but in the past year it was doing a pretty good job, hence highlighting the jump in spam leaking into the inbox in the past week, as it's not normal for reCaptcha to have missed this at all.

Again, hence I am highlighting this and seeing if the community has seen the same results and G reps have anything to say about it!

Once again... Thanks for the input :)
2:00 pm on Dec 6, 2018 (gmt 0)

Preferred Member from CA 


joined:Feb 7, 2017
posts:536
votes: 47


I run multiple WP sites, all of which use C7 and reCaptcha, and have somewhat solved this large and troublesome problem. I feel your pain. There are Russian and other bot farms out there that I ban, and this helps a lot. Instead of simply deleting spam I study their IP and method, and ban accordingly. It is a lot of work, but there is a finite number of bad bot farms, so the more you ban the less spam you get. Though the world is large, most spam will come from very few sources.

That being said after years of working on reducing spam I still get spam weekly, maybe 2-3, along with legit posters. Some spam will be people that will bypass all Recaptcha. I have read that there are anti-recaptcha people farms in India that specialize in this bypass method. When I think my life sucks I think of these poor people.

This is not the proper WW forum to post in for this problem. Post in the WP or the Apache section. What measures have you taken in your htaccess? What is captured in your raw access log? Do you log request headers? We can help, but visibility is lower in this forum section.
2:34 pm on Dec 6, 2018 (gmt 0)

New User

joined:Dec 4, 2018
posts: 3
votes: 0


Thx muchly TorontoBoy

Wasn't too sure where best to post after browsing quickly, and only posted here as I saw a similar post only in this /foo/ forum section, hence it's here...
Maybe a moderator can move it to the right section.
But years ago there was a Google section, though I guess this went away.

My WP sites have a vhost configuration restricting access to all areas non-admins shouldn't have access to, including wp-admin, login.php, uploads (csv, pdf, xls, docs files) etc. So hardening has always been there for WP & Apache.

reCaptcha was doing such a great job so far that I didn't have to worry about these bot farms at all, or about maintaining an RBL (blacklist).
Now that you've highlighted the human data entry centres, that's a headache I have to overcome now.

But I'd like to update all on this:

After implementing a couple of steps I mentioned in my previous posts in this thread, I haven't seen much in the way of new submissions, so maybe banning @mail.ru and setting the textarea min/max length has helped.
Or maybe it was just a blip, who knows; we will see how it goes.
11:59 am on Dec 7, 2018 (gmt 0)

New User

joined:Dec 4, 2018
posts: 3
votes: 0


Just had a new submission from <snip> source.
Are samples allowed to be posted here? I will change the specifics.

[edited by: engine at 12:07 pm (utc) on Dec 7, 2018]
[edit reason] Please, no specifics [/edit]

3:55 pm on Dec 7, 2018 (gmt 0)

Senior Member


joined:Apr 1, 2016
posts:2409
votes: 640


@Aleon you may want to take a look at this thread on the wp forum regarding your specific plugin:
[wordpress.org...]
4:09 pm on Dec 7, 2018 (gmt 0)

Senior Member


joined:Apr 1, 2016
posts:2409
votes: 640


I want to add: what is described in the thread is that the content of the form is saved directly to the DB. This behavior has the potential to be a very big security vulnerability. You need to check whether or not the contents of the forms are being checked, or parsed, to prevent the inclusion of special characters such as "{ }", as this may provide an opportunity for an SQL injection attack. I can't imagine that the developers have not accounted for this, but it must be checked. You must also determine how/where it is done, because if they are depending on the client-side JS to do this then the vulnerability will still exist, as evidenced by the poor reCaptcha implementation.
9:25 am on Jan 7, 2019 (gmt 0)

New User

joined:Dec 4, 2018
posts: 3
votes: 0


Just like to update all.
Have now updated to v3 of reCaptcha and this seems to have stemmed the flow of spam.