Topic: Trouble with spammers slipping by reCaptcha? New contactLP script is available.

Offline saratogaWX

  • Administrator
  • Forecaster
  • *****
  • Posts: 8423
  • Saratoga, CA, USA Weather - free PHP scripts
    • Saratoga-Weather.org
I'd been running the Google reCaptcha V2 contact script on my main site and 18 regional network sites for quite a while with very few spam issues.  Apparently, the evil ones have figured out a way to (by automation) get reCaptcha to use the audio prompt challenge, record the challenge and submit to Google's speech-to-text, and feed the text back to the challenge, which then succeeds and the spam message is sent.  I was getting more than 30 a day, many with odd nonsense content related to books.

Recently, Pierre Fauque released a Login Pad challenge .. uses JavaScript to populate a dynamic pad of 16 buttons with 10 digits randomly placed.  The buttons must be clicked/touched to activate, so it seems to be fairly resistant to automation solving it.  I've updated my site (and the 18 regional sites) with the new script, and behold, no more auto-spam :)

The Login Pad contact form is available at https://saratoga-weather.org/scripts-contactLP.php#contactlp for standalone/Saratoga template use.  Also available on GitHub at https://github.com/ktrue/contact-form-loginpad

Enjoy!
Ken
Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis VP1+ FARS, Boltek-PCI/NexStorm, microSferics ToA, Blitzortung RED, GRLevel3, WD, WL, VWS, Cumulus, Meteobridge/hub
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP

Offline W3DRM

  • Forecaster
  • *****
  • Posts: 3332
    • Carson Valley Weather
Hi Ken,

Interestingly, I too have seen a dramatic increase in SPAM via the old "Secure Contact Form" using reCaptcha on all of my websites that I use it on. I have looked at the new one you are linking to in this thread. However, I have a need to be able to have multiple selections in several of the fields as well as the ability to have those forwarded to the selected recipient. The new contactLP form doesn't seem to have such capabilities so I'm stuck using the old form until I can figure out a way to fill my needs. Any thoughts on this matter?

Hope all is well with you and your family.
Don - W3DRM - Minden, Nevada --- Blitzortung ID: 808 --- FlightRadar24 ID: F-KRNO2
Davis Wireless VP2, WD 10.37s101,
StartWatch, VirtualVP, VPLive, Win10 Pro
--- Logitech HD Pro C920 webcam
--- RIPE Atlas Probe - 32849

Offline saratogaWX

Hi Don,
Mike Challis had discontinued support for the Fast Secure Contact Form a while back (2018 as I remember).  I'm going to take a look at adding the LoginPad option to the script set and will let you know if I have success :)  I just intend on adding another captcha option to the set (not removing the two that currently exist).

Both wife and I finished our 2nd Pfizer shots two weeks ago.  We are remaining mostly shelter-in-place and following the guidelines.  Our county is now in 'Red' tier and some re-openings have been allowed, but we're still using take-out for restaurants for the indefinite future.
Stay healthy!

Offline W3DRM

Hi Ken,

If I had the programming knowledge you have, I would have tried doing what you are thinking about doing with Mike's old software. I really like it and have used it on several of my websites. Porting the LoginPad would be ideal, if it can be done.

Barb & I will be getting our 2nd covid shots next week. Neither of us had any reaction to the first one other than a sore arm that cleared-up in a couple of days. We too have pretty much stayed inside except for necessary shopping. I do hope all of this goes away quickly now.

Best regards,
Don

Offline saratogaWX

I'm almost done with the mods to the Fast Secure Contact Form - PHP.  Just a few more things to chase down, and I'll have a release for you later today. :)

It's been fun wandering through Mike's coding and (re)learning how PHP class structures work IRL.  The LoginPad class had to be changed quite a bit to work within the FSCF structure.  Each form on the admin page now offers a 'Use LoginPad Captcha' checkbox, and an entry to put the numeric key to display for the LoginPad captcha challenge.  This is all based on Mike's 3.2.1 FSCF release (which I think is the last one he did).
I've also removed a bunch of (now dead) links to the fastsecurecontactform site.

Offline W3DRM

This is great! Can't wait to see your results. I'll watch for your update later today. Have a couple meetings over the next few hours so won't be able to look at it until late this afternoon.

I much appreciate your efforts (as always) on getting Mike's old code working with the new Login Pad code.

Offline saratogaWX

Sorry for the delay.. had the grandkids over for dinner last night.  I've got it working, just not the 'no more tries after N failures at the captcha', but I can live with that.

Download the package from https://saratoga-weather.org/fscfLP-3.2.1a.zip
Unzip the ./contact-files/ to your ./contact-files/ on your website.
Add the following CSS to the page that invokes the FSCF form:
Code:
/* styles for loginPad captcha */
.input p { font-family:arial; font-size:1em }
.input a { text-decoration:none }
.input { width:140px; margin-left:50px; padding:10px; background-color:#B0FFB0; border:1px solid grey }
.db { width:33px; height:33px }
.db a:hover { color:red !important; }
.challenge {
 font-family:arial;
 font-size: x-large;
 margin-left: 50px;
 border: 2px blue solid;
 padding: 10px;
}
.input input[type="button"] {
  border-radius: 10px !important;
  font-size: x-large !important;
  width: 33px !important;
  height: 33px !important;
  border: 1px solid black !important;
  color: black !important;
  margin: 1px;
}
.input input[type="button"]:hover {
  color: red !important;
}
.input input[type="submit"] {
  border: 1px solid black !important;
  color: black !important;
}
.input input[type="submit"]:hover {
  color: red !important;
}

.input input[type="reset"] {
  border: 1px solid black !important;
  color: black !important;
}
.input input[type="reset"]:hover {
  color: red !important;
}

.input input[type="password"] {
  border: 1px solid black !important;
  color: black !important;
}
Run the /contact-files/admin/ page and edit the form .. under Captcha,
tick: Enable LoginPad CAPTCHA.
change: LoginPad code: to an 8-digit number of your choice (or leave it if you like).  Use digits from 0..9, but don't repeat a digit (they should be unique).
Press the Update Options to lock in your selection.  Then View the form (and try it out).

These are the changed files from the 3.2.1 version:

contact-files\admin\style.css
contact-files\admin\contact-form-admin.php
contact-files\admin\contact-form-do-test-mail.php
contact-files\admin\index.php
contact-files\admin\lost-pw.php
contact-files\attachments\.htaccess
contact-files\captcha\cache\.htaccess
contact-files\captcha\securimage.php
contact-files\install\index.php
contact-files\phpmailer\PHPMailerAutoload.php
contact-files\settings\.htaccess
contact-files\settings\version-check.txt
contact-files\style.css
contact-files\contact-form-ex-fields.php
contact-files\contact-form-process.php
contact-files\contact-form-run.php
contact-files\contact-form-display.php
contact-files\contact-form.php

The .zip file DOES NOT include settings, so first time users will need to run ./contact-files/install/ first.  For an existing installation, it's safe to replace files on your copy, it will not clobber any ./contact-files/settings/fsc*.php files already configured.

Whew...
Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis VP1+ FARS, Boltek-PCI/NexStorm, microSferics ToA, Blitzortung RED, GRLevel3, WD, WL, VWS, Cumulus, Meteobridge/hub
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP
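Added example, not part of Ken's post and not code from the LoginPad or FSCF packages: a JavaScript (Node.js) sketch of the mechanism described in this thread, a 16-button pad with the 10 digits randomly placed and an 8-digit LoginPad code with no repeated digit. The function names, the choice to submit button positions rather than digits, and keeping the pad layout on the server are assumptions of this sketch.

```javascript
// Added sketch; every name here is hypothetical, not the package's API.
const nodeCrypto = require('crypto');

// Admin-side check of the "LoginPad code" setting: 8 digits, none repeated.
function validatePadCode(code) {
  if (!/^[0-9]{8}$/.test(code)) return 'must be exactly 8 digits (0-9)';
  if (new Set(code).size !== code.length) return 'digits must be unique';
  return null; // null means the setting is acceptable
}

// Build one pad: 16 slots, the 10 digits in random positions, 6 slots blank.
// Fisher-Yates shuffle driven by the CSPRNG so the layout is not predictable.
function buildPad() {
  const slots = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
                 '', '', '', '', '', ''];
  for (let i = slots.length - 1; i > 0; i--) {
    const j = nodeCrypto.randomInt(i + 1); // uniform in 0..i
    [slots[i], slots[j]] = [slots[j], slots[i]];
  }
  return slots;
}

// Server-side check. Assumption: the form submits the clicked button
// positions (0..15) and the layout stays in the visitor's server session,
// so the digits themselves never travel back in the request.
function checkEntry(pad, clickedSlots, expectedCode) {
  if (!Array.isArray(clickedSlots)) return false;
  if (clickedSlots.length !== expectedCode.length) return false;
  const entered = clickedSlots
    .map(i => (Number.isInteger(i) && i >= 0 && i < pad.length ? pad[i] : ''))
    .join('');
  // A blank or out-of-range slot shortens the string and fails here.
  if (entered.length !== expectedCode.length) return false;
  return nodeCrypto.timingSafeEqual(Buffer.from(entered),
                                    Buffer.from(expectedCode));
}
```

Because the layout is reshuffled for every form view, a recorded sequence of click positions from one view does not match the next one.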

Offline W3DRM

Thanks Ken am going to try it now. However, one quick question. In the section above "Add the following CSS to the page that invokes the FSCF form:" I'm not sure exactly which file you are referring to. I call the contact.php file in my root from a css3menu item.

Offline saratogaWX

It's in the file on your site that has something like
Code:
<?php
$contact_form = 1; // set desired form number.
$contact_form_path = $_SERVER['DOCUMENT_ROOT'].'/contact-files/'; // set path to /contact-files/ with slash on end.
print "<!-- p='$contact_form_path' -->\n";
require $contact_form_path . 'contact-form-run.php';
?>

That's the file that needs the extra CSS in its <head> section.

Offline W3DRM

Okay, thanks. I'll let you know how it goes.

Offline W3DRM

Well, I must be doing something wrong as I still see the old form displayed and no reference to the new LoginPad CAPTCHA. However, in Admin mode, I see in the upper right corner below the header "Version: 3.1". So, I may not be using the latest distribution of the FSC Form.

I'll look around and see if I can find v3.2.1 which I think you said was the last version Mike released.

I have a dinner/meeting to go to shortly so won't be able to do anything more on this until tomorrow. Thanks for all of your work, I hope I can get it working.

Offline saratogaWX

You can replace the contents of ./contact-files/ with the .zip contact-files/ , and upload EVERYTHING.  It won't clobber the ./contact-files/settings/fsc*.php settings files.