Geekzone: technology news, blogs, forums


jordan8thepie1

56 posts

Master Geek


#319074 19-Mar-2025 20:57

A small business I work for part time has been getting an increased number of spam messages from the contact forms on both websites it hosts. Both forms do have a captcha on them.

 

We've had at one point 10+ messages a day which clogs up our enquiry view page.

 

The websites are https://grandtraining.co.nz and https://computerlearnningcentre.co.nz 

 

Would anyone know of a way to cut down the number of spam messages from the contact form? 

 

If anyone knows of a way to stop HTML from being rendered in the message field, that would be good also. Quite a bit of HTML code is rendered in the message field. I've also seen a few images in spam messages.

 

 

 

Contact form

 

 

You can see in the code that HTML is being rendered on the page.

 

 

This image is an example from one of the spam enquiries.

 

 

 

 

 

 

We do use Cloudflare free plan on both websites.

 

 

 

If anyone has any ideas or suggestions that would be great.


jordan8thepie1

56 posts

Master Geek


  #3355355 19-Mar-2025 21:01

Every time someone contacts us through the form an email is sent to us with the details.

 

Because an increased number of them are spam and the content is spam, the messages have started to appear in the spam folder.




mattwnz
20145 posts

Uber Geek


  #3355357 19-Mar-2025 21:17

Contact a web designer or whoever set it up. It is probably using an old form-to-mail script that had been hijacked.


jordan8thepie1

56 posts

Master Geek


  #3355365 19-Mar-2025 21:43

We have contacted the original developer but he is busy with his current job. Was trying to avoid contacting another web developer as budget is tight, but can look into that.

 

When someone submits the form, the data is stored in the site's database and then a function is called to send the data in an email to us, and a template to the customer.

 

The contact form uses the formValidation JavaScript library https://formvalidation.io which is run when the submit button is clicked. 




ANglEAUT
2320 posts

Uber Geek

Trusted
Lifetime subscriber

  #3355367 19-Mar-2025 22:01

Upgrade your hCaptcha account to another level or try a different provider.

 

The Enterprise level specifies: "Fine-grained difficulty levels - Dial this in to exactly fit your use case." That sounds like what you want.

 

The reCAPTCHA v3 docs state: "reCAPTCHA v3 returns a score (1.0 is very likely a good interaction, 0.0 is very likely a bot). Based on the score, you can take variable action in the context of your site. Every site is different, but below are some examples of how sites use the score. As in the examples below, take action behind the scenes instead of blocking traffic to better protect your site"

 

You want to adjust your score level of what you allow through. My very low traffic site has a score setting of 0.5 & we get no more than 2 SPAM emails a week.





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


freitasm
BDFL - Memuneh
79263 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3355379 19-Mar-2025 22:56

@jordan8thepie1 why is there Cyrillic and links to blogspot on your page screenshot?

 

I don't see that when I load on my sandbox. 

 

Are you using some extension that introduces that?

 

I tried sending a message without filling the captcha and it seems to be working - it blocked me when I did not confirm it.

 

 





Please support Geekzone by subscribing, or using one of our referral links: Samsung | AliExpress | Wise | Sharesies | Hatch | GoodSyncBackblaze backup


jordan8thepie1

56 posts

Master Geek


  #3355382 19-Mar-2025 23:05

I should have been clearer.

 

The code snippet is from a backend administration page on the site that lists all of the data from the contact form. It shows the code that's being sent in the message field.


freitasm
BDFL - Memuneh
79263 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3355383 19-Mar-2025 23:11

Are you sure this is coming from the contact form?

 

Are you sure this is not a SQL injection?

 

Is the captcha being validated on the page script only or back on the server?

 

Or a direct POST to your server, bypassing validation?

 

Does the server validate the form, or is this only on the page?





jordan8thepie1

56 posts

Master Geek


  #3355387 19-Mar-2025 23:43

We're pretty sure it's not SQL injection because we're still reviewing the email with submitted details and also getting a bounce back on the customer emails.

 

 

 

The captcha is validated on the server side through a function inside the controller file for that page.

 

 

 

The captcha code in the form validation script at the bottom of the page is for the unused legacy captcha that was originally on the site when we launched it.

 

 

 

Form validation, I think, might be done through JavaScript at the bottom of the page. But then there is some validation done in the page's controller file also.

 

 

 

I wouldn't know if it was a direct POST as I haven't tested that. But captcha validation is all handled server side.
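
Added example (not part of the thread and not the site's own code): a Python sketch of the server-side handling discussed above. It re-checks the captcha result and form fields on every POST regardless of browser-side JavaScript, applies the 0.5 score threshold one poster mentions, and escapes stored fields when the admin enquiry page renders them so submitted HTML shows as text. The function names, field names, the markup/link rule, the assumed shape of the captcha verification result and the sample submission are all assumptions; the thread does not state the site's language or framework.

```python
import html
import re

SCORE_THRESHOLD = 0.5  # the value one poster reports using with reCAPTCHA v3

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed policy: a plain-text enquiry has no need for markup or URLs.
MARKUP_RE = re.compile(r"https?://|<a\s|<img\s", re.IGNORECASE)


def validate_submission(form, captcha_result):
    """Server-side checks, run on every POST whatever the page script did.

    captcha_result is the parsed reply from the captcha provider's
    verification call (assumed shape: {"success": bool, "score": float});
    providers that return no score simply skip the threshold check.
    Returns a list of rejection reasons; an empty list means accept.
    """
    reasons = []
    score = captcha_result.get("score")
    if not captcha_result.get("success"):
        reasons.append("captcha-failed")
    elif score is not None and score < SCORE_THRESHOLD:
        reasons.append("captcha-low-score")
    if not EMAIL_RE.match(form.get("email", "")):
        reasons.append("bad-email")
    message = form.get("message", "")
    if not message.strip() or len(message) > 5000:
        reasons.append("bad-message-length")
    if MARKUP_RE.search(message):
        reasons.append("markup-or-link-in-message")
    return reasons


def render_enquiry_row(form):
    """Build one row of the admin enquiry list with every field escaped,
    so stored markup is displayed as text instead of being rendered."""
    keys = ("name", "email", "message")
    cells = (html.escape(form.get(k, ""), quote=True) for k in keys)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


# Constructed sample resembling the spam described in the thread.
SPAM = {
    "name": "x",
    "email": "a@example.com",
    "message": '<a href="http://spam.example/">win</a>'
               '<img src="http://spam.example/i.png">',
}

if __name__ == "__main__":
    print(validate_submission(SPAM, {"success": True, "score": 0.9}))
    print(render_enquiry_row(SPAM))
```

Escaping at render time also neutralises spam that is already stored in the database, which input filtering alone does not.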

