Form Builder - Spam With Recaptcha
Marius Lindemann
Hello everyone. I've recently had the problem that we've been getting a lot of spam emails via the contact form, even though we've been using GoogleRecaptche v3 (invisible) for years. Could it be that an update has recently opened something there?
I've had to hide the contact form for now so that the flood of emails stops.
SP Page Builder 5.3.6. Joomla 5.1.6
Website: www.jugendgruppe-oker.de
Chris Nichols
Accepted AnswerI'm having the same issue, the messages are all exactly 3 minutes apart, and are mostly in Greek.
Daniel
Accepted AnswerIm having the same issue on multiple websites as well... Recaptcha weirdly scores the messages really high as well (0.8 - 0.9)... On other websites with third part contact forms (same recaptcha though) this problem doesnt occur...
Sensible IT Solutions
Accepted AnswerHaving the same issue on older websites (4.3.4 running SP Page Builer 5.0.8) and newer ones (5.1.2 running SP Page Builder 5.3.6)
Vanessa
Accepted AnswerI'm having the same exact issues. The characters appear to be Cyrillic as others have indicated. I have received hundreds of spam emails over the last few weeks and 85 just this morning.
I am on Joomla 4.4.4 running SP pagebuilder 5.3.0.
Chris Nichols
Accepted AnswerWhichever bot farm is behind this, they've really increased the volume now, 400 plus overnight, all in Cyrillic.
Daniel
Accepted AnswerAs a temporary solution (other than disabling the contact form) - you can block this spam bot (for now) by adding this code to your .htaccess file. These IP's was sending all the spam to all the websites I suddenly got this spam problem with.
<RequireAll>
Block specific IP addresses
Require not ip 191.96.168.193
Require not ip 165.231.182.63
Require not ip 165.231.182.11
Require not ip 143.244.41.231
Require not ip 196.196.53.54
# Allow all other IP addresses
Require all granted</RequireAll>
In addition to this I can really recommend using the joomla plugin from cleantalk.org. I think they still offer 7 days trial, which comes in real handy now... :)
Mighty Oak
Accepted AnswerHi I am having the same problem, to the point where I have had 3 customers contact me regarding this issue. Further my host Ionos has now blocked all sending of emails from all my customers, this needs addressing immediately!
Toufiq
Accepted AnswerHi there,
Thank you for reaching out, and I apologize for any inconvenience this may have caused. We're close to resolving the issue and will release the fix as soon as possible.
Best regards,
Toufiqur Rahman (Team Lead, Support)
Vanessa
Accepted AnswerWill the built in default captcha work in the interim? The one where you put in two numbers and the answer, and and is the problem specific to google captcha plugins/joomla? Looking for a temporary workaround while you fix it.
Kim
Accepted AnswerYou can add the following IPs to your banned list (spam received this morning) :
167.65.231.182.112
165.231.182.11
ideal-heim-bau
Accepted AnswerWanted to post about that as well, glad to see that we are not a specific target by these bots. Recieved about 8000 requests through the form this weekend, until IONOS deactivated our webspace mail automatically. I dont think blacklisting IP Adresses is a sustainable solution. Saw that a staff member replied that they are working on the problem, so I hid the form for now, while telling customers to just write an e-mail directly. If there wont be a fix soon, I will check out cleantalk.org as Daniel suggested, thanks Daniel.
Daniel
Accepted AnswerNo, of course blacklisting the IPs isnt a sustainable solution, but it does the job for now as we wait for a solution from Joomshaper. I have 7 different customers experiencing this problem now, and a combination of blacklisting the IPs and cleantalk has solved this problem - temporary.
Toufiq
Accepted AnswerWe have solved the capctha issue. Hold on for the next release.
Initial solution: Use the default number captcha system.
REMO
Accepted AnswerHello Toufiq, No the problem has not been solved, we are still receiving mass spam, despite an update of SP Page Builder Pro version 5.3.6, both with Google Recaptcha and also with the default number captcha system. Please solve this problem as soon as possible. Thank
Toufiq
Accepted AnswerWe have solved it in our development environment. We will release it next week.
Initial solution: Use the default number captcha system.
Marius Lindemann
Accepted AnswerThe default number captcha isn't a solution. We also get the same spam with it!
REMO
Accepted AnswerI'm agree with Marius. Why are you giving false information, please solve this problem as soon as possible. Why pay for the pro version if it's buggy?
ideal-heim-bau
Accepted AnswerHello @Toufiq
Can we still expect this Update to be released this week?
Thanks.
Artur
Accepted AnswerChange your form to this one. Turn on recaptcha and spam will disappear. https://www.tassos.gr/joomla-extensions/convert-forms
How
Accepted AnswerYeah, for me it's too late because we've been blacklisted on Gmail, where the forms were supposed to be sent. I have major complaints from my client and don't know what to do.
I see the problem is with an additional address added by spammers, so the form is being sent to two addresses: the correct one defined in the form settings and the additional one added by spammers. There is no stright problem with CAPTCHA because emials are sent corectly but for additional spam address too. There should be no possibility to put any additional receiver address in form. Anyway, this vulnerability is also present in previous versions of SPPB (I had version 3 on one old page).
Toufiq
Accepted AnswerPlease check the latest version. Thanks
Elliot Block
Accepted AnswerI downloaded the latest version, installed the hcaptcha plugin, configured the hcaptcha correctly. Litearlly within one minute, the spam emails started again.
There is also no sitekey traffic shown in hcaptcha so the spammers are using some kind of workaround to get around the captcha.
This is not acceptable... can some attention be placed on this please??
Elliot Block
Accepted AnswerYes, it occurs with either captcha plugin and both are properly configured.
Steve
Accepted AnswerHello everyone! I have the same problem here! I use “SecurImage” as a captcha and it is set up correctly. This has also worked reliably for years in combination with, for example, “Contact Enhanced”.
With “FormBuilder” in the current PageBuilder 5.3.7, however, my customers had around 1000 SPAM messages again over the last weekend. Some of them received Cyrillic SPAM mails every 2 to 3 minutes. It seems that the captcha can be bypassed.
Please check this as soon as possible! Many thanks in advance!
Toufiq
Accepted AnswerWe didn't add compatiblity of this extension. You need to check this documentation.
https://www.joomshaper.com/documentation/sp-page-builder/configuring-hcaptcha
Steve
Accepted AnswerThanks for the tip Toufiq, the captcha "SecureImage" is set as default and selected as third party in PageBuilder. It works - I have tested it. The form cannot be submitted without entering the correct captcha.
As Elliot Block wrote above (https://www.joomshaper.com/forum/question/34449#qa-answer-167059), it looks like the integration of the old captcha (numbers, as well as the new integrations) can be bypassed.
In addition: I would like to be able to choose a third-party provider and not have to create and pay for new accounts from predefined providers. This is not possible with a large number of customers. In addition, the “SecureImage Plugin” does not use an external service, but works locally on the server (keyword “privacy”).
Many thanks and best regards
Marius Lindemann
Accepted AnswerI also installed the new version and then reactivated the contact form with the supported captcha. Within a very short time, SPAM emails were sent again via the form.
Please finally put a stop to this problem. You get money from us users for the PageBuilder and it is used on countless productive websites. A security problem like this over two weeks can no longer be explained to customers in good conscience. In addition, orders are lost as a result.
Chris Nichols
Accepted AnswerI've had great success installing CleanTalk on my sites.
One site in particular seems to be being targeted. CleanTalk has very successfully filtered legitimate from spam messages via the contact forms.
The 3 rows are Today, Yesterday and Week
Klaus
Accepted AnswerHave the same problem for about 3 weeks now, update didn't work, just trying the addon - looks good for now. @Joomshaper - do you know when a fix will be there or even where the problem is?
Mighty Oak
Accepted AnswerWHY IS THIS NOT A PRIORITY ??? When will this be fixed? This problem has been going on for over a month now and my customers are very annoyed. I have no way of fixing the issue and they are losing business and I will lose my customers if this is not dealt with. Why are you not taking this seriously?
How
Accepted AnswerGuys, just remove that addon from the site and use something else for forms. I know it may be a lot of work, but it will definitely be faster and safer than using SPPB forme builder. I lost one client permanently and am having issues with two others.
Anyway, because of this problem, I started looking for another form builder and found something better, where the developer also offers a page builder. After testing, I’ve decided not to purchase SPPB again. There were too many issues, and that CMS is still far from perfect. Sorry to say that.
Toufiq
Accepted AnswerCould someone please provide me with a staging site to resolve this issue more quickly? I have checked it on my own server but couldn't identify the problem. I apologize for the inconvenience and need your assistance. I'll aim to have a hotfix ready by tomorrow.
Marius Lindemann
Accepted AnswerI don't understand why, with such an error that affects all users (and is therefore a programming error and not a setting error on the website), the admin access data for the websites is required. Not very secure and not data protection compliant.
I have activated access data for one website. See below
Michael Koch
Accepted AnswerYou can take access from my site. I have the same problem since month. we get daily about 10K Spammers on my site! We have RSFirewall - so this semms to be save for the moment.
P.S. Maybe you fix btw my anther problem from here ... https://www.joomshaper.com/forum/question/34764
Vanessa
Accepted AnswerBecause of this unresolved ongoing issue for the last month+, my hosting company has disabled the form on my website to prevent it from being blacklisted. I pay a subscription to use JoomaShapers proucts and this product has not been working for longer than acceptable.
I am due to renew my Joomshaper subscription and would like to know what will be done to compensate your subscribers for this issue that has had no effective resolution, has caused clients and business to be lost, and has ruined the reputation of your subscribers.
Thank you
Chris Nichols
Accepted AnswerI just think everyone needs to stop just relying on reCaptcha as the sole method of stopping SPAM. Just do a quick Google search on how to bypass reCaptcha. This very issue is being discussed on Wordpress forums as well.
This is an example of what we're up against:-
Steve
Accepted AnswerThe problem here is not only with reCaptcha. Other captchas do not work in PB either and can be bypassed.
Chris Nichols
Accepted AnswerThis website offers services to solve most other captchas. https://2captcha.com/
Marius Lindemann
Accepted AnswerHey Toufiq how is the progress with the bug fix? Another two days without an update and more annoyes costumers as well.
No one loged into the website since I provided the login...
Toufiq
Accepted AnswerPlease check this version.
https://drive.google.com/file/d/1IQ7xlEGjA128jDs6_fveerEBuJsm21Su/view
Marius Lindemann
Accepted AnswerI've installed this update on two websites and reactivated the contact form on both sites. No Spam-Mail the last three days. Should be an official update soon.
And please also introduce support for the standard Joomla Captcha so that there are alternatives to Google.
Off-Topic to "Hidden Content": The thread creator can also see all hidden content in the thread. Not only the staff. Not safe, should be changed.
Georgios Chatzigeorgiou
Accepted AnswerSame problem here, no matter which type of protection i use, spams keep coming in cyrillic. Is it safe Toufiq to installa the version above?
Georgios Chatzigeorgiou
Accepted AnswerI've downloaded it and since then no spam arrived. Good news. We are expecting an official update on that. Thank you.
Paul Pownall
Accepted AnswerI have installed the latest version from the link above and i can confirm still getting spam.
ONITdev, Lda.
Accepted AnswerHi! Yesterday we started to have spam sent from one of our websites (hundreds of them). To stop this, w had to take the site offline for a few minutes. After that we found this thread and applied the SPPB version that Toufiq provided above. So far, 16 hours later, no SPAM was received.
We'll let you know if SPAM starts again.
Georgios Chatzigeorgiou
Accepted AnswerToufiq, it's been 2 days since i installed the new version. The spam has been significally less. i got like 3 or 4 spam emails. In my case the problem is 99% solved. my site is www.getcert.gr
Steve
Accepted AnswerHello Toufiq, I have installed the update 5.3.8. Two minutes later, the SPAM messages immediately reappeared on the customer pages. The problem is NOT solved. The PB-default was set as the captcha.
Toufiq
Accepted AnswerCould you kindly grant me access to your Joomla administrator area so that I can investigate the issue you're experiencing? Prior to providing access, please ensure that you have backed up your site. Additionally, it's important to note that providing login credentials is entirely voluntary on your part; we respect your decision either way. However, if you do choose to share the login details, it would greatly expedite the resolution process. Thank you for your cooperation.
Toufiq
Accepted AnswerAdded invisiable re-captcha. Please wait & see your spamming issue. Let me know if you got spamming. Thanks
Toufiq
Accepted AnswerI have disabled the invisible re-captcha. Please use the hcaptcha. We will try to implement new captcha function in the future update. Thanks
Joe Lockhart
Accepted AnswerI'm still having issue with new SPB. let us know when this will be addressed please.
Joe Lockhart
Accepted AnswerThe spam issue. my site is still getting spam even with the new SPbuilder version.
Joe Lockhart
Accepted AnswerI used the default 3+4 but that didn't help. It got so bad I had to turn it off.
I'm not the only one this is happening to.
Hope you can get this fixed.
Steve
Accepted AnswerHello Toufiq, is there anything new regarding the new or Joomshaper's own captcha version?
I have had to hide the contact forms for almost all my customers because they were receiving hundreds of SPAM mails every day.
Unfortunately, Google Captchas are not an option for us in the EU and hCaptcha cannot be used in the EU without a new privacy policy. See the post (#168246). We cannot expect this effort from our customers.
I would therefore welcome an update after 4 weeks. Surprisingly, the last two releases did not include a solution for the SPAM problem. This would certainly be an absolute priority not only for me - as your long-standing customer - but also for many of your other customers...
Many thanks in advance and best regards...
Toufiq
Accepted AnswerWe encountered a recurring issue with form submissions, but the problem with multiple simultaneous submissions has now been resolved. We believe the latest release also addresses the spamming concerns.
Steve
Accepted AnswerHello Toufiq, thank you for your quick reply and also thank you for the latest release.
However, please be assured that the SPAM problem has NOT been solved.
This morning I had to hide another customer's form after he received 800 SPAM messages in one night. This concerned the latest version of PagebUilder 5.4.2, which I had updated yesterday, 29 October, immediately after its release. So the problem still exists.
There is no GDPR-compatible SPAM protection (except numeric question) on the part of the PageBuilder, which is best loaded directly on the corresponding system - for example ‘SecureImage’.
Many thanks and best regards...
H
Accepted AnswerSince yesterday I have the SPAM problem on one of my websites: www.zorgboerderijwillemshoeve.nl. Using SPB 3 without captcha.
Have switched off the contact form.
H
Accepted AnswerImplemented invisible re-captcha 1 hour ago. Spam traffic stopped immediately.
Seems to work.
Thnx
H
Accepted AnswerI followed an article on Internet: https://www.joomshaper.com/blog/google-recaptcha-joomla-contact-forms-integration
Toufiq
Accepted AnswerGenerate your invisiable captcha code first then use this key inside the invisible plugin.
Toufiq
Accepted AnswerCould you kindly grant me access to your Joomla administrator area so that I can investigate the issue you're experiencing? Prior to providing access, please ensure that you have backed up your site. Additionally, it's important to note that providing login credentials is entirely voluntary on your part; we respect your decision either way. However, if you do choose to share the login details, it would greatly expedite the resolution process. Thank you for your cooperation.
Steven Gourlay
Accepted AnswerHi yes please see
Toufiq
Accepted AnswerClean your server cache and check again. If it works then you need to keep a backup of this file. Cause, this is not our product problem. This problem comes from the Joomla.
/media/plg_captcha_recaptcha_invisible/js/recaptcha.min.js
Added this code.
/**
* @package Joomla.JavaScript
* @copyright (C) 2019 Open Source Matters, Inc. <www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/((a,s)=>{a.JoomlainitReCaptchaInvisible=()=>{const c=["sitekey","badge","size","tabindex","callback","expired-callback","error-callback"];Array.from(s.getElementsByClassName("g-recaptcha")).forEach(t=>{let e={};t.dataset?e=t.dataset:c.forEach(i=>{const r=`data-${c[i]}`;t.hasAttribute(r)&&(e[c[i]]=t.getAttribute(r))}),t.setAttribute("data-recaptcha-widget-id",a.grecaptcha.render(t,e)),a.grecaptcha.execute(t.getAttribute("data-recaptcha-widget-id"))})}})(window,document);-Thanks
Steven Gourlay
Accepted Answerthanks i think that is working now can you explain what you did please, it is a configuration with my hosting company?
Toufiq
Accepted AnswerIt's not problem of your hosting. This problem comes from main Joomla cms.
public_html/media/plg_captcha_recaptcha_invisible/js
Modified these files.
Michał
Accepted AnswerI have the same problem. I get this message (Invalid Recaptcha) when I want to send a message. I have tried all the methods found on this forum and nothing helps. Could you help me solve this problem?
I am currently using the latest version of Joomla 5.2.0 and Sp Page Builder 5.4.2.
I have tried using reCAPTCHA v2 and v3 keys
My site access in hidden content. Regards Michał
Toufiq
Accepted AnswerProvide me cpanel access. Captcha issue occurred for the Joomla. It's not our fault. Thanks
Michał
Accepted AnswerHi, Sorry, I didn't understand what access you mean. The problem is solved. Thanks for your help. Best regards.
Toufiq
Accepted AnswerI have udpated JS code of core Joomla plugins of captcha. It's not official. Before update the Joomla, keep a backup of this file.
media/plg_captcha_recaptcha_invisible/js
-Thanks
Swanworks
Accepted AnswerEndless spam. We exchanged the JS files today. We'll give you feedback tomorrow morning as to whether anything has improved. Another thing we noticed about the spam emails. We have a checkbox with multiple selections in the form. In the spam email the source code comes from the "Body". UP's!! the whole thing then looks like this: {{technical questions}} {{project request}} {{cooperation}} {{applications}} {{other}} {{suggestions-feedback}}
Thank you and good night to everyone involved
Toufiq
Accepted AnswerI will inform your issue to our developer team. Thanks
Note: Can you provide me one of your site acces to review the spamming issue using our email account.
mIKE
Accepted AnswerSorry to inform but we also have the same issue. the contact form provide in the sp builder is getting a lot of spams. is there solution for this yet?
Steve
Accepted AnswerGood question Mike, we have all been waiting for this very important solution for some time. Joomshaper has promised to integrate its own captcha. Hopefully the solution will appear soon - I had to remove the forms for almost all my customers. The captchas recommended by Joomshaper cannot be used for customers in the EU due to the GDPR.
Toufiq
Accepted Answer@Steve can you tell me a captcha name which is better for European Country? Thanks
Toufiq
Accepted Answer Steve
Accepted AnswerIts from the developer idealextensions.com and still supported.
-> https://idealextensions.com/products/securimage-captcha-plugin
Steve
Accepted AnswerHello Toufiq, thank you very much for your message. As I explained in previous posts, we cannot use Google services in the EU. Even hCaptcha is difficult and requires accounts and extensive information in the privacy policy for each customer. Nobody wants that!
What we need is a server-side captcha like your math task (4+4=8). This has always worked well but can still be bypassed (https://www.joomshaper.com/forum/question/34449#qa-answer-173162). In addition, it may no longer be up to today's tasks.
A good captcha is SecureImage. It runs on the server side and has many options. It can be selected in the PageBuilder (Global settings) - but unfortunately it does not work. What a pity.
Another possibility would be, as you promised, to provide your own captcha (https://www.joomshaper.com/forum/question/34104#qa-answer-167177).
To summarize after 4 months:
- Fix the mumeric captcha so that it can no longer be bypassed
- Ensure the compatibility of SERVER SIDED third-party captcha (SecureImage)
- or integrate your own captcha
With all due respect: The form builder has not been usable for months and is switched off for all my customers. Dear Joomshaper team: This is not possible. It's time to fix this. I don't need dynamic content at the moment either, but functioning and usable forms.
Best regards adn many thanks for your support...
Toufiq
Accepted AnswerWe are looking for open source project. Besides, the secure image postponed there support. Besides, this captcha has two version.
Free and Pro.
https://idealextensions.com/products/securimage-captcha-plugin
Steve
Accepted AnswerThanks Toufiq,
I think that both versions (Free and Pro) work the same in the code. Ultimately, it's about the support of third-party plugins in general.
I have been using SecureImage for a long time and can “set it globally” and use it with other forms. Even with forms from Joomla itself. Only in PageBuilder can I select it and ... it does not work. Too bad.
But hey: We have been talking about it for 4 months and there is no solution. We both can now talk about SecureImage or whatever. What about bypassing your own numeric captcha? What about developing your own captcha?
I don't have to have SecureImage. I need to have ONE captcha (server side) for my customers that works and is NOT Google or hCaptcha. And I am very sure that I am not the only one who needs this.
Massimiliano
Accepted AnswerHello, i have same issue and i can see no solution yet!
I am so happy that after years with joomla i moved to wordpress....nowdays not comparison. Also if we all know how simple the wordpress code is, compare sp page builder with elmentor...no way...
try to solve this issue at least...thanks
Toufiq
Accepted AnswerWe are actively working on new features to prevent spam.
Upcoming in version 5.4.5:
Cloudflare Turnstile Captcha Plugin – Enhance your site’s security with this plugin.
https://extensions.joomla.org/extension/cloudflare-turnstile/
Coming in version 5.4.6:
Rate Limiting Feature – Control how many emails a user can submit within a set time frame (e.g., 1 or 2 emails per minute).