Spam Record (Honeypot and Captcha doesn't work)

Level 1

Hi all,

Unfortunately, we have a lot of spam attacks. We already set up a honeypot field and also use a captcha field, but the spam still gets through.

At the moment we use a smart list that deletes all leads without a captcha token.
Anyway, the system has to create a lead "every minute" and then delete it again. It blows up the database for a moment and also costs the system performance.

I also have the feeling that the spammer uses the embedded form link to carry out their spam attacks, so the captcha JavaScript solution doesn't work.

I think it would be a great idea to block an IP in general for all marketing activities.

Do you have similar experiences? Or do you maybe have a better solution?

Thanks a lot

Level 10 - Community Moderator

Re: Spam Record (Honeypot and Captcha doesn't work)

To start, it doesn't sound like you've implemented reCAPTCHA correctly. 

You *must* validate the reCAPTCHA user response (the "fingerprint" generated on the client side) against Google's servers. You don't just check to see if the fingerprint exists on the form fill activity.

And it doesn't matter if someone bypasses JS entirely, because the whole *idea* is that without executing the reCAPTCHA JS, they will always send an invalid fingerprint, thus you know they're malicious.

(The honeypot, on the other hand, has never been useful and needs to be taken out of everybody's toolbox. It made no sense from the start against malicious attacks.)
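
Added example, not part of the thread: a minimal server-side check of the reCAPTCHA user response against Google's `siteverify` endpoint, showing why a token that merely exists on the form fill proves nothing. The function names, `SECRET_PLACEHOLDER`, `www.example.com` and the canned responses are constructed for illustration, and failing closed when Google is unreachable is a choice made here.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_siteverify(fields):
    """Default transport: form-encoded POST to Google, returns parsed JSON."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=5) as resp:
        return json.load(resp)


def verify_recaptcha(token, secret, expected_hostname, post=post_siteverify):
    """Return (ok, reason). Only Google's verdict on the token counts,
    not its presence. Any error is treated as a failed check."""
    if not token:
        return False, "missing-token"
    try:
        result = post({"secret": secret, "response": token})
    except Exception:
        return False, "verify-unreachable"
    if result.get("success") is not True:
        codes = result.get("error-codes") or ["unknown"]
        return False, ",".join(codes)
    # A token that is valid for a different site must not be accepted here.
    if result.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    return True, "ok"


# Constructed siteverify responses standing in for Google (offline demo).
def fake_google(fields):
    canned = {
        "tok-solved-here": {"success": True, "hostname": "www.example.com"},
        "tok-solved-elsewhere": {"success": True, "hostname": "other.example"},
    }
    return canned.get(fields["response"],
                      {"success": False, "error-codes": ["invalid-input-response"]})


if __name__ == "__main__":
    for tok in ["", "made-up-by-bot", "tok-solved-elsewhere", "tok-solved-here"]:
        print(repr(tok), verify_recaptcha(tok, "SECRET_PLACEHOLDER",
                                          "www.example.com", post=fake_google))
```

A submission posted straight to the form endpoint without running the reCAPTCHA JavaScript falls into the `missing-token` or `invalid-input-response` branch, so it can be rejected before a lead is kept.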