RSForm Pro anti spam options not working

[helpwithjoomla]

I have a perplexing issue with a client site.

The site uses rsForm Pro for form submissions.

Despite my best efforts, one of the forms is still getting spammed.

Here's what I've done so far:

- Implemented ReCAPTCHA 2. That's the latest version supported by rsForm so I can't yet use ReCAPTCHA3.

- Most of the spam forms are submitted with identical first and last names. I added a bit of javascript that compares first and last names and if they match, the form submission is halted.

Each of the above measures is working properly during my testing but we are still getting spam.

So, does anyone have any ideas as to how the spammers might be circumventing my 2 checks shown above?

I'm not looking for advice about how to stop the spam. I'm looking for advice about how the spammers are beating the checks I currently have in place.

My next step will be to implement Akismet, but I wanted to reach out here first to see if anyone has any input about how my checks are being beat.

[Ch3vr0n]

The plugin is labelled as ReCaptcha2 but it supports v3 (invisible) just fine. How do i know that? Cause i'm using it myself on my own sites

[helpwithjoomla]

Thanks but that doesn't answer my question. I know R2 supports invisible.

[Ch3vr0n]

Implemented ReCAPTCHA 2. That's the latest version supported by rsForm so I can't yet use ReCAPTCHA3.

Then why shouldn't you be able to use it? You just need to request new API key's for v3. The best advice is to stop them. There's only 1 way to know how they're beating the spam check(if they're doing that), is to ask them. But i'll doubt you'll get an answer.

[sozzled]

There's only 1 way to know how they're beating the spam check ... is to ask them.

Great answer! I must try that ...

[helpwithjoomla]

Can you post something helpful sozzled?

[helpwithjoomla]

Ch3vr0n

Are you using v3 or Invisible?

I found this from RSJOomla posted 3 months ago, so it may be outdated:

ReCAPTCHA 3.0 is NOT Invisible Recaptcha.

There are 3 types of Google Captchas:
- 2.0 which is the checkbox style - developers.google.com/recaptcha/docs/display
- Invisible which only shows up when needed - developers.google.com/recaptcha/docs/invisible
- 3.0 which is more complicated and has to be used on the whole website for best results as it learns from the behavior of users and computes a score that you can use to check if a user is legitimate or a bot - developers.google.com/recaptcha/docs/v3

Joomla! does not support (yet) 3.0 - it supports 2.0 and the Invisible mode.

If you are indeed talking about Invisible Recaptcha, please note that the RSForm! Pro v2 ReCAPTCHA Plugin has been supporting the Invisible mode before Joomla! did (as my colleague said - set "Size" to "Invisible" from the field's properties).

Anyway, we are getting off topic. Would still like feedback about how my checks might be circumvented.

[sozzled]

What was wrong with my comment? I was agreeing with @Ch3vr0n.

But, seriously, if you want to know why people are able to bypass your "security" mechanism(s)—that seem(s) to consist of having a publicly-facing form whose only protection is CAPTCHA—then you may need to re-think your choice of using publicly-facing forms altogether.

The simple fact is this: if you have a form that is presented to the public (i.e. anyone can fill a form and submit it without having to register an account and login) then anyone can use the form for anything. It's really that uncomplicated.

However, if you're asking us how it is that people are able to bypass CAPTCHA, that's a whole different question and, as @Ch3vr0n wrote, if you want to know how someone is able to bypass CAPTCHA, why don't you ask them? Good luck.

[helpwithjoomla]

Good grief sozzled.

having a publicly-facing form whose only protection is CAPTCHA,

That's incorrect. CAPTCHA is not the only protection in place as I noted in my original post.

then you may need to re-think your choice of using publicly-facing forms altogether.

The forms are needed and we can't rethink whether or not to use them. The forms generate new clients and business.

However, if you're asking us how it is that people are able to bypass CAPTCHA, that's a whole different question and, as @Ch3vr0n wrote, if you want to know how someone is able to bypass CAPTCHA, why don't you ask them?

That is what I'm asking and it would be best to keep on topic with your replies.

How do you propose I ask a spammer who is submitting bogus information? Please don't answer the question, just consider it.

I won't respond to you again sozzled. You are taking this conversation way off topic and that's not necessary.

[Ch3vr0n]

Well apparently i wasn't. Could have sworn i was. Checked console. Apparently invisible is v2. My apologies! checked my console. One's listed as using v3 but that domain is in development and not live yet. i'll have to check where the api key's are used.

That said, is the recaptcha anti-spam visible on the forms? (i mean the "image") What type of form is it? Just a standard contact form? registration,... Though since RSForm pro is in active development, this may not be the best place to ask. I would recommend asking the folks at RSJoomla, they're pretty much the only ones that can fully understand things, since they wrote the thing.


Found the post you're likely referring too: https://www.rsjoomla.com/forum/37-rsfor ... ha-v3.html

Joomla will need to add support first before developers can get on board to this. But that doesn't clarify why one of my sites (which runs joomla) is listed as using v3 and has 1 hit in the console. Probably a false positive.

[sozzled]

@helpwithjoomla: Do you know what a public-facing form is? If you can't answer that question then you won't get any help.

If you believe that any website can remain spam-free simply because it employs CAPTCHA for "protection" then I think you are being naïve.

I'm not talking about why you have a form, or whether the form is needed or provides a point of contact. I'm just asking you to consider whether any form that allows anyone to submit anything is desirable or worthwhile from your own perspective ... that's all. You can ignore me if you wish (I won't be offended) but this is not my problem, is it?

[helpwithjoomla]

Thank you Ch3vr0n. I appreciate your feedback and you staying on topic.

No worries about the earlier posts. They helped me further clarify my own setup.

I do intend to reach out to the RSForm developers. I usually get good advice from other Joomla users on this forum so I thought I would start here first.

The reCAPTCHA is visible. Standard "click all images with a sidewalk." reCAPTCHA and the javascript check are working on 5 of our 6 forms.

The forms are used for lead generation for online marketing (like Google Ads).

I'm just really curious as to how to spammers are beating my checks.

Again, thanks for the assistance. We'll see if anyone else has feedback about my original question:

So, does anyone have any ideas as to how the spammers might be circumventing my 2 checks shown above?

[brian]

As your subscription to RSform pro includes support then the logical first place would be to create a ticket with rsjoomla. Note that their forum is not monitored and I really do mean a support ticket. Remember the thing you paid for is support.

[helpwithjoomla]

Yep, understood Brian.

I know it's best to open a ticket rather than post on their forum (learned that lesson long ago!).

As I said, I just thought I would start here. Lots of very smart people on this forum!