Support » Plugin: Honeypot for Contact Form 7 » Still getting spam (follow up)

  • Resolved jpnl

    (@jpnl)


    Hi,

    This is a follow up of the linked support topic. The original poster marked that ticket as resolved because he removed this plugin because he still got spam. That’s not an actual solution though, so here is a new ticket to follow up.

    I have used this shortcode to add the honeypot to the contact form.

    [honeypot wpcf7-999 id:email-cf7 class:email-cf7 move-inline-css:true nomessage:true]

    It worked for a week, after which I started to receive spam again. I changed the settings and spam stopped again; the question is for how long, before the spammer learns how to get around it again.


Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Ryan

    (@daobydesign)

    The only thing I can think to do would be to maybe change the name (wpcf7-999) to something with “email” in it as well. I think the field name attribute is at least as tasty to spam bots as the ID and classes are.

    I’d love to hunt down a repository of the types of spam bots that put out this type of spam and reverse engineer them to understand how they work/learn.

    Yeah I have done that after the code from my previous msg stopped working. I am waiting to see when the spam starts coming in again.

    I don’t know how to get such repository.

    I can think of two ways these bots work:

    1) They also know CSS, so they see that the field that’s added by your plugin has display:none and visibility:hidden.
    2) It works like a screen scraper or a test tool for web apps like Selenium. They can emulate actual user input. Might need a real user for starters, but then it can do its work automatically.

    This might be an interesting read too. Says not to use display:none nor hidden and he has a different approach.

    https://dev.to/felipperegazio/how-to-create-a-simple-honeypot-to-protect-your-web-forms-from-spammers--25n8

    Plugin Author Ryan

    (@daobydesign)

    We don’t use hidden (can’t see why we would, as that’s not something a bot would typically fill in anyway), but the use for display:none is to make it a bit more compliant/useful for accessibility reasons. It may be worth considering changing the default CSS though to using absolute positioning and 0 height/opacity.

    You can actually test this out at any time, as you can customize the CSS in any way you see fit using simple WP filters. Here’s some sample recipes. The second filter is the one you’d want to change CSS.

    Thanks, will try when I start to receive spam again.

    Are you sure you don’t use hidden? This is the code I see in the page source:

    <span id="wpcf7-5d5665xxx2170" class="wpcf7-form-control-wrap hpemail-wrap" ><input id="hpemail" class="wpcf7-form-control wpcf7-text hpemail"  type="text" name="hpemail" value="" size="40" tabindex="-1" autocomplete="nope" /></span>
    
    <style id='wpcf7-wpcf7-5d5665xxx2170-inline-inline-css' type='text/css'>
    #wpcf7-5d5665xxx2170 {display:none !important; visibility:hidden !important;}
    </style>
    

    Thanks
    JP

    Plugin Author Ryan

    (@daobydesign)

    Visibility:hidden yes. My impression from the article was that he was talking about <input type="hidden">

    Plugin Author Ryan

    (@nocean)

    Marking this as resolved.
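
The thread is about how the trap field is hidden; the check below is the server-side half, written as an added example that is not part of the original thread and is not the plugin's own code. It assumes a URL-encoded POST body and uses the `hpemail` field name from the page source quoted above; the other field names and all sample bodies are constructed.

```python
from urllib.parse import parse_qs

HONEYPOT_FIELD = "hpemail"  # field name from the page source quoted in the thread


def classify_submission(raw_body: str, honeypot: str = HONEYPOT_FIELD) -> str:
    """Classify an application/x-www-form-urlencoded POST body.

    Returns one of:
      "spam-filled"  - the trap field carries a value
      "spam-missing" - the trap field is absent from the request
      "pass"         - the trap field is present and empty
    """
    # keep_blank_values=True is essential: without it an empty honeypot
    # is dropped by the parser and looks the same as a missing one.
    fields = parse_qs(raw_body, keep_blank_values=True)

    if honeypot not in fields:
        # A browser submits a named text input even when CSS hides it
        # (display:none / visibility:hidden), so a request without the key
        # was not produced by submitting the rendered form.
        return "spam-missing"

    # A repeated key yields several values; any non-empty one trips the trap.
    if any(fields[honeypot]):
        return "spam-filled"

    return "pass"


# Constructed sample request bodies (not taken from real traffic).
SAMPLES = {
    "browser": "your-name=JP&your-email=jp%40example.com&hpemail=&your-message=Hello",
    "trap filled": "your-name=x&your-email=x%40example.com&hpemail=x%40example.com&your-message=buy",
    "trap stripped": "your-name=x&your-email=x%40example.com&your-message=buy",
    # Same shape as a browser submission: the honeypot alone cannot tell these apart.
    "trap left empty": "your-name=x&your-email=x%40example.com&hpemail=&your-message=buy",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:16} -> {classify_submission(body)}")
```

The last sample is the case discussed in this thread: a sender that recognises the hidden field and leaves it empty passes this check, which is why the hiding technique matters.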
