By ckclarke on

Hi all,

In the last few days, I've suddenly started getting spam through my contact/feedback form on one of my Drupal sites. Only a few, and they appear to be only to me (the recipient named in the feedback form), but still, it's annoying and likely to get worse unless I can fix it.

I have:

Set the threshold for sending things via the feedback form to 2/hour.

Upgraded to 4.7.3

Banned one IP who'd sent the same message three times

What else can I do?

Categories: Drupal 4.7.x

Comments

rszrama’s picture

rszrama commented

How is your feedback form setup? Is this a form that uses the mailto action, or does it actually parse the input in PHP and use the mail function to get it to you? (So is the spam actually coming through the form or are they sending it directly to your email?)

ckclarke’s picture

ckclarke commented

This is the default contact/feedback form in Drupal, and the spam is coming through it, not directly to my email address.

ChrisKennedy’s picture

ChrisKennedy commented

You can use the Captcha module I believe.

cwalkabout’s picture

cwalkabout commented

Or you could hack your version of the contact module to block spam bots:

1. In function contact_mail_page(), add a hidden value to the form, such as:
$form['not_spam'] = array ('#type' => 'value', '#value' => '1');

2. In function contact_mail_page_submit(), check for that hidden value, and don't send any mail if it's not provided. Something like:
if ($edit['not_spam']) { /* do rest of function */ } else { return }

I think that should work, although I haven't tried it yet.

seanr’s picture

seanr
he/him
commented

That would set be set to 1 regardless of whether the form was submitted by a spam bot or a human, so that makes no sense.

Sean Robertson
webolutionary@webolutionary.com

Sean Robertson | @seanr1978 on twitter
seanr@webolutionary.com

jaypan’s picture

jaypan
Location Victoria, BC
commented

Seanr was correct, the value is set either as 1 regardless of what happens. Also, when you set a form element as type 'value', it isn't even sent to the browser, it is just cached on the server. You wanted type 'hidden'. But most spambots these days see around that trick anyways, as it's fairly old.

Contact me to contract me for D7 -> D10/11 migrations.

blueblade’s picture

blueblade commented

subscribe