A lot of my clients complain about the fact that they receive tons of spam messages via the Magento standard forms. Well-known examples of forms that attract spam bots are:
Basically, in most of these cases I recommend using professional services like Akismet together with some fancy AI algorithms and an appropriate Magento extension, which effectively reduce the amount of spam messages to a minimum. But in this blog post I will show some free measures that you can implement to reduce the amount of bot signups without using ugly Captchas.
I think everybody has heard of Captchas already in some context, so let's quickly review the explanation from Wikipedia:
A CAPTCHA (/ˈkæp.tʃə/ KAP-chə) is a type of challenge–response test used in computing to determine whether the user is human in order to deter bot attacks and spam.
CAPTCHAs' purpose is to prevent spam on websites, such as promotion spam, registration spam, and data scraping, and bots are less likely to abuse websites with spamming if those websites use CAPTCHA. Many websites use CAPTCHA effectively to prevent bot raiding. CAPTCHAs are designed so that humans can complete them, while most robots cannot. Newer CAPTCHAs look at the user's behaviour on the internet, to prove that they are a human. A normal CAPTCHA test only appears if the user acts like a bot, such as when they request webpages, or click links too fast.
By the way, I personally don't like Captchas because most of the time they can be tricky to submit ("Select all motorbikes in the images") and nearly all of them require external, non-GDPR-conformant services (Hello Google). Other similar mechanisms like some sort of quiz ("How much is 2+2?") are too simple to keep away serious attackers and, on the other side, have very poor usability; in my opinion they should not be necessary at all in 2023.
Basically a Captcha is effective, but why punish your users because you have a problem with spam? It's your problem not theirs, so let's try to address it.
I don't know why, but by default Magento and also OpenMage do not use the form_key validation on the contact form page. This is an easy change that prevents bots from re-submitting the same content multiple times, e.g. using simple methods like curl.
Enabling form key validation on the contact form page is as simple as follows:
In Mage_Contacts_IndexController::post() add a check for !$this->_validateFormKey() at the very top.
Add <?php echo $this->getBlockHtml('formkey') ?> to the contact form template and your contact form is secured now.
On the other hand there are also some simple Magento code modifications that can easily be made in a couple of hours by an experienced Magento developer to reduce spam without using Captchas.
These are some ideas for the Magento contact form, but this can also be adapted to the other forms mentioned above:
Add the validate-alpha class to the "name" field as well as Zend_Validate(.., 'Alpha') in the contacts controller.
Add a honeypot field such as type="url" name="url" and don't use obvious names or hidden styles for the field like name="honeypot" type="hidden" style="display: none".
This is what a possible honeypot HTML markup might look like:
<input class="mhhs-input d-none" type="url"
name="<?php echo $this->quoteEscape($this->getHoneypotName()) ?>"
autocomplete="off" tabindex="-1" />
Some interesting ideas are also described in this blog post on how to make the honeypot field more effective.
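As an added example that is not from the original post or the Honeyspam extension, here is a controller rewrite for OpenMage/Magento 1 that combines the form-key check, the honeypot check and the alphabetic name validation described above. The module name Example_Contactspam (and the config.xml rewrite of contacts/index it assumes) as well as the honeypot field name "url" are assumptions.

```php
<?php
// Added example: rewrite of the stock contact controller applying the
// three server-side checks from the post. Module name and honeypot field
// name are assumptions; the rewrite is registered in the module's config.xml.
require_once 'Mage/Contacts/controllers/IndexController.php';

class Example_Contactspam_IndexController extends Mage_Contacts_IndexController
{
    // Must match the name attribute of the honeypot input in the template
    // and must not look like a honeypot (no "honeypot", no hidden type).
    const HONEYPOT_FIELD = 'url';

    public function postAction()
    {
        // 1. Form key: rejects scripted re-submissions (e.g. plain curl
        //    without a session-bound form_key).
        if (!$this->_validateFormKey()) {
            $this->_redirect('*/*/');
            return;
        }

        $post = $this->getRequest()->getPost();

        // 2. Honeypot: humans never see the field, so any value means a bot.
        //    Redirect as if successful so the bot learns nothing.
        if (!empty($post[self::HONEYPOT_FIELD])) {
            $this->_redirect('*/*/');
            return;
        }

        // 3. Name must be alphabetic; mirrors the client-side validate-alpha
        //    class but is enforced on the server where bots cannot skip it.
        $alpha = new Zend_Validate_Alpha(true); // true = allow whitespace
        if (!isset($post['name']) || !$alpha->isValid($post['name'])) {
            Mage::getSingleton('customer/session')->addError(
                Mage::helper('contacts')->__('Unable to submit your request. Please, try again later')
            );
            $this->_redirect('*/*/');
            return;
        }

        // All checks passed: let the stock controller validate and send the mail.
        parent::postAction();
    }
}
```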
An additional possibility is the blocking of spam bots on webserver level. For this I recommend using the tool fail2ban, which simply works by analyzing certain log files and extracting malicious IP addresses that are then blocked on firewall level.
To use fail2ban with Magento you can, for example, activate the Apache webserver rules (if you use Apache as your webserver; it works similarly for other webservers like nginx or LiteSpeed). The tool then analyzes either the Apache access or the modsecurity log files and determines which IP addresses should be blocked. You can also extend the fail2ban rules to analyze the Honeyspam extension logs and extract IP addresses from them to block.
Of course it's generally a game of cat and mouse, because spam bots learn with each form and get better and better. That's why – depending on your amount of spam – using professional services may make sense to reduce spam without Captcha.
But on the other side, if you make it more complicated for them, they will perhaps try to find another target.
Reactions to "Reduce spam sent via Magento contact form without Captchas"