Form spam & challenge skipping

Hello Community,

For two weeks now, our contact form on our website has been abused. When looking at the Cloudflare log I don’t see anything. Then I set a firewall rule to log the form and it was from a single IP. So I blocked that, upped the firewall setting to high, put fight mode on and set challenge passage to 5 minutes, etc. etc.

So it didn’t stop; now it’s a different IP. So I added a challenge to the form page and it seems they can somehow pass that!

So I think they found a way around the Cloudflare challenge…

Any suggestions, or a location where I should report it?

With kind regards.
xhoy

What’s the URL of the contact form?

Well, there are several, but this is the most abused one: https://sijn.nl/corporate/contact/contactformulier
And I added the abuser IP to a “separate” challenge list. But they seem to be able to complete the challenge…

You currently only seem to have a JavaScript challenge. That can be bypassed; you could try to switch to a captcha challenge, which will be difficult to “simply” bypass.

Also, does your server IP address end in 30?

No, the server address does not end with a .30 🙂.
I have blocked the IP in a separate firewall rule.

14 Oct, 2019 17:06:12 Challenge Firewall rules 193.238.47.165 Netherlands
14 Oct, 2019 17:04:31 Challenge Firewall rules 193.238.47.165 Netherlands

Oh, and you use IPv6 and your IP ends with :2569??

Does it end in 100? Just checking how easily your address could be discovered.

Also, are you rewriting on your webserver the IP addresses from Cloudflare’s to the actual client address?

No, it does not end with a 100, and they are going through Cloudflare; I checked on my webserver and in the logs there are only Cloudflare IPs. And I see the spammers connect; they change IP once a day or something. I JS-challenged the page Friday and it was abused.

So today I set up a challenge for them to see, and the firewall doesn’t seem to block them.

I do not fully understand what you mean by: “are you rewriting on your webserver the IP addresses from Cloudflare’s to the actual client address?”

Whether you are doing this. https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs

But considering you were saying you only get Cloudflare addresses, that would suggest you are a) not rewriting addresses (you really should) and b) these requests really go through Cloudflare.

If that were the case, it would seem they run some JavaScript enabled crawler and manage to pass the challenge therefore. A captcha challenge should probably stop them, but will be a very rough solution.

Can you post a screenshot of the logs of these requests?

From the Cloudflare side? The server side?

On Cloudflare’s side.

Do they all come with Chrome 67 as user agent? If they do, you could challenge/block based on that. That version is more than a year old.

OK, since I blocked Chrome 67 yesterday no spam has come in.

Then the question becomes: why doesn’t Cloudflare auto-block them?

This topic was automatically closed after 30 days. New replies are no longer allowed.
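An added example, not part of the thread or of Cloudflare's tooling: the two checks suggested above (key on the restored visitor address rather than the Cloudflare edge peer, and look for a stale Chrome version on form POSTs) applied to origin-server logs. The log lines are constructed, the layout with the `CF-Connecting-IP` value logged as a trailing quoted field is an assumed log format, and the `min_chrome_major` cutoff of 70 is an assumed threshold.

```python
import re
from collections import Counter

# Constructed sample: combined log format plus the CF-Connecting-IP header
# value as a final quoted field (assumed layout). Peer addresses stand in
# for Cloudflare edge IPs; 198.51.100.x / 203.0.113.x are documentation ranges.
UA67 = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
UA77 = UA67.replace("Chrome/67.0.3396.99", "Chrome/77.0.3865.120")
FORM = "/corporate/contact/contactformulier"
SAMPLE_LOG = "\n".join([
    f'172.68.0.10 - - [14/Oct/2019:17:04:31 +0200] "POST {FORM} HTTP/1.1" 200 512 "-" "{UA67}" "193.238.47.165"',
    f'172.68.0.11 - - [14/Oct/2019:17:06:12 +0200] "POST {FORM} HTTP/1.1" 200 512 "-" "{UA67}" "193.238.47.165"',
    f'172.68.0.10 - - [14/Oct/2019:17:10:02 +0200] "GET {FORM} HTTP/1.1" 200 9001 "-" "{UA77}" "198.51.100.7"',
    f'172.68.0.12 - - [14/Oct/2019:17:11:40 +0200] "POST {FORM} HTTP/1.1" 200 512 "-" "{UA77}" "198.51.100.7"',
    f'172.68.0.12 - - [15/Oct/2019:09:30:05 +0200] "POST {FORM} HTTP/1.1" 200 512 "-" "{UA67}" "203.0.113.9"',
])

LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<client>[^"]*)"$'
)
CHROME_RE = re.compile(r"Chrome/(\d+)\.")

def stale_chrome_form_posts(log_text, form_path, min_chrome_major):
    """Count form POSTs per (visitor IP, Chrome major) where Chrome < cutoff."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != form_path:
            continue
        chrome = CHROME_RE.search(m["ua"])
        if chrome and int(chrome.group(1)) < min_chrome_major:
            # Key on the restored visitor address; the peer is only the edge.
            hits[(m["client"], int(chrome.group(1)))] += 1
    return hits

def peers_seen(log_text):
    """Addresses the origin sees when visitor IPs are not restored."""
    return {m["peer"] for m in map(LINE_RE.match, log_text.splitlines()) if m}

if __name__ == "__main__":
    for (ip, major), n in stale_chrome_form_posts(SAMPLE_LOG, FORM, 70).items():
        print(f"{ip} Chrome/{major}: {n} form POST(s)")
```

In the sample the visitor address changes from one day to the next while the stale Chrome version stays the same across those submissions.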