How to filter out Spam emails?

I keep receiving these kind of junk emails from my website. (i already tried installing google recapture but it was causing issues) so if there is a way to disable fake emails?

If it’s an issue with bots filling out a form on your site, you can add a Firewall Rule for that URL with a JS challenge.

1 Like

Do you know how to do this?

Thank you for the reply. I went there but i could not find anything for JS challenge or spam email blocking.

Could I have help with guiding it?

thanks

Hi, Could I have a little more guidance on this please?

There are several way to combat this since I don’t know the URL/CMS I’ll make some general suggestions, you have to judge whether they are right for you.

There are several firewall settings that can help, note these are site wide: In Firewall -> Settings (the tab is on the right, don’t ask me why, I’ve missed it several times)

In addition you can create a firewall rule like @sdayman suggested. Here is an example for http://example.com/contact

Note you may want to whitelist known good bots such as the google crawler:

Make sure you order the rules correctly. Allow good bots should be on top of the challenge rule.

Here is more information on firewall rules: https://developers.cloudflare.com/firewall/cf-firewall-rules
You can modify the rule to only show the challenge based on the IP score: https://developers.cloudflare.com/firewall/recipes#challenge-bad-bots

For Wordpress sites I recommend and use https://wordpress.org/plugins/zero-spam/ or https://wordpress.org/plugins/hcaptcha-for-forms-and-more/

2 Likes

Nice writeup, publicarray.

If the OP wants both of those rules, they can be combined into one by just using the second rule. Set Known Bots to “Off” and then Challenge. So if it’s /contact, AND it’s NOT a Known Bot, it will Challenge.

2 Likes

Thanks👍

I thought it might be easier to explain this way. But actually I already took the screenshots when I realised it too… :joy: so I just when with it.

2 Likes

Thanks a lot!

So for example like this for my website?

That rule doesn’t match anything. It says if your path is example.com/unitedstudy.co.uk AND it’s a Known (Good Bot), to block it. You put your domain as a Path and are only going to block good bots.

This is mine. I challenge any visitors to my contact page. I don’t care of good bots are challenged at my contact page.

2 Likes

i see, thank you. could i clarify that this would work if i am trying to prevent them contacting me through the home page (there is a contact box at the bottom)

Sorry, but because your contact form is part of your home page, this would JS Challenge everybody. If it was a separate part of the site (its own page), then it would be easier. You’ll have to rely on the contact form itself to be more spam-proof.

Since it looks like a Wordpress site why not try the plugins I mentioned above? note that zero-spam relies on the real IP address (I haven’t used it behind Cloudflare yet, so it may not work correctly yet) the other option is to use cloudfare’s IP score but it may block/ challenge legitimate users too depending on the threshold you set: https://developers.cloudflare.com/firewall/cf-firewall-rules

If you were to notice that the requests to the endpoint are rather often and from similar IPs, you could consider Rate Limiting. Although that would not necessarily be the only/best approach if it is a distributed attack.

To build on that, another thing that may help slightly in the future (although it depends on how did they ended up with your email address in the first place) is to enable the following feature:

What this would do is to prevent some bots from scrapping the email address that are visible in your site. But would not do much if they are autofilling a web form for instance.

4 Likes