We have a site running through Cloudflare and it seems to be getting a ton of illegitimate leads via the form submissions. Some are obviously SPAM, they are in all caps, etc. The form itself has an anti-spam honeypot, CleanTalk and CAPTCHA. With all of that it seems, I assume bots, are still getting through. Some leads look legit, but when you call or email the information isn’t accurate. On top of all that regular leads seem to have declined, so I’m looking at all avenues here as causes. Any thoughts to things related to Cloudflare that could cause issues? I use it to help mitigate or eliminate these types of issues, but is it possible it is contributing in some form?

You could try Bot Fight Mode, a firewall rule for the contact page with a Managed Challenge action, etc.

I thought about this, but they have a form in the footer, so every page, plus some pages have one at the top and then of course the contact page has one.

We have a collector that runs in parallel with Cloudflare. It collects data. During submitting a form/redeeming a trial, we add all the data collected during the session and let a third party evaluate the customer. If it doesn’t meet a threshold, we discard the event completely.

It works well, we spend around $300 a month on that solution, and we haven’t had many issues. I won’t name the vendor we are using; however, some features you want to look for are email reputation, phone reputation, IP reputation, risk assessment, etc.

Also, what captcha are you using?

The reCAPTCHA I believe was Google. I took it off for now since it doesn’t really seem to be limiting anything.

Not a good idea; even if some attackers are going through recap, it’s still holding back a lot of attackers. Recaptcha is the best free captcha on the market right now; if you want to try a paid captcha, then geetest and funcaptcha are good.

Also, just to make sure, what mode of Recaptcha are you using? Are you using V3 too?

It was V2 reCaptcha, the Gravity Forms plugin doesn’t seem to allow for V3. I wasn’t really in favor of taking it off, but the client, in some odd thought process, felt that maybe good leads were being filtered out. So SPAM isn’t being stopped at the rate it used to be, but maybe it is blocking real users…? Flawed logic for sure, but that was their thought process. Maybe a paid version would be good to try. Over an 11-day period they had 130 submissions, 65 they would consider garbage. No working phone number, email or obviously bogus text in the comment fields.

Actually they do have v3 available now on Gravity Forms, it just takes an additional plugin to sync it up.

V3 has a good set of improvements; I’d advise trying that before giving up on having captchas.

Adding friction can affect leads, especially if they aren’t as interested in the product. There is a trade-off between losing employees’ time (garbage submissions) and lost leads; the company should study and find the optimal balance between the two.

No doubt. Just odd that for years there have been virtually no issues and over the last couple of months it has soared to where they have what I consider a high percentage of them to be invalid.

Captchas are unfortunately losing their strength; the ones meant to stop bots are relatively expensive and not user-friendly. Recaptcha and HCaptcha can afford to be free mainly because the solved captchas can be used in computer vision.

You are most likely being targeted by a spammer that has an ML capable of solving ReCaptcha or uses a captcha solving service. In either case, solving costs money to the attacker, which adds some barrier for future attackers. A service with risk assessment/IP/Fingerprinting capabilities would be the best fit to stop these attacks.
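
The approach suggested in this thread, scoring each submission on several signals and dropping those that miss a threshold, can be sketched as follows. This is an added example, not code from any poster or vendor mentioned; the field names, point weights and cut-offs are assumptions, and the local checks stand in for the email/phone/IP reputation lookups a paid service would perform.

```python
import re
from dataclasses import dataclass

@dataclass
class Submission:              # field names are assumptions for this sketch
    email: str
    phone: str
    message: str
    honeypot: str              # hidden field; a human leaves it empty
    seconds_on_form: float     # time from page render to submit
    captcha_score: float       # 0.0-1.0 from a score-based captcha (1.0 = likely human)

REVIEW_AT, DISCARD_AT = 25, 60  # assumed cut-offs; tune against labelled leads

def risk_signals(s: Submission) -> dict[str, int]:
    """Return each signal that fired with the points it contributes."""
    hits = {}
    if s.honeypot.strip():
        hits["honeypot_filled"] = 100
    letters = [c for c in s.message if c.isalpha()]
    if len(letters) >= 20 and sum(c.isupper() for c in letters) / len(letters) > 0.8:
        hits["all_caps_message"] = 30
    if re.search(r"https?://|www\.", s.message, re.I):
        hits["link_in_message"] = 20
    digits = re.sub(r"\D", "", s.phone)
    if not 7 <= len(digits) <= 15 or len(set(digits)) <= 2:
        hits["implausible_phone"] = 25
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}", s.email):
        hits["malformed_email"] = 25
    if s.seconds_on_form < 3:
        hits["submitted_too_fast"] = 30
    if s.captcha_score < 0.5:
        hits["low_captcha_score"] = 30
    return hits

def evaluate(s: Submission) -> tuple[str, int, dict[str, int]]:
    """Score a submission; keep the fired signals so rejected leads can be audited."""
    hits = risk_signals(s)
    score = sum(hits.values())
    verdict = "discard" if score >= DISCARD_AT else "review" if score >= REVIEW_AT else "accept"
    return verdict, score, hits

# Constructed sample submissions (not real leads).
LEGIT = Submission("jane@example.com", "+1 (555) 010-4477",
                   "Hi, we would like a quote for a kitchen remodel next month.", "", 42.0, 0.9)
SPAM = Submission("asdf@asdf", "1111111111",
                  "BUY CHEAP SEO BACKLINKS NOW VISIT WWW.EXAMPLE.INVALID TODAY", "", 1.2, 0.3)
BORDERLINE = Submission("sam@example.org", "555", "Please call me about pricing.", "", 20.0, 0.9)

if __name__ == "__main__":
    for name, sub in (("legit", LEGIT), ("spam", SPAM), ("borderline", BORDERLINE)):
        print(name, *evaluate(sub))
```

Logging the fired signals alongside each verdict lets the "review" band be checked by hand, which gives a measured answer to whether good leads are being filtered out.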

