Turnstile is always blocking me, but, well I own the site I added it to?

I’ve addedd Turnstile to two websites during the last week to combat an exploding amount of spam in our “contact us” forms.

But it seems like it is waaaay too aggressive. It keeps blocking me from using the form. It should probably have an aggressiveness setting, or some other way to get around this.

I don’t think I can use it as it works right now. :confused:

Some considerations:

  1. Maybe you’re the one who’s been spamming your forms. Probably not, but you’ve probably done something to makes your visits seem suspicious.
  2. Maybe this doesn’t affect others, and it’s working as expected.

I’m sure the spammers would love to get an answer for this, as they’re probably miffed it’s so difficult to spam your forms because of Turnstile.

That will fix at least one of your problems. :wink:

Maybe by testing it on localhost a few times. However, I doubt it. Though this isn’t that helpful since I cannot see in the log that this was blocked, and able to unblock again from my own site.

Having an aggressiveness-setting would fix it. Since I’d make the setting really mild. To just not have the Russian spammers, and the Viagra-sending idiots.

From reading this forum it seems that it isn’t that uncommon. I’m afraid it’ll block a lot of legitimate users.

Of course I’m not asking for what you are insinuating.

I was asking for a way to make Turnsile less aggressive or have some options to tune it specifically for our site. Like, if the message is written in Norwegian or from a Norwegian IP, that should be a big boost for these particular site (and only these, manually config’d so), English okay, any other language is likely spam.

Turnstile might want to go with a pure no-config approach, which makes sense, if it would work. And maybe it will, but

Well, me sending isn’t really a problem. But it’s a smoke test to see if it works, and that clearly fails.
The russian spam problem has gotten real big. They’re posting 10-50 messages daily, which is nothing for big sites, but a lot when it goes into a small organizations’ mail box. I like Cloudflare’s no-cookie method. It seemed like a really good solution. But it might not be ready for prime time.

It could be due to me using a non-standard browser like Vivaldi. Or running an ad-blocker. Or any other weird signal which shouldn’t mean you’re a spammer. Anything I can think of, except myself testing it on localhost, is something which would block real users.

Quite funny, the above message was temporarily blocked by Akismet --^ :joy:

But that had a manual exit-situation. It was possible to fix it :slight_smile:

This is definitely worth continuing the conversation. Docs say that Turnstile works the same way Managed Challenge does. And about Managed Challenge:

Managed challenges are where Cloudflare dynamically chooses the appropriate type of challenge based on the characteristics of a request.

Not very descriptive. Then again, it goes back to my other comment:

The instructions imply there are three levels of interaction. Have you tried all three to see if they all block you?

I figured it out, and it’s quite embarrassing. But first, that is a good suggestion.

I did try them both, only each “extreme” on different sites though. One fully hidden, one with optional interaction.

It was only one site that was always failing me. The other one which I did first and used the hidden option I think only failed once.

So for the second site, I actually managed to use the secret key of the other site. So it was wrong. The logs were unavailable on that site (using fastcgiwrapper, and for some reason → no logs), which is how I’d be able to do such an elementary and absolutely embarrassing mistake.

2 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.