Email forms and spam

Please enlighten me… The only way here to add Recaptcha to an email form is to pay for a 3rd party Bric that in its description says that it may or may not work. (Is that ethical to take money for that?). Anyway, that’s beside the point

I would like to know if there is an alternative and everyone is using.

Also, since there is nothing built-in in Blocs I would like to encourage the developer to offer a solution. All the talks about coming features are wonderful, and Blocs seems to be a great tool. But without spam protection on a contact form my journey with Blocs would end right here and now.

Hello @Visionquest,

I use a different approach please check here for my solution:


Hope it helps you…

The blocs form script is as secure as most people can hope for. There is total email address obfusication so no one is going to harvest your email address from your website and add it to a spam list.

What you have to understand is the objective of spammers. What they are looking for are website forms that return an automated response - preferably a response that includes the original message content of the form. If they come across one of these, they will be in “spammer’s heaven”. What they will do is use your form to create a spam message (including links and all sort of other garbage) and use other people’s email addresses when submitting the form. This will result in your server responding to some innocent recipient who will get the spammers message.

Unfortunately, Captchas and Re-captchas will not be effective at stopping this sort of abuse of website forms - the spammers will simply employ someone to fill out the forms from an internet cafe or a free wifi hotspot. Those people will be perfectly adept at clicking the box that says “I’m Not a Robot”.

So, as long as your forms do not auto respond, the only person that may be inconvenienced by the occasional spam message (the test messages) will be you. If they don’t get a useful response back, they will most likely go away and look for richer pickings elsewhere. No spammer is going to waste his or her time simply sending you multiple spam messages - it doesn’t achieve anything.

If you do get a large amount of spam through your form, its better to set up an alias email address on your server and have your forms direct to that. When the level of spam becomes too great for you, delete the alias and set up a new one.

If you want a real belt and braces approach, you can use a third party script such as Tectite Formmail. This has a whole host of anti-spam options built into the script that you can activate on demand. But even these types of scripts are becoming unnecessary these days, as most mail servers have a high degree of protection against spam - many also allow you to configure even more options if you need them. My advice is try the script first and check the level of spam you receive. If it’s intolerable, then look for other solutions. I’ve not heard of any Blocs user who have had their form script become a spam gateway. I’m sure if this was a common problem, we would have heard about by now.

1 Like

Thats pretty cool @Pealco, I haven’t come across that one before.

By the way you have duplicate copies of slidecaptcha.js attached on that page.

Was this the project? (hope it doesn’t call home :crazy_face: )

Thank you @Malachiman I was inspired by WeChat and a lot of Chinese qt domains they use this a lot…

Interesting solution. I had not seen this before.
Since it is not a Bric, how do you implement it in Blocs?

Thanks for your your input.

Spammers hunting for auto responders is one thing, I am mostly concerned about bots filling out the form with nonsense and flooding the email account.

In my experience, when ever I built a web site without Google Recaptcha my or the client’s email address gets flooded. When the Recaptcha is in place, it is quiet.
Therefore I am looking for a solution and I do think that this needs to be part of Blocs as a standard feature.

You can see from the link above from @Pealco, he has it so you must complete the challenge before you can fill in the form, it would be possible to incorporate it into the Blocs form as well.

Yes, I saw the example, but I am wondering about how you implement it in Blocs in your own form - Where to put all these code snippets and how to link it together.

To be fair, it would be worth approaching @Pealco to freelance a solution for you.

Yes, though it defies having bought into a platform that promises quick and easy web site creation. If I have to outsource an important portion to a freelancer then I feel I have gotten a car without wheels.

Anyway, right now I am just looking for some simple solution. Even an email link with obfuscation or something that would work. I found some web sites that obfuscate emails but when I add the code snippet, no classes can be applied, no formatting, no colors will be applied when assigning the corresponding class to the code snippet bric.

I would be very grateful if I would get just something here that works.

1 Like

Hello @Visionquest understand your point of view about the car without wheels, but your car with wheels don’t go anywhere without fuel… and you have to pay for the fuel… :wink:

Even to help the users, we have a lot of work, we have to create a new project, try before send any code or input. If you check my blocs snippet website you will see a lot of work there. Every entry in the website was to help a user, and it was free but now I’m not doing it any more, sorry.

From the free help we gave, same people then charge customers. And in this way we work for free to others earn money. And I think it’s not fair.

Hope you understand…

I would tend to have a little more sympathy with your comment about “buying into a platform that promises easy website creation” if indeed Blocs failed to do precisely this. The absence of captcha or re-captcha has very little to do with the ease by which a website can be created. It’s an option that some people obsess about, whilst other can happily live without. The fact is you will find it very difficult to find threads on this, or other forums that demonstrate webforms in blocs are major contributor to spam email.

The primary culprits when it comes to spam emails are not website forms as such. According to 2019 data from SecureList, the problem of spam has more to do with compromised scripts (notionally those associated with open source CMS systems such as Joomla and Wordpress), social networks and a range of google services which have to be constantly updated to try and defeat the problem. Add to this the numerous exploits that can be injected into, predominantly, Windows computers through Microsoft application hacks, and you begin to understand where the real spam problems arise.

Even Google captcha and re-captcha have been circumvented in order to gain access to form processing scripts without even having to visit the originating website where the captcha is displayed. The thing is, the more widely used a spam defeat system is, the greater the determination of professional spammers to circumvent the anti-spam measures. Clearly, it’s simpler for a spammer to compromise a system that literally millions of websites around the world use, because once its hacked, it can be replicated to compromise many systems.

My advice remains the same, build a blocs form, publish it and count the spam emails that come in. You can easily differentiate between those that have been submitted from your website because they will contain all the form fields. If you get inundated with spam emails that do not contain your form fields, it may well be that someone has compromised the script on your server to extract the email address. Certainly, it’s highly unlikely that a professional spammer in China is going to go to the trouble of spamming a single recipient email address - the address may well end up on a spammers hit list if the email address has been used indiscriminately elsewhere, but the chances of it being used in a major spanning operation is highly unlikely.

Of course, there would be nothing to stop a professional spammer from downloading blocs and picking it apart to see how the script works and where it is located on a server when published. It’s then a question of looking for loopholes and backdoors that can be exploited to bypass your website and simply target the scripts directly to send emails to other people. But why would they do this. Unlike the many CMS systems out there, finding blocs sites to target would be little more difficult and probably wouldn’t be worth anyone’s time trying to exploit.

It should also be remembered that by far the biggest problem today is where companies maintain a database of customers which gets replenished through sign-up forms. These are the primary target for most spammers as they gain access to millions of customer email addresses, This is why social networks and major corporations are targeted so frequently. The idea is get the user lists and then spam them en-mass with phoney offers or emails that purport to come from banks. Believe me, none of these spammers have the slightest interest in targeting a single recipient email address on some obscure website. You may well find a troublesome individual who will fill up the form on line just for the fun of it, but it isn’t compromising your system and the resultant email can be simply trashed.

1 Like

On a grander scale you might be right with your theories and statistics. I don’t argue with that.
Specifically, though, I have had and still have web sites that, if I don’t put a ReCaptcha on the form I get tons of emails of the same character, form fields filled out by a bot. Once the ReCaptcha is in place, it stops.

Therefore I am seeking an option, even if it is just a honeypot solution. And I do insist, that this needs to be built into the Blocs core application to make this attractive and to ensure a quick and effective workflow.

Also last but not least, if you have a client and they ask for an active spam protection, you put one in, whether you believe in it or not. And again, this needs to be available in the development platform of your choice.

I have no issues with people offering paid services. And I did not know that you do in the context of Blocs related customizations.
What I did point out that I would expect the core application to offer some kind of solutions for spam protection and that I am indeed disappointed about that. I got Blocs before the ReCaptcha Bric was abandoned and only now I am getting around to work with Blocs.

Which you should be able to do if you are offering these types of services professionally.

It’s interesting actually. Even the swipe the puzzle captcha is easily circumvented if you really wanted to.

I’m not sure what the issue is with the Recaptcha bric, but it appears it’s Google’s own code that’s hit or miss for some reason.

Yes I understand, lets wait for what Blocs V4 brings, probably it could be something that @Norm includes in the new version. I don’t know…

1 Like

I don’t offer services in web development, I am making a general statement.

So was my comment.

The solutions are out there, i’ts just a question of choosing one that suits your purpose. On some of the websites I create, it’s essential to have some sort of verification to ensure that the form has been completed by a real person (whether it’s an amateur spammer sitting in his bedroom or a bot that is seeking to compromise a form script). All of the e-commerce sites I create always include a verification system of some sort. So do some of my membership sites. HERE is an example of a site that uses a simple verification code before someone can send the form (bottom of the page). This is required because the the form script saves the data to a database AND responds automatically to the sender. This was done by simply adding a third party script through which the form can be created. It’s then embedded into the web page using a small piece of embed code. Whenever the form is changed in the admin area of the site, the changes automatically show up in the web page. This is a specific example of choosing a solution that achieves a client objective - in this case, compliance with the law rather than a spam defeat method, but it does achieve that objective also.

Basically, any form solution, whether hosted elsewhere or hosted on your own domain can be configured to use a verification code if it’s something the client needs. You just have to find one that works for you and go with it.