Akismet nor honeypot flagging obvious porn spam to nursery school contact form

PLEASE help us help you by writing a good post!

youthful-wright-243706.netlify.app`

So recently I have noticed some porn spam sneaking through the nursery school contact form and arriving with the school secretary (NOT IDEAL!!)

II have the netlify honeypot functionality in place and of course I assume akismet filter is applied first even before honeypot protection, so my question is could there be an issue with akismet on your platform. (I’m guessing some clever spambots could have figured out a way around the honeypot protection, but this stuff is clearly and obviously porn so i would have thought akismet would get it straight away. It has (my forms) all worked really well up until a few months back. Just wondering if there is any help you can offer to make sure the porn isn’t sent to the school office!
Best
Dave

P.S The form in question is just the general contact form on contact page. I have 2 other active forms one on FAQs page and one on Testimonials page, they are currently receiving no spam! (touch wood)

@DaveHarrison Isn’t Akismet only for WordPress installations?

1 Like

Maybe? It was my understanding that netlify used it for their form functionality infrastructure, I may have got that wrong though

@DaveHarrison That does appear to be the case. Nevermind.

1 Like

Hey @DaveHarrison :wave:t2:

Blah. I’m sorry to hear about that :confused: the web sort of sucks sometimes. Hopefully we can fix this up and prevent this from continuing. And, as another aside, what cute kids!! :heart_eyes:

Okay, back to the issue at hand. First, would you mind just double-checking that your HoneyPot fields are named / labeled absolutely correct to your form declarations in the pre-processed HTML? I don’t have access to your site’s settings / config nor your source code, but it’s the first place I’d check too. The forms on your FAQ-page and Testimonials-page’s bot fields are name="bot-field", but the general contact form is name="bbot-field". Perhaps a typo causing the lack of filtering? That could actually be the thorn killing you here — even though the bots are filling out the field, the submission headed to Netlify doesn’t have content for the right field name so it assumes the bot didn’t fill out the honeypot field and passes it through :grimacing:

Let’s try that for step one. I have more thoughts if that doesn’t work.


Jon

2 Likes

Hi @jonsully
thanks for jumping in on this one
I have gone through my source code. There was indeed a typo BUT it was not the one you thought
So I had 3 forms and for each form I altered the name of the honeybot field, bot-field, bbot-field & cbot-field. The cbot-field (that i use in FAQ page did not correspond to the hidden input which still said bot-field so i changed that.
However i an getting no submissions from that form or the testimonial one , nor do we really expect that many. But at lewast now the honeypot feature should protect us on that form
The main contact form that has the porn issue is getting both verified and spam submission which suggest to me perhaps the honeypot field on it is working OK. It is the nature of the spam submissions that concerns me as i would have expected askimet to have already filtered out the obvious porn leaving the honeybot to handle the more benign marketing bot spam etc
Dave

Dang. Okay, thanks for checking that out. As a next step, I might recommend not having your honeypot field be (albeit via inheritance / from a parent element) display: none; - a lot of bots and crawlers are hip to this simple ‘hide’ effect and will skip the honeypot if they detect it not being displayed. This is one of the important decisions I made when I wrote

It generates a honeypot field for folks automatically but it does not make it display: none;, instead hiding it way off on the top left in a (pretty much) invisible way. Feel free to check out the demo and inspect the code to see what I mean: https://react-ssg-netlify-forms.demo.jon.fm

So I’d say give that a shot :+1:t2: Hoping we can fix this up for good. I know this doesn’t address the apparent lack of appropriate functionality from Akismet but at the end of the day we just want to defeat the spam :confused:

On another note, have you considered going the reCaptcha route?


Jon

1 Like

Jon

I’ll have a look at 'hiding the honeypot input some way other than display:none
I am more curious what is going on with Akismet though how can this stuff be getting through??? (could it be related to the fact my form is AJAX

Can’t do reCaptcha its a huge usability issue in an environment when parents are already hard to convince to use the website and school app etc to make contact. The form is working really well to collect lots of genuine parental enquiries. As a bit of a UX guy I’m not in favour of ReCaptcha to address this issue (this is one of the reasons i went with the netlify approach to forms with their honeypot (non obtrusive to genuine user) and Akismet ( my real frustration is it all worked really well for nearly a year and then one day Boom!! all the porn started getting through) - More just landed n the inbox. I am dreading the conversation with the school secretary ;(

Is there a way for Netlify to check and confirm that akismet filter is active on all form submissions.
Its all just too weird, sometimes the honeypot and/or akismet works and then a few minutes later a porn email (that is sooo obvious there is NO way akismet could miss it)
Is it possible the API goes offline?? or is there a limit on number of these spam emails will be checked by akismet API on a free netlify account?

hi @DaveHarrison , there is no way to switch off Akismet - its set up and active by default.

the only thing i can think of to check is whether you can rule out that there are more than form with the same name? That can sometimes happen when you copy/paste, and it can cause strange behaviours.

1 Like

@perry
I figured Akismet was a kinda blanket thing (which is good and what I want) but is it possible for any reason it would not work on every single POST of a form. Is there a way to check (in a log for example) if Akismet ran against a particular form submission (like a spammy porn one)

Either Akismet and/or honeypot work on nearly all spam submissions from the form in question ( I get maybe 10 spam a day) but occasionally a really obvious porn one gets through. My thinking is that advanced spam bots or even humans posting rather than bots could beat the honeypot layer of defence but how on earth can a really obvious porn spam submission slip through Akismet??

Oh and btw all forms are named different, but appreciate the suggestion

Could the fact that forms are submitted using AJAX result in akismet not being run on them? I don’t see how this would be the case

Do spam submissions that are captured by Akismet still make it to the spam submissions list or do they not even appear in the dashboard?

While you wait, I think you can also drop a question directly to Akismet here: Contact - We’re here to help. Maybe it’s something wrong with their systems that as you say, is not able to detect something obvious while it’s working to stop a lot of other spam.

1 Like

UPDATE: For anyone following this thread
I have reached out to akismet support and they have looked into this issue
They said that when I select a spam that has slipped through into my verified submissions and change its status to spam submission the API should then use AI/Machine learning to regonise similar submissions in the future and flag it correctly as spam
So in my case if the message is full of words like sex, teens, porn etc and has a certain pattern elsewhere in the submission it should quickly be picked up in future
however the support expert said he suspected the netlify implementation may not be working as intended and he would be making direct contact with netlify team to investigate this.
The ETA was around one week
Watch this space

3 Likes

That’s a great and much needed update. Let’s hope the problem gets fixed. Thanks for sharing.

1 Like

fantastic. I am so happy to hear it looks like this will work out OK!

@perry will you be able to follow up to confirm if netlify and akismet have the conversation required and get the issue resolved?

Dave, we are making note of this to try and improve things for the future - its definitely on our radar :+1:

1 Like