AntiSpam for Contact Form 7

Screenshots

The antispam you’re using isn’t working well, is it? Maybe because it’s not using the correct method*** to stop the type of bot that’s attacking you, but I think I have a solution! Antispam for Contact Form 7 is a free plugin for Contact Form 7 that blocks bots from flooding your mailbox, without tedious configuration and without captcha (which usually causes loss of conversions and sometimes are blocking for real users). To do this we use different in and off page bots traps and an auto-learning mechanism based on a statistical “Bayesian” spam filter called B8. CF7-AntiSpam works well and adds some functionalities to Flamingo. If both are installed Flamingo will get some additional controls and an additional dashboard widget will be enabled. SETUP Basic – install & go! No Configuration / keys / registrations required to get the antispam protection. In this case only some protections may be enabled like fingerprinting, language checks and honeypots. Advanced – CF7A needs to parse the input message field of your form to analyze properly the email content with its dictionary. So you need to add a “marker” to “notify” the antispam to check this field (you need to do this for each contact form of your website) so you need to add ‘flamingo_message: “[your-message]”‘ for each additional settings panel of each contact form you need to secure. The method is the same as you use with Flamingo. I know, this is boring but is required for advanced text statistical analysis, without this B8 filter will couldn’t be enabled. GeoIP – (optional) Enable this functionality if you need to restrict which countries (or languages) can email you and which cannot. In order to enable GeoIp you need to agree GeoLite2 End User License Agreement and sign up GeoLite2 Downloadable Databases, in this way you will obtain the key requested to download the database. To find out more, read the information in the dedicated section of the cf7-antispam plugin settings and follow the steps. Antispam Available Tests ✅ Browser Fingerprinting ✅ Language checks (Geo-ip, http headers and browser – cross-checked) ✅ Honeypot ⚠️Honeyform* ✅ DNS Blacklists ✅ Blacklists (with automatic ban after N failed attempts, user defined ip exclusion list) ✅ Hidden fields with encrypted unique hash ✅ Time elapsed (with min/max values) ✅ Prohibited words in message/email and user agent ✅ B8 statistical “Bayesian” spam filter ✅ Identity protection Extends Flamingo and turns it into a spam manager! In this way you will be able to review emails and “teach” to B8 what is spam and what is not (might be useful in the first times if some mail spam pass through). And if you already use Flamingo? Even better! But remember, to add ‘flamingo_message: “[your-message]”‘ to advanced settings (as you do for the other flamingo labels) before activation (or checkuot advanced options “rebuild dictionary”). While activating CF7A all previous collected mail will be parsed and B8 will learn and build its vocabulary. In this way you will start with a pre-trained algorithm. Super cool! Notes: – On the right side of Flamingo inbound page I’ve added a new column that show the mail spamminess level – if you unban an email in the flamingo “inbound” page the related ip will be removed from blacklist. But if you mark as spam the mail the ip will be not blacklisted again. – Before activate this plugin please be sure to mark all spam mail as spam in flamingo inbound, in this way the B8 algorithm will be auto-trained – Don’t delete a spam message from ham if you receive it, rather put it in spam to teach B8 how to recognise the difference! B8 statistical “Bayesian” Filter Originally created by Gary Robinson b8 is a statistical “Bayesian” spam filter implemented in PHP. The filter tells you whether a text is spam or not, using statistical text analysis. What it does is: you give b8 a text and it returns a value between 0 and 1, saying it’s ham when it’s near 0 and saying it’s spam when it’s near 1. See How does it work? for details about this. To be able to distinguish spam and ham (non-spam), b8 first has to learn some spam and some ham texts. If it makes mistakes when classifying unknown texts or the result is not distinct enough, b8 can be told what the text actually is, getting better with each learned text. This takes place on your own server without relying on third-party services. More info: nasauber.de Identity protection To fully protect the forms, it may be necessary to enable a couple of additional controls, because bots use the public data of the website to spam on it. – The first is user related and denies those who are not logged in the possibility of asking (sensitive) information about the user via wp-api and the protection for the xmlrpc exploit wordpress. – The second one is the WordPress protection that will obfuscate sensitive WordPress and server data, adding some headers in order to enhance security against xss and so on. Will be hidden the WordPress and WooCommerce version (wp_generator, woo_version), pingback (X-Pingback), server (nginx|apache|…) and php version (X-Powered-By), enabled xss protection headers (X-XSS-Protection), removes rest api link from header (but it will only continue to work if the link is not made public). Privacy Notices AntiSpam for Contact Form 7 only process the ip but doesn’t store any personal data, but anyway it creates a dictionary of spam and ham words in the wordpress database. This database may contain words that are in the e-mail message, so can contain also personal data. This data can be “degenerated” that means the words that were in the e-mail might have been changed. The purpose of this word collecting is to build a dictionary used for the spam detection. Support Community support: via the support forums on wordpress.org Bug reporting (preferred): file an issue on GitHub Contribute We love your input! We want to make contributing to this project as easy and transparent as possible, whether it’s: Reporting a bug Testing the plugin with different user agent and report fingerprinting failures Discussing the current state, features, improvements Submitting a fix or a new feature We use GitHub to host code, to track issues and feature requests, as well as accept pull requests. By contributing, you agree that your contributions will be licensed under its GPLv2 License. My goal is to create an antispam that protects cf7 definitively without relying on external services. And free for everyone. if you want to help me, GitHub is the right place 😉 copyright AntiSpam for Contact Form 7, Copyright 2021 Codekraft Studio AntiSpam for Contact Form 7 is distributed under the terms of the GNU GPL This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the LICENSE file for more details. Resources Contact Form 7 and Flamingo © 2021 Takayuki Miyoshi,LGPLv3 or later B8 https://nasauber.de/opensource/b8/, © 2021 Tobias Leupold, LGPLv3 or later GeoLite2 license GeoIP2 PHP API GeoIP2-php chart.js https://www.chartjs.org/, © 2021 Chart.js contributors, MIT Sudden Shower in the Summer, Public domain, Wikimedia Commons https://commons.wikimedia.org/wiki/File:Sudden_Shower_in_the_Summer_(5759500422).jpg Contibutions Mirek Długosz – #30 fixes a crash that occurred when analysing flamingo metadata Special thanks This project is tested with BrowserStack. Browserstack MaxMind GeoIP2 This plugin on demand can enable GeoLite2 created by MaxMind, available from https://www.maxmind.com While enabled you may have to mention it in the privacy policy of your site, depending on the law regulating privacy in your state! * GeoIP2 databases GeoLite2 Country DNSBL servers privacy policies dnsbl-1.uceprotect.net www.uceprotect.net license dnsbl-2.uceprotect.net www.uceprotect.net license dnsbl-3.uceprotect.net www.uceprotect.net license dnsbl.sorbs.net sorbs.net license zen.spamhaus.org spamhaus.org license bl.spamcop.net spamcop.net license b.barracudacentral.org barracudacentral.org privacy-policy dnsbl.dronebl.org dronebl.org all.spamrats.com spamrats.com tos bl.ipv6.spameatingmonkey.net spameatingmonkey.net Inspirations, links Nikolai Tschacher incolumitas.com Antoine Vastel fp-scanner/fp-collect Niespodd niespodd Thomas Breuss tbreuss Domain Name System-based blackhole list wiki dnsbl list wiki