AntiSpam for Contact Form 7

plugin banner

A trustworthy antispam plugin for Contact Form 7. Simple but effective.

Author:Codekraft (profile at wordpress.org)
WordPress version required:5.4
WordPress version tested:6.4.3
Plugin version:0.6.2
Added to WordPress repository:24-05-2021
Last updated:31-01-2024
Rating, %:88
Rated by:7
Plugin URI:
Total downloads:24 574
Active installs:5 000+
plugin download
Click to start download

Are you unsatisfied with your current antispam solution for Contact Form 7? It might be using an ineffective method to combat the specific type of bot attacks you’re facing. Fortunately, I have a solution for you!
Antispam for Contact Form 7 is a simple yet highly effective plugin that protects your mailbox from bot flooding. Say goodbye to tedious configurations and captchas, which often lead to reduced conversions and inconvenience for genuine users. Our plugin utilizes a combination of on-page and off-page bot traps, along with an auto-learning mechanism powered by a statistical “Bayesian” spam filter called B8.
CF7-AntiSpam seamlessly integrates with Flamingo and enhances its functionality. When both plugins are installed, Flamingo gains additional controls, and an extra dashboard widget is enabled.

SETUP

Basic – Install and go! No configuration, keys, or registrations are required to activate the antispam protection. In this case, some protections, such as fingerprinting, language checks, and honeypots, will be enabled.
Advanced – For CF7A to properly analyze the email content using its dictionary, it needs to parse the input message field of your form. To notify the antispam to check this field, you’ll need to add a “marker” to each contact form on your website. Simply add ‘flamingo_message: “[your-message]”‘ in the additional settings panel of each contact form you want to secure. This process follows the same method used with Flamingo. While this step may seem tedious, it is required for advanced text statistical analysis. Without it, the B8 filter cannot be enabled.
GeoIP – (Optional) If you need to restrict which countries or languages can email you, you can enable this functionality. To enable GeoIP, you’ll need to agree to the GeoLite2 End User License Agreement and sign up for GeoLite2 Downloadable Databases. This will provide you with the required key to download the database. For detailed instructions, please refer to the dedicated section in the cf7-antispam plugin settings.

Antispam Available Tests

✅ Browser Fingerprinting
✅ Language checks (Geo-ip, http headers and browser)
✅ Honeypot
️⃣ Honeyform
✅ DNS Blacklists
✅ Blacklists (with automatic ban after N failed attempts, user defined ip exclusion list)
✅ Hidden fields with encrypted unique hash
✅ Time elapsed (with min/max values)
✅ Prohibited words in message/email and user agent
✅ B8 statistical “Bayesian” spam filter
✅ Identity protection
???? Webmail protection

Extends Flamingo and turns it into a spam manager!

With this plugin, you can now review emails and train B8 to identify spam and legitimate messages. This feature proves useful, especially during the initial stages when some spam emails may slip through.
Already using Flamingo? Even better! Just remember to add ‘flamingo_message: “[your-message]”‘ to the advanced settings (similar to other Flamingo labels) before activating the plugin. Alternatively, you can explore the advanced options and select “rebuild dictionary.”
Upon activating CF7A, all previously collected emails will be parsed, and B8 will learn and develop its vocabulary. This pre-trained algorithm gives you a head start. How cool is that?
Additional Notes:
– A new column has been added to the right side of the Flamingo inbound page, displaying the level of spaminess for each email.
– If you unban an email on the Flamingo “inbound” page, the corresponding IP will be removed from the blacklist. However, marking an email as spam will not blacklist the IP again.
– Before activating this plugin, please make sure to mark all spam emails as spam in the Flamingo inbound section. This auto-training process will help the B8 algorithm.
– If you receive a spam message, please avoid deleting it from the “ham” section. Instead, place it in the spam section to teach B8 how to differentiate between spam and legitimate messages.

B8 statistical “Bayesian” Filter

Originally created by Gary Robinson b8 is a statistical “Bayesian” spam filter implemented in PHP.
The filter tells you whether a text is spam or not, using statistical text analysis. What it does is: you give b8 a text and it returns a value between 0 and 1, saying it’s ham when it’s near 0 and saying it’s spam when it’s near 1. See How does it work? for details about this.
To be able to distinguish spam and ham (non-spam), b8 first has to learn some spam and some ham texts. If it makes mistakes when classifying unknown texts or the result is not distinct enough, b8 can be told what the text actually is, getting better with each learned text.
This takes place on your own server without relying on third-party services.
More info: nasauber.de

Identity protection

To fully protect the forms, it may be necessary to enable a couple of additional controls, because bots use the public data of the website to spam on it.
– The first is user related and denies those who are not logged in the possibility of asking (sensitive) information about the user via wp-api and the protection for the xmlrpc exploit wordpress.
– The second one is the WordPress protection that will obfuscate sensitive WordPress and server data, adding some headers in order to enhance security against xss and so on.
Will be hidden the WordPress and WooCommerce version (wp_generator, woo_version), pingback (X-Pingback), server (nginx|apache|…) and php version (X-Powered-By), enabled xss protection headers (X-XSS-Protection), removes rest api link from header (but it will only continue to work if the link is not made public).

Mailbox Protection (Multiple Send)

Enhance email security by enabling the “Multiple Send” feature, which prevents consecutive email submissions to the user’s mailbox. This measure is effective in thwarting automated spam attempts and ensures a secure communication environment.

Privacy Notices

AntiSpam for Contact Form 7 only process the ip but doesn’t store any personal data, but anyway it creates a dictionary of spam and ham words in the wordpress database.
This database may contain words that are in the e-mail message, so can contain also personal data. This data can be “degenerated” that means the words that were in the e-mail might have been changed.
The purpose of this word collecting is to build a dictionary used for the spam detection.

Support

Community support: via the support forums on wordpress.org
Bug reporting (preferred): file an issue on GitHub

Contribute

We love your input! We want to make contributing to this project as easy and transparent as possible, whether it’s:

  • Reporting a bug
  • Testing the plugin with different user agent and report fingerprinting failures
  • Discussing the current state, features, improvements
  • Submitting a fix or a new feature

We use GitHub to host code, to track issues and feature requests, as well as accept pull requests.
By contributing, you agree that your contributions will be licensed under its GPLv2 License.

My goal is to create an antispam that protects cf7 definitively without relying on external services. And free for everyone.
if you want to help me, GitHub is the right place ????

copyright

AntiSpam for Contact Form 7, Copyright 2021 Codekraft Studio
AntiSpam for Contact Form 7 is distributed under the terms of the GNU GPL

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the LICENSE file for more details.

Resources

  • Contact Form 7 and Flamingo © 2021 Takayuki Miyoshi,LGPLv3 or later
  • B8 https://nasauber.de/opensource/b8/, © 2021 Tobias Leupold, LGPLv3 or later
  • GeoLite2 license
  • GeoIP2 PHP API GeoIP2-php
  • chart.js https://www.chartjs.org/, © 2021 Chart.js contributors, MIT
  • Sudden Shower in the Summer, Public domain, Wikimedia Commons https://commons.wikimedia.org/wiki/File:Sudden_Shower_in_the_Summer_(5759500422).jpg

Contibutions

Mirek Długosz – #30 fixes a crash that occurred when analysing flamingo metadata
MeliEve – #42 Fix “internal_server_error” when message is empty
MeliEve – #61 Handle deferrer script loading
Zodiac1978 – #67 Remove warning for unsafe email configuration w/o protection
JohnHooks – #66 Readme + plugin env

Special thanks

This project is tested with BrowserStack. Browserstack

MaxMind GeoIP2

This plugin on demand can enable GeoLite2 created by MaxMind, available from https://www.maxmind.com
While enabled you may have to mention it in the privacy policy of your site, depending on the law regulating privacy in your state!
* GeoIP2 databases GeoLite2 Country

DNSBL servers privacy policies

Inspirations, links


Screenshots
FAQ
ChangeLog