Joomla Spam Sending - Spam Protection for Contact Form and Registration
In the past, Joomla has gained a bit of a reputation as a spam relay. Unjustifiably so, because the issue can be solved with simple measures! Cyberattacks are commonplace on the internet these days. All the more important to protect yourself against them.
As soon as a new website appears in the Google index, it begins - the first bots stop by. Apart from search engine bots, their visits are rarely beneficial. Among the most annoying are spambots - always on the lookout for unprotected forms.
In the standard setup, Joomla has three forms without active spam protection out of the box.
Joomla is sending spam - where are all these emails coming from?
Joomla includes the following features that may be responsible for excessive email sending:
- Contact forms (recognizable by 'This is an email inquiry via' ...)
- User registration (spam sign-ups)
- Recommendation feature (send email to a friend)
It does not matter whether the contact form or registration is actually integrated into the site. The direct links work even without any menu link.
The contact form’s 'copy to sender' function is particularly dangerous. It can be used to send emails with any content to any email address - an open invitation for spammers. It is therefore better to do without this feature.
The setting for this can be found under Components -> Contacts -> Options (top right) in the Form tab.
Clearly identifying the cause through access log analysis
Every form submission appears in the web server access logs as a POST request. If you review them, you can see the exact URL through which the spam sending is taking place. For the analysis, feel free to use our Log Analysis Tool.
In this example output, the contact form (com_contact) would be the cause:
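The analysis described above, as an added example that is not the article's own tool or output: a Python script that counts POST requests per Joomla component and per client IP. It assumes the Apache/nginx Combined Log Format; the sample lines are constructed and the function names are illustrative.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - - [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Aug/2018:10:00:01 +0200] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 5 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Aug/2018:10:00:02 +0200] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 5 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Aug/2018:10:00:03 +0200] "POST /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 303 5 "-" "Mozilla/5.0"
198.51.100.23 - - [30/Aug/2018:10:01:10 +0200] "POST /index.php?option=com_users&view=registration HTTP/1.1" 303 5 "-" "Mozilla/5.0"
192.0.2.10 - - [30/Aug/2018:10:02:00 +0200] "POST /administrator/index.php HTTP/1.1" 303 5 "-" "Mozilla/5.0"
192.0.2.10 - - [30/Aug/2018:10:02:05 +0200] "GET /index.php?option=com_contact&view=contact&id=1 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

def classify(target):
    """Map a request target to the Joomla component named in its query string."""
    parts = urlsplit(target)
    option = parse_qs(parts.query).get("option", [""])[0]
    if option.startswith("com_"):
        return option
    # With SEF URLs the component may only be in the POST body, which the
    # access log does not record, so fall back to the request path.
    return parts.path

def post_counts(log_text):
    """Return (POSTs per component or path, POSTs per client IP)."""
    by_target, by_client = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "POST":
            continue  # skip unparsable lines and non-POST requests
        ip, _method, target, _status = m.groups()
        by_target[classify(target)] += 1
        by_client[ip] += 1
    return by_target, by_client

if __name__ == "__main__":
    targets, clients = post_counts(SAMPLE_LOG)
    for name, count in targets.most_common():
        print(f"{count:6d}  {name}")
    for ip, count in clients.most_common(5):
        print(f"{count:6d}  {ip}")
```

To run it against a real log, pass the file's contents to `post_counts()` instead of `SAMPLE_LOG`.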
Spam Protection Solutions
OSpam-a-not - Honeypot & Time Delay 🍯
A very simple way to protect Joomla sites from spam is the OSpam-a-not plugin by Joomlashack. Regardless of the extension used, it equips all frontend forms with a honeypot and a time delay.
A honeypot is a hidden field that is not visible to normal visitors but is filled in by most spambots. If that happens, the form cannot be submitted. In addition, a time delay can be set (e.g. 3 s), requiring the page to remain open for a minimum time before the form can be sent. Spambots usually act faster.
The plugin can be installed via the web catalog in the backend or downloaded here: https://extensions.joomla.org/extension/ospam-a-not/
The last version compatible with Joomla! 2.5, version 1.1.7, is available on GitHub.
Built-in spam protection - integrate ReCAPTCHA v2 / v3 via plugin
With the ReCAPTCHA plugin, Joomla already offers effective form spam protection out of the box. To use the plugin, it must first be enabled in the backend under Extensions -> Plugins -> Captcha - ReCAPTCHA.
Configuration requires an API key pair consisting of the 'Website Key' and the 'Secret Key'.
You can get the key pair here:
https://www.google.com/recaptcha/admin
After that, the ReCAPTCHA plugin can be set globally as the default captcha in the Joomla system configuration. This integrates it into both the contact form and user registration. Newly created unknown users and contact form spam should then be a thing of the past.
Joomla 2.5 ReCAPTCHA v2 Fix
For Google's ReCAPTCHA v2 to work on an old Joomla 2.5 system as well, an adapted /plugins/captcha/recaptcha/recaptcha.php must be uploaded. By default, only v1 is supported (discontinued by Google).
You can download the file here.
For the upgrade to Joomla 3.10.12, we would be happy to provide you with an affordable quote.
Prevent spam registrations from the outset
The vast majority of Joomla sites do not need a user registration feature at all. Spam users are usually created with non-existent email addresses. This is the reason for the 'Mail delivery failed: returning message to sender' email bounces that occur in large numbers along with user registrations.
Under Users -> Manage -> Options (top right), registration can be disabled.
Delete thousands of unknown users from the database
Depending on how aggressive the spambots are, without protective measures there may already be several thousand unknown users. Deleting them via the backend is then tedious to nearly impossible.
With this SQL command, all user accounts that are not active, meaning they have never logged in, are deleted in one go (replace #__ with your table prefix):
DELETE FROM `#__users` WHERE `lastvisitDate`='0000-00-00 00:00:00'
Advanced spam protection with EasyCalcCheck Plus (ECC+)
In contrast to the core plugin, ECC+ by Viktor Vogel also supports a variety of third-party extensions directly.
One of the most important and very useful features is the configurable time delay. For example, this can be set to 5 seconds - and that alone is enough to stop most spambots in their tracks. Normally, only 2-3 seconds pass between opening and submitting the form.
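The honeypot and minimum-time checks described for OSpam-a-not above, and the time delay described here for ECC+, sketched server-side as an added example (not code from either extension). The field names, the secret and the one-hour token lifetime are assumptions; the render time is HMAC-signed so a client cannot simply claim an older timestamp.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-server-side-secret"  # assumption: per-site secret
MIN_SECONDS = 3       # minimum time the form must stay open (3 s as in the article)
MAX_SECONDS = 3600    # assumption: tokens older than one hour are rejected
HONEYPOT_FIELD = "website_url"  # hypothetical field, hidden from humans via CSS
TOKEN_FIELD = "form_token"      # hypothetical hidden field carrying the token

def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def issue_token(now=None):
    """Called when the form is rendered: returns 'timestamp.signature'."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"

def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of submitted form fields."""
    now = time.time() if now is None else now
    # 1. Honeypot: humans never see this field, so any value means a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    # 2. Token integrity: the timestamp must carry our own signature.
    ts, _, sig = form.get(TOKEN_FIELD, "").partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad token"
    # 3. Time delay: too fast is a bot, too old is a stale or replayed token.
    age = now - int(ts)
    if age < MIN_SECONDS:
        return False, "submitted too fast"
    if age > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"

if __name__ == "__main__":
    token = issue_token()
    # Submitted immediately after rendering, as a bot would.
    print(check_submission({TOKEN_FIELD: token, HONEYPOT_FIELD: ""}))
```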
Currently, in addition to the core extensions (registration + contact form), the following extensions can be protected:
- aiContactSafe
- ALFContact
- Community Builder
- DFContact
- Easybook Reloaded
- Fox Contact
- Flexi Contact
- Flexi Contact Plus
- IProperty Real Estate
- JomSocial
- Kunena Forum
- Phoca Guestbook
- Virtuemart
Instead of ReCAPTCHA v2, math questions and custom questions can also be configured. In addition, various other anti-spam services and protection settings can be used. When it comes to spam protection, EasyCalcCheck+ is the all-in-one solution.
Set up spam protection - we’ll take care of it for you!
If you do not want to deal with it yourself, we will be happy to install effective spam protection for you.
As part of our 30 min Quick Support the cost is only €59 incl. VAT.
Image credit: master1305 - Fotolia.com
- Last Updated: 30 August 2018

