DEV Community: 🐾 Onar A.

Stop spam on Webflow contact forms using Zapier and OOPSpam

🐾 Onar A. — Sun, 05 Feb 2023 23:50:57 +0000

Intro

Webflow is a popular website builder that allows users to create websites through a drag-and-drop interface. While the platform provides a reCaptcha field to add spam protection to its contact forms, this may not always be effective. reCaptcha and other captcha solutions are becoming increasingly irrelevant due to the availability of services that can solve them for a low cost.

To tackle this issue, this article presents an alternative solution to prevent spam submissions in Webflow contact forms. The approach involves using automation tools such as Zapier or Make to capture form submissions, then filtering them through a spam filter before finally sending an email notification to the user.

Chose your automation tools (Zapier, Make, etc.)

I'll be using Zapier for this tutorial, but you can do this with Make or any other automation platforms.

If you wish to skip the steps below, use the template we created for a quick start.

Zapier will walk you through the configuration for all 4 steps: Webflow -> Spam check with OOPSpam -> Filter -> Email by Zapier.

Filter should be configured by default. The filter is straightforward with just one rule: continue processing only if the Spam Score is less than 3.

Configuring Webflow Zap

I made a simple website using a pre-built template. It includes a working contact form.

Once we connect our Webflow Zapier app to our Webflow account, we should be able see our contact form.

In order for Zapier to recognize your contact form, you must publish your website and submit at least one form submission. Otherwise, your contact form will be hidden.

To configure Webflow with the Form Submission event, follow these steps:

Select Webflow Zap and then under Event, select Form Submissions.
Select Choose account to connect your Webflow account.
Fill in the Site Name and Form Name fields.
Your first submission will be populated at Test trigger. Check to see if you get the We found a submissions! message.
You're finished! The following step is to check for spam.

The first submission will also appear as test data when you set up Webflow for the first time.

Checking for spam with OOPSpam

To set up spam protection, follow these steps:

Register for an API key on the OOPSpam dashboard.
In Zapier, enter the API key when prompted on the "Choose Account" step.
Map necessary form information to OOPSpam's fields:
- Content: This is where the form message goes.
- Sender IP: Leave blank.
- Email: Map the form submitter's email here.
- Allow messages only in these languages: Select any languages you expect to receive form submissions in.
- Allow messages only from these countries: Filter submissions by country.
Test the action and use the returned "Score" to approve or reject submissions.

See the GIF below for a visual guide.

Filtering with Filter

The "Filter" app in Zapier sets conditions for your automation flow to continue.

In this case, the condition is that the "Score" (or Spam Score) must be less than 3. This ensures that only emails with a low spam score will continue through.

Alternative Approach: Store Spam Submissions in Airtable

Instead of using the Filter app, you can use the Paths app to take different actions based on whether the submission is considered spam or not. Here's an example:

Path A: If the Score is less than 3, then send an email.
Path B: If the Score is greater than or equal to 3, then create a record in Airtable to store the spam submission for later review.

This alternative approach stores all spam submissions in Airtable for future analysis. You can use another platform like Google Sheets if desired.

It's important to note that scores of 3 or higher should be considered as spam, while scores less than 3 are considered non-spam.

Send an email to yourself with Email by Zapier

The final step is to set up the Send Outbound Email to notify yourself of new submissions.

In order to send the email, you need to map the required fields to the data from the Webflow contact form submissions. The required fields are:

To: Your email address (up to 5 emails can be added).
Subject: The name of the form.
Body: The email body can be in HTML or plain text. In the example, the data points (email, name, message fields) are separated by line breaks using the
HTML tag.
Reply To (optional): This field is not required, but it makes responding to submissions more convenient. The sender's email can be added here so that you can simply click the "Reply" button in your email client if you want to respond to the submission.

Once you have set up the email, test it to see if you receive the first submission. You can also use other email services such as Postmark or Mailgun instead of Email by Zapier.

Final thoughts

This was a basic workflow to filter spam in your Webflow contact forms using Zapier. You can also use other platforms to automate the process. Plus, you can add extra steps and conditions to make it more complex, such as sending an automated email response to the visitor confirming successful submission.

7 ways to stop spam on your website

🐾 Onar A. — Thu, 24 Jun 2021 10:46:26 +0000

Feeling overwhelmed by the amount of spam you are getting on your website? You're not alone.

This article doesn't list every spam detection strategy under the sun.

Instead, it lists some of the tactics we use at OOPSpam and many more proven to work ones. These are methods that stopped over 1M spam with 99.8% accuracy.

Let's get to it

1. Honeypot: filter spam with a hidden field

It is the oldest trick in the book. The honeypot technique is easy to understand and implement. It works both for forms and comments. Here is a simple illustration that shows how honeypot spam filtering works.

A spam bot submits a form by making sure that every field or at least the ones that are required is filled so, no form validation prevents it from submitting. The honeypot technique relies on this assumption.

🎯 Many people use honeypot technique and get near-zero spam. As your website gets more traffic or for some reason your website ends up in a spammer's database, you may get hit by more "serious" bots which could easily bypass honeypot. Remember, honeypot tactic won't work against manually submitted spam by human.

Implementation

Create a form with fields (name, email, etc.)
Include a hidden field(s)
Check in your backend, if the hidden field is NOT empty then it is spam
Done! 🎉

Make sure to hide the field properly. Bots can detect which field is hidden and avoid filling it.

ℹ️ Here are few tricks to make it harder:

Do NOT use display:none, instead hide them by pushing them out of a screen or applying opacity: 0; position: absolute; to the field. Be aware of accessibility issues.
Do NOT use obvious class names like hidden, invisible
Do NOT use obscure field names for hidden fields. Use email, name, phone, etc. instead.

and here is one way to do it:

2. Spam Words: check content for malicious words

All spam messages want you to do something for them. Let it be SEO, Website development offers, selling, and advertising products. That means they tend to use the same words such as "free", "get it now", "100%", "SEO".

Of course one can argue that these words could certainly be used in legitimate messages, and they do appear. So, how effective is it to flag a message as spam based on spam words?

In our experience, it depends on how you implement it. It is important that:

You look for a combination of words instead of a single word. Such as "get it now" instead of "get".
Consider a threshold for the number of spam words in the content.
Consider the frequency of spam word in a content

Take a look at some of the spam words we published.

3. Captcha: Solve an interactive problem

You are presented with a puzzle, math problem, or simple game to complete. Once you complete the task you are allowed to submit a comment or purchase a product.

Captcha techniques usually work two way:

Forces bots and humans to wait a certain time (aka rate-limiting) by solving a puzzle.
Tracking a user behavior and decide if it is a bot
A simple problem that only humans can solve (text-based).

While the third option still in use, it is not sufficient anymore. Bots got better and can easily solve math problems and read obscure letters nowadays.

The most widely used and still somehow reliable approach is to represent an interactive puzzle, game-like captcha. This is a combination of both the first and second captcha types. There is a good chance you have already seen these types of captchas. The idea behind this is that while you are busy solving a puzzle, the captcha collects certain information about your behavior like mouse movement on a website and browsing history. The bots don't like to wait for a few seconds. They have to move to the next website and act fast to submit spam as many websites as possible.

Combined your website behavior and browsing history information with a couple of seconds waiting time results in the final decision about the user (spam or not).

The most notable captcha solution is reCaptcha and hCaptcha (offers better privacy).

🎯 Captchas tend to have accessibility and privacy issues. It may also negatively affect your conversion rate.

4. IP-based filtering: check for blocked spammer IPs

There are services such as Spamhaus that keep a list of known spammer IPs. Spammers change their IPs often to avoid being blocked. However, blocking based on an IP is still a powerful way to block spam that is because a wide range of websites reports these IPs to these services.

At OOPSpam, we receive thousands of spammer IPs every day. From our experience, over 60% of spam are detected solely based on IP. That being said relying entirely on an IP-based filtering may not be the best protection.

🎯 Keep in mind that some legitimate users may use VPNs or proxies which tend to be used by spammers as well. That is why you may unintentionally restrict legitimate visitors.

5. Country and Language restriction

It is a simple and yet robust way to filter spam from your website. There are two approaches for this:

Using DNS based solutions like Cloudflare that could block access to your website from selected countries
Allow visitors from every country to view your website but restrict submissions (contact form, comment, etc.) only.

Both approaches work great but if you want to be open to every country then the second option is the way to go.

Another less known way to block spam is by languages. Similar to country restriction, by simply allowing submission in a certain language. If you expect comments on your website to be in English, letting comments only in English through could potentially eliminate unnecessary work.

6. Machine Learning to filter spam content

This is a more advanced solution that can be hard to implemented and most importantly find a proper data set to train an ML algorithm.

Filtering spam using ML is a rather well-documented process especially with Bayesian Filtering, however, if you want a good result (high accuracy) then you need to have a well-defined and clean data set which may be hard to find.

That being said no matter how good the data set is, spammers also get better at customizing their messages. Especially with the recent development with OpenAI's GPT-3 shows that AI can generate genuine-looking, human-like, custom messages. This could make spam detection using Machine Learning algorithms harder.

7. Rule-based spam filtering

Rule-based spam filtering is static and predefined rules to catch spam. It's one of the simplest forms of spam filtering. This technology has been around since spam started appearing in our email inboxes. One notable example of a rule-based spam filter is Spam Assassin for emails.

The more you deal with spammers, the more you learn how they operate and what are the common patterns. Besides the above-listed tactics, there are many other small ways to detect spam. Sometimes, these rather insignificant rules spot spam before it reaches other more advanced analyses.

Technically, some of the mentioned methods in this article can be categorized as rule-based such as country & language restriction, honeypot, spam words.

Here are some easy-to-implement rules you could consider (besides the ones above):

URLs in a spam message

Many spam messages have URL(s) to get you to click on them. Does a message has a URL in it? It could be spam. Be careful with this though, you may end up blocking legitimate messages. It is important to check the reputation of URLs instead of flat-out blocking them. You could use WOT or Safe Browsing for this.

URL shortening services

We are all seen URL shortening services that are used by spammers.

Although not all URL shortening services are malicious. Some shortening services are for local use only, meaning they are not open to the public. For example, when you generate a short URL for your Dropbox image or Google Docs. So, be aware of this fact when you set a rule.

🎯 A rule-based spam filtering is a powerful alternative to stop spam. It has been used for decades but, make sure you reconsider your rules once in a while to avoid flagging legitimate messages.

Final thoughts

There isn't a single solution for the spam problem. Spam messages on the web are different from spam in emails. To encounter them we need to use multiple approaches.

Most of these tactics we already use at OOPSpam and found them very effective when used in combination.

Happy spam-free day!

My anti-spam API product stopped over 1M spam with %99 accuracy, and here are things I learned

🐾 Onar A. — Mon, 12 Oct 2020 13:27:44 +0000

OOPSpam Anti-Spam API made its next milestone. It processed and filtered over 1 000 000 spam messages with %99 accuracy. This is big for me. When I launched the project's commercial version in 2019, I couldn’t imagine it will reach this point. In 2017, I was doing research in this area as part of my master’s degree in Italy. Studying and digging research papers from Semantic Scholar and Google Scholar.

The first version of OOPSpam was a collection of APIs that merged into one. Nowadays, It is a standalone SaaS with powerful analysis capabilities.

After seeing so many different kinds of spam content, I relearned and abounded some lessons I got from my previous academic experience. In this article, I will lay out some thoughts about spam and their nature.

It is a hard problem but …

Just when you think you have a way to completely solve this problem, a new wave of spam campaign proves you otherwise. Many companies struggle to tackle this issue. The problem is that there are usually two types of spammers: manual (human) and bot. While a bot crawls the web and submits messages to millions of websites, manual spammers go to a website and submit their content.

I would still go ahead and claim that it is possible to reach a nearly perfect result with well-polished rules, Machine Learning models, content and IP analyses (that is how OOPSpam has 99% accuracy :) ). It is rather a strange problem. I can show a form submission that you would categorize it as spam but it is certainly not spam for someone. This brings us to my next point.

One Man's Trash Is Another Man's Treasure

As Anti-Abuse Engineer, I dealt with a variety of spam. From a plain old spam to well-written, grammatically accurate (better than this article for sure) spam. Believe it or not, some people want to get SEO offers through their contact forms. Most people I know hate this kind of spam. So, how a spam-filter should approach this problem?

Well, one way is: Let them decide themselves. OOPSpam produces Spam Score, the output from a variety of analyses. It is up to OOPSpam users to adjust spam sensitivity. Spam Score isn’t a new invention or any things but it is a rather forgotten one. You see, Spam Score was a standard back when people fought with email spam (well, they still do). For some reason, this method is abundant (perhaps for simplicity) over True/False, Spam/Not Spam for web spam. Web spam is a difficult problem because seemingly spam-like messages are not spam for many, so you may end up filtering out your potential customers’ message.

Who are those manual spammers?

There are companies people pay to spam you. This is a million-dollar (estimated to be over $3M per year) industry. I recall seeing a contact form submission where a company offers to send 1 million messages for $49. What is problematic about human spammer is that the traditional techniques like captcha, the honeypot will not work. They will solve the captcha, fill the form, and submit it just like any other legitimate visitor would. To detect this kind of spam message are not easy. Machine Learning models alone tend to fail to detect these messages as they are trained to recognize a certain group of spam content. You need a set of different analyses to detect them. A combination of ML models and rule-based spam filers seems to work better.

Spam bots are getting smarter

Ah... Bots. A nice little script usually enough to stop them. At least it used to be. Today, they also solve a captcha, bypass honeypot. Did I mention there are AI-based spam solutions? Here is a small paragraph from the article, just to acknowledge how crazy things may get:

"... Neural networks that can read text, understand the context of an image and write believable messages all without human interaction so spammers can build more realistic, personalised messages, making it more difficult to filter them out from legitimate mail ..."

So, both spammers and anti-spam filters are using the same technology to fight each other. As a result, more and more studies are needed to fight this new type of spam.

Final thoughts

I am happy how OOPSpam API progresses. There are still lots of work that needs to be done. First and foremost, now the API is served through RapidAPI as I was focusing on the actual problem. But it seems like many people do not want to deal with RapidAPI. So, this ought to be addressed. Also, hoping to write more blog posts about spam prevention techniques.

3 top open-source comment systems and their anti-spam capabilities

🐾 Onar A. — Fri, 27 Dec 2019 11:58:55 +0000

We'll talk about different comment systems and how they fight spam. Finally, at the end of the article, we will see what you can do about spam in such comment systems.

First I thought writing on how to integrate spam filter to one of those open-source comment systems. Then, I convinced it would be probably more helpful to put together a nice list of open-source (and free) comment systems and describe the way they fight with spam.

There are many options, some runs hell a lot of ads on your blog, some collect as much data possible about your visitors. Some ask for sign up, some don't. I will list a few good ones, you can, of course, go ahead and check their functionality on their website or different blogs. But this blog post is going to talk about How they approach spam protection in their system.

Open-source and free comment systems

Isso

Isso is an open-source, self-hosted and completely free. It comes out as "a commenting server similar to Disqus". Instead of writing a long paragraph I'm going to list main points:

It's written in Python
Supports all major browsers including IE10 (yep, people still use it).
Comments support Markdown
Admin panel to moderate comments
Works with SQLite database
Support Disqus & WordPress Import
Small size 40kb (12kb gzipped)
Basic spam protection

Why choose Isso as your comment system:

No ads, no tracking
Open-source, free & self-hosted
Allows anonymous comments
Fast and lightweight

Spam filtering in Isso comment system

Now, let's talk more about anti-spam capabilities. Isso comes with basic built-in spam protection. There are not any content or IP analyses. The only way you can protect yourself is to have a rate limit per IP. Let's say, 2 comments per minute. This is the place where you could also require email, author and email fields so no more anonymous comment.
You can activate these limitations on your config file (e.g isso.conf) by adding Guard parameter with appropriate fields :

[guard]
enabled = true
ratelimit = 2
direct-reply = 3
reply-to-self = false
require-author = false
require-email = false

Read more about Guard parameters on the Isso official documentation.

Schnack

Here is another alternative to paid comment systems. Just like Isso, Schnack is an open-source, free, self-hosted comment system. Here are the main points:

It's written in Javascript (Node.js)
Really small packaging, 8KB
Doesn't allow anonymous comments
Supports third-party authentication (Github, Twitter, etc.)
Works with SQLite database
Admin panel to moderate comments
No explicit spam protection, asks for authentication
Support Disqus & WordPress Import

Why choose Schnack as your comment system:

No ads, no tracking
Open-source, free & self-hosted
Integration with third-party authentication providers (Github, Twitter, Google, and Facebook)
Trust list (a way to allow some people to comment without approval from admin)
Fast and lightweight

As you can see, Schanck and Isso are pretty alike as both of them self-hosted, open-source and free. So, it is hard to tell why someone would choose one over the other. However, there are some differences such as Schanck's backend is on Node.js while Isso's is on Python. Schanck is smaller in terms of package size. While Isso supports anonymous commenting Schanck doesn't.

Spam filtering in Schanck comment system

The author of Schanck answers this concern on his blog post.

As Schanck doesn't support anonymous commenting and requires to sign up through one of the third-party providers which prevents spambots to comment on your blog. However, spammers are not always spambots. Many spammers are real people. There are services where you can hire people very cheap ($1 per hour) to spam. For these kinds of spammers, you cannot do much with third-party authentication.

Remark42

Remark42 looks pretty promising. It is self-hosted and lightweight. The backend is written in Go and the frontend is in Node.js.
Remark42 supports an anonymous comment, social login through Twitter, Github, etc, Voting, moderating comments and a bunch of other features. I would say Remark42 offers everything and more than all 2 options above. Check the official website for the full list of features.

Spam filtering in Remark42 comment system

As Remark42 allows optional anonymous commenting, anti-spam measurements need to be taken. There is not any built-in spam filter unless you disable anonymous commenting.

Spam filter for open-source comments system

One of the most liberal perks that come with open-source projects is the ability to integrate. You can build own anti-spam filter with various rules such as honeypot, captcha or use third-party solutions like OOPSpam Anti-Spam API.
The main reason why people don't want to use paid services like Disqus is privacy. For many, It is important to keep your data on your server while serving ad-free comments. Having anonymous comments are certainly good to have in your comment system, however, this also enables spammer to post on your blog post.
That being said, some paid comment systems such as Commento is a privacy-focused solution. They rely on a subscription model instead of an advertisement. Commento uses Akismet as a spam-filter which is a red flag considering Akismet requires to submit your blog URL, user's IP and user agent on top of the other optional parameters such as server information (such as $_SERVER in PHP).

All in all, these are the main open-source, self-hosted and free comment systems in the wild.

Happy spam-free day!