SaaS CMS has officially launched! Learn more now.

Increased Suspicious Form Submissions with Episerver reCAPTCHA



I'm currently grappling with an issue concerning my Episerver form, which integrates a reCAPTCHA element. The reCAPTCHA keys are configured on the Google Console and have been functioning seamlessly. However, in recent days, the site has experienced a significant uptick in form submissions, seemingly originating from bot accounts. These submissions are raising suspicions as they deviate from the typical behavior of genuine users.

I have a couple of specific questions:

  1. Do I need to implement custom server-side validation when using the reCAPTCHA element within EPiServer forms, or is it sufficient to include the reCAPTCHA element with a higher score as part of the form setup?

  2. Is there an ideal score that is advisable when the form is open to submissions?

I've experimented with setting the score to 1.0, which at times blocks genuine requests. Therefore, I reverted to the default score of 0.5. Given the ongoing issue with constant bot account submissions, I've increased the score to 0.6. While I understand that this might not resolve the issue overnight, it serves as a starting point to monitor whether bot submission counts decrease with a score of 0.6. I plan to adjust it further if necessary.

Any insights or guidance on these matters would be highly appreciated.

Edited, Feb 23, 2024 22:09

FWIW, you're not the only one seeing an increase in reCAPTCHA failures / bot + spam submissions recently:

For your first question, I don't believe there's any custom validation you should need to add, should be able to just use the form element -- that should automatically add the Google JS to enable the reCAPTCHA.

For the second, this stackoverflow thread has some thoughts -- one approach is basically what you're doing: start at 0.5, and then adjust as-needed (and based on details from the Google admin console).

Feb 23, 2024 23:10

You could also consider implementing a simple honeypot to try and filter out real submissions from bot submissions: 

Feb 24, 2024 15:54
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.