I put my website online last Sunday and registered it with Google at the same time. Before that, I didn’t even put a single link to the site anywhere online. And I don’t have any email address on my site, just a mail form that is protected with ReCaptcha v. 2; see https://www.020webdesign.nl/bedrijfsinfo.php.
Still, I got a spam mail within 24 hours. :-((
I can tell that the mail was sent through the mail form, there’s no doubt about that. It seems to have been entered into the form manually (even though I’m not sure about that), but how is it possible that the spammer found my site so quickly?
If it is online it can be found. If you put it on Google and it was crawled, it can be found. Sorry to hear that the spammers are getting you early. Keep in mind that spammers also have their own bots and so could crawl your site any number of ways.
I wouldn’t waste your time on just the how, but plan for the eventual spam you will get.
The whole point of listing your site with Google is to allow it to be found more easily. So in that respect you got what you asked for.
If there is an actual human writing spam manually, there isn’t much you can do about that as they should be able to pass any Captcha. Though in my experience manual spam is very rare, it is usually bots which can be stopped.
But then Google must publish a list of newly registered sites every day, to which spammers subscribe or have access, doesn’t it? Because how else did the spammer know of my site? Like I wrote, I didn’t put any link to it online yet, because I’m still testing it and having it reviewed.
And the spammer was a company that sells a product to all businesses that have a website. I’m just worried that I will get much more spam, despite my ReCaptcha-protected form.
How can they be stopped then? I thought that ReCaptcha v. 2 was the best spam protection except for v. 3? I also need to know that for my future customers. I don’t wanna sell them a ReCaptcha-protected form at a surcharge if it doesn’t work.
Captcha should stop bots, but if you have human spammers, that’s hard to stop, because what Captcha does is stop bots and let humans pass.
There are some methods that can be used, such as filtering for certain words or phrases if the spam follows common themes, filtering problem IPs, setting a timer between form load and submission, that is usually very effective against bots, but it may be used to catch copy/paste spammers too if you set the right cut-off interval (and if that is how they are working).
Anyone feel free to add any more methods…
In all honesty I don’t know, but it’s probably not as difficult as you think. There are tools out there that claim to let you scan every (IPv4) address on the internet in less than 45 minutes.
Again, probably not as difficult as you think. There are various projects and services dedicated to bypassing captcha.
Did this happen to you? I’ve no idea. What you’re describing seems weird (that a spammer could find your unpublicized site and bypass your antispam measures), but not impossible. But like Martyr2 says, I wouldn’t waste your time fretting about it, rather prepare for the inevitable spam that will come and work out the best way to mitigate it.
And in that vein I find captchas to be a right PITA. They are notoriously inaccessible to people with certain types of disabilities (admittedly that article is a bit dated, but the point remains). I much prefer honeypots/bot traps which don’t impact the user experience, but are still effective against spam.
P.S. I used to have a contact form on my site that I took down due to spam. This stopped the majority of the mails I was receiving, but even with the contact form plugin uninstalled, I still received the occasional spam mail. I remember finding this very strange, as the address the contact form emails were sent to was never publicized anywhere on the internet.
I have taken the same approach on contact forms using my own hand-made bot traps that a normal user is oblivious to. So far it has been 100% effective against spam. It’s not that they are not trying, I set it up to report failed attempts by bots, so I know they do try, but also which traps are catching them. The most effective one going by results is the timer.
On another forum it was suggested that (employees of) site hosts sometimes sell newly claimed URLs to certain parties. That might just have happened here, also because the spam mail that I got was from a company that offers a service to new-website owners. And I’m quite confident that the spam message was entered manually.
So, I replaced it with a honeypot. Thanks for the tip! I’ll let you know in a couple of months how that worked out, but so far, so good.
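The honeypot and form-load timer traps discussed in this thread, combined in one server-side check that also reports which trap fired. This is an added example, not code from any poster; the field names `website` and `token`, the thresholds and the demo key are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, kept server-side
MIN_SECONDS = 4      # assumption: quicker than a human can fill in the form
MAX_SECONDS = 3600   # assumption: token lifetime, limits replay of an old token
HONEYPOT = "website"  # hypothetical field hidden with CSS; a human leaves it empty


def issue_token(now=None):
    """Value for a hidden form field: page-load time plus an HMAC over it."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def tripped_traps(form, now=None):
    """Return the names of the traps a submission triggered (empty list = accept)."""
    now = time.time() if now is None else now
    traps = []
    if form.get(HONEYPOT, "").strip():
        traps.append("honeypot")
    ts, _, mac = form.get("token", "").partition(".")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), expected.encode()):
        traps.append("token")  # timestamp missing or not signed by this server
    else:
        elapsed = now - int(ts)
        if elapsed < MIN_SECONDS:
            traps.append("too_fast")
        elif elapsed > MAX_SECONDS:
            traps.append("expired")
    return traps


if __name__ == "__main__":
    # Constructed submissions: one human-like, one bot-like.
    token = issue_token(now=1000)
    print(tripped_traps({"token": token, "message": "Hello"}, now=1030))
    print(tripped_traps({"token": token, "website": "http://x.example"}, now=1001))
```

Signing the timestamp keeps a bot from simply posting an old-looking load time; logging the returned trap names gives the per-trap statistics mentioned above.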