Spam atack - Captcha not working

Hi guys,

I'm new here, so i don't know if this is the right place to post, but here is my problem:

I have a website based on Opencart 1.5.1.3. On every product page, i have a form, so the customers can send inquiries. It's a simple form, 7 text inputs (company, email, etc.) and a send button. This form sends an email to me with the data from those input fields.

Since yesterday I began receiving emails every few minutes with random data like "YchqHvE0". I've tried 2 types of captchas (native opencart captcha and the "google style captcha" extension). It passed both of them. Now i've setup reCAPTCHA and guess what? IT PASSES this one too

For now it's all being sent to a log file so the mailbox stays free, but i don't know what to do. I'm thinking to try the honeypot method (simple captcha hidden by css) and if it get's completed it doesn't send the form

Any idea would be appreciated.

Thank you!

Aye - a hidden form element/hidden captcha sounds like a good thing to add, but if the spam's gone through three methods already, are you sure the PHP is doing everything it should? It sounds like passing the captcha isn't required by whatever is actually handling the feedback form.

What happens if you test it by hand, does the captcha work? What happens if you write a little PHP script to just post everything the form is posting (minus the captcha or with some default value for the captcha) directly to whatever PHP is processing the form?

Hi ogun, and thanks for the quick reply!

At first i also thought that the php isn't validating properly but if i manually enter the values it doesn't pass unless the captcha is correct.

Here is how reCaptcha is implemented.

The form in product.tpl:
Here is the validation function in /catalog/controller/product/product.php

I've stripped everything to the bone and just log if the captcha validation was passed or not, and the POSTarray.
And this is what i get in the log file:

2014-01-15 12:49:25 - CAPTCHA VALIDATION SUCCESSFUL:
fax=>jvILLp95,
oras=>xTI97FYv03Y,
observatii=>Acabei de enviar um permriio e-mail para todos os incritos no curso ate9 agora. Se vocea ne3o recebeu o email, me avise (por aqui ou por email ),
telefon=>Kjpt2xGwOe,
nume=>Oynn2lxO45M8,
email=>wstewart@idahofallszoo.org,
compania=>dmhB1x4S,
recaptcha_response_field=>manual_challenge,
recaptcha_challenge_field=>03AHJ_VuszJKbmyVpIrSwQhoJWZeLLc8g7uNdox2XLAVMPj9wD9SdxHBmuluxRjEzldpk_hDxNu7Zz0AMRwCF34WbdpBh6zArzpjDWCz0yE0zRWEqSk954p3AXSJG3MdOvLCpqABc1sUSJ1kSDA7nFk2gLvbTmoXxtvA,

You can see that captcha was passed, but still the recaptcha_response_field says manual_challenge. This is where the actual text from captcha should be. If i manually enter, recaptcha_response_field gets what i enter....

Thanks again for the time, I'm trying the hidden captcha solution now.

For now it seems the reverse psychology works. The bot enters the captcha and no email is sent but the humans don't see the captcha so the form gets through.

Still i can't figure out why reCaptcha failed. I think they are manually solving those captchas.