I agree that seems likely but it is the only contact page and on a relatively new site. Granted the Hash example in not present but the current filters are:
<?php if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_SESSION['loadCount'])) {
// post and session set from home page so do check
$emailCheck = substr($_POST['email'], -8);
if ($emailCheck != "@mail.ru") {
?>
<?php
// honeypot - actual is "comment" (no s).
if($_POST['comments'] =='' ) { ?>
<?php if ($_POST["Topic"] == 1) { ?>
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") { //WA Universal Email
$_SESSION['loadCount'] is set on the home page only (though I will likely remove this as it too broad and we do expect people to come to the site from other landing pages).
The @mail.ru does work but is not the only source of fake posts
Honeypot fails
and the pages form is wrapped in a Google reCaptcha
I've gotten to the point of only allowing the email aspect to send if the SelectList choice is #1 since their pattern of posts targets selections value >1
Yet as seen in the attached screen today we received another post (but it was not emailed to the Customer or myself) which also allows us to confirm the page being targetted.
