Support

I've already explained why GeoBlocking is ineffective when we had to remove it. I also explained why alternative GeoIP solutions cannot be pursued.

Regarding your rate limiting idea I can see where you're coming from but it's not a good idea. It would either depend on JavaScript or Referer headers. In the former case submitting a contact form fails if you disable JavaScript. In the latter case you have built a Denial of Service amplifier for your site (because you need to store IPs, URLs and timestamps in a table based on user input, with inevitable collisions and the possibility of crashing the table, therefore your site). It also won't work on forms that use JavaScript to be submitted. There is no way to limit it only on "some" forms unless it's a plugin for each and every contact form solution out there, assuming the contact form component even supports plugins. Furthermore it is actively user hostile: I ALWAYS type my contact request on a text editor before pasting it into the invariably inappropriately sized contact form textbook where I can't see more than half a sentence. So far we have something which blocks and annoys real users, is super expensive to implement and can bring down your site easily. But surely it stops spammers, right?

No. It does not stop spam. Do you think that it's hard for spam bot makers to put a timeout between accessing and submitting a form? Even if you implement keyboard input rate limiting (which makes it even less likely that legitimate users can submit a contact form) it can still be defeated trivially if the attacker uses WebDriver to programmatically control a browser and simulate human typing. It's not that hard. We do that when doing integration testing for software.

Having my fair share of experience with contact forms I can tell you what were the solutions that actually worked to cut down spam:

1. A contact page with a drop-down for contact reasons. The default reason can be called "Unsolicited contact (spam)". Upon submission it should display a message explaining that this category is there to stop spammers and here's what you need to do instead. Humans will figure it out, spam bots won't. Cuts down 95% of spam.
2. CAPTCHA. Don't use stupid solutions like math problems, these are broken. Use hCAPTCHA. There's a Joomla plugin by Peter Martin (db8) on the JED. Cuts down another 3% to 4% of spam.
3. Akismet integration. It's worth the money. It will stop all spam submissions that make it through the first two barriers.

Joomla's contact form doesn't allow for anything except a CAPTCHA. We've written our own contact form called Contact Us which implements the other two ideas. It's available on our download page free of charge.

Akismet is too pricy. $600/yr!!! 

If you are protecting one site, Akismet is $60 per year. If you have more than 10 sites then, yes, you need to pay $600 per year but it’s for an unlimited number of sites.

You also seem to be forgetting something important. Your time is not free. How much time have you wasted already and how much is your billable hour worth?

I added a drop-down on several sites but have still received some spam submissions but it seems to be less.

That’s the idea. Spam will never go away. Some spam is submitted by living, breathing humans. Unless you are using Akismet, which evaluates the contents of the contact form information, you will not be able to stop that.

I have installed the HCaptcha and made it the default but not sure how to change the Recaptcha on the form to HCaptcha.  I tried the Captcha thinking it would pickup from the global settings but no luck. So I 'assume' that HCaptcha only worked with your Contact Us form.

No, it’s just confusing how Joomla implements it :) The default CAPTCHA in the Global Configuration is a legacy option. It’s for components and modules which don’t implement a CAPTCHA type picker. If you edit the Options of a form component it will let you pick which CAPTCHA you want to use (or maybe their CAPTCHA field has that option, depending on the component). Usually you have options like none, default (uses Global Configuration) and a list of the installed CAPTCHA plugins. Choose hCaptcha from that list.

I downloaded the pkg_contactus-2.1.1.zip file and installed it. I went to the component, added a category for 'Staff', added a contact item for one user.  It required me to enter some text in the message.

So I added a menu item to test but it will not allow me to enter any text in the message field.

ContactUs uses the default Joomla HTML editor. You need to configure your site. The simplest thing to do in newer versions of Joomla which disallow HTML input for Guest users is set the default editor to None in Global Configuration.

What I prefer doing is change the Text Filtering options for Guest to allow a minimal set of HTML and set JCE as the default editor. I use JCE’s profiles feature to create a special profile for Guest users which allows minimal HTML editing (bold, italic, underline and very simple links and images). If you don’t have JCE Pro you can use Joomla’s TinyMCE editor. Its plugin does have support for editor profile; create one for Guests. That’s how I have implemented this on my dev site.

You also may have to do some CSS overrides because you have a fixed right hand column and everything feel a tad squished.

Joomla has a CAPTCHA system. It ships with two reCAPTCHA plugins by default but it's not meant to be the only options. Nor is the default CAPTCHA you select in Global Configuration supposed to be the only option you can ever use on your site. You can install and activate third party CAPTCHA plugins, like hCAPTCHA.

Your contact form component should allow you to use any CAPTCHA plugin enabled on your Joomla site. If you are not sure how to do it please ask its developer.

Well, clearly, the problem is with the third party contact form component. I can't really help with third party code, especially form components. There's a reason I am writing my own component whenever I need a form...

Great :) I am glad I could help.

I am most definitely wearing a cloth mask everywhere – even when just taking the elevator to take the trash out. I've bought a UV steriliser to sanitise them too. Best $150 spent when you have three people needing 1-2 masks every day. As for social distancing... I was already predisposed to avoiding large gatherings and close contact. I'm an introvert. "Social distancing" sounds like "finally people started respecting my space and acting a bit more like me" :D