[Case] Bitrix spam in forms of standard component

Post by mdabuhasan »

We explain how to fight spam in forms built with the standard Bitrix "Web Forms" component, even in cases where a captcha does not help.
One of the projects written in BUS implemented its feedback forms through the standard bitrix:web.form component.

On top of this we used JS field validation, a phone mask based on jquery.maskedinput.js, and Google reCAPTCHA 2.0, which was initialized and enabled via the form component settings.

We ran into the problem that spam was arriving through the feedback forms every day, bypassing all our validators and passing the captcha.

Having analyzed the situation, we agreed that these were mass spam mailings, despite the presence of reCAPTCHA. It is no secret that bots have long since learned to bypass a captcha by filling it in. One interesting detail we noticed, though, was that the "Phone" field contained letters, which means that our validator and mask were not working.
The idea that bots load the page without JS seemed dubious, because without captcha verification the form is not sent.

The case is as strange as it seems: with JavaScript, the bot would run into the validation and masks; without JavaScript, it would not see the captcha and therefore could not send data.
We decided not to look for logic where there is none and began trying different options for additional form protection. First, we implemented validation and masks in the page body; it did not help.
We added reCAPTCHA 3; it did not help.
We wrote a validator inside Bitrix using patterns; it did not help.

Spam decreased when we added an invisible field with the attributes required and disabled, and used scripts to remove the mandatory-fill requirement (the required attribute).
That is, for a regular visitor the form is sent without problems and they never see this field, but for a bot without JS there is a mandatory field that is disabled, which means the submit button is inactive.
The final solution is to add invisible fields (NOT display: none, which bots can detect, but invisible due to styling) to all forms; when they are filled in, we know that this is spam and the data is not sent to the mail.
The code must be placed in init.php; it will work on absolutely all forms called using the bitrix:form component.
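A sketch of the invisible-field check described in the post, added here as an example; it is not the post's own init.php code, which does not appear on this page. The field name `contact_time` and the function names are hypothetical, and the wiring assumes Bitrix's `OnEndBufferContent` and `onBeforeResultAdd` events and that the decoy value arrives in `$_POST`.

```php
<?php
// Added illustration, not the post's code. The field name is hypothetical.
const HONEYPOT_FIELD = 'contact_time';

/** Append an off-screen decoy input to every form in the rendered HTML. */
function addHoneypot(string $html, string $field = HONEYPOT_FIELD): string
{
    // Moved off-screen with CSS rather than display:none; tabindex and
    // autocomplete keep keyboard users and browser autofill away from it.
    $decoy = '<input type="text" name="' . htmlspecialchars($field, ENT_QUOTES) . '"'
        . ' value="" tabindex="-1" autocomplete="off" aria-hidden="true"'
        . ' style="position:absolute;left:-9999px;width:1px;height:1px">';
    return str_ireplace('</form>', $decoy . '</form>', $html);
}

/** Spam if the decoy, which a human never sees, came back with content. */
function isHoneypotTripped(array $post, string $field = HONEYPOT_FIELD): bool
{
    if (!array_key_exists($field, $post)) {
        return false; // form rendered without the decoy: no signal either way
    }
    $value = $post[$field];
    return is_array($value) ? $value !== [] : trim((string) $value) !== '';
}

function honeypotInject(&$content)
{
    if (!defined('ADMIN_SECTION')) { // leave the admin panel untouched
        $content = addHoneypot($content);
    }
}

function honeypotReject($formId, &$arFields, &$arrVALUES)
{
    if (isHoneypotTripped($_POST)) { // assumption: decoy arrives in $_POST
        // Raising an exception here stops the result from being saved.
        $GLOBALS['APPLICATION']->ThrowException('Submission rejected.');
    }
}

if (function_exists('AddEventHandler')) { // running inside Bitrix
    AddEventHandler('main', 'OnEndBufferContent', 'honeypotInject');
    AddEventHandler('form', 'onBeforeResultAdd', 'honeypotReject');
} else { // stand-alone run on constructed input
    $page = '<form method="post"><input name="form_text_1"></form>';
    var_dump(strpos(addHoneypot($page), 'name="contact_time"') !== false);
    var_dump(isHoneypotTripped(['form_text_1' => 'hi', 'contact_time' => '']));
    var_dump(isHoneypotTripped(['contact_time' => 'http://spam.example']));
}
```

Because the check runs on the server, it still applies to clients that post the form without executing any JavaScript, which is the case the client-side mask and validator could not cover.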