From 367d4d78d7476c6894514aeb97f9aced89c9edec Mon Sep 17 00:00:00 2001
From: Marcel Werk <burntime@woltlab.com>
Date: Wed, 29 May 2024 18:30:05 +0200
Subject: [PATCH 1/8] Use an event for the spam check during registration

---
 .../files/lib/bootstrap/com.woltlab.wcf.php   |  5 +++
 .../user/RegistrationSpamChecking.class.php   | 27 ++++++++++++++++
 .../files/lib/form/RegisterForm.class.php     | 32 +++++++++----------
 ...istrationSpamCheckingSfsListener.class.php | 28 ++++++++++++++++
 4 files changed, 76 insertions(+), 16 deletions(-)
 create mode 100644 wcfsetup/install/files/lib/event/user/RegistrationSpamChecking.class.php
 create mode 100644 wcfsetup/install/files/lib/system/event/listener/RegistrationSpamCheckingSfsListener.class.php

diff --git a/wcfsetup/install/files/lib/bootstrap/com.woltlab.wcf.php b/wcfsetup/install/files/lib/bootstrap/com.woltlab.wcf.php
index 8a7b127088a..1c29b4a72a7 100644
--- a/wcfsetup/install/files/lib/bootstrap/com.woltlab.wcf.php
+++ b/wcfsetup/install/files/lib/bootstrap/com.woltlab.wcf.php
@@ -33,6 +33,11 @@ static function (\wcf\event\session\PreserveVariablesCollecting $event) {
         \wcf\system\event\listener\UsernameValidatingCheckCharactersListener::class
     );
 
+    $eventHandler->register(
+        \wcf\event\user\RegistrationSpamChecking::class,
+        \wcf\system\event\listener\RegistrationSpamCheckingSfsListener::class
+    );
+
     $eventHandler->register(
         \wcf\event\package\PackageListChanged::class,
         static function () {
diff --git a/wcfsetup/install/files/lib/event/user/RegistrationSpamChecking.class.php b/wcfsetup/install/files/lib/event/user/RegistrationSpamChecking.class.php
new file mode 100644
index 00000000000..fd1fbf309b4
--- /dev/null
+++ b/wcfsetup/install/files/lib/event/user/RegistrationSpamChecking.class.php
@@ -0,0 +1,27 @@
+<?php
+
+namespace wcf\event\user;
+
+use wcf\event\IInterruptableEvent;
+use wcf\event\TInterruptableEvent;
+
+/**
+ * Indicates that a registration by a new user is currently validated. If this event is interrupted,
+ * the registration is considered to be a spammer or an undesirable user.
+ *
+ * @author      Marcel Werk
+ * @copyright   2001-2024 WoltLab GmbH
+ * @license     GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
+ * @since       6.1
+ */
+final class RegistrationSpamChecking implements IInterruptableEvent
+{
+    use TInterruptableEvent;
+
+    public function __construct(
+        public readonly string $username,
+        public readonly string $email,
+        public readonly string $ipAddress
+    ) {
+    }
+}
diff --git a/wcfsetup/install/files/lib/form/RegisterForm.class.php b/wcfsetup/install/files/lib/form/RegisterForm.class.php
index ccce21d216a..01d2a12e207 100644
--- a/wcfsetup/install/files/lib/form/RegisterForm.class.php
+++ b/wcfsetup/install/files/lib/form/RegisterForm.class.php
@@ -6,11 +6,11 @@
 use wcf\acp\form\UserAddForm;
 use wcf\action\EmailValidationAction;
 use wcf\action\UsernameValidationAction;
-use wcf\data\blacklist\entry\BlacklistEntry;
 use wcf\data\object\type\ObjectType;
 use wcf\data\user\group\UserGroup;
 use wcf\data\user\User;
 use wcf\data\user\UserAction;
+use wcf\event\user\RegistrationSpamChecking;
 use wcf\system\captcha\CaptchaHandler;
 use wcf\system\email\Email;
 use wcf\system\email\mime\MimePartFacade;
@@ -89,6 +89,7 @@ class RegisterForm extends UserAddForm
      * list of fields that have matches in the blacklist
      * @var string[]
      * @since 5.2
+     * @deprecated 6.1
      */
     public $blacklistMatches = [];
 
@@ -108,6 +109,11 @@ class RegisterForm extends UserAddForm
      */
     public bool $termsConfirmed = false;
 
+    /**
+     * @since 6.1
+     */
+    private RegistrationSpamChecking $spamCheckEvent;
+
     /**
      * @inheritDoc
      */
@@ -210,17 +216,12 @@ public function validate()
             throw new UserInputException('registrationStartTime', []);
         }
 
-        if (BLACKLIST_SFS_ENABLE) {
-            $this->blacklistMatches = BlacklistEntry::getMatches(
-                $this->username,
-                $this->email,
-                UserUtil::getIpAddress()
+        $this->spamCheckEvent = new RegistrationSpamChecking($this->username, $this->email, UserUtil::getIpAddress());
+        EventHandler::getInstance()->fire($this->spamCheckEvent);
+        if ($this->spamCheckEvent->defaultPrevented() && BLACKLIST_SFS_ACTION === 'block') {
+            throw new NamedUserException(
+                WCF::getLanguage()->getDynamicVariable('wcf.user.register.error.blacklistMatches')
             );
-            if (!empty($this->blacklistMatches) && BLACKLIST_SFS_ACTION === 'block') {
-                throw new NamedUserException(
-                    WCF::getLanguage()->getDynamicVariable('wcf.user.register.error.blacklistMatches')
-                );
-            }
         }
 
         if (REGISTER_ENABLE_DISCLAIMER && !$this->termsConfirmed) {
@@ -407,7 +408,7 @@ public function save()
         // generate activation code
         $addDefaultGroups = true;
         if (
-            !empty($this->blacklistMatches)
+            $this->spamCheckEvent->defaultPrevented()
             || (REGISTER_ACTIVATION_METHOD & User::REGISTER_ACTIVATION_USER && !$registerVia3rdParty)
             || (REGISTER_ACTIVATION_METHOD & User::REGISTER_ACTIVATION_ADMIN)
         ) {
@@ -425,7 +426,6 @@ public function save()
                 'username' => $this->username,
                 'email' => $this->email,
                 'password' => $this->password,
-                'blacklistMatches' => (!empty($this->blacklistMatches)) ? JSON::encode($this->blacklistMatches) : '',
                 'signatureEnableHtml' => 1,
             ]),
             'groups' => $this->groupIDs,
@@ -442,11 +442,11 @@ public function save()
         WCF::getSession()->changeUser($user);
 
         // activation management
-        if (REGISTER_ACTIVATION_METHOD == User::REGISTER_ACTIVATION_NONE && empty($this->blacklistMatches)) {
+        if (REGISTER_ACTIVATION_METHOD == User::REGISTER_ACTIVATION_NONE && !$this->spamCheckEvent->defaultPrevented()) {
             $this->message = 'wcf.user.register.success';
 
             UserGroupAssignmentHandler::getInstance()->checkUsers([$user->userID]);
-        } elseif (REGISTER_ACTIVATION_METHOD & User::REGISTER_ACTIVATION_USER && empty($this->blacklistMatches)) {
+        } elseif (REGISTER_ACTIVATION_METHOD & User::REGISTER_ACTIVATION_USER && !$this->spamCheckEvent->defaultPrevented()) {
             // registering via 3rdParty leads to instant activation
             if ($registerVia3rdParty) {
                 $this->message = 'wcf.user.register.success';
@@ -463,7 +463,7 @@ public function save()
                 $email->send();
                 $this->message = 'wcf.user.register.success.needActivation';
             }
-        } elseif (REGISTER_ACTIVATION_METHOD & User::REGISTER_ACTIVATION_ADMIN || !empty($this->blacklistMatches)) {
+        } elseif (REGISTER_ACTIVATION_METHOD & User::REGISTER_ACTIVATION_ADMIN || $this->spamCheckEvent->defaultPrevented()) {
             $this->message = 'wcf.user.register.success.awaitActivation';
         }
 
diff --git a/wcfsetup/install/files/lib/system/event/listener/RegistrationSpamCheckingSfsListener.class.php b/wcfsetup/install/files/lib/system/event/listener/RegistrationSpamCheckingSfsListener.class.php
new file mode 100644
index 00000000000..03110c4a0aa
--- /dev/null
+++ b/wcfsetup/install/files/lib/system/event/listener/RegistrationSpamCheckingSfsListener.class.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace wcf\system\event\listener;
+
+use wcf\data\blacklist\entry\BlacklistEntry;
+use wcf\event\user\RegistrationSpamChecking;
+
+/**
+ * Checks for spammers during the registration using the data from Stop Forum Spam.
+ *
+ * @author      Marcel Werk
+ * @copyright   2001-2024 WoltLab GmbH
+ * @license     GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
+ * @since       6.1
+ */
+final class RegistrationSpamCheckingSfsListener
+{
+    public function __invoke(RegistrationSpamChecking $event): void
+    {
+        if (!\BLACKLIST_SFS_ENABLE) {
+            return;
+        }
+
+        if (BlacklistEntry::getMatches($event->username, $event->email, $event->ipAddress) !== []) {
+            $event->preventDefault();
+        }
+    }
+}

From 0db6a2a3dd22dbbb02d101f9a919c42af6071156 Mon Sep 17 00:00:00 2001
From: Marcel Werk <burntime@woltlab.com>
Date: Thu, 30 May 2024 17:15:39 +0200
Subject: [PATCH 2/8] Move the settings for SFS to the anti-spam category

---
 com.woltlab.wcf/option.xml   | 16 +++++-----------
 wcfsetup/install/lang/de.xml |  2 --
 wcfsetup/install/lang/en.xml |  2 --
 3 files changed, 5 insertions(+), 15 deletions(-)

diff --git a/com.woltlab.wcf/option.xml b/com.woltlab.wcf/option.xml
index 2a82335759e..12baa7070f8 100644
--- a/com.woltlab.wcf/option.xml
+++ b/com.woltlab.wcf/option.xml
@@ -166,17 +166,6 @@
 				<parent>security.general</parent>
 				<showorder>15</showorder>
 			</category>
-			<category name="security.blacklist">
-				<parent>security</parent>
-			</category>
-			<category name="security.blacklist.sfs">
-				<parent>security.blacklist</parent>
-				<showorder>1</showorder>
-			</category>
-			<category name="security.blacklist.custom">
-				<parent>security.blacklist</parent>
-				<showorder>2</showorder>
-			</category>
 			<category name="security.antispam">
 				<parent>security</parent>
 			</category>
@@ -186,6 +175,9 @@
 			<category name="security.antispam.recaptcha">
 				<parent>security.antispam</parent>
 			</category>
+			<category name="security.blacklist.sfs">
+				<parent>security.antispam</parent>
+			</category>
 			<category name="security.censorship">
 				<parent>security</parent>
 			</category>
@@ -1613,5 +1605,7 @@ DESC:wcf.global.sortOrder.descending</selectoptions>
 		<option name="article_enable_visit_tracking"/>
 		<option name="enable_woltlab_news"/>
 		<option name="users_online_record_no_guests"/>
+		<category name="security.blacklist"/>
+		<category name="security.blacklist.custom"/>
 	</delete>
 </data>
diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml
index 65827527d91..9d82c5af198 100644
--- a/wcfsetup/install/lang/de.xml
+++ b/wcfsetup/install/lang/de.xml
@@ -1324,7 +1324,6 @@ Die Entwickler-Lizenz gestattet ausschließlich den Einsatz während der Entwick
 		<item name="wcf.acp.option.category.module.community"><![CDATA[Community]]></item>
 		<item name="wcf.acp.option.category.module.customization"><![CDATA[Anpassung]]></item>
 		<item name="wcf.acp.option.category.security"><![CDATA[Sicherheit]]></item>
-		<item name="wcf.acp.option.category.security.blacklist"><![CDATA[Blacklist]]></item>
 		<item name="wcf.acp.option.category.security.general"><![CDATA[Allgemein]]></item>
 		<item name="wcf.acp.option.category.security.general.session"><![CDATA[Sitzungen]]></item>
 		<item name="wcf.acp.option.category.security.general.secrets"><![CDATA[Geheimschlüssel]]></item>
@@ -1717,7 +1716,6 @@ Als Benachrichtigungs-URL in der Konfiguration der sofortigen Zahlungsbestätigu
 		<item name="wcf.acp.option.contact_form_prune_attachments.description"><![CDATA[Alte Dateianhänge werden nach Ablauf der Frist automatisch gelöscht. [0, um die Löschung zu deaktivieren]]]></item>
 		<item name="wcf.acp.option.category.security.blacklist.sfs"><![CDATA[Stop Forum Spam]]></item>
 		<item name="wcf.acp.option.category.security.blacklist.sfs.description"><![CDATA[Datenschutzkonforme Überprüfung auf Basis einer lokalen Kopie der StopForumSpam.com-Datenbestände.]]></item>
-		<item name="wcf.acp.option.category.security.blacklist.custom"><![CDATA[Eigene Sperrlisten]]></item>
 		<item name="wcf.acp.option.blacklist_sfs_enable"><![CDATA[Abgleich mit Stop Forum Spam aktivieren]]></item>
 		<item name="wcf.acp.option.blacklist_sfs_enable.description"><![CDATA[Die lokale Datenbank enthält Informationen zur Häufigkeit, mit der ein Eintrag als Spammer gemeldet wurde.<br>
 <strong>Hinweis: Es werden zu keinem Zeitpunkt Daten an Drittseiten übertragen.</strong><br>
diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml
index d333dd79f69..3ebe7c18bd9 100644
--- a/wcfsetup/install/lang/en.xml
+++ b/wcfsetup/install/lang/en.xml
@@ -1302,7 +1302,6 @@ The developer license permits exclusively the use during the development as well
 		<item name="wcf.acp.option.category.module.community"><![CDATA[Community]]></item>
 		<item name="wcf.acp.option.category.module.customization"><![CDATA[Customization]]></item>
 		<item name="wcf.acp.option.category.security"><![CDATA[Security]]></item>
-		<item name="wcf.acp.option.category.security.blacklist"><![CDATA[Blacklist]]></item>
 		<item name="wcf.acp.option.category.security.general"><![CDATA[General]]></item>
 		<item name="wcf.acp.option.category.security.general.session"><![CDATA[Sessions]]></item>
 		<item name="wcf.acp.option.category.security.general.secrets"><![CDATA[Secret Keys]]></item>
@@ -1700,7 +1699,6 @@ When prompted for the notification URL for the instant payment notifications, pl
 		<item name="wcf.acp.option.contact_form_prune_attachments.description"><![CDATA[Older attachments are automatically removed to recover disk space. Use 0 to disable.]]></item>
 		<item name="wcf.acp.option.category.security.blacklist.sfs"><![CDATA[Stop Forum Spam]]></item>
 		<item name="wcf.acp.option.category.security.blacklist.sfs.description"><![CDATA[Privacy compliant verification based on a local copy of the StopForumSpam.com database.]]></item>
-		<item name="wcf.acp.option.category.security.blacklist.custom"><![CDATA[Own Blacklists]]></item>
 		<item name="wcf.acp.option.blacklist_sfs_enable"><![CDATA[Enable the verification using Stop Forum Spam]]></item>
 		<item name="wcf.acp.option.blacklist_sfs_enable.description"><![CDATA[The local database contains information about the number of times an entry was reported as a spammer.<br>
 <strong>Notice: No data is transferred to a third party service at any point in the process.</strong><br>

From f17d6d343655ef37579c79d4fecc17765e9c6c42 Mon Sep 17 00:00:00 2001
From: Marcel Werk <burntime@woltlab.com>
Date: Thu, 30 May 2024 17:30:28 +0200
Subject: [PATCH 3/8] Convert `BLACKLIST_SFS_ACTION` into a general option

---
 com.woltlab.wcf/option.xml                        | 15 ++++++++-------
 constants.php                                     |  2 +-
 .../install/files/lib/form/RegisterForm.class.php |  2 +-
 wcfsetup/install/files/lib/system/WCF.class.php   |  3 +++
 wcfsetup/install/lang/de.xml                      |  8 ++++----
 wcfsetup/install/lang/en.xml                      |  8 ++++----
 6 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/com.woltlab.wcf/option.xml b/com.woltlab.wcf/option.xml
index 12baa7070f8..3fdd560cbe5 100644
--- a/com.woltlab.wcf/option.xml
+++ b/com.woltlab.wcf/option.xml
@@ -652,13 +652,6 @@ moreThanOnce:wcf.acp.option.blacklist_sfs_enable.moreThanOnce
 simpleMatch:wcf.acp.option.blacklist_sfs_enable.simpleMatch]]></selectoptions>
 				<defaultvalue>90percentile</defaultvalue>
 			</option>
-			<option name="blacklist_sfs_action">
-				<categoryname>security.blacklist.sfs</categoryname>
-				<optiontype>select</optiontype>
-				<selectoptions><![CDATA[disable:wcf.acp.option.blacklist_sfs_action.disable
-block:wcf.acp.option.blacklist_sfs_action.block]]></selectoptions>
-				<defaultvalue>disable</defaultvalue>
-			</option>
 			<!-- /security.blacklist.stopforumspam -->
 			<!-- security.antispam.captcha -->
 			<option name="captcha_type">
@@ -1082,6 +1075,13 @@ XING</selectoptions>
 2:wcf.acp.option.register_activation_method.byAdmin
 3:wcf.acp.option.register_activation_method.byUserAndAdmin</selectoptions>
 			</option>
+			<option name="register_antispam_action">
+				<categoryname>user.register</categoryname>
+				<optiontype>select</optiontype>
+				<selectoptions><![CDATA[disable:wcf.acp.option.register_antispam_action.disable
+block:wcf.acp.option.register_antispam_action.block]]></selectoptions>
+				<defaultvalue>disable</defaultvalue>
+			</option>
 			<option name="register_username_min_length">
 				<categoryname>user.register</categoryname>
 				<optiontype>integer</optiontype>
@@ -1605,6 +1605,7 @@ DESC:wcf.global.sortOrder.descending</selectoptions>
 		<option name="article_enable_visit_tracking"/>
 		<option name="enable_woltlab_news"/>
 		<option name="users_online_record_no_guests"/>
+		<option name="blacklist_sfs_action"/>
 		<category name="security.blacklist"/>
 		<category name="security.blacklist.custom"/>
 	</delete>
diff --git a/constants.php b/constants.php
index 1bb51d0e497..a0aedad769b 100644
--- a/constants.php
+++ b/constants.php
@@ -117,6 +117,7 @@
 \define('REGISTER_USERNAME_MAX_LENGTH', 25);
 \define('REGISTER_USERNAME_FORCE_ASCII', 2);
 \define('REGISTER_MIN_USER_AGE', 0);
+\define('REGISTER_ANTISPAM_ACTION', 0);
 \define('GITHUB_PUBLIC_KEY', '');
 \define('GITHUB_PRIVATE_KEY', '');
 \define('TWITTER_PUBLIC_KEY', '');
@@ -214,7 +215,6 @@
 \define('BLACKLIST_SFS_USERNAME', '90percentile');
 \define('BLACKLIST_SFS_EMAIL_ADDRESS', 'moreThanOnce');
 \define('BLACKLIST_SFS_IP_ADDRESS', '90percentile');
-\define('BLACKLIST_SFS_ACTION', 'disable');
 \define('ENABLE_ENTERPRISE_MODE', 0);
 \define('MESSAGE_ENABLE_USER_CONSENT', 1);
 \define('MODIFICATION_LOG_EXPIRATION', 0);
diff --git a/wcfsetup/install/files/lib/form/RegisterForm.class.php b/wcfsetup/install/files/lib/form/RegisterForm.class.php
index 01d2a12e207..0d1e8e76722 100644
--- a/wcfsetup/install/files/lib/form/RegisterForm.class.php
+++ b/wcfsetup/install/files/lib/form/RegisterForm.class.php
@@ -218,7 +218,7 @@ public function validate()
 
         $this->spamCheckEvent = new RegistrationSpamChecking($this->username, $this->email, UserUtil::getIpAddress());
         EventHandler::getInstance()->fire($this->spamCheckEvent);
-        if ($this->spamCheckEvent->defaultPrevented() && BLACKLIST_SFS_ACTION === 'block') {
+        if ($this->spamCheckEvent->defaultPrevented() && \REGISTER_ANTISPAM_ACTION === 'block') {
             throw new NamedUserException(
                 WCF::getLanguage()->getDynamicVariable('wcf.user.register.error.blacklistMatches')
             );
diff --git a/wcfsetup/install/files/lib/system/WCF.class.php b/wcfsetup/install/files/lib/system/WCF.class.php
index f7fe627d744..aa52e18efdb 100644
--- a/wcfsetup/install/files/lib/system/WCF.class.php
+++ b/wcfsetup/install/files/lib/system/WCF.class.php
@@ -499,6 +499,9 @@ protected function defineLegacyOptions(): void
         // The option to count guests in the online record was removed with version 6.1.
         // https://github.com/WoltLab/WCF/issues/5888
         \define('USERS_ONLINE_RECORD_NO_GUESTS', 1);
+
+        // The option for the SFS action has been converted into a general option with version 6.1.
+        \define('BLACKLIST_SFS_ACTION', 'disable');
     }
 
     /**
diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml
index 9d82c5af198..fbf5278562f 100644
--- a/wcfsetup/install/lang/de.xml
+++ b/wcfsetup/install/lang/de.xml
@@ -1737,10 +1737,10 @@ Die Datenbestände werden sorgfältig gepflegt, aber es ist nicht ausgeschlossen
 		<item name="wcf.acp.option.blacklist_sfs_email_address.description"><![CDATA[E-Mail-Adressen sind einzigartig und stellen eine solide Basis dar. Empfohlene Einstellung: <strong>Mehrfach gemeldet</strong>.]]></item>
 		<item name="wcf.acp.option.blacklist_sfs_ip_address"><![CDATA[IP-Adresse]]></item>
 		<item name="wcf.acp.option.blacklist_sfs_ip_address.description"><![CDATA[IP-Adressen sind insbesondere durch die dynamische Vergabe (z. B. Privatanschlüsse oder Mobilfunk) nur bedingt verlässlich. Empfohlene Einstellung: <strong>Top 10%</strong>.]]></item>
-		<item name="wcf.acp.option.blacklist_sfs_action"><![CDATA[Aktion bei Übereinstimmung]]></item>
-		<item name="wcf.acp.option.blacklist_sfs_action.block"><![CDATA[Blockieren]]></item>
-		<item name="wcf.acp.option.blacklist_sfs_action.description"><![CDATA[Es besteht immer das Risiko eines fehlerhaften Eintrages, daher wird die Einstellung <strong>Deaktivierung, erfordert manuelle Freischaltung</strong> ausdrücklich empfohlen.]]></item>
-		<item name="wcf.acp.option.blacklist_sfs_action.disable"><![CDATA[Deaktivierung, erfordert manuelle Freischaltung]]></item>
+		<item name="wcf.acp.option.register_antispam_action"><![CDATA[Aktion bei Spam-Erkennung]]></item>
+		<item name="wcf.acp.option.register_antispam_action.block"><![CDATA[Registrierung blockieren]]></item>
+		<item name="wcf.acp.option.register_antispam_action.description"><![CDATA[Es besteht immer das Risiko einer fehlerhaften Spam-Erkennung, daher wird die Einstellung <strong>Registrierung erfordert manuelle Freischaltung</strong> ausdrücklich empfohlen.]]></item>
+		<item name="wcf.acp.option.register_antispam_action.disable"><![CDATA[Registrierung erfordert manuelle Freischaltung]]></item>
 		<item name="wcf.acp.option.message_enable_user_consent"><![CDATA[Inhalte von externen Anbietern erst nach Zustimmung anzeigen]]></item>
 		<item name="wcf.acp.option.modification_log_expiration"><![CDATA[Speicherzeit für Änderungen]]></item>
 		<item name="wcf.acp.option.modification_log_expiration.description"><![CDATA[Zeitraum, nachdem alte Änderungen aus dem Änderungsprotokoll entfernt werden [0, um die Entfernung gänzlich zu deaktivieren]]]></item>
diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml
index 3ebe7c18bd9..42d17245628 100644
--- a/wcfsetup/install/lang/en.xml
+++ b/wcfsetup/install/lang/en.xml
@@ -1720,10 +1720,10 @@ The database is carefully maintained, but there will be always be a margin of er
 		<item name="wcf.acp.option.blacklist_sfs_email_address.description"><![CDATA[Email addresses are unique and yield the best results. Recommended setting: <strong>Multiple reports</strong>.]]></item>
 		<item name="wcf.acp.option.blacklist_sfs_ip_address"><![CDATA[IP Address]]></item>
 		<item name="wcf.acp.option.blacklist_sfs_ip_address.description"><![CDATA[IP addresses are more likely to be imprecise, because a lot of them are dynamically assigned, e. g. for private households or cellular connections. Recommended setting: <strong>Top 10%</strong>.]]></item>
-		<item name="wcf.acp.option.blacklist_sfs_action"><![CDATA[Action in Case of a Match]]></item>
-		<item name="wcf.acp.option.blacklist_sfs_action.block"><![CDATA[Block]]></item>
-		<item name="wcf.acp.option.blacklist_sfs_action.description"><![CDATA[There is always the risk of a false-positive match, therefore it is highly recommended to set it to <strong>Disable and require manual approval</strong>.]]></item>
-		<item name="wcf.acp.option.blacklist_sfs_action.disable"><![CDATA[Disable and require manual approval]]></item>
+		<item name="wcf.acp.option.register_antispam_action"><![CDATA[Action in Case of Spam Detection]]></item>
+		<item name="wcf.acp.option.register_antispam_action.block"><![CDATA[Block]]></item>
+		<item name="wcf.acp.option.register_antispam_action.description"><![CDATA[There is always the risk of a false-positive match, therefore it is highly recommended to set it to <strong>Disable and require manual approval</strong>.]]></item>
+		<item name="wcf.acp.option.register_antispam_action.disable"><![CDATA[Disable and require manual approval]]></item>
 		<item name="wcf.acp.option.message_enable_user_consent"><![CDATA[Prompt users before displaying content from external sources]]></item>
 		<item name="wcf.acp.option.modification_log_expiration"><![CDATA[Storage Time for Modification Logs]]></item>
 		<item name="wcf.acp.option.modification_log_expiration.description"><![CDATA[Modification logs will be removed after the following days. Use 0 to disable.]]></item>

From 8f77557a315411798621c7ad8effa35196cd7b80 Mon Sep 17 00:00:00 2001
From: Marcel Werk <burntime@woltlab.com>
Date: Thu, 30 May 2024 18:05:09 +0200
Subject: [PATCH 4/8] Use an event for the spam check in the contact form

---
 .../files/lib/bootstrap/com.woltlab.wcf.php   |  4 +++
 .../page/ContactFormSpamChecking.class.php    | 26 +++++++++++++++++
 .../files/lib/form/ContactForm.class.php      | 19 ++++++-------
 ...ntactFormSpamCheckingSfsListener.class.php | 28 +++++++++++++++++++
 4 files changed, 67 insertions(+), 10 deletions(-)
 create mode 100644 wcfsetup/install/files/lib/event/page/ContactFormSpamChecking.class.php
 create mode 100644 wcfsetup/install/files/lib/system/event/listener/ContactFormSpamCheckingSfsListener.class.php

diff --git a/wcfsetup/install/files/lib/bootstrap/com.woltlab.wcf.php b/wcfsetup/install/files/lib/bootstrap/com.woltlab.wcf.php
index 1c29b4a72a7..6f51b916cd5 100644
--- a/wcfsetup/install/files/lib/bootstrap/com.woltlab.wcf.php
+++ b/wcfsetup/install/files/lib/bootstrap/com.woltlab.wcf.php
@@ -37,6 +37,10 @@ static function (\wcf\event\session\PreserveVariablesCollecting $event) {
         \wcf\event\user\RegistrationSpamChecking::class,
         \wcf\system\event\listener\RegistrationSpamCheckingSfsListener::class
     );
+    $eventHandler->register(
+        \wcf\event\page\ContactFormSpamChecking::class,
+        \wcf\system\event\listener\ContactFormSpamCheckingSfsListener::class
+    );
 
     $eventHandler->register(
         \wcf\event\package\PackageListChanged::class,
diff --git a/wcfsetup/install/files/lib/event/page/ContactFormSpamChecking.class.php b/wcfsetup/install/files/lib/event/page/ContactFormSpamChecking.class.php
new file mode 100644
index 00000000000..718329b2496
--- /dev/null
+++ b/wcfsetup/install/files/lib/event/page/ContactFormSpamChecking.class.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace wcf\event\page;
+
+use wcf\event\IInterruptableEvent;
+use wcf\event\TInterruptableEvent;
+
+/**
+ * Indicates that a new contact form message is currently validated. If this event is interrupted,
+ * the message is considered to be spam.
+ *
+ * @author      Marcel Werk
+ * @copyright   2001-2024 WoltLab GmbH
+ * @license     GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
+ * @since       6.1
+ */
+final class ContactFormSpamChecking implements IInterruptableEvent
+{
+    use TInterruptableEvent;
+
+    public function __construct(
+        public readonly string $email,
+        public readonly string $ipAddress,
+    ) {
+    }
+}
diff --git a/wcfsetup/install/files/lib/form/ContactForm.class.php b/wcfsetup/install/files/lib/form/ContactForm.class.php
index 5e04a5e4dbe..6a8fda89669 100644
--- a/wcfsetup/install/files/lib/form/ContactForm.class.php
+++ b/wcfsetup/install/files/lib/form/ContactForm.class.php
@@ -2,11 +2,12 @@
 
 namespace wcf\form;
 
-use wcf\data\blacklist\entry\BlacklistEntry;
 use wcf\data\contact\option\ContactOptionAction;
 use wcf\data\contact\recipient\ContactRecipientList;
+use wcf\event\page\ContactFormSpamChecking;
 use wcf\system\attachment\AttachmentHandler;
 use wcf\system\email\Mailbox;
+use wcf\system\event\EventHandler;
 use wcf\system\exception\IllegalLinkException;
 use wcf\system\exception\PermissionDeniedException;
 use wcf\system\exception\UserInputException;
@@ -169,15 +170,13 @@ public function validate()
             }
         }
 
-        if (BLACKLIST_SFS_ENABLE) {
-            $matches = BlacklistEntry::getMatches(
-                '',
-                $this->email,
-                UserUtil::getIpAddress()
-            );
-            if ($matches !== [] && BLACKLIST_SFS_ACTION === 'block') {
-                throw new PermissionDeniedException();
-            }
+        $spamCheckEvent = new ContactFormSpamChecking(
+            $this->email,
+            UserUtil::getIpAddress(),
+        );
+        EventHandler::getInstance()->fire($spamCheckEvent);
+        if ($spamCheckEvent->defaultPrevented()) {
+            throw new PermissionDeniedException();
         }
     }
 
diff --git a/wcfsetup/install/files/lib/system/event/listener/ContactFormSpamCheckingSfsListener.class.php b/wcfsetup/install/files/lib/system/event/listener/ContactFormSpamCheckingSfsListener.class.php
new file mode 100644
index 00000000000..a26c4ce9f8f
--- /dev/null
+++ b/wcfsetup/install/files/lib/system/event/listener/ContactFormSpamCheckingSfsListener.class.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace wcf\system\event\listener;
+
+use wcf\data\blacklist\entry\BlacklistEntry;
+use wcf\event\page\ContactFormSpamChecking;
+
+/**
+ * Checks for spammers during the usage of the contact form using the data from Stop Forum Spam.
+ *
+ * @author      Marcel Werk
+ * @copyright   2001-2024 WoltLab GmbH
+ * @license     GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
+ * @since       6.1
+ */
+final class ContactFormSpamCheckingSfsListener
+{
+    public function __invoke(ContactFormSpamChecking $event): void
+    {
+        if (!\BLACKLIST_SFS_ENABLE) {
+            return;
+        }
+
+        if (BlacklistEntry::getMatches('', $event->email, $event->ipAddress) !== []) {
+            $event->preventDefault();
+        }
+    }
+}

From 55d0361173dd2c1159461dd187f583bda3cce6bf Mon Sep 17 00:00:00 2001
From: Marcel Werk <burntime@woltlab.com>
Date: Thu, 30 May 2024 18:29:04 +0200
Subject: [PATCH 5/8] Use an event for the spam check in message forms

---
 .../files/lib/bootstrap/com.woltlab.wcf.php   |  4 ++
 .../message/MessageSpamChecking.class.php     | 30 +++++++++++++
 .../files/lib/form/MessageForm.class.php      | 21 +++++++++
 .../MessageSpamCheckingSfsListener.class.php  | 44 +++++++++++++++++++
 4 files changed, 99 insertions(+)
 create mode 100644 wcfsetup/install/files/lib/event/message/MessageSpamChecking.class.php
 create mode 100644 wcfsetup/install/files/lib/system/event/listener/MessageSpamCheckingSfsListener.class.php

diff --git a/wcfsetup/install/files/lib/bootstrap/com.woltlab.wcf.php b/wcfsetup/install/files/lib/bootstrap/com.woltlab.wcf.php
index 6f51b916cd5..722d25b6bf5 100644
--- a/wcfsetup/install/files/lib/bootstrap/com.woltlab.wcf.php
+++ b/wcfsetup/install/files/lib/bootstrap/com.woltlab.wcf.php
@@ -41,6 +41,10 @@ static function (\wcf\event\session\PreserveVariablesCollecting $event) {
         \wcf\event\page\ContactFormSpamChecking::class,
         \wcf\system\event\listener\ContactFormSpamCheckingSfsListener::class
     );
+    $eventHandler->register(
+        \wcf\event\message\MessageSpamChecking::class,
+        \wcf\system\event\listener\MessageSpamCheckingSfsListener::class
+    );
 
     $eventHandler->register(
         \wcf\event\package\PackageListChanged::class,
diff --git a/wcfsetup/install/files/lib/event/message/MessageSpamChecking.class.php b/wcfsetup/install/files/lib/event/message/MessageSpamChecking.class.php
new file mode 100644
index 00000000000..82effb222fd
--- /dev/null
+++ b/wcfsetup/install/files/lib/event/message/MessageSpamChecking.class.php
@@ -0,0 +1,30 @@
+<?php
+
+namespace wcf\event\message;
+
+use wcf\data\user\User;
+use wcf\event\IInterruptableEvent;
+use wcf\event\TInterruptableEvent;
+use wcf\system\html\input\HtmlInputProcessor;
+
+/**
+ * Indicates that a new message by a user is currently validated. If this event is interrupted,
+ * the message is considered to be spam.
+ *
+ * @author      Marcel Werk
+ * @copyright   2001-2024 WoltLab GmbH
+ * @license     GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
+ * @since       6.1
+ */
+final class MessageSpamChecking implements IInterruptableEvent
+{
+    use TInterruptableEvent;
+
+    public function __construct(
+        public readonly HtmlInputProcessor $processor,
+        public readonly ?User $user = null,
+        public readonly string $ipAddress = '',
+        public readonly string $subject = '',
+    ) {
+    }
+}
diff --git a/wcfsetup/install/files/lib/form/MessageForm.class.php b/wcfsetup/install/files/lib/form/MessageForm.class.php
index 6ef0400cf58..332da7da8f0 100644
--- a/wcfsetup/install/files/lib/form/MessageForm.class.php
+++ b/wcfsetup/install/files/lib/form/MessageForm.class.php
@@ -6,8 +6,10 @@
 use wcf\data\smiley\category\SmileyCategory;
 use wcf\data\smiley\Smiley;
 use wcf\data\smiley\SmileyCache;
+use wcf\event\message\MessageSpamChecking;
 use wcf\system\attachment\AttachmentHandler;
 use wcf\system\bbcode\BBCodeHandler;
+use wcf\system\event\EventHandler;
 use wcf\system\exception\UserInputException;
 use wcf\system\html\input\HtmlInputProcessor;
 use wcf\system\html\upcast\HtmlUpcastProcessor;
@@ -16,6 +18,7 @@
 use wcf\system\WCF;
 use wcf\util\MessageUtil;
 use wcf\util\StringUtil;
+use wcf\util\UserUtil;
 
 /**
  * MessageForm is an abstract form implementation for a message with optional captcha support.
@@ -347,4 +350,22 @@ public function assignVariables()
             'tmpHash' => $this->tmpHash,
         ]);
     }
+
+    /**
+     * This method triggers the event for the spam check and returns the result.
+     *
+     * @since 6.1
+     */
+    protected function messageIsProbablySpam(): bool
+    {
+        $event = new MessageSpamChecking(
+            $this->htmlInputProcessor,
+            WCF::getUser()->userID ? WCF::getUser() : null,
+            UserUtil::getIpAddress(),
+            $this->subject,
+        );
+        EventHandler::getInstance()->fire($event);
+
+        return $event->defaultPrevented();
+    }
 }
diff --git a/wcfsetup/install/files/lib/system/event/listener/MessageSpamCheckingSfsListener.class.php b/wcfsetup/install/files/lib/system/event/listener/MessageSpamCheckingSfsListener.class.php
new file mode 100644
index 00000000000..3b51d828e6f
--- /dev/null
+++ b/wcfsetup/install/files/lib/system/event/listener/MessageSpamCheckingSfsListener.class.php
@@ -0,0 +1,44 @@
+<?php
+
+namespace wcf\system\event\listener;
+
+use wcf\data\blacklist\entry\BlacklistEntry;
+use wcf\event\message\MessageSpamChecking;
+use wcf\system\cache\runtime\UserProfileRuntimeCache;
+
+/**
+ * Checks for spam messages using data from Stop Forum Spam.
+ *
+ * @author      Marcel Werk
+ * @copyright   2001-2024 WoltLab GmbH
+ * @license     GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
+ * @since       6.1
+ */
+final class MessageSpamCheckingSfsListener
+{
+    public function __invoke(MessageSpamChecking $event): void
+    {
+        if (!\BLACKLIST_SFS_ENABLE) {
+            return;
+        }
+
+        if ($event->user !== null) {
+            // Skip spam check for admins and moderators
+            $userProfile = UserProfileRuntimeCache::getInstance()->getObject($event->user->userID);
+            if (
+                $userProfile->getPermission('admin.general.canUseAcp')
+                || $userProfile->getPermission('mod.general.canUseModeration')
+            ) {
+                return;
+            }
+        }
+
+        if (BlacklistEntry::getMatches(
+            $event->user ? $event->user->username : '',
+            $event->user ? $event->user->email : '',
+            $event->ipAddress,
+        ) !== []) {
+            $event->preventDefault();
+        }
+    }
+}

From 05734c7f5b4fc72b6ccd49ac804ba4fa1ff33bc6 Mon Sep 17 00:00:00 2001
From: Marcel Werk <burntime@woltlab.com>
Date: Fri, 31 May 2024 17:41:26 +0200
Subject: [PATCH 6/8] Reintroduce option to save blacklist matches for a user

---
 .../user/RegistrationSpamChecking.class.php   | 24 +++++++++++++++----
 .../files/lib/form/RegisterForm.class.php     | 11 +++++----
 ...istrationSpamCheckingSfsListener.class.php |  4 ++--
 3 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/wcfsetup/install/files/lib/event/user/RegistrationSpamChecking.class.php b/wcfsetup/install/files/lib/event/user/RegistrationSpamChecking.class.php
index fd1fbf309b4..8137512020e 100644
--- a/wcfsetup/install/files/lib/event/user/RegistrationSpamChecking.class.php
+++ b/wcfsetup/install/files/lib/event/user/RegistrationSpamChecking.class.php
@@ -2,11 +2,10 @@
 
 namespace wcf\event\user;
 
-use wcf\event\IInterruptableEvent;
-use wcf\event\TInterruptableEvent;
+use wcf\event\IPsr14Event;
 
 /**
- * Indicates that a registration by a new user is currently validated. If this event is interrupted,
+ * Indicates that a registration by a new user is currently validated. If $matches is not empty,
  * the registration is considered to be a spammer or an undesirable user.
  *
  * @author      Marcel Werk
@@ -14,9 +13,9 @@
  * @license     GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
  * @since       6.1
  */
-final class RegistrationSpamChecking implements IInterruptableEvent
+final class RegistrationSpamChecking implements IPsr14Event
 {
-    use TInterruptableEvent;
+    private array $matches = [];
 
     public function __construct(
         public readonly string $username,
@@ -24,4 +23,19 @@ public function __construct(
         public readonly string $ipAddress
     ) {
     }
+
+    public function hasMatches(): bool
+    {
+        return $this->matches !== [];
+    }
+
+    public function addMatch(string $key): void
+    {
+        $this->matches[$key] = $key;
+    }
+
+    public function getMatches(): array
+    {
+        return \array_values($this->matches);
+    }
 }
diff --git a/wcfsetup/install/files/lib/form/RegisterForm.class.php b/wcfsetup/install/files/lib/form/RegisterForm.class.php
index 0d1e8e76722..8b619abfb46 100644
--- a/wcfsetup/install/files/lib/form/RegisterForm.class.php
+++ b/wcfsetup/install/files/lib/form/RegisterForm.class.php
@@ -218,7 +218,7 @@ public function validate()
 
         $this->spamCheckEvent = new RegistrationSpamChecking($this->username, $this->email, UserUtil::getIpAddress());
         EventHandler::getInstance()->fire($this->spamCheckEvent);
-        if ($this->spamCheckEvent->defaultPrevented() && \REGISTER_ANTISPAM_ACTION === 'block') {
+        if ($this->spamCheckEvent->hasMatches() && \REGISTER_ANTISPAM_ACTION === 'block') {
             throw new NamedUserException(
                 WCF::getLanguage()->getDynamicVariable('wcf.user.register.error.blacklistMatches')
             );
@@ -408,7 +408,7 @@ public function save()
         // generate activation code
         $addDefaultGroups = true;
         if (
-            $this->spamCheckEvent->defaultPrevented()
+            $this->spamCheckEvent->hasMatches()
             || (REGISTER_ACTIVATION_METHOD & User::REGISTER_ACTIVATION_USER && !$registerVia3rdParty)
             || (REGISTER_ACTIVATION_METHOD & User::REGISTER_ACTIVATION_ADMIN)
         ) {
@@ -426,6 +426,7 @@ public function save()
                 'username' => $this->username,
                 'email' => $this->email,
                 'password' => $this->password,
+                'blacklistMatches' => $this->spamCheckEvent->hasMatches() ? JSON::encode($this->spamCheckEvent->getMatches()) : '',
                 'signatureEnableHtml' => 1,
             ]),
             'groups' => $this->groupIDs,
@@ -442,11 +443,11 @@ public function save()
         WCF::getSession()->changeUser($user);
 
         // activation management
-        if (REGISTER_ACTIVATION_METHOD == User::REGISTER_ACTIVATION_NONE && !$this->spamCheckEvent->defaultPrevented()) {
+        if (REGISTER_ACTIVATION_METHOD == User::REGISTER_ACTIVATION_NONE && !$this->spamCheckEvent->hasMatches()) {
             $this->message = 'wcf.user.register.success';
 
             UserGroupAssignmentHandler::getInstance()->checkUsers([$user->userID]);
-        } elseif (REGISTER_ACTIVATION_METHOD & User::REGISTER_ACTIVATION_USER && !$this->spamCheckEvent->defaultPrevented()) {
+        } elseif (REGISTER_ACTIVATION_METHOD & User::REGISTER_ACTIVATION_USER && !$this->spamCheckEvent->hasMatches()) {
             // registering via 3rdParty leads to instant activation
             if ($registerVia3rdParty) {
                 $this->message = 'wcf.user.register.success';
@@ -463,7 +464,7 @@ public function save()
                 $email->send();
                 $this->message = 'wcf.user.register.success.needActivation';
             }
-        } elseif (REGISTER_ACTIVATION_METHOD & User::REGISTER_ACTIVATION_ADMIN || $this->spamCheckEvent->defaultPrevented()) {
+        } elseif (REGISTER_ACTIVATION_METHOD & User::REGISTER_ACTIVATION_ADMIN || $this->spamCheckEvent->hasMatches()) {
             $this->message = 'wcf.user.register.success.awaitActivation';
         }
 
diff --git a/wcfsetup/install/files/lib/system/event/listener/RegistrationSpamCheckingSfsListener.class.php b/wcfsetup/install/files/lib/system/event/listener/RegistrationSpamCheckingSfsListener.class.php
index 03110c4a0aa..4f58c320ca9 100644
--- a/wcfsetup/install/files/lib/system/event/listener/RegistrationSpamCheckingSfsListener.class.php
+++ b/wcfsetup/install/files/lib/system/event/listener/RegistrationSpamCheckingSfsListener.class.php
@@ -21,8 +21,8 @@ public function __invoke(RegistrationSpamChecking $event): void
             return;
         }
 
-        if (BlacklistEntry::getMatches($event->username, $event->email, $event->ipAddress) !== []) {
-            $event->preventDefault();
+        foreach (BlacklistEntry::getMatches($event->username, $event->email, $event->ipAddress) as $match) {
+            $event->addMatch($match);
         }
     }
 }

From 38cc47a0215fccb80d374489a9f25c6ee344f834 Mon Sep 17 00:00:00 2001
From: Marcel Werk <burntime@woltlab.com>
Date: Fri, 31 May 2024 17:49:26 +0200
Subject: [PATCH 7/8] Use spam check event for comments

---
 .../lib/data/comment/CommentAction.class.php  | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/wcfsetup/install/files/lib/data/comment/CommentAction.class.php b/wcfsetup/install/files/lib/data/comment/CommentAction.class.php
index 36c4e0197a7..a8fa98041ad 100644
--- a/wcfsetup/install/files/lib/data/comment/CommentAction.class.php
+++ b/wcfsetup/install/files/lib/data/comment/CommentAction.class.php
@@ -12,10 +12,12 @@
 use wcf\data\object\type\ObjectType;
 use wcf\data\object\type\ObjectTypeCache;
 use wcf\data\user\User;
+use wcf\event\message\MessageSpamChecking;
 use wcf\system\bbcode\BBCodeHandler;
 use wcf\system\captcha\CaptchaHandler;
 use wcf\system\comment\CommentHandler;
 use wcf\system\comment\manager\ICommentManager;
+use wcf\system\event\EventHandler;
 use wcf\system\exception\NamedUserException;
 use wcf\system\exception\PermissionDeniedException;
 use wcf\system\exception\SystemException;
@@ -36,6 +38,7 @@
 use wcf\system\WCF;
 use wcf\util\MessageUtil;
 use wcf\util\UserRegistrationUtil;
+use wcf\util\UserUtil;
 
 /**
  * Executes comment-related actions.
@@ -403,6 +406,16 @@ public function validateAddComment()
         if (!$this->commentProcessor->canAdd($this->parameters['data']['objectID'])) {
             throw new PermissionDeniedException();
         }
+
+        $event = new MessageSpamChecking(
+            $this->parameters['htmlInputProcessor'],
+            WCF::getUser()->userID ? WCF::getUser() : null,
+            UserUtil::getIpAddress(),
+        );
+        EventHandler::getInstance()->fire($event);
+        if ($event->defaultPrevented()) {
+            throw new PermissionDeniedException();
+        }
     }
 
     /**
@@ -564,6 +577,16 @@ public function validateAddResponse()
 
         $this->validateGetGuestDialog();
         $this->validateMessage(true);
+
+        $event = new MessageSpamChecking(
+            $this->parameters['htmlInputProcessor'],
+            WCF::getUser()->userID ? WCF::getUser() : null,
+            UserUtil::getIpAddress(),
+        );
+        EventHandler::getInstance()->fire($event);
+        if ($event->defaultPrevented()) {
+            throw new PermissionDeniedException();
+        }
     }
 
     /**

From 9334f30360afa2babe08648d957f16a7ed8b7f24 Mon Sep 17 00:00:00 2001
From: Marcel Werk <burntime@woltlab.com>
Date: Sat, 1 Jun 2024 13:11:06 +0200
Subject: [PATCH 8/8] Make messages from the contact form available to the spam
 checking

---
 .../page/ContactFormSpamChecking.class.php    |  1 +
 .../files/lib/form/ContactForm.class.php      | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/wcfsetup/install/files/lib/event/page/ContactFormSpamChecking.class.php b/wcfsetup/install/files/lib/event/page/ContactFormSpamChecking.class.php
index 718329b2496..b744442090b 100644
--- a/wcfsetup/install/files/lib/event/page/ContactFormSpamChecking.class.php
+++ b/wcfsetup/install/files/lib/event/page/ContactFormSpamChecking.class.php
@@ -21,6 +21,7 @@ final class ContactFormSpamChecking implements IInterruptableEvent
     public function __construct(
         public readonly string $email,
         public readonly string $ipAddress,
+        public readonly array $messages,
     ) {
     }
 }
diff --git a/wcfsetup/install/files/lib/form/ContactForm.class.php b/wcfsetup/install/files/lib/form/ContactForm.class.php
index 6a8fda89669..3e3547bc51c 100644
--- a/wcfsetup/install/files/lib/form/ContactForm.class.php
+++ b/wcfsetup/install/files/lib/form/ContactForm.class.php
@@ -2,6 +2,7 @@
 
 namespace wcf\form;
 
+use wcf\data\contact\option\ContactOption;
 use wcf\data\contact\option\ContactOptionAction;
 use wcf\data\contact\recipient\ContactRecipientList;
 use wcf\event\page\ContactFormSpamChecking;
@@ -170,9 +171,29 @@ public function validate()
             }
         }
 
+        $this->handleSpamCheck();
+    }
+
+    private function handleSpamCheck(): void
+    {
+        $messages = [];
+        foreach ($this->optionHandler->getOptions() as $option) {
+            $object = $option['object'];
+            \assert($object instanceof ContactOption);
+            if (!$object->isMessage || !$object->getOptionValue()) {
+                continue;
+            }
+
+            $messages[] = $object->getOptionValue();
+            if ($object->optionType === 'date' && !$object->getOptionValue()) {
+                continue;
+            }
+        }
+
         $spamCheckEvent = new ContactFormSpamChecking(
             $this->email,
             UserUtil::getIpAddress(),
+            $messages,
         );
         EventHandler::getInstance()->fire($spamCheckEvent);
         if ($spamCheckEvent->defaultPrevented()) {