
HoneyPot Captcha


Jack_mcs


Testing Version 1.6 on my PHP 7.2 XAMPP test site and get this error when attempting to create a legitimate account.

1048 - Column 'ip_number' cannot be null

insert into honeypot_track set count = '1', ip_number = INET_ATON( '::1' ), last_date = now()

[TEP STOP]

Edited by mhsuffolk

Live shop Phoenix 1.0.8.4 on PHP 7.4 Working my way up the versions.


It's failing because you have the option to use the IPV6 format enabled. I may put a check in for what type of IP it is but I don't know that I will be changing the code to accept them. IPV6 IPs are still not used much so I don't find it worthwhile, time-wise, to code for them.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons

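The failing INET_ATON() call above, worked through as an added PHP example (this is not code from the HoneyPot Captcha addon): detect the address family before storing it and use a column type that fits both families. It assumes the honeypot_track.ip_number column has been widened to VARBINARY(16); the function names are the example's own.

```php
<?php
// Added example, not code from the HoneyPot Captcha addon. INET_ATON() only
// understands dotted IPv4, so for an IPv6 client such as ::1 it returns NULL
// and the insert into the NOT NULL ip_number column fails with the 1048 error
// quoted above. Assumption: honeypot_track.ip_number has been changed to
// VARBINARY(16) so it can hold either address family.

// Return 4 or 6 for a valid address, or 0 for anything else.
function ipVersion(string $ip): int
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return 4;
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return 6;
    }
    return 0;
}

// Pack the address the way MySQL's INET6_ATON() does: 4 bytes for IPv4,
// 16 bytes for IPv6. Returns null for junk (for example a forged header
// value) so that nothing unparseable is ever written to the table.
function packIp(string $ip)
{
    if (ipVersion($ip) === 0) {
        return null;
    }
    return inet_pton($ip);
}

// Read a stored value back for display; inet_ntop() accepts both lengths.
function unpackIp(string $packed): string
{
    $ip = inet_ntop($packed);
    return $ip === false ? '' : $ip;
}

// Insert statement for a prepared query. The packed value is bound as a
// binary string, so no INET_ATON() call is needed and ::1 no longer turns
// into NULL on the way into the table.
function trackInsertSql(): string
{
    return 'INSERT INTO honeypot_track (count, ip_number, last_date) VALUES (1, ?, NOW())';
}

// Constructed inputs: the IPv6 loopback from the error, an IPv4 address and junk.
foreach (['::1', '192.0.2.10', 'not-an-ip'] as $candidate) {
    $packed = packIp($candidate);
    printf("%-10s version=%d stored=%s roundtrip=%s\n",
        $candidate,
        ipVersion($candidate),
        $packed === null ? 'rejected' : bin2hex($packed),
        $packed === null ? '-' : unpackIp($packed));
}
```

If the value is written with plain SQL instead of a bound parameter, MySQL 5.6 or later and MariaDB offer INET6_ATON() and INET6_NTOA(), which produce the same byte layout as the PHP functions above; the column still has to be VARBINARY(16), since a 4-byte INT UNSIGNED column cannot hold an IPv6 address whatever function feeds it.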

All of the wamp packages come with IPV6 set to on, at least the newer ones do. As far as I know, no host enables that as the default (we don't, at least). To turn it off, open the http.conf file and search for Listen. The lines should look like this to turn IPV6 off:

Listen 0.0.0.0:80
#Listen [::0]:80


You might want to read this article on CAPTCHAs: https://www.theverge.com/2019/2/1/18205610/google-captcha-ai-robot-human-difficult-artificial-intelligence . It states that AI is expected to improve to the point that it will solve any CAPTCHA puzzle much better than humans can. It's just about there, already. The emphasis will have to shift from how perfectly the "user" can solve a problem to watching how very human imperfections and randomness in the interaction betray who is human. Also, rather than relying on a one-time hard-shell defense against bots, we will have to watch users in their interactions with a site and see if they're doing bot-like things. Big Brother, anyone? The article points out that Third World CAPTCHA farms use people to sign up for forums and blogs, etc., which then can be handed over to bots to do the spamming. This would require monitoring of the user interactions beyond just the signup, such as an occasional CAPTCHA challenge from time to time. If most spammers crap on your forum just once (or use your tell-a-friend function for one mass mailing) and then never come back, that may be more annoying than useful.

The comments are rather interesting too. Several people pointed out that the reCAPTCHA emphasis on traffic lights and street signs and vehicle recognition suggests that we are being used to train Google's self-driving cars -- for free.


@MrPhil Thanks for the link. It finally offers a reasonable explanation as to why fake accounts are becoming a common thing. I don't think there is any code that can stop all of them unless some check is added and that is a bother to real customers.

But for this addon, their scripts can't get by the contact us and create account pages because those checks are done in php. Although for the create account page, if the settings are strict, like one account allowed, then it might affect legitimate customers.


Hi Jack,

Just attempting a new install of v1.6 on a CE store. Forgive me if I'm having a blond moment. I notice some discrepancies between instructions 3 & 4 in the ReadMe.txt and the files in "v234\ChangedFiles". There are additional bits of code in the files not in the ReadMe.txt.

One example is in the contact_us.php file, on line 24 to 34:

    /*** BEGIN HONEYPOT ***/
    if (MODULE_HEADER_TAGS_HONEYPOT_ALLOW_EMAIL == 'False' || MODULE_HEADER_TAGS_HONEYPOT_ALLOW_URLS == 'False') {
        include('includes/functions/honeypot.php');
        if (($reslt = InvalidText($enquiry)) != 'good') {
            if ($reslt != 'failed') {
                $messageStack->add('contact', $reslt);
            }
            $error = true;
        }
    }
    /*** END HONEYPOT ***/

This part of code is not mentioned in the ReadMe.txt.

Please can you confirm, am I OK to go with the instructions in the ReadMe.txt and ignore the changed files?


3 hours ago, Pritchard78 said:

Please can you confirm, am I OK to go with the instructions in the ReadMe.txt and ignore the changed files?

I apologize for the confusion this caused. Yes, that file change is needed. The changed files will always be correct. I try to supply installation instructions but they don't always match. Here are the instructions from the unreleased next version:

3) In the contact_us.php file,

FIND:

    if (!tep_validate_email($email_address)) {

ADD ABOVE:

    /*** BEGIN HONEYPOT ***/
    if (MODULE_HEADER_TAGS_HONEYPOT_ALLOW_EMAIL == 'False' || MODULE_HEADER_TAGS_HONEYPOT_ALLOW_URLS == 'False') {
        include('includes/functions/honeypot.php');
        if (($reslt = InvalidText($enquiry)) != 'good') {
            if ($reslt != 'failed') {
                $messageStack->add('contact', $reslt);
            }
            $error = true;
        }
    }
    /*** END HONEYPOT ***/

FIND:

<?php echo tep_draw_form('contact_us', tep_href_link('contact_us.php', 'action=send'), 'post', 'class="form-horizontal"', true); ?>

REPLACE WITH:

<?php //BEGIN HONEYPOT ?>
<?php echo tep_draw_form('contact_us', tep_href_link('contact_us.php', 'action=send'), 'post', ' onsubmit="return validateMyForm();" class="form-horizontal"', true); ?>
<?php //END HONEYPOT ?>

FIND:

  <div class="buttonSet">

ADD ABOVE IT:

  <?php //BEGIN HONEYPOT ?>
  <div style="display:none;">
    <label>Keep this field blank</label>
    <input type="text" name="honeypot" id="honeypot" />
  </div>
  <?php //END HONEYPOT ?>

-----------------------------------------------------------------
4) In the create_account.php file,

FIND:

    if ($error == false) {

ADD ABOVE:

    /***** Begin Honey Pot *****/
    if ($error == false) {
        if (defined('MODULE_HEADER_TAGS_HONEYPOT_CREATE_ACCOUNT_CHECK') && MODULE_HEADER_TAGS_HONEYPOT_CREATE_ACCOUNT_CHECK == 'True') {
            include('includes/languages/' . $language . '/modules/header_tags/ht_honeypot.php');
            include('includes/functions/honeypot.php');
            $cust = $firstname . ' ' . $lastname;
            $error = CheckCreateAccountHP($cust);
            if ($error) {
                $messageStack->add('create_account', MODULE_HEADER_TAGS_HONEYPOT_CREATE_ACCOUNT_TOO_SOON);
            }
        }
    }
    /***** End Honey Pot *****/

FIND:

<?php echo tep_draw_form('create_account', tep_href_link('create_account.php', '', 'SSL'), 'post', 'class="form-horizontal"', true) . tep_draw_hidden_field('action', 'process'); ?>

REPLACE WITH:

<?php //BOC Honeypot ?>
<?php echo tep_draw_form('create_account', tep_href_link('create_account.php', '', 'SSL'), 'post', 'class="form-horizontal" onSubmit="return validateMyForm(create_account);"', true) . tep_draw_hidden_field('action', 'process'); ?>
<?php //EOC Honeypot ?>

FIND:

  <div class="buttonSet">

ADD ABOVE:

  <!-- BOC Honeypot -->
  <div style="display:none;">
    <label>Keep this field blank</label>
    <input type="text" name="honeypot" id="honeypot" />
  </div>
  <!-- EOC Honeypot -->

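As an added example, not the addon's code, here is what the server side of the steps above amounts to: the hidden honeypot field must come back empty, and, when the ALLOW_EMAIL and ALLOW_URLS settings are 'False', the enquiry text must not carry an email address or a link. The addon's own InvalidText() is not shown in this thread, so the function names and messages below are hypothetical and illustrate the technique rather than the module's implementation.

```php
<?php
// Added example, not code from the HoneyPot Captcha addon. It mirrors the two
// server-side checks the install steps wire into contact_us.php. All function
// names, messages and the 'good' / message return convention are this
// example's own assumptions.

// A bot that fills every input it finds will populate the hidden field;
// a browser never shows it (display:none), so a human leaves it empty.
function honeypotFieldTripped(array $post): bool
{
    return isset($post['honeypot']) && trim((string) $post['honeypot']) !== '';
}

// Scan the enquiry text. Returns 'good' when nothing is found, otherwise
// the message that should be shown to the submitter.
function checkEnquiryText(string $text, bool $allowEmail, bool $allowUrls): string
{
    if (!$allowEmail && preg_match('/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i', $text)) {
        return 'Email addresses are not allowed in the message.';
    }
    // http(s):// links and bare www. hosts are the forms spam usually carries.
    if (!$allowUrls && preg_match('~(https?://|www\.)[^\s<>"\']+~i', $text)) {
        return 'Links are not allowed in the message.';
    }
    return 'good';
}

// Decide what contact_us.php should do with a submission. A honeypot hit is
// rejected without a message: telling the bot which check it failed only
// helps it adapt, while a human never sees the hidden field anyway.
function evaluateContactForm(array $post, bool $allowEmail, bool $allowUrls): array
{
    if (honeypotFieldTripped($post)) {
        return ['error' => true, 'message' => ''];
    }
    $result = checkEnquiryText((string) ($post['enquiry'] ?? ''), $allowEmail, $allowUrls);
    if ($result !== 'good') {
        return ['error' => true, 'message' => $result];
    }
    return ['error' => false, 'message' => ''];
}

// Constructed submissions: a human, a form-filling bot and a link spammer.
$samples = [
    'human' => ['enquiry' => 'Do you ship to Canada?', 'honeypot' => ''],
    'bot'   => ['enquiry' => 'Hello', 'honeypot' => 'John'],
    'spam'  => ['enquiry' => 'Cheap stuff at www.example.com today', 'honeypot' => ''],
];
foreach ($samples as $label => $post) {
    $verdict = evaluateContactForm($post, false, false);
    printf("%-5s error=%s message=%s\n", $label, $verdict['error'] ? 'yes' : 'no', $verdict['message']);
}
```

The onsubmit="return validateMyForm();" hook added to the form tag above is only a convenience for the browser; the server-side check is the one that counts, because a script posting straight to contact_us.php never runs the JavaScript.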

Hello,

I'm getting a few spams that got through with just one character and also long junk strings like this

+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%

Also what is best way to add an array of domains to block, such as domain.com, example.com, etc. 

Thank you for the help!


24 minutes ago, mcbsolutions said:

I'm getting a few spams that got through with just one character and also long junk strings like this

That string is trying to access your database. If it was submitted via the contact us page there's no danger from it. But if it was sent from the create account page, it might cause problems.

Honeypot can't block the message because it is legitimate. There's not an option to block for specific text. You can use the account limit setting to prevent additional accounts so that will only allow one through.

I have a new version that I am going to try and get uploaded soon. It may help with emails like this.


A new version has been uploaded with these changes.

  • Added an ignore IP setting so shop owners can create multiple accounts.
  • Added the account_pwa.php file for those with the Purchase Without Account addon installed.
  • Added code to the contact us page to check for violations of the Honey Pot form.
  • Added an option to prevent emails containing certain words.
  • Changed the notification code and option so emails can be sent for every account creation.

For shops with a previous version installed that uses the module, be sure to uninstall the module before updating to avoid database problems.


Jack, the last 2 lines in the SQL given give my database an error:

insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Exclude IP\'s', 'MODULE_HEADER_TAGS_HONEYPOT_EXCLUDE_IPS', '', 'A comma-separated list of IP\'s that are not blocked by the create account checks.', '1', '108', now())");
insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Bad Words', 'MODULE_HEADER_TAGS_HONEYPOT_BAD_WORDS', '', 'Enter a comma separated list of words that are not allowed.', '1', '109', 'tep_cfg_textarea(', now());

Syntax ?


8 minutes ago, Jack_mcs said:

What is the error?

What version of oscommerce are you using?

What version of php are you using?

V2.3.4, PHP 7.0

Static analysis:

3 errors were found during analysis.

 

  1. Ending quote " was expected. (near "" at position 690)
  2. Unexpected token. (near ""); insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Bad Words', 'MODULE_HEADER_TAGS_HONEYPOT_BAD_WORDS', '', 'Enter a comma separated list of words that are not allowed.', '1', '109', 'tep_cfg_textarea(', now());" at position 339)
  3. Unexpected beginning of statement. (near ""); insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Bad Words', 'MODULE_HEADER_TAGS_HONEYPOT_BAD_WORDS', '', 'Enter a comma separated list of words that are not allowed.', '1', '109', 'tep_cfg_textarea(', now());" at position 339)

 

SQL query:

insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Exclude IP\'s', 'MODULE_HEADER_TAGS_HONEYPOT_EXCLUDE_IPS', '', 'A comma-separated list of IP\'s that are not blocked by the create account checks.', '1', '108', now())"); insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Bad Words', 'MODULE_HEADER_TAGS_HONEYPOT_BAD_WORDS', '', 'Enter a comma separated list of words that are not allowed.', '1', '109', 'tep_cfg_textarea(', now());

MySQL said: Documentation

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '");
insert into configuration (configuration_title, configuration_key, configur' at line 1


1 hour ago, Boldman said:

V2.3.4, PHP 7.0

The error is caused by a mistake in the changes for older shops that can't use modules. I don't have a V2.3.4 shop to test but I think it can use modules so you should not be using that code. But for those that have the problem, change the following. But note, if your shop uses the module, making this change will cause problems. 

insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Exclude IP\'s', 'MODULE_HEADER_TAGS_HONEYPOT_EXCLUDE_IPS', '', 'A comma-separated list of IP\'s that are not blocked by the create account checks.', '1', '108', now())");

to

insert into configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Exclude IP\'s', 'MODULE_HEADER_TAGS_HONEYPOT_EXCLUDE_IPS', '', 'A comma-separated list of IP\'s that are not blocked by the create account checks.', '1', '108', now());


A change was mentioned in the Fake Accounts thread to check TOR IPs, which are often used by spammers and hackers. The code to make this change is below. I will add it to the next release once I have time to add a setting and package it. To use it now, open the includes/functions/honeypot.php file and find this line:

$db_table = 'honeypot_track'; 

and add this above it:

    if (CheckTOR()) {
        return true;
    }

Then at the end of the file, add this

function CheckTOR() {
    // Fetch the current list of Tor exit addresses, one per line (lines starting
    // with '#' are comments). This needs allow_url_fopen and makes a remote
    // request on every call, so it adds latency to each form submission.
    $ips = @file("https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($ips === false) {
        // List unavailable: don't block anyone because of a failed download
        return false;
    }
    $remote = trim($_SERVER['REMOTE_ADDR']);
    $found = false;
    foreach ($ips as $ip) {
        // Compare whole addresses; a substring test such as strpos() would let
        // 1.2.3.4 match a listed 11.2.3.45 and block the wrong visitor
        if (trim($ip) === $remote) {
            $found = true;
            break;
        }
    }
    return $found;
}


Is it possible to extend the module by including a filter to catch domain names used by spammers for emails, i.e. similar to the bad words filter but for account creation rather than contact form? The same domain names seem to be used over and over again.


35 minutes ago, rule said:

Is it possible to extend the module by including a filter to catch domain names used by spammers for emails, i.e. similar to the bad words filter but for account creation rather than contact form?

Yes, it is possible. I have done that in the pro version of View Counter. I may make the change in this one but it is not a quick change so I don't know when, or if, that will happen, due to time constraints.

Usually, in my experience, these people creating fake accounts have more than one IP address so blocking one may be a waste of time. You can generally tell if that is the case by checking the WhoIs for the IP. When you do that, you will see an IP Range and/or CIDR listed. Those are short-hand methods for all IPs associated to that one IP. Using one of those to block may help. However, you have to be careful since the IP range may include legitimate IPs so you may end up blocking potential customers. You have to compare where the IP is from and whether you would hurt the shop by blocking people from that location.

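The two ideas in the exchange above, a domain blocklist for account email addresses and blocking by IP range or CIDR while watching how many addresses a range covers, as one added PHP example that is not part of the addon. The list format mirrors the comma-separated settings the module uses; the function names are hypothetical and the CIDR matching is IPv4 only (it relies on ip2long()).

```php
<?php
// Added example, not the addon's code. Shows (1) matching a visitor address
// against a comma-separated list of IPs and CIDR ranges, (2) sizing a range
// before blocking it, and (3) a blocklist of email domains for the create
// account page. All function names are this example's own.

// Split a comma-separated setting into trimmed, non-empty entries.
function parseList(string $setting): array
{
    return array_values(array_filter(array_map('trim', explode(',', $setting)), 'strlen'));
}

// True when an IPv4 address is inside one entry: "203.0.113.7" or "198.51.100.0/24".
function ipv4MatchesEntry(string $ip, string $entry): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;
    }
    if (strpos($entry, '/') === false) {
        return ip2long($entry) === $addr;
    }
    list($net, $bits) = explode('/', $entry, 2);
    $netLong = ip2long($net);
    $bits = (int) $bits;
    if ($netLong === false || $bits < 0 || $bits > 32) {
        return false;   // malformed entry: ignore it rather than block everyone
    }
    // Build the network mask; /0 would cover every address, so treat it explicitly.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return (($addr & $mask) === ($netLong & $mask));
}

function ipInList(string $ip, string $setting): bool
{
    foreach (parseList($setting) as $entry) {
        if (ipv4MatchesEntry($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// How many addresses an entry covers: the sanity check to run before blocking
// a WhoIs range, since a /16 silently takes 65536 potential customers with it.
function rangeSize(string $entry): int
{
    if (strpos($entry, '/') === false) {
        return 1;
    }
    $bits = (int) substr($entry, strpos($entry, '/') + 1);
    return 2 ** (32 - $bits);
}

// Email domain blocklist: compare the part after the last '@' case-insensitively
// and also catch subdomains of a listed domain.
function emailDomainBlocked(string $email, string $setting): bool
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return false;
    }
    $domain = strtolower(substr($email, $at + 1));
    foreach (parseList($setting) as $blocked) {
        $blocked = strtolower($blocked);
        if ($domain === $blocked || substr($domain, -strlen('.' . $blocked)) === '.' . $blocked) {
            return true;
        }
    }
    return false;
}

// Constructed settings and inputs (documentation address ranges).
$blockedIps = '203.0.113.7, 198.51.100.0/24';
foreach (['203.0.113.7', '198.51.100.200', '192.0.2.1'] as $ip) {
    printf("%-15s listed: %s\n", $ip, ipInList($ip, $blockedIps) ? 'yes' : 'no');
}
printf("198.51.100.0/24 covers %d addresses\n", rangeSize('198.51.100.0/24'));

$badDomains = 'spam-example.com, example.net';
foreach (['a@mail.spam-example.com', 'b@example.org'] as $email) {
    printf("%-25s blocked: %s\n", $email, emailDomainBlocked($email, $badDomains) ? 'yes' : 'no');
}
```

The same parseList() shape serves the module's existing "Exclude IPs" setting, where a match means the visitor is allowed through the create account checks instead of stopped; only the decision taken on a match differs.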

Hi Jack, I have just installed this on osCommerce Online Merchant v2.3.4.1 CE aka Frozen BS and when I enter a word in the bad word area and click save, the bad words are not saved.

I also added the extra TOR IPs part as per above.

Can you please assist?
