HoneyPot Captcha

[Jack_mcs]

This isn't a question that should be asked in a support thread. You may want to open a new one. But I'll reply to it just this once.  If you renamed the file create_account.BAK.php, it is still usable. If it was renamed create_account.php.BAK, it wouldn't be. But there is also the possibility the Purchase Without Account addon is installed and it may use its own create account file. Or the hacker has gained access to the database, or admin if create orders is installed, and did it that way. There are probably other possibilities but without knowing more about the site, I can't say.

[douglaswalker]

Hi there

I have been trying out the honeypot on my site and have it set up with not allowing urls.

I have tested it and if I try to use a url it is blocked

However this morning I received spam with urls in it.

I am a bit puzzled.

i wondered if you could offer any ideas as to what may be going on.

 

Doug

 

[douglaswalker]

Did a bit more investigating

When I turned of Java Script I could add urls to my enquiry and the email was sent.

Is this as expected or have I missed something

Warm regards

Doug

[Jack_mcs]

@douglaswalker The settings you mention only apply to the contact us page. If you have made the required change to the contact us page then even if the javascript code was not added to the site, it would stop those emails since the php in the code is checking the message. So it sounds like you may have missed that change.

[douglaswalker]

Hi there

you are exactly right I missed the folder with the upgrade instruction

My apologies

All is now working. Thank-you for your quick answer

I will look a bit more carefully next time

Doug

 

[greasemonkey]

@Jack_mcs hey Jack, I'm trying this addon out to help reduce a number of spam accounts being created - and hoping not to have to resort to a captcha solution.

So far it hasn't help this specific spammer - he's skipping the new hidden field. I presume it will help prevent future spammers however......

I'm wondering if changing your code around slightly may work?

So far, every spam account is created has the company name "google" - all lower case without the quotes.

Do you think adding an id=google to the company entry could work (I have no worry Google not my customer... lol) and if so - how could I validate that is says google?

<script type="text/javascript">
function validateMyForm(create_account) {
  var ok = check_form(create_account);
  if (! ok) return false;
  return IsSpammer();
}       
function IsSpammer() {
  if(!document.getElementById("google").value) {   // The field is empty, submit the form.
    return true;
  } else {   // the field has a value it's a spam bot
    return false;
  } 
} 
</script>

 

[Jack_mcs]

That wouldn't work as it is. The getElementById( function is checking this line

<input type="text" name="honeypot" id="honeypot" />

The id in that line is honeypot and your change is telling the code to look at the line that has an id of google. So if you want to make that change you would need to change the above to

<input type="text" name="honeypot" id="google" />

But I think what you want to do is check for the company so change this

  if(!document.getElementById("honeypot").value) { 
   return true;
  } 

to

  if(!document.getElementById("honeypot").value) { 
   return true;
  } 
  
  else if ((document.getElementsByName("company")[0].value) == 'google') {
      return true;
  }

I haven't tested it but I think it will do what you want.

[greasemonkey]

@Jack_mcs thanks so much... so this?

function IsSpammer() {
  if(!document.getElementById("honeypot").value) {   // The field is empty, submit the form.
    return true;
  } else if ((document.getElementsByName("company")[0].value) == 'google') {
      return true;
  } else {   // the field has a value it\'s a spam bot
    return false;
  } 
} 

 

[Jack_mcs]

Yes, that's correct.

[greasemonkey]

On 12/14/2018 at 9:12 PM, Jack_mcs said:

Yes, that's correct.

Can't quiet get this working Jack

Sorry to bug for any more assistence - here is the HTML for the Company Name

    <div class="form-group">
      <label for="inputCompany" class="control-label col-sm-4">Company Name</label>
      <div class="col-sm-8">
        <input type="text" name="company" id="inputCompany" placeholder="Company Name" class="form-control" /><!-- BOF Separate Pricing Per Customer: field for tax id number
		<!-- EOF Separate Pricing Per Customer: field for tax id number -->
		
      </div>
    </div>

And the IsSpammer function, I'm not sure... but it's still validating the form with or without the company name being "google". For the value I've tried both "google" and \'google\'.

function IsSpammer() {
  if(!document.getElementById("honeypot").value) {   // The field is empty, submit the form.
    return true;
  }   else if ((document.getElementsByName("company")[0].value) == \'google\') {
      return true;
  } else {   // the field has a value it\'s a spam bot
    return false;
  } 
} 

 

[Jack_mcs]

The return value is wrong. Change

}   else if ((document.getElementsByName("company")[0].value) == \'google\') {
      return true;

to

}   else if ((document.getElementsByName("company")[0].value) == \'google\') {
      return false;

 

[greasemonkey]

On 12/17/2018 at 11:36 AM, Jack_mcs said:

The return value is wrong. Change

}   else if ((document.getElementsByName("company")[0].value) == \'google\') {
      return true;

to

}   else if ((document.getElementsByName("company")[0].value) == \'google\') {
      return false;

 

Wow, this spammer just won't go away.... I'm not sure you can help me any more @Jack_mcs

I'm currently trying to use the pattern variable with a negative regex on the company input to validate the form - it works when I test it:

pattern="^(?!google$).*"

But he is still able to get around it - or at least able to create the account. Looking at Track Delivery in cPanel the email is still going out and being received.

[Jack_mcs]

I don't think that is a good approach to the problem. Even if you get it to work, he might decide to start using Bing as a company and that will break the script.

In the latest version of View Counter (not released), I record the persons IP when an account is created. Then if that IP is used to create another account and if the time between the two is too small, as decided by a setting, the account is denied and the IP is emailed to the shop owner in case he wants to ban that IP. I've ran across this problem many times before and, in my experience, the only thing that is consistent each time is the IP.

[greasemonkey]

@Jack_mcs thanks again Jack, this is going off topic for your support thread... Mods, please feel free to move this to its own discussion.

Yes, the bot is clearly not using a "browser" anyway to input the values so using a regex HTML5 form to validate is, as you suggest, not a good idea.

I deliver the site via Cloudflare, so I'm a little surprised they can even get to the site - almost every Proxy IP I've tried from eastern EU lands on Clouldflare's reCaptcha2 page.

SOOO, what I have succeeded in doing so far is pissing the spammer off! They've gone from creating 2-4 accounts per day to 2-4 accounts per hour.

Good news, on the create account page I use GEO targeting to enter the Country by IP - so (I think) I'm getting an accurate country for each account.

I'm now using htaccess (with Cloudflare's CF-IPCountry) to block large area's of the world like:

Quote

SetEnvIf CF-IPCountry RU BuzzOff=1
SetEnvIf CF-IPCountry TR BuzzOff=1
SetEnvIf CF-IPCountry FR BuzzOff=1
SetEnvIf CF-IPCountry KE BuzzOff=1
SetEnvIf CF-IPCountry MO BuzzOff=1
SetEnvIf CF-IPCountry NL BuzzOff=1
SetEnvIf CF-IPCountry HU BuzzOff=1
SetEnvIf CF-IPCountry MN BuzzOff=1
SetEnvIf CF-IPCountry FR BuzzOff=1
SetEnvIf CF-IPCountry ZA BuzzOff=1
Order allow,deny
Allow from all
Deny from env=BuzzOff 

So far so good.... I add a new country every time they create an account....

99.8% of our business is from Canada and USA - so no worries really..... but would like to think this is temporary.

Edited December 21, 2018 by greasemonkey

[greasemonkey]

10 minutes ago, greasemonkey said:

so (I think) I'm getting an accurate country for each account.

lol nope, just had an account created with Russian Federation as country and Ukraine as IP.

Working on installing @burt action recorder to get the correct IP...

[♥John W]

There was a thread on this in the Cpanel forums and some of the ips will blur like that but you won't likely have any that show Russia or Ukraine that are CA or US. 

Edited December 21, 2018 by John W

[osComMarket]

No honey pot need, use google.
They covered the issue.

[mcbsolutions]

Thanks for this add on Jack.  It has cut down alot on spammers and works well for me.  I would like to block any spammer using gmail.com.  Could you shed some light on how to add this in? Thank you.

[Jack_mcs]

On ‎12‎/‎24‎/‎2018 at 11:03 AM, mcbsolutions said:

any spammer using gmail.com

The following code will block any emails from gmail but if you truly mean to block "any spammer" from gmail, I don't think that is possible since spam can be a simple message saying "hello". But to block all emails from gmail, find

if (!tep_validate_email($email_address)) {

and change it to

$fail = (strpos($email_address, 'gmail') !== false ? true : false);
if ($fail || !tep_validate_email($email_address)) {

 

[Jack_mcs]

A new version has been uploaded with these changes:

• Changed the url search code to only look at the protocol and to check for named protocols.
• Changed the position of the error variable to make it global for the contact us page for pre-2.3 shops.
• Removed global option search that could fail in some cases.

The first change is an important one because Russian spammers are starting to use the tld рф. There will probably be more to follow as the use of such tld's increase. The change to the code makes it so tld's are ignored so any url should be caught now. Please report any emails that get through with url's.

[puddlec]

recently installed this, and it has block most of the URL'S coming through, the ones it did not stop just had, the domain name in.

e.g. instead of something like https://www.oscommerce.com they would just put oscommerce.com 

[Jack_mcs]

I thought I had tested that possibility but maybe not. But to be clear, the blocking of url's only occurs on the contact us page. If that is where the email was submitted, please show the actual contents of the email so I can test it here. You can change the domain name if you like.

[puddlec]

one message was in Russian (i think) with the email at the end in the same format as above
the other two had Hey Look what we possess in the service of you!, then some other text then end with the url.

I have noticed since installing this on Thursday afternoon, that the spammers have changed from having http:://ww. part in, to removing it (could just be different spammers)

only had three so far.

i sent a PM with the actual emails in them

[Jack_mcs]

Thanks for that. I tried it here and it got through as you said. I'll change the code to fix that in the next version.

[Jack_mcs]

A new version has been uploaded with these changes:

• Added option to block account creation based on thr number of accounts and/or time accounts added.                  
• Added back some of the url checking removed in the last update to catch stragglers.
• Removed the PWA code in the create account page for pre-2.3 shops since it did not apply to this addon.

This version aims to prevent the account creation of many accounts by scripts. There are two ways it does that.

First, you can set a count for how many accounts may be created. So if it is set to 2, each customer can only create 2 accounts. If your site has legitimate customers that need more accounts, then don't use this setting or set it higher.

Second, the code records the IP of the account creator as well as the time the account was created. If another create account is attempted by that IP in the time entered in the settings, the account won't be created.

Both of the above can be used together or alone.