Everything posted by John W

  1. Some editors and such can add a BOM to the beginning of files, which can screw things up. There's another thread where that happened to a certificate file.
  2. Fake accounts

     Blocking by countries can make for big lists/files which can bog things down. CSF firewall and Apache both advise that it can slow things down. Plus, it's not always accurate.
  3. Fake accounts

     While my code snippet was blocking all the attempts, I noticed they were increasing in the number of attempts. I started recording the IP addresses after noticing many started with 188.138. However, after blocking in my firewall, there has only been one in a few days. In checking an abused IP DB, that block shows up a lot.
  4. credit card skimmers (in JS)

     I've seen some Magento sites that are set up better and not so slow, but more often than not, they are slow. I try to make my site as fast as I can. I also try to make my site secure. Actually, your post got me going on running different security scans on my site and I implemented a few changes to improve security. At the same time, I spent some time scanning cajungrocer.com and they are not very good for security. Problem is I like many of the items they sell, but they have a lot of room to improve. Here are a couple of the additions I made to my .htaccess today.

         Header always append X-Frame-Options SAMEORIGIN
         Header set X-XSS-Protection "1; mode=block"
         Header set X-Content-Type-Options nosniff

     A while back I added this

         Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

     I also set secure cookie and some other settings.
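     As an added example (not from the post and not osCommerce code), here is a small Python audit that reads a captured HTTP response header block and checks the directives the post adds, the HSTS max-age, and the Secure/HttpOnly cookie flags. The response below is constructed, not from any real server.

```python
import re

# Constructed sample: the kind of header block `curl -sI https://example.com`
# prints. Not captured from a real site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Set-Cookie: osCsid=abc123; Path=/; Secure; HttpOnly
"""

ONE_YEAR = 31536000  # the max-age value used in the post


def parse_headers(raw):
    """Return {lower-name: [values...]}; repeated headers are all kept."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Exactly one X-Frame-Options value: a merged value such as
    # "SAMEORIGIN, SAMEORIGIN" (what a duplicated header can produce) fails.
    xfo = headers.get("x-frame-options", [])
    if len(xfo) != 1 or xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing, duplicated or not DENY/SAMEORIGIN")
    if [v.lower() for v in headers.get("x-content-type-options", [])] != ["nosniff"]:
        findings.append("X-Content-Type-Options is not exactly 'nosniff'")
    hsts = headers.get("strict-transport-security", [])
    m = re.search(r"max-age=(\d+)", hsts[0]) if len(hsts) == 1 else None
    if m is None or int(m.group(1)) < ONE_YEAR:
        findings.append("Strict-Transport-Security missing or max-age under one year")
    elif "includesubdomains" not in hsts[0].lower():
        findings.append("Strict-Transport-Security lacks includeSubDomains")
    for cookie in headers.get("set-cookie", []):
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= flags:
            findings.append("cookie without Secure+HttpOnly: " + cookie.split("=")[0])
    return findings


if __name__ == "__main__":
    for finding in audit(parse_headers(SAMPLE_RESPONSE)) or ["all checks passed"]:
        print(finding)
```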
  5. credit card skimmers (in JS)

     Hey Phil, thanks for this article! I actually shop at one of the six they say is still infected, although I haven't in a while. cajungrocer.com sells, as you would guess, Cajun food and ships nationwide. Actually, they had an OSC-based site at first, then switched to a slow-ass Magento several years ago.
  6. Fake accounts

     Actually, I get his point. When I was figuring out what to use to deny these guys, I thought about the country. I only have 3 countries in my list, and the last one is Jamaica, but I very rarely sell to there. Every one of the fake accounts was using Jamaica. They put Google for company and google for tax ID, so I picked the tax ID.
  7. Paypal App - Fee

     This came up in the 1980s, mainly with gas stations as I remember. In the end, it was ruled they could discount cash sales, but not surcharge in any way someone using a credit card. I believe there is a law in the US about it. Maybe the FTC did it.
  8. Fake accounts

     Out of curiosity, do they all have Google for the company name?
  9. Fake accounts

     I see Jack's point and it's one of the reasons I use the $company_tax_id, which I already had as part of the SPPC addon. I haven't had any spammers use Apple or AT&T, but I do have legitimate customers in my database using both of those. Apple as part of a business name and not Apple the company. However, none of them have that as their $company_tax_id, so I would feel safe using it there. I don't know if it's worth adding that field to do this, but since it already exists, I'm using it. Every spammer account that I know of is using Google for company and google for tax id.
  10. When I use the test server, I use it in live mode. It acts like the normal secure2 server, but in the sandbox. I get a confirmation email and daily report just like the secure server. Someone said they had a problem with SSL also. The secure server is supposed to be https://secure2.authorize.net/gateway/transact.dll It has a 2 after secure and there are 3 instances. A.net switched to the Akamai routing network a few years ago and the link was changed. I don't know if they will keep the old one active, as they bounced back and forth on that.
  11. A new danger?

     I did some googling and found the .htaccess references and found it both ways. Did some reading on this on the cPanel forums and they recommend using Mod Security to do it. I had a brain fart there for a moment because my mod_security does have rules for bad bots. Bad bots can ignore robots.txt.
  12. A new danger?

     Zahid, you have a couple of lines like the one below where you don't have ^ before the bot name. Is this done on purpose, or accidental?

         RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
  13. You can go search through the A.net info, but here's a piece of their info on MD5. "Note that the MD5 Hash option exists for transaction responses sent by means of the Advanced Integration Method (AIM) or the Card Present (CP) implementation methods. However, these methods use Secure Sockets Layer (SSL) to ensure that the transaction response is legitimate, and so it is not as useful for AIM or CP merchants." That comes from this link, but you can find several on their developer site. https://support.authorize.net/s/article/What-is-the-MD5-Hash-Security-feature-and-how-does-it-work
  14. You can get the current cert at this link. https://github.com/AuthorizeNet/sdk-php/blob/master/lib/ssl/cert.pem I think all we have to do is remove the MD5 code. AIM never needed this in the first place. Of course, someone could contact A.net to verify. On my test account, I have removed the code and it works fine. I never used MD5.
  16. Fake accounts

     If they are using Google for the company name, then you can add the code I posted early in this thread and change company_tax_id to company and it will block all of those. I get a couple a day sometimes, but they are blocked.
  17. On my test site using my AIM module on their test server/sandbox, it works with all the MD5 code commented out of the AIM module. I never had anything entered for it and all the MD5 code was contingent on something being entered. I think the MD5 code was carried over from when Harald did the SIM module, but I'm guessing. I also downloaded their SDK for the API and have played with that a little on my test site with NetBeans. NetBeans is helpful because it parses the code and can take you right to a class or method without having to hunt for it. Since they have about 500 files in this API, NB is really helpful. I used their sample code to get it to work from my test site. I think we could reuse a lot of the AIM module code and convert it to use the API.
  18. People might want to read this post below on the A.net support forum. From what I remember the MD5 is only needed for SIM. I've been searching through all the developer info and working on the forums. It's been a long time since I poked around here. Check this link https://support.authorize.net/s/article/Do-I-need-to-upgrade-my-transaction-fingerprint-from-HMAC-MD5-to-HMAC-SHA512-and-how
  19. Hey Peter, CIM is listed as End of Life on the upgrade guide. https://developer.authorize.net/api/upgrade_guide/
  20. I won't be able to deep dive into this right now, but the AIM method is now deprecated. There's an upgrade guide. https://developer.authorize.net/api/upgrade_guide/
  21. I didn't receive anything from A.net on this. A quick read on those links talks about it for SIM and DPM. I've always left the MD5 blank but I noticed it does get a return in the debug emails. I've thought in the past that the MD5 was for SIM and DPM. We'll have to look into this more.
  22. New UPS XML Shipping Module available

     Hey Pete, I don't have the answer for this module, but look into using Google's Address Autocomplete. Burt was working on a module for this and he has it available. It solves 99% of the address problems.
  23. I don't know if anyone will have interest in this, so I won't spend a lot of time on this unless it gains traction. Anyway, I use batch print from over a decade ago and didn't realize until yesterday that the pdf class was still being maintained. Since I only sell in the US, I haven't run into many character encoding problems, but I imagine some of you do. So, the new version of Cezpdf seems to work with all the characters. It's also PHP 7.2 compliant. Even better, I was able to replace my old Cezpdf and Cpdf class files and associated files. With very little changes, it prints my invoice. The pdf manual seems pretty useful, but I haven't gone very far into it yet. The main snag I hit was using "addTextWrap", which requires a different order than before. But, it has more functionality, so I can right justify for totals, which I couldn't do before. addText also has changed. I only have a few hours into it, but check the manual out. So, I said I wouldn't ramble too much. If anyone is interested you can find it at https://github.com/rospdf/pdf-php
  24. HoneyPot Captcha

     There was a thread on this in the cPanel forums and some of the IPs will blur like that, but you won't likely have any that show Russia or Ukraine that are CA or US.
  25. AJAX Attribute Manager support

     @raiwa Seems to work with 2.9.5 with a quick test. I'll let you know if I find anything else. Thanks for all your work on this.