tonymazz

  1. tonymazz

    HoneyPot Captcha

    @Jack_mcs & @ecartz Sorry, I mistyped. I made no core changes.
  2. tonymazz

    HoneyPot Captcha

    I found this snippet: https://gist.github.com/digvijay1985/b8015b58000acb27d663 for post code formats

        <?php
        $country_code = "US";
        $zip_postal = "11111";

        // Post code patterns per country, as given in the gist.
        // Note: the AU pattern anchors only its first and last alternatives and the
        // DE pattern uses \b word boundaries, so both can match inside a longer string.
        $ZIPREG = array(
            "US" => "^\d{5}([\-]?\d{4})?$",
            "UK" => "^(GIR|[A-Z]\d[A-Z\d]??|[A-Z]{2}\d[A-Z\d]??)[ ]??(\d[A-Z]{2})$",
            "DE" => "\b((?:0[1-46-9]\d{3})|(?:[1-357-9]\d{4})|(?:[4][0-24-9]\d{3})|(?:[6][013-9]\d{3}))\b",
            "CA" => "^([ABCEGHJKLMNPRSTVXY]\d[ABCEGHJKLMNPRSTVWXYZ])\ {0,1}(\d[ABCEGHJKLMNPRSTVWXYZ]\d)$",
            "FR" => "^(F-)?((2[A|B])|[0-9]{2})[0-9]{3}$",
            "IT" => "^(V-|I-)?[0-9]{5}$",
            "AU" => "^(0[289][0-9]{2})|([1345689][0-9]{3})|(2[0-8][0-9]{2})|(290[0-9])|(291[0-4])|(7[0-4][0-9]{2})|(7[8-9][0-9]{2})$",
            "NL" => "^[1-9][0-9]{3}\s?([a-zA-Z]{2})?$",
            "ES" => "^([1-9]{2}|[0-9][1-9]|[1-9][0-9])[0-9]{3}$",
            "DK" => "^([D-d][K-k])?( |-)?[1-9]{1}[0-9]{3}$",
            "SE" => "^(s-|S-){0,1}[0-9]{3}\s?[0-9]{2}$",
            "BE" => "^[1-9]{1}[0-9]{3}$"
        );

        // isset() avoids an undefined-key warning for countries without a pattern.
        if (isset($ZIPREG[$country_code])) {
            if (!preg_match("/" . $ZIPREG[$country_code] . "/i", $zip_postal)) {
                // Validation failed, provided zip/postal code is not valid.
            } else {
                // Validation passed, provided zip/postal code is valid.
            }
        } else {
            // Validation not available
        }
        ?>
  3. tonymazz

    HoneyPot Captcha

    I appreciate all of the input and no, I have not tried reCaptcha 3 yet. I will give that a try on one of our sites. As to the clients' complaints, I do not get it either. Although there have been times that I have become frustrated with ReCaptcha when I have to pick 3 images that match a topic like traffic lights, storefronts etc. The end result is that I realize it is for security and get on with it. It seems people are spoiled with instant purchases (i.e. PayPal, Amazon, eBay etc). I even have had a lot of clients complain about making up a password and then retyping it in, which is why we now send them a random password in the Welcome email. And yes, I do think some logic on Post Code format, as well as country/state mismatch, is a good idea for many reasons. I found these postal code patterns in HTML5 -- http://html5pattern.com/Postal_Codes to offer some initial guidance. I did mitigate this issue (for now) after the dialogue yesterday gave me an idea. Since we really do not want or need signups until a purchase or quotation is made, I removed "create_account" from all of the pages as well as the login page. Renamed the "create_account" (changed it in filenames) and now it is only offered once something is in the cart and they hit "Checkout". Perhaps this should be an option for future versions, to deploy without core code changes? A hook that would show create account (and on which pages) or not. Thanks again all!
  4. tonymazz

    HoneyPot Captcha

    My screenshot was from the admin side. We automatically send randomly generated passwords to the client via welcome email and try to collect minimal info at the time of checkout. I thought about the email confirmation email, however over 75% of our clients want to just check out. Any delay in the checkout process can result in a lost sale. So that would not work. I agree with you on this. Should any visitor even be creating an account without an actual purchase to start with? An option in admin could toggle that as an option for those that would. In our case we are not interested in people signing up for a subscription or discounts as some commerce sites do. Perhaps, on the confirmation page the client is offered the opportunity to create an account at the end of the checkout confirmation (admin can set default). So, create_account would not be offered as a standalone, automatic account creation would only occur after a bona fide purchase. And of course the admin would need to be able to create an account from admin side. I will noodle this more.
  5. tonymazz

    HoneyPot Captcha

    In my experience, Blacklisting is not the complete answer either. I forgot to mention that some of the IPs used are being spoofed as Bing, Google, PayPal etc. You really do not want the bot to automatically get important IPs blocked out. One time we even had our own server's IP blocked. I since whitelisted those IPs in CSF, however that gives the spoofers a wide open ticket when they use a whitelisted IP. I did do one thing that helped a good bit. In CSF I blocked CCs. In our case we blocked RU, CN, Ukraine. Again this will not help block them if they are spoofing. And this puts a lot of stress on many servers. The list of CIDRs is quite lengthy. I run dedicated servers so the overhead is not as noticeable as it could be on a shared, cloud or other. cables24h, you may want to look at the bad_behavior add-on which automatically blocks IPs via htaccess. It works well, but again if they spoof an important IP for your store, it can be detrimental. I use it, although modded for our needs to prevent certain header requests, user agents and to help block the IPs that are initiating script injections. 'better ask why someone choose your website to "spam"'. - If you are lucky enough to have a successful site, with high ranking, you will eventually get sniffed out by the spambots and script kiddies. They will find you; especially when you advertise on FB, Google and Bing which brings even more notice to our sites. Another reason: Competitors or BlackHat will sometimes do things like this to cause havoc. These signups create spam to a legit email address. Enough spam reports will get you on the RBL; once there, it takes a lot of effort and time to get removed. Until then an ISP like AOL will block your domain from sending anyone with an aol account any emails. So, unintended consequences are a real concern for us: if you make it too tight you will either block or alienate your legitimate clients. I try hard to prevent this.
    I post this info in an effort to corroborate, not insult. I believe there needs to be many approaches to this issue and there is always going to be a workaround by the other side. A constantly evolving problem. @Jack_mcs I will post the details of the next signup. I delete them on the fly so I do not have one at the moment. Any hour though, unfortunately. Thanks again for your work on this project. And all of the others too!
  6. tonymazz

    HoneyPot Captcha

    I have tried reCaptcha and have had many real customers complain about it. With my own reCaptcha experiences, I must admit it is difficult to determine a storefront or traffic sign etc. It can be a real 'turn off' when registering at a site to make a purchase. I prefer to make our signup experience as hurdle and trouble free as possible. ReCaptcha2 did not prevent these signups, btw.
  7. tonymazz

    HoneyPot Captcha

    Nothing to do with HP, I see the IPs in my whosOnline. I started blocking those offenders in htaccess but quickly discovered that they changed with each visit to the site.
  8. tonymazz

    HoneyPot Captcha

    Few more points: We have honeypot installed (Math Captcha = False) and create account is still happening. I am not seeing the Password Reset events as @mhsuffolk has outlined. Not yet, anyway. They are spending about 90 seconds on average with 4 clicks, last one resulting in create_account. I created a new create_account.php and renamed it site wide including in filenames.php; within the hour the bot or ? figured out the new page, which confirms it is not coming right in to the create_account.php page. It seems to come in on a product page and then go to 'create account' without adding anything to the cart.
  9. tonymazz

    HoneyPot Captcha

    @Jack_mcs, @mhsuffolk & @Mikepo We are getting about 15 to 20 of these 'create account' per day. Assorted letters in both upper and lower case with random lengths. The email addresses are 98% legit, so that means that our system is sending Welcome Spam, nice. The phone number field is a string of numbers and appears to be legit looking. I have the fax field disabled. I have been watching these sign-ups for a common thread that could be used to block registration. They are picking the first country listed. Maybe that country could be a country that you don't ship to and then block that registration. I also noticed that the Post Code is always a string of random letters (upper and lower case), but no numbers. This could definitely be a source for blocking since I am unaware of any countries we ship to that are all letters. The IPs switch so blocking the IP is an exercise in futility. I have seen a different country for each sign-up.
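
The sign-up traits described in this post (letters-only post code, first country in the list, accounts created despite the honeypot) can be combined into one server-side check. The following is an added example, not code from the poster, osCommerce or the Honeypot Captcha add-on; the field names, the ship-to list, the sample data and the verdict thresholds are all assumptions.

```php
<?php
// Added example, not osCommerce or add-on code; field names are hypothetical.
const SHIP_TO = ['US', 'CA', 'GB'];            // assumed store setting
const POSTCODE_PATTERNS = [                    // US pattern as quoted on this page
    'US' => '/^\d{5}(-?\d{4})?$/',
];

function screen_signup(array $post): array
{
    $signals  = [];
    $postcode = trim($post['postcode'] ?? '');
    $country  = strtoupper(trim($post['country'] ?? ''));
    // Post code: use the country pattern if known, else require a digit.
    $pattern = POSTCODE_PATTERNS[$country] ?? null;
    if ($pattern !== null) {
        if (!preg_match($pattern, $postcode)) {
            $signals[] = "post code is not valid for $country";
        }
    } elseif (!preg_match('/\d/', $postcode)) {
        $signals[] = 'post code contains no digits';
    }
    // Bots were seen picking the first country in the list.
    if (!in_array($country, SHIP_TO, true)) {
        $signals[] = 'country is not one the store ships to';
    }
    // Hidden honeypot input must come back empty.
    $honeypot = trim($post['hp_website'] ?? '') !== '';
    if ($honeypot) {
        $signals[] = 'honeypot field was filled in';
    }
    // One soft signal alone only flags for review, to spare real customers.
    if ($honeypot || count($signals) >= 2) {
        $verdict = 'reject';
    } else {
        $verdict = $signals ? 'review' : 'accept';
    }
    return ['verdict' => $verdict, 'signals' => $signals];
}

// Constructed sample submissions.
$samples = [
    'bot-like' => ['country' => 'AF', 'postcode' => 'qWzRtPLk'],
    'customer' => ['country' => 'US', 'postcode' => '11111-2222'],
    'typo'     => ['country' => 'US', 'postcode' => '1111'],
];
foreach ($samples as $name => $post) {
    $r = screen_signup($post);
    printf("%-9s %-7s %s\n", $name, $r['verdict'], implode('; ', $r['signals']));
}
```

With these samples the bot-like submission is rejected on two signals, the valid US address is accepted, and the mistyped ZIP is only flagged for review.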
  10. tonymazz

    HoneyPot Captcha

    Thank you. I am having an issue with my tests, allowing incorrect math sum to still create accounts. When the field is left empty, one cannot continue however any answer will allow the account creation. Any idea what I may be missing? Thanks again...
  11. tonymazz

    HoneyPot Captcha

    Hi Jack. Thank you for all of the many hours you put in to these addons!! In reviewing this I noticed a define missing in the languages define('FORM_REQUIRED_INPUT', 'Enter Total Here');
  12. If you want it to show in subcategories, either specify the cat id or use enter ALL. When adding or updating extra fields, put the desired categories id in the Category field, followed by a COMMA. The trailing COMMA is important, you need to add it after each category id even if you only write one category! If you want to have a field that will be used for all products, write "all" and nothing else. If you have subcategories, you can also put parent categories id here, the field will show up in all subcategories as well.
  13. tonymazz

    The Feedmachine Solution

    On your first issue, try this, 'price' => array('output' => 'FINAL_PRICE_WITHOUT_TAX', 'type' => 'KEYWORD') I did and I now get the exact price including special if applicable.
  14. tonymazz

    The Feedmachine Solution

    Hi! I too need assistance with Shopzilla's field limits. Your efforts are appreciated.