
This addon prevents multiple emails from being sent through the forms on the site by adding a hidden challenge. Sending
emails through the forms is a favorite thing to do by spammers.

This has traditionally been handled by Google's reCAPTCHA code but that causes too much of a challenge in many cases and can
easily frustrate your customers. This code doesn't present a challenge for the customer at all. The checking is done without
the customer even knowing it.
 
The code will work in any version of oscommerce but the instructions are just for the Community Edition and just for the
contact us page (due to time constraints).

Edited by Jack_mcs
Remove extra link


@Jack_mcs

Does this add-on require View Counter?

Malcolm

 

 

Wow, this is my 1000th post :biggrin:

Edited by ArtcoInc

If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get the latest community-supported responsive "Edge" release here


@ArtcoInc

And what an important 1000 post it was. :biggrin:

I would have expected something like "HURRAY! Post #1000!"


When you ask for help/support:

  • Always state your osCommerce version
  • If possible, list up installed add-ons
  • 3rd party templates are not supported in the forum

Latest osC: osCommerce CE (Community Edition aka. v2.3.4.1 Frozen)

 

3 hours ago, ArtcoInc said:

@Jack_mcs

Does this add-on require View Counter?

No, it doesn't. I must have clicked on something I shouldn't have when creating this thread. I have removed the mention of View Counter now. I apologize for the confusion.


This is a pretty interesting idea, Jack....good thinking. In installing it, I also noticed that the Action Recorder is implemented on the contact us page....that must also slow the bots down a lot.

Dan


Thanks, but it isn't my code. The Honeypot code has been around for years. The Action Recorder helps, as does the code in the email validate function (for newer versions of osCommerce) that limits how many email addresses can be entered at one time. I would have thought the latter was enough to stop spammers but it doesn't.

8 hours ago, Jack_mcs said:

I would have thought the latter was enough to stop spammers but it doesn't.  

I was thinking the same thing but your module makes it easy to take things a step further.   Thanks for taking the time to both develop and contribute it to the community. :thumbsup:

Dan

 


A new version has been uploaded with these changes:

  • Added a tell-a-friend file to the changed files.
  • Changed the module code to use a different function for the create account page. 

If you don't use this addon on either of those pages there's no reason to update. But if you don't and you enable it for the create account page, that page won't validate correctly.


I am running v2.3.2 and added the changes to the contact_us page and it does not seem to reject the form if the honeypot is not empty.

If I view source I do have the onsubmit="return validateMyForm();"

and

  <div style="display:none;">
  <label>Keep this field blank</label>
  <input type="text" name="honeypot" value="die bots" id="honeypot" />
  </div>

(before buttonSet)

What could I be missing?

I am not getting any errors from apache

Tom


Thomas A. Moulton, W2VY

osCommerce core developer

Support the developers!

http://www.oscommerce.com/about/team


You have to include the validateMyForm code. For newer 2.3.4 and Responsive versions of oscommerce that is done by installing the included module. For all others you have to manually add the code.


A new version has been uploaded. Since any spam email I have ever seen contained an email address and/or a url, I added options to check for those on the contact us page and to reject the submission if found. It seems unlikely that a legitimate visitor would have those in their emails but there are options to control them if you don't want to use them.


I wonder if changing the honeypot input to something like email2 would encourage spammers to fill it in.

<input type="text" name="email2" id="honeypot" />

or

<input type="text" name="email2" id="altemail" />

tom


Thomas A. Moulton, W2VY

osCommerce core developer

Support the developers!

http://www.oscommerce.com/about/team


The Honeypot input box should not be visible on the page. If it is, then there is a mistake in your installation. The whole idea with the code is that legitimate people can't fill in that box but spammers use scripts that automatically fill in all boxes so they are stopped.


Well, if you think about it from the automated spammer point of view...

They don't LOOK at the page; the BOT can READ the HTML, see excerpts below.

<script type="text/javascript">
  function validateMyForm() {
    // The field is empty, submit the form.
    if (!document.getElementById("honeypot").value) {
      return true;
    }
    // The field has a value, it's a spam bot.
    else {
      return false;
    }
  }
</script>


</div>
<div style="display:none;">
<label>Keep this field blank</label>
<input type="text" name="honeypot" id="honeypot" />
</div>

 


Thomas A. Moulton, W2VY

osCommerce core developer

Support the developers!

http://www.oscommerce.com/about/team


I don't understand your point nor why you would want to encourage spammers to fill it in but you're free to change it as you see fit.

12 minutes ago, Jack_mcs said:

I don't understand your point nor why you would want to encourage spammers to fill it in but you're free to change it as you see fit.

I'm sure Tom will clarify but I think his point is that smarter bots, or perhaps AI bots, might be programmed to recognize traps like that, where the names were so obvious, and might skip the input. An interesting point and one that might become obvious over time, i.e. you'll know about it.

Dan


Oh Yes I think we WANT to encourage them to fill it in, so we know the 'client' was not using a web browser.

But if we think of AI, the very directive that tells the browser not to display the input may tell the bot also to leave it blank.

You have to think like a Bot and look at what the bot sees! Your HTML code

It might be interesting to see how many requests it blocks.

Tom


Thomas A. Moulton, W2VY

osCommerce core developer

Support the developers!

http://www.oscommerce.com/about/team


OK, I understand your point now. I don't think the scripts would do that but it is certainly possible. It is probably worth changing the code just to eliminate that possibility. But if it's going to be done, the javascript should probably be moved to a separate file and loaded in so it doesn't display in the source.


I upgraded to the latest version with the email and url blocks, but when I try manually it works correctly, but I am getting spam with urls in it...

tom


Thomas A. Moulton, W2VY

osCommerce core developer

Support the developers!

http://www.oscommerce.com/about/team


The code only checks for urls with http or https. If those aren't included the email will get by. I may change that in a future release but it involves more than the javascript check I used. If that isn't the problem, try submitting the form yourself with a copy of the url that is getting through to see if you can duplicate the problem. If you can, please send me what fails so I can see what the problem is.

It is believed that an elevated blood glucose level is the main cause of type 2 diabetes. However, German scientists have shown that cellular resistance to insulin can be caused by an increased blood concentration of methylglyoxal (MG), a glucose metabolite. Read more at the site _a href=http://dom-lady.ru_dom-lady.ru_/a_

But if I enter that text the form is blocked.

I am starting to think that the javascript is not being executed on the server side 

If the code is assuming it will run on the client side, then it is no wonder the checks are not performed on some spammers

Maybe we should just move the checks to PHP code on the form submit action, that could NEVER fail!

Edited by w2vy

Thomas A. Moulton, W2VY

osCommerce core developer

Support the developers!

http://www.oscommerce.com/about/team
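
Added example, not part of any post in this thread and not the add-on's code: the honeypot, email and URL checks discussed above, done on the server in plain PHP so that a script posting straight to the form action without running validateMyForm() is still checked, and a URL written without http or https is still caught. The function name form_spam_reasons, its parameters and the message field name enquiry are assumptions; honeypot is the field name quoted in the thread.

```php
<?php
// Added example (not the add-on's code): server-side form checks in plain PHP.
// form_spam_reasons() and its parameters are hypothetical names.

/**
 * Return the reasons a submission looks automated; an empty array means accept.
 * $trapFields: hidden inputs a browser user never fills in ('honeypot' is the
 * name used in this thread). $messageField: assumed name of the message field.
 */
function form_spam_reasons(array $post, array $trapFields = ['honeypot'],
                           string $messageField = 'enquiry'): array
{
    $reasons = [];
    // Any value in a trap field (including an array such as honeypot[]=x)
    // means the request was not produced by a person using the rendered page.
    foreach ($trapFields as $field) {
        $value = $post[$field] ?? '';
        if (is_array($value) || trim((string) $value) !== '') {
            $reasons[] = "trap field '$field' is not empty";
        }
    }

    $message = is_string($post[$messageField] ?? null) ? $post[$messageField] : '';
    if (preg_match('~[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}~i', $message)) {
        $reasons[] = 'message contains an email address';
    }
    // URL with a scheme or www., or a bare host name such as shop.example.
    // The lookarounds keep the domain part of an email address from counting.
    $url = '~(?:https?://|www\.)\S+'
         . '|(?<![@a-z0-9._-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![a-z0-9_@])~i';
    if (preg_match($url, $message)) {
        $reasons[] = 'message contains a URL';
    }
    return $reasons;
}

// Constructed sample submissions, as a script posting directly would send them.
$samples = [
    'person'       => ['honeypot' => '', 'enquiry' => 'Is item 42 in stock?'],
    'filled trap'  => ['honeypot' => 'die bots', 'enquiry' => 'hello'],
    'bare host'    => ['honeypot' => '', 'enquiry' => 'visit shop.example/deals now'],
    'address only' => ['honeypot' => '', 'enquiry' => 'reply to first.last@mail.example'],
];
foreach ($samples as $label => $post) {
    $reasons = form_spam_reasons($post);
    echo $label, ': ', $reasons ? 'reject (' . implode('; ', $reasons) . ')' : 'accept', PHP_EOL;
}
```

The bare-host pattern also flags text where a space is missing after a full stop (for example "done.Thanks"), so the URL and email checks are best kept optional, as they are in the add-on.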


Are you able to create an account? The create an account has the javascript in it too but it also has the original javascript in it. So if javascript is failing on your site, that would fail too. Blocking via the php code would probably be better but that would require further code changes and not be what this addon was intended for.

If you updated to the latest version and are using the Responsive version of the addon, you needed to uninstall the module first, replace the files and install again. If you didn't do that, the javascript may not function correctly.

Edited by Jack_mcs


I've been thinking about this and testing some things out...

This code worked best for my needs (which were: stop spammers, use as little code as possible)

<input type="text" name="inputHP" pattern="[0]{0}" aria-describedby="atHP" hidden>
<span id="atHP" hidden>This is a Test for weeding out Spammers.  You must leave this input box totally blank.</span>

What have I missed by just using that code?

Note that I did hardcode it, if I was to spend time on it, it'd be a Hook most likely.


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest current code (community-supported responsive 2.3.4.1BS Edge) here

 


I haven't tested it but that looks like a good idea. But a second hook would be needed to add the code to check for emails and URLs, if those options were wanted. That is more in line with not changing the core code and is probably a better solution for the community edition. Actually, it might be a good addition to the stock shop. A generalized package that would protect any form in the shop by just calling a hook with the form's name, or something like that.
