HoneyPot Captcha


Jack_mcs


43 minutes ago, Jack_mcs said:

Please give it a try and let me know if it doesn't work.

It seems to have worked BUT I didn't try any hacker things except for http://www.google.com as the email on the page where it asks for the email address.

The code sent a password reset email - and I was able to reset the password.

Thanks.  I just didn't know IF it was necessary to do anything besides adding the include(s).  It looked like it may be necessary.

Thanks again.

BJ


1 hour ago, tonymazz said:

In reviewing this I noticed a define missing in the languages

define('FORM_REQUIRED_INPUT', 'Enter Total Here');

That definition was added in the Frozen version. If you are using an older version of oscommerce, it probably should be removed from the honeypot code. In the display module, find this

	  tep_draw_input_field("security_check", NULL, "required aria-required=\"true\" id=\"captchaAnswer\"") .
	  FORM_REQUIRED_INPUT . '

and change to

	  tep_draw_input_field("security_check", NULL, "required aria-required=\"true\" id=\"captchaAnswer\"") . '

 

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


1 hour ago, puggybelle said:

Where is MODULE_HEADER_TAGS_HONEYPOT_CREATE_ACCOUNT_SECURITY_FAILURE defined?  I can't find it.

It isn't defined. I will fix it in the next version. For now, just replace

MODULE_HEADER_TAGS_HONEYPOT_CREATE_ACCOUNT_SECURITY_FAILURE

with

'some text here'

Be sure to use the apostrophes as shown.


1 hour ago, Chadduck said:

Thanks.  I just didn't know IF it was necessary to do anything besides adding the include(s).  It looked like it may be necessary.

I'll rewrite the code in the next version. For now, if it causes problems then don't use it for that page.


16 minutes ago, Jack_mcs said:

If you are using an older version of oscommerce, it probably should be removed from the honeypot code.

Thank you.

I am having an issue with my tests, allowing incorrect math sum to still create accounts. When the field is left empty, one cannot continue however any answer will allow the account creation. Any idea what I may be missing? Thanks again...

Tony Mazz


I am using the latest Honey pot on Frozen. I am now getting many fake accounts purportedly from Afghanistan which are following a set pattern of operations.

  1. The account is created by populating every field in create account with a string of random letters and presumably their email address.

  2. They log off and then go through the password reset procedure.

  3. They then use the contact us page to send another random string of letters.

  4. Often, but not always I then get a Mail delivery failed message from my host which is the password reset email bouncing back. The action recorder shows two entries for the reset, one with a tick and one with a cross just 1 second apart, then the contact us, which is either from the account just created or 0 in the brackets if the email bounced.


 

Just a suggestion. Would it be possible use this behaviour to get Honeypot to look for this password resetting immediately after account creation and either blocking the IP or alerting the store owner?

Live shop Phoenix 1.0.8.4 on PHP 7.4 Working my way up the versions.
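The check suggested in the post above (a password reset immediately after account creation, then use of the contact form) can be sketched as follows. This is an added example and not part of the HoneyPot addon; the array keys, module labels and the 10-minute window are assumptions, and all rows are constructed sample data.

```php
<?php
// Added example: not the HoneyPot addon's code. Field names, module labels
// and the 10-minute window are assumptions; all rows are constructed.

const RESET_WINDOW = 600; // seconds after signup that still counts as "immediately"

function flagSignupThenReset(array $accounts, array $actions, int $window = RESET_WINDOW): array
{
    $flagged = [];
    foreach ($accounts as $acct) {
        $created = strtotime($acct['created']);
        $firstReset = null;

        // Pass 1: earliest password-reset entry for this customer inside the window.
        foreach ($actions as $row) {
            $t = strtotime($row['date']);
            if ($row['module'] === 'reset_password'
                && (int) $row['user_id'] === (int) $acct['id']
                && $t >= $created && $t - $created <= $window
                && ($firstReset === null || $t < $firstReset)) {
                $firstReset = $t;
            }
        }
        if ($firstReset === null) {
            continue; // no reset right after signup: not this pattern
        }

        // Pass 2: contact-form use after the reset. User id 0 is accepted too,
        // because the post reports 0 in the log when the reset mail bounced.
        $contact = false;
        foreach ($actions as $row) {
            $t = strtotime($row['date']);
            if ($row['module'] === 'contact_us'
                && in_array((int) $row['user_id'], [(int) $acct['id'], 0], true)
                && $t >= $firstReset && $t - $firstReset <= $window) {
                $contact = true;
            }
        }
        $flagged[] = [
            'customer_id'       => (int) $acct['id'],
            'seconds_to_reset'  => $firstReset - $created,
            'contact_form_used' => $contact,
        ];
    }
    return $flagged;
}

// Constructed sample data: customer 101 follows the reported pattern, 102 does not.
$accounts = [
    ['id' => 101, 'created' => '2021-03-01 10:00:00'],
    ['id' => 102, 'created' => '2021-03-01 11:00:00'],
];
$actions = [
    ['module' => 'reset_password', 'user_id' => 101, 'success' => 1, 'date' => '2021-03-01 10:01:30'],
    ['module' => 'reset_password', 'user_id' => 101, 'success' => 0, 'date' => '2021-03-01 10:01:31'],
    ['module' => 'contact_us',     'user_id' => 0,   'success' => 1, 'date' => '2021-03-01 10:02:10'],
    ['module' => 'reset_password', 'user_id' => 102, 'success' => 1, 'date' => '2021-03-04 09:00:00'],
];
foreach (flagSignupThenReset($accounts, $actions) as $hit) {
    printf("customer %d: reset %ds after signup, contact form used: %s\n",
        $hit['customer_id'], $hit['seconds_to_reset'], $hit['contact_form_used'] ? 'yes' : 'no');
}
```

A guest contact-form entry (user id 0) is only a weak corroborating signal, since it is matched by time alone; the signup-then-reset timing is what flags the account.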


@mhsuffolk I'm seeing the same here on my shop.  They must be switching off java in the browser, and selecting the first country in the list.  My site should only accept UK postcodes, but with Java off they can enter any character string.  I just block their IP.  They are usually from a bad IP source! check on projecthoneypot.org.

I don't use Honeypot Captcha, but have been considering it, and if your suggestion can be incorporated that would be good.

osC CE live - developing osC Phoenix adding modules with no core changes(awesome and easy!)


2 hours ago, mhsuffolk said:

The account is created by populating every field in create account with a string of random letters and presumably their email address.

They should never get past this point, assuming you have the telephone and/or fax fields showing. The Honey Pot code checks for letters in those fields and will stop the creation if found. Also, be sure you have the option to create account check option enable or all other account checks will be ignored.


@Jack_mcs @mhsuffolk & @Mikepo We are getting about 15 to 20 of these 'create account' per day. Assorted letters in both upper and lower case with random lengths. The email addresses are 98% legit, so that means that our system is sending Welcome Spam, nice.

The phone number field is a string of numbers and appear to be legit looking. I have the fax field disabled.

I have been watching these sign-ups for a common thread that could be used to block registration. They are picking the first country listed. Maybe that country could be a country that you don't ship to and then block that registration. 

I also noticed that the Post Code is always a string of random letters (upper and lower case), but no numbers. This could definitely be a source for blocking since I am unaware of any countries we ship to that are all letters.

The ip's switch so blocking the IP is an exercise in futility. I have seen a different country for each sign-up. 

 

Tony Mazz
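The field patterns reported in the posts above (letters in the telephone field, postcodes made only of letters, and UK postcode rules that stop being enforced when browser scripting is switched off) can all be checked on the server, where the client cannot skip them. This is an added example and not the HoneyPot addon's code; the form field names and the simplified UK postcode pattern are assumptions, and the sample submissions are constructed.

```php
<?php
// Added example, not the HoneyPot addon's code. Form field names and the
// simplified UK postcode pattern are assumptions; submissions are constructed.

const UK_POSTCODE = '/^[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}$/i';

function signupRejectReasons(array $post, bool $ukOnly = false): array
{
    $reasons  = [];
    $phone    = trim($post['telephone'] ?? '');
    $postcode = trim($post['postcode'] ?? '');

    // Letters in a phone number: the kind of check the thread says the addon applies.
    if (preg_match('/[a-z]/i', $phone)) {
        $reasons[] = 'telephone contains letters';
    }
    // Letters-only postcode: the pattern reported for the fake signups.
    // Assumes every destination the shop serves uses digits in its postcodes.
    if ($postcode !== '' && !preg_match('/[0-9]/', $postcode)) {
        $reasons[] = 'postcode has no digits';
    }
    // Repeat on the server what the browser-side script was meant to enforce.
    if ($ukOnly && !preg_match(UK_POSTCODE, $postcode)) {
        $reasons[] = 'postcode is not in UK format';
    }
    return $reasons;
}

// Constructed submissions: one shaped like the reported bot signups, one genuine.
$samples = [
    'bot-like' => ['telephone' => '5551234567',    'postcode' => 'qWkZpLrTx'],
    'genuine'  => ['telephone' => '020 7946 0000', 'postcode' => 'SW1A 1AA'],
];
foreach ($samples as $label => $post) {
    $reasons = signupRejectReasons($post, true);
    printf("%-8s %s\n", $label, $reasons ? 'REJECT: ' . implode('; ', $reasons) : 'accept');
}
```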


11 minutes ago, tonymazz said:

The phone number field is a string of numbers and appear to be legit looking. I have the fax field disabled.

As mentioned in the instructions, please post the details of an account that was created along with your HP settings. Otherwise, I am just blindly guessing.

 

12 minutes ago, tonymazz said:

The ip's switch so blocking the IP is an exercise in futility. I have seen a different country for each sign-up. 

I don't understand what you mean by this since the release version of HP doesn't have an option to block IP's. You have to do that manually.


Few more points:

  1. We have honeypot installed (Math Captcha = False) and create account is still happening.
  2. I am not seeing the Password Reset events as @mhsuffolk has outlined. Not yet, anyway.
  3. They are spending about 90 seconds on average with 4 clicks, last one resulting in create_account.
  4. I created a new create_account.php and renamed it site wide including in filenames.php; within the hour the bot or ? figured out the new page, which confirms it is not coming right in to the create_account.php page. It seems to come in on a product page and then go to 'create account' without adding anything to the cart

Tony Mazz


3 minutes ago, Jack_mcs said:

I don't understand what you mean by this since the release version of HP doesn't have an option to block IP's. You have to do that manually.

Nothing to do with HP, I see the IP's in my whosOnline. I started blocking those offenders in htaccess but quickly discovered that they changed with each visit to the site.

Tony Mazz


one question to the dev's and users.

Does google's reCaptchaV2 or even reCaptchaV3 not prevent current registration issue's, or contact_us?
Use it, does not prevent you from storing milancious [ sorry for not phrase the word correctly] users/ip's.
Honeypot concepts are outdated and widely covered in reCaptcha.
What is the extra?

I just wonder.

Edited by cables24h

5 minutes ago, cables24h said:

Does google's reCaptchaV2 or even reCaptchaV3 not prevent current registration issue's, or contact_us?

I have tried reCaptcha and have had many real customers complain about it. With my own reCaptcha experiences, I must admit it is difficult to determine a storefront or traffic sign etc. It can be a real 'turn off' when registering at a site to make a purchase. I prefer to make our signup experience as hurdle and trouble free as possible.

ReCaptcha2 did not prevent these signups, btw. 

Tony Mazz


12 minutes ago, tonymazz said:

Nothing to do with HP, i see the IP's in my whosOnline. I started blocking those offenders in htaccess but quickly discovered that they changed with each visit to the site.

OK. When you have the details I mentioned please post them here and I will take a look.


10 minutes ago, cables24h said:

Honeypot concepts are outdated and widely covered in reCaptcha.

You are confusing Honeypot concepts with this addon. They are very different.


17 hours ago, tonymazz said:

I have tried reCaptcha and have had many real customers complain about it

Put a list what they complain about.
I am curious.

 

17 hours ago, Jack_mcs said:

You are confusing Honeypot concepts with this addon. They are very different.

No i not.
You just register who logs.
It is a stupid concept.
It is already proven they go around of it.
They detect it.

 

Why not join blacklist program with this honeypot?
For me it is a crap......... sorry.
I respect the effort.

 

But you see hackers/script kiddy's still able to go around of it.
That is why i say......... it not work.
It is not that you are under attack, but when.

 

I yield here................ i might someday come up with something.
But for now.............. better ask why someone choose your website to "spam".
I think there it starts and where it should end.
The answer is simple...........
The option is given.

 

How a bot going to know:
https://somesite.com/pageid=rtuui9eutuie987598759500w3409q208i3oeuwjudjfiuieufuiijufijrij4f
That is to register?
Never going to happen.
Your page for google not care.
To them you can give the correct url (SEF) and it will be listed as it.

The bot KNOW where to look for.
- register(.php,NET)
- login(.php.NET, *whatever extension)

 

It is all blablabla............. it is just a script what looks for stuff.
Common................. do i really need to explain all this?

If 3 times crawled a website on server side and NOT know what BOT it is.................. it should already be blacklisted.
HECK........... first time should be enough.
I rest my case here.

 

I might go for a GUARDIAN
First i block country i never would sell to anyway.
Then i check a blacklist of ip's what is shared worldwide.
And then i might go protect my forms.


In my experience, Blacklisting is not the complete answer either. I forgot to mention that some of the IPs used are being spoofed as Bing, Google, PayPal etc. You really do not want the bot to automatically get important IPs blocked out. One time we even had our own server's IP blocked. I since whitelisted those IPs in CSF, however that gives the spoofers a wide open ticket when they use a whitelisted IP.

I did do one thing that helped a good bit. In CSF I blocked CC's. In our case we blocked RU, CN, Ukraine. Again this will not help block them if they are spoofing. And this puts a lot of stress on many servers. The list of CIDR's is quite lengthy. I run dedicated servers so the overhead is not as noticeable as it could be on a shared, cloud or other.

cables24h, you may want to look at the bad_behavior add-on which automatically blocks IPs via htaccess. It works well, but again if they spoof an important IP for your store, it can be detrimental. I use it, although modded for our needs to prevent certain header requests, user agents and to help block the IPs that are initiating script injections.

 'better ask why someone choose your website to "spam"'. - If you are lucky enough to have a successful site, with high ranking, you will eventually get sniffed out by the spambots and scriptkitties. They will find you; especially when you advertise on FB, Google and Bing which brings even more notice to our sites. Another reason: Competitors or BlackHat will sometimes do things like this to cause havoc. These signups create spam to a legit email address. Enough spam reports will get you on the RBL; once there, it takes a lot of effort and time to get removed. Until then an ISP like AOL will block your domain from sending anyone with an aol account any emails.

So, Unintended consequences is a real concern for us: if you make it too tight you will either block or alienate your legitimate clients. I try hard to prevent this. 

I post this info in an effort to corroborate, not insult. I believe there needs to be many approaches to this issue and there is always going to be a workaround by the other side. A constantly evolving problem.

@Jack_mcs I will post the details of the next signup. I delete them on the fly so I do not have one at the moment. Any hour though, unfortunately. Thanks again for your work on this project. And all of the others too!

 

Tony Mazz
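For visitors that present themselves as Google or Bing, as described in the post above, a forward-confirmed reverse DNS lookup tests the claim per request instead of trusting a whitelist. This is an added example, not code from the thread or from any addon; the injected resolvers and the sample addresses (documentation ranges) are constructed so that it runs offline.

```php
<?php
// Added example, not from the thread or any addon. Resolver injection and the
// sample addresses (RFC 5737 documentation ranges) are constructed for the demo.

const CRAWLER_SUFFIXES = ['.googlebot.com', '.google.com', '.search.msn.com'];

function isVerifiedCrawler(string $ip, ?callable $ptr = null, ?callable $fwd = null): bool
{
    $ptr = $ptr ?? 'gethostbyaddr';  // reverse lookup: IP -> hostname
    $fwd = $fwd ?? 'gethostbynamel'; // forward lookup: hostname -> IPv4 list (IPv4 only)

    $host = $ptr($ip);
    if (!is_string($host) || $host === $ip) {
        return false; // no usable PTR record
    }
    $host = strtolower(rtrim($host, '.'));

    // Step 1: the PTR name must sit under a domain the crawler operator uses.
    $known = false;
    foreach (CRAWLER_SUFFIXES as $suffix) {
        if (substr($host, -strlen($suffix)) === $suffix) {
            $known = true;
            break;
        }
    }
    if (!$known) {
        return false;
    }

    // Step 2: the name must resolve back to the same IP. Whoever controls an
    // address block sets its PTR record, so step 1 alone proves nothing.
    $addrs = $fwd($host);
    return is_array($addrs) && in_array($ip, $addrs, true);
}

// Constructed stand-ins for DNS answers.
$ptrTable = [
    '192.0.2.10'   => 'crawl-192-0-2-10.googlebot.com', // PTR and A record agree
    '203.0.113.5'  => 'crawl-203-0-113-5.googlebot.com', // forged PTR, A record disagrees
    '198.51.100.7' => 'host7.example.net',               // unrelated host
];
$aTable = [
    'crawl-192-0-2-10.googlebot.com'  => ['192.0.2.10'],
    'crawl-203-0-113-5.googlebot.com' => ['192.0.2.99'],
];
$ptr = function (string $ip) use ($ptrTable) { return $ptrTable[$ip] ?? $ip; };
$fwd = function (string $host) use ($aTable) { return $aTable[$host] ?? false; };

foreach (array_keys($ptrTable) as $ip) {
    printf("%-13s %s\n", $ip,
        isVerifiedCrawler($ip, $ptr, $fwd) ? 'verified crawler' : 'treat as ordinary visitor');
}
```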


1 hour ago, cables24h said:

No i not.
You just register who logs.
It is a stupid concept.
It is already proven they go around of it.
They detect it.

Based on this, it is obvious you haven't looked at the code. But giving you the benefit of the doubt, please post how someone can override php code. If they are able to do that, then much of the Internet is broken.


15 hours ago, Jack_mcs said:

Based on this, it is obvious you haven't looked at the code. But giving you the benefit of the doubt, please post how someone can override php code. If they are able to do that, then much of the Internet is broken.

Why people who using the code, post it is override?
How is that happen?
The technique is known by the bots.
So are the pages where they fire on.

There is the real prob, it is an invitation.

Keep in mind..........
i RESPECT the effort.
But when a company like google that have millions to spend.............
Let it go in your mind.
I not say ,one cannot be unique.

 

Let i go be honest, i spend years with these kind of user cases.
At the end it is how wide you want to open your website.

If a shop/website focus purely on registration, it is the only page to focus on.
 

If a shop "open" a page like "contact_us.php" or "tell_a_friend.php" , or any form that open doors for spam, it should be taken in consideration a potential security risk.

It is MUCH MUCH easier to GRANT access to these type of forms when the user is actually is registered.
Like i say.......... it is an open invitation.

 

16 hours ago, tonymazz said:

You really do not want the bot to automatically get important IPs blocked out.

Do they register?
Do they use the contact forms?
"Bing", "Google". "etc"..........
Seriously?
Your own server????????????
You kidding me?

 

The WHOLE thing here is about WHO you ALLOW to POST.
That's it, nothing more, nothing less.
Whatever security you put.
If the one is not listed, he's able to post.
If you mark them, their changes for a second time is reduced.

That's the whole concept.

 

Still i not got answer:
 

17 hours ago, tonymazz said:

I have tried reCaptcha and have had many real customers complain about it.

What is the complain?
Do they complain about your security measures?

So............ you want to secure.
If you secure ( for them and you), you get complaining.

You could say to them it is for both interests.........no?
The whole world already figure that "the Internet" is not a safe haven.

What kind of conservative minds still believe that?
Naive.

Not for a reason the "BIG" guys use 2 or even 3- way authentication systems.
- first IP
- second DEVICE, bound in some cases
- 3th , fingerprint, facial recognition.

These are the ultimate security measures, and wow.................. now there's a HoneyPot ( this is old age security, it just not going to work).
Again............. i RESPECT the effort.
Just let it go.

But i like the trust worthy peep.
Even the ones who code for these.
 

But at the end it is all BS.
Sorry to be that harsh.

 

99% of oscommerce "FAKE" user registrations can be eliminated just by a simple "account registration confirmation email".

osCommerce currently INSTANT activates your account , once register..

Could that not solve many of the problems?

Just thinking ..............
Let me know!

Edited by cables24h

3 minutes ago, cables24h said:

Could that not solve many of the problems?

No, it makes it worse.  Because then they sign up for the account just to get the

Quote

in the confirmation email.  And it makes it harder for people to actually buy. 

You know how Amazon.com confirms a shipping address?  They ask you to enter your credit card number.  Once you've entered it, you can simply reuse it for the same shipping address.  Similarly, osCommerce authenticates via purchases.  If you put in valid payment information, then clearly your account is valid. 

Social networks have to use confirmation emails because they don't take payment.  But it's clearly an inferior method to checking payment information.  There's lots of work on fraud in payments. 

Always back up before making changes.


So much lost souls (here).
Completely out of reality.
I wait for the first person saying using the internet affect global warming.
It might not be said here............. i not doubt it is mentioned somewhere else.

It might just go take some ............. 
To who i talking?
The mixture of just some peep who own a shop.......... a mixture of someone who is just likes coding? ( for sure talented in some way)

But there is a real lack of thinking going on here............
There are billion worth company's DOING what is been discussed here.
I think should know your position in it.

my 5cents for today.

( hey........... i do not have to bring good news)
 
