
9 hours ago, Jack_mcs said:

I haven't tested it but that looks like a good idea. But a second hook would be needed to add the code to check for emails and URLs, if those options were wanted. That is more in line with not changing the core code and is probably a better solution for the community edition. Actually, it might be a good addition to the stock shop. A generalized package that would protect any form in the shop by just calling a hook with the form's name, or something like that.

I thought a bit more on it...I'm not sure how these spammers actually work (in osc)...

In (eg) wordpress I know there is a whole industry that targets drive by spamming, using software. 
Unfortunately, for a period of time over a decade ago I was a part of a similar industry :(

In other, less popular, software (eg osc) I've always assumed that someone gets paid a dollar a day to sit there all day finding forms and filling them out and submitting.

Do we think that software is being used to target (eg) the contact_us form in osc, or do we think it's software?


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest current code (community-supported responsive 2.3.4.1BS Edge) here

 

4 hours ago, burt said:

Do we think that software is being used to target (eg) the contact_us form in osc

@burt Gary I'm not certain how this is done, or if it is always done the same way, but based on the many posts I see on here and the occasional attack I've seen, I think that bots are often used to abuse these forms. I was hit twice recently via one of our out of stock add-ons and given how quickly the emails were generated it had to be accomplished using software.

In response I added Jack's honeypot contribution and noted in the process that the action recorder could help with this too. If you limit how frequently the form can be used, i.e. once every 15 minutes or once an hour or whatever, that should certainly help. If someone is legitimately using the contact us form they are not likely going to submit it more than once. That would certainly slow the bots down if they could only send one message an hour. A human would soon tire of that too. :laugh:

Dan


I don't know for sure how spamming works but I think it is probably a mixture of what you mentioned. There are some that spam to advertise and some to just cause damage and probably other reasons for others.

Based on what I've seen, as a host, most times the spammers are using scripts. In older tep_mail functions, it was possible to send hundreds of emails at a time by entering them in the to field, like to: me@aol.com, you@yahoo.com, etc. But somewhere in 2.3.4, I think, a check was added to only allow one email in that field so that stopped some of them. In fact, I don't see this happening much anymore in newer versions of oscommerce.

But spammers still send via those forms. I've seen some take the time to create an account in forms where that is required, like in writing a testimonial. In those cases, the spammer can post on the site and place a link to some site, probably full of virus code. One client had me change the code for that addon so that if someone tries to post a message containing a url, the IP is blocked. I thought about adding that to this addon, and may still.

I think given the way spamming is rampant nowadays, having built-in code to protect against it should be a basic part of all ecommerce shops.

3 hours ago, burt said:

Do we think that software is being used to target (eg) the contact_us form in osc, or do we think it's software?

This should of course read;

Do we think that software is being used to target (eg) the contact_us form in osc, or do we think it's a human?



After seeing this thread I decided to do some searching through my Apache access logs for my domain. I rarely used to get any spam through contact us but this year it's increasing. In searching through March, I found it's coming from a handful of Russian IP ranges and I definitely think it's a spambot and not human. The reason is the timing it goes through the site is 3-6 seconds. Interesting to me is that one of the IPs came through a product link each time. Some IPs tried to do a SQL injection through the search function too. I found the same IP address posting from different names and different messages over the month also. Here are the main IP ranges I've blocked today.

46.161.9.0/24 #Russian spambots blocked 3-24-18
90.188.236.0/22 #Russian spambots blocked 3-24-18
90.188.240.0/20 #Russian spambots blocked 3-24-18
109.184.128.0/17 #Russian spambots blocked 3-24-18
128.68.0.0/15  #Russian spambots blocked 3-24-18


I'm not really a dog.


Q1. Do Bots see hidden inputs?
Q2. What would be filled out in this box by a Bot?
Q3. How does the Bot then submit the form?



It did show as Firefox in my apache logs, but a couple were old versions like 32. From what I understand, they can forge that though. The speed seemed fast for humans, but not impossible. I run Mod Security, so I always figured that kept a lot of the junk out. I hardly ever used to get junk through contact us.


18 hours ago, burt said:

Q1. Do Bots see hidden inputs?
Q2. What would be filled out in this box by a Bot?
Q3. How does the Bot then submit the form?

I'm nowhere near an expert on this subject but here are my guesses:

1 - They can if they are programmed to view the source.

2 - I don't think there is a set thing they might enter. From what I understand, the scripts use a brute force approach. They try some number of combinations and if it doesn't work, they try another.

3 - Here's an interesting thread on the subject.

See this about a popular spammer script. I think the best approach to stop spam is to check what is being sent. I can't imagine why a spammer would send even a single email if it didn't contain some email address or URL. At least for the contact us page. The tell-a-friend or ask about form would have legitimate reasons for URLs.


Just a quick thanks Jack for the Honeypot add-on,

All my new Edge sites' contact us pages were being targeted by spammers. It started immediately after they went live. Typically about 10 different emails, each would send between 10-50 spam emails per contact us page per site.

The server has Spamassassin active and hosting had an active firewall for spam as well but they still got through.

I installed the Honeypot and saw an almost immediate drop in spam. It's been about a week now and for each site I'm still getting the 10 spam emails, but on each site only 1 of each is coming through.

As you can see from the action recorder only a few are getting through now, most come from Russia or Romania on my sites.

[screenshot of the action recorder log]


 


Thanks for posting your findings. I'm glad that it helped. I'm curious what is in those emails. Did they have email addresses or url's that the code didn't catch?


The IP address "46.161.9.56" on the "dog ate homework" you show is in the IP addresses I blocked in my post above. Since I blocked those 5 sets/blocks of IP addresses, I've only had one come through. I did a block for it as it was Russia and haven't had any. Seems most of these are coming from a few sets all based out of Russia and Ukraine. Using CIDR you can get a group all at once. I do this using CSF, which is only at the server level, but those blocks could be blocked other ways.


45 minutes ago, justcatering said:

They all had some silly links to iffy sites. This is a typical one.

I should have asked but do you have the option set to not allow URLs? I tried submitting a form with one of those links in the email and it was blocked. If you have the no URL option set then they must have a way of getting around the javascript.


A new version has been uploaded. The code preventing email addresses and URLs in the contact us message has been changed. The previous code would allow them through in some situations.


A new version has been uploaded with these changes:

  • Added validation checking on the contact us page via php code to prevent spammers that get by the javascript.
  • Changed the checking code in contact us for pre-2.3 shops since it would still allow sending an email if Honeypot verification failed.
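The PHP-side check described in the two posts above, as an added example that is not code from the Honeypot add-on or from osCommerce: the honeypot field and the email/URL test are repeated on the server, so a bot that never runs the page's JavaScript is still rejected. It assumes the osCommerce 2.3 contact form field names (honeypot, enquiry), the $HTTP_POST_VARS array and tep_get_ip_address(); the sample submissions at the end are constructed.

```php
<?php
// Added example, not code from the Honeypot add-on or from osCommerce.
// Server-side checks for contact_us.php: a bot that never runs the page's
// JavaScript still has to get past these. Assumed: the osCommerce 2.3 field
// names (honeypot, enquiry), the $HTTP_POST_VARS array, tep_get_ip_address().

// True when the hidden honeypot field was filled in or left out entirely.
// A browser always submits an empty text input, so a missing field means the
// client built the request itself instead of posting the rendered form.
function honeypot_tripped(array $post) {
    return !array_key_exists('honeypot', $post) || trim($post['honeypot']) !== '';
}

// True when the message carries an email address or a URL, which a contact us
// spam message almost always does. The URL pattern is deliberately broad:
// "http://example.com", "www.example.com" and "example.com/path" all match,
// while "2.5/unit" does not (the part after a dot must start with a letter).
function message_has_address_or_url($message) {
    $email = '/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i';
    $url   = '~(https?://|www\.)\S+|\b[a-z0-9-]+(\.[a-z][a-z0-9-]*)+/\S*~i';
    return preg_match($email, $message) === 1 || preg_match($url, $message) === 1;
}

// Returns null when the submission looks legitimate, otherwise a short reason
// for the server log. The visitor only ever sees the generic form error.
function contact_us_spam_reason(array $post) {
    if (honeypot_tripped($post)) {
        return 'honeypot';
    }
    $enquiry = isset($post['enquiry']) ? $post['enquiry'] : '';
    if (message_has_address_or_url($enquiry)) {
        return 'url-or-email';
    }
    return null;
}

// Where it goes in contact_us.php (assumed layout of the 2.3 "action=send"
// branch): after the existing email validation and before tep_mail().
//
//   $reason = contact_us_spam_reason($HTTP_POST_VARS);
//   if ($reason !== null) {
//     error_log('contact_us spam (' . $reason . ') from ' . tep_get_ip_address());
//     $error = true;   // form is re-displayed, nothing is mailed
//   }

// Constructed sample submissions for a quick check from the command line.
$legit = array('name' => 'Jane', 'email' => 'jane@example.net',
               'enquiry' => 'Do you ship to Canada? The price is 2.5/unit.',
               'honeypot' => '');
$bot = array('name' => 'x', 'email' => 'x@example.net',
             'enquiry' => 'Cheap meds at www.example.invalid/shop',
             'honeypot' => 'http://example.invalid');
var_dump(contact_us_spam_reason($legit));
var_dump(contact_us_spam_reason($bot));
```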

 

 


I added this to contact_us and it seems to be working. I'm trying to add this to create_account and I'm missing something. 

I tried changing ...

<?php echo tep_draw_form('create_account', tep_href_link(FILENAME_CREATE_ACCOUNT, '', 'SSL'), 'post', 'onsubmit="return check_form(create_account);"', true) . tep_draw_hidden_field('action', 'process'); ?>

to...

<?php //BEGIN HONEYPOT ?>
<?php echo tep_draw_form('create_account', tep_href_link('create_account.php', 'action=send'), 'post', ' onsubmit="return validateMyForm();" class="form-horizontal"', true); ?>
<?php //END HONEYPOT ?>

What am I missing? Store version is 2.3.4. It's clearly not the same type of change as the contact form. I'm obviously not great with php, but just trying to help a friend that is getting hammered with thousands of new fake accounts a day. Currently I have the page set as a BAK file instead of php so they can't get it. I was able to ban a few culprit IPs that I found in the log and slow it down, but there were still random fakes coming in until I changed the file extension.

Any help would be greatly appreciated.

Edited to add. I did put this code in place, but even after changing the line to verify whether it was working or not, I was still able to create test accounts.

FIND:

  <div class="buttonSet">

ADD ABOVE IT:  
  
  <?php //BEGIN HONEYPOT ?>
  <div style="display:none;">
    <label>Keep this field blank</label>
    <input type="text" name="honeypot" id="honeypot" />
  </div>
  <?php //END HONEYPOT ?> 

 


It looks like you are using the code from the contact us page and changing it for the create account page. As you've discovered, that won't work. Try changing the line you mentioned to

<?php echo tep_draw_form('create_account', tep_href_link(FILENAME_CREATE_ACCOUNT, '', 'SSL'), 'post', 'onsubmit="return validateMyForm();"', true) . tep_draw_hidden_field('action', 'process'); ?>

Also, this change won't stop fake accounts from being manually created. But if you are getting a large number created, then the spammers are probably using a script and, in that case, this change will help.


Thanks! I'll give it a shot. They are definitely using a script; there were a few hundred added in minutes until I blocked the first offending IP, then they came back with another IP a few days later.

I'm guessing I still need to keep the code above the "buttonSet" correct?


I swapped in the code above and the form works now, but when I swap in the "verify" code, I can still create test accounts. If I switch the display value to inline I can see the box with "some text" in it, but it still lets me make accounts. :(

<input type="text" name="honeypot" value="some text" id="honeypot" />

 


It is probably because the required javascript code is not present. If this shop has the ability to install modules in admin, then you need to install the Honeypot one in admin->Modules->Header Tags. If it doesn't, you need to add the code shown below to the file. Please note that the code shown is only for the create account page. There is code needed for the contact us page but it is different. You can search the included files in MS2 directory of the package to find the needed changes. They all are surrounded by begin and end honeypot statements.

<script>
 // Honeypot check for the create account form. The form's onsubmit calls
 // validateMyForm() with no argument, so look the form up by name when the
 // parameter is missing; otherwise check_form() receives undefined, throws,
 // and the browser submits the form anyway.
 function validateMyForm(create_account) {
  var form = create_account || document.forms['create_account'];
  var ok = check_form(form); // osCommerce's own required-field validation

  if (! ok) return false;

  var honeypot = document.getElementById("honeypot");

  // The field is empty (a real visitor never sees it), submit the form.
  if (!honeypot || !honeypot.value) {
   return true;
  }
  // the field has a value, it's a spam bot: do not submit
  else {
   return false;
  }
 }
</script>

 


I'm about to admit defeat. I admittedly don't know much about PHP, and just help a guy that knows nothing, by copying and pasting repairs and adding modules for him as needed.

The module has been installed in header tags since I installed and got it working for the contact us page. Create account page is selected from the list in that module. I have tried adding the above script code in multiple places within the file: top of the code, bottom of the code, including above and below the changed line that adds the validateMyForm, inside the honeypot containers of the code added above buttonSet.

As soon as I change the file from .BAK back to .php the site starts getting hammered with fake accounts again. I can't turn it back on again for long enough to test it myself; if I refresh the admin page I see all the new accounts within minutes. I can see them hitting it in the server logs too while that file extension is changed, but it returns an error because the file doesn't exist. I have banned about 20 ranges of IPs but since there are literally millions of those it's unreasonable and I can't even stay on top of it.

I might just have to try to find an "I'm not a robot" module and get it installed, gotta be better than what's happening now. I wanted to try this because it seemed like a better solution, but it has me defeated. And oddly enough, even with the new user module turned off, and the create account misnamed, some guy from Switzerland was able to create an account yesterday and place an order. How can that happen? Guest ordering is off. If you add something to the cart, the way it is now with new user turned off, it asks you to login. You don't need to have an account to checkout through paypal but I don't think it can create an account that way. Is there some kind of back door, or something I don't have turned on/off?

 


There are either two or three code changes required for the create account page for this to work, depending upon your version of oscommerce. Those changes are unique to the create account page. You can't mix and match the code from another page. There is a completed create account page included in the package. You can use a compare program like WinMerge to compare it with yours and search in that compare for "honeypot" to find the relevant sections. If you can't figure it out from that, please post your create account file here and I will take a look. Please post it as an attached zip file so as not to add needlessly to this thread's length.

I don't understand what you are asking about the customer from Switzerland being able to create an account. This addon has nothing to do with who can create an account.


Sorry, I'm not getting reply notification emails from this thread for some reason. I was able to get a recaptcha add-on working and it has solved the immediate problem.

The reason I was asking about the person creating an account is because to stop the fake accounts I literally broke the create account page by renaming it to create_account.BAK and turning off the new user module, and somehow he still created an account and placed an order. If I went to the page it gave a 404 error, rightfully so because technically the page didn't exist, so I'm not sure how he was able to create an account.

I'll go through the included files and do a compare when I have some more time to put towards the problem. Thanks for the help that you gave, it at least tells me where to look for a solution.
