
osCommerce


HoneyPot Captcha


Jack_mcs


This isn't a question that should be asked in a support thread. You may want to open a new one. But I'll reply to it just this once.  If you renamed the file create_account.BAK.php, it is still usable. If it was renamed create_account.php.BAK, it wouldn't be. But there is also the possibility the Purchase Without Account addon is installed and it may use its own create account file. Or the hacker has gained access to the database, or admin if create orders is installed, and did it that way. There are probably other possibilities but without knowing more about the site, I can't say.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


  • 4 months later...

Hi there

I have been trying out the honeypot on my site and have it set up with not allowing urls.

I have tested it and if I try to use a url it is blocked

However this morning I received spam with urls in it.

I am a bit puzzled.

I wondered if you could offer any ideas as to what may be going on.

 

Doug

 


@douglaswalker The settings you mention only apply to the contact us page. If you have made the required change to the contact us page then even if the javascript code was not added to the site, it would stop those emails since the php in the code is checking the message. So it sounds like you may have missed that change.


  • 1 month later...

@Jack_mcs hey Jack, I'm trying this addon out to help reduce a number of spam accounts being created - and hoping not to have to resort to a captcha solution.

So far it hasn't helped with this specific spammer - he's skipping the new hidden field. I presume it will help prevent future spammers however......

I'm wondering if changing your code around slightly may work?

So far, every spam account created has the company name "google" - all lower case without the quotes.

Do you think adding an id=google to the company entry could work (I have no worry, Google is not my customer... lol) and if so - how could I validate that it says google?

<script type="text/javascript">
function validateMyForm(create_account) {
  var ok = check_form(create_account);
  if (! ok) return false;
  return IsSpammer();
}       
function IsSpammer() {
  if(!document.getElementById("google").value) {   // The field is empty, submit the form.
    return true;
  } else {   // the field has a value it's a spam bot
    return false;
  } 
} 
</script>

 


That wouldn't work as it is. The getElementById() function is checking this line

<input type="text" name="honeypot" id="honeypot" />

The id in that line is honeypot and your change is telling the code to look at the line that has an id of google. So if you want to make that change you would need to change the above to

<input type="text" name="honeypot" id="google" />

But I think what you want to do is check for the company so change this

  if(!document.getElementById("honeypot").value) { 
   return true;
  } 

to

  if(!document.getElementById("honeypot").value) { 
   return true;
  } 
  
  else if ((document.getElementsByName("company")[0].value) == 'google') {
      return true;
  }

I haven't tested it but I think it will do what you want.


@Jack_mcs thanks so much... so this?

function IsSpammer() {
  if(!document.getElementById("honeypot").value) {   // The field is empty, submit the form.
    return true;
  } else if ((document.getElementsByName("company")[0].value) == 'google') {
      return true;
  } else {   // the field has a value it\'s a spam bot
    return false;
  } 
} 

 


On 12/14/2018 at 9:12 PM, Jack_mcs said:

Yes, that's correct.

Can't quite get this working Jack

Sorry to bug you for any more assistance - here is the HTML for the Company Name

    <div class="form-group">
      <label for="inputCompany" class="control-label col-sm-4">Company Name</label>
      <div class="col-sm-8">
        <input type="text" name="company" id="inputCompany" placeholder="Company Name" class="form-control" /><!-- BOF Separate Pricing Per Customer: field for tax id number
		<!-- EOF Separate Pricing Per Customer: field for tax id number -->
		
      </div>
    </div>

And the IsSpammer function, I'm not sure... but it's still validating the form with or without the company name being "google". For the value I've tried both "google" and \'google\'.

function IsSpammer() {
  if(!document.getElementById("honeypot").value) {   // The field is empty, submit the form.
    return true;
  }   else if ((document.getElementsByName("company")[0].value) == \'google\') {
      return true;
  } else {   // the field has a value it\'s a spam bot
    return false;
  } 
} 

 


The return value is wrong. Change

}   else if ((document.getElementsByName("company")[0].value) == \'google\') {
      return true;

to

}   else if ((document.getElementsByName("company")[0].value) == \'google\') {
      return false;

 


On 12/17/2018 at 11:36 AM, Jack_mcs said:

The return value is wrong. Change


}   else if ((document.getElementsByName("company")[0].value) == \'google\') {
      return true;

to


}   else if ((document.getElementsByName("company")[0].value) == \'google\') {
      return false;

 

Wow, this spammer just won't go away.... I'm not sure you can help me any more @Jack_mcs

I'm currently trying to use the pattern variable with a negative regex on the company input to validate the form - it works when I test it:

pattern="^(?!google$).*"

But he is still able to get around it - or at least able to create the account. Looking at Track Delivery in cPanel the email is still going out and being received.


I don't think that is a good approach to the problem. Even if you get it to work, he might decide to start using Bing as a company and that will break the script.

In the latest version of View Counter (not released), I record the person's IP when an account is created. Then if that IP is used to create another account and if the time between the two is too small, as decided by a setting, the account is denied and the IP is emailed to the shop owner in case he wants to ban that IP. I've run across this problem many times before and, in my experience, the only thing that is consistent each time is the IP.


@Jack_mcs thanks again Jack, this is going off topic for your support thread... Mods, please feel free to move this to its own discussion.

Yes, the bot is clearly not using a "browser" anyway to input the values so using a regex HTML5 form to validate is, as you suggest, not a good idea.

I deliver the site via Cloudflare, so I'm a little surprised they can even get to the site - almost every Proxy IP I've tried from eastern EU lands on Cloudflare's reCaptcha2 page.

SOOO, what I have succeeded in doing so far is pissing the spammer off! They've gone from creating 2-4 accounts per day to 2-4 accounts per hour.

Good news, on the create account page I use GEO targeting to enter the Country by IP - so (I think) I'm getting an accurate country for each account.

I'm now using htaccess (with Cloudflare's CF-IPCountry) to block large areas of the world like:


SetEnvIf CF-IPCountry RU BuzzOff=1
SetEnvIf CF-IPCountry TR BuzzOff=1
SetEnvIf CF-IPCountry FR BuzzOff=1
SetEnvIf CF-IPCountry KE BuzzOff=1
SetEnvIf CF-IPCountry MO BuzzOff=1
SetEnvIf CF-IPCountry NL BuzzOff=1
SetEnvIf CF-IPCountry HU BuzzOff=1
SetEnvIf CF-IPCountry MN BuzzOff=1
SetEnvIf CF-IPCountry FR BuzzOff=1
SetEnvIf CF-IPCountry ZA BuzzOff=1
Order allow,deny
Allow from all
Deny from env=BuzzOff 

So far so good.... I add a new country every time they create an account....

99.8% of our business is from Canada and USA - so no worries really..... but would like to think this is temporary.


There was a thread on this in the Cpanel forums and some of the ips will blur like that but you won't likely have any that show Russia or Ukraine that are CA or US. 


On ‎12‎/‎24‎/‎2018 at 11:03 AM, mcbsolutions said:

any spammer using gmail.com

The following code will block any emails from gmail but if you truly mean to block "any spammer" from gmail, I don't think that is possible since spam can be a simple message saying "hello". But to block all emails from gmail, find

if (!tep_validate_email($email_address)) {

and change it to

$fail = (strpos($email_address, 'gmail') !== false ? true : false);
if ($fail || !tep_validate_email($email_address)) {

 


A new version has been uploaded with these changes:

  • Changed the url search code to only look at the protocol and to check for named protocols.
  • Changed the position of the error variable to make it global for the contact us page for pre-2.3 shops.
  • Removed global option search that could fail in some cases.

The first change is an important one because Russian spammers are starting to use the TLD рф. There will probably be more to follow as the use of such TLDs increases. The change to the code makes it so TLDs are ignored, so any URL should be caught now. Please report any emails that get through with URLs.


  • 3 weeks later...

Recently installed this, and it has blocked most of the URLs coming through; the ones it did not stop just had the domain name in.

e.g. instead of something like https://www.oscommerce.com they would just put oscommerce.com 

Phoenix support now at https://phoenixcart.org/forum/
App created for phoenix
TinyMCE editor for admin

 


I thought I had tested that possibility but maybe not. But to be clear, the blocking of url's only occurs on the contact us page. If that is where the email was submitted, please show the actual contents of the email so I can test it here. You can change the domain name if you like.


one message was in Russian (i think) with the email at the end in the same format as above
the other two had Hey Look what we possess in the service of you!, then some other text then end with the url.

I have noticed since installing this on Thursday afternoon that the spammers have changed from having the http://www. part in, to removing it (could just be different spammers)

only had three so far.

I sent a PM with the actual emails in them


Thanks for that. I tried it here and it got through as you said. I'll change the code to fix that in the next version.

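The thread makes three points about the contact-us check that are worth seeing together in server-side code: the check has to live in PHP because the bots never run the page's JavaScript (Jack's reply to Doug, and greasemonkey's observation that the bot is not using a browser), a bot can simply skip the hidden field rather than fill it (greasemonkey's first post), and URL detection must catch messages that carry only a bare domain such as oscommerce.com or a Unicode TLD such as .рф (the two later bug reports). The following is an added example written for this page; it is not the HoneyPot Captcha addon's own code. It assumes the hidden input is named honeypot and is rendered in the form HTML (so every real browser submits it, empty), that the message field is named enquiry, and that PHP's PCRE was built with Unicode support. The sample submissions at the bottom are constructed, modelled on the messages quoted in the thread.

```php
<?php
// Added example (not the HoneyPot Captcha addon's own code). Assumed field
// names: 'honeypot' for the hidden input and 'enquiry' for the message body.
// Assumes the honeypot input is part of the rendered HTML, so every real
// browser submits it (empty), and that PCRE has Unicode (\p{..}) support.
declare(strict_types=1);

// Schemes treated as URLs: the http/https cases from the thread plus other
// named protocols a spammer may use. Extend to taste.
const URL_SCHEMES = ['http', 'https', 'ftp', 'ftps', 'sftp', 'mailto', 'tel', 'skype', 'tg'];

/**
 * True when $text contains something that reads as a link: "scheme://host",
 * "mailto:x", "www.host", or a bare domain such as "oscommerce.com". Labels
 * and TLDs are matched with \p{L}/\p{N} instead of a TLD list, so a Unicode
 * TLD such as .рф is caught without maintaining that list.
 */
function contains_url(string $text): bool
{
    $schemes  = implode('|', array_map('preg_quote', URL_SCHEMES));
    $patterns = [
        // explicit scheme, with or without "//"
        '~\b(?:' . $schemes . '):(?://)?\S+~iu',
        // "www." followed by a host
        '~(?<![\w.])www\.[\p{L}\p{N}-]+(?:\.[\p{L}\p{N}-]+)*\.\p{L}{2,}~iu',
        // bare domain: one or more labels, then a TLD of 2+ letters. Must not
        // start inside a word or right after "@" (an e-mail address is not a
        // URL) and must not run on into more letters or digits.
        '~(?<![\p{L}\p{N}@._-])(?:[\p{L}\p{N}](?:[\p{L}\p{N}-]*[\p{L}\p{N}])?\.)+\p{L}{2,}(?![\p{L}\p{N}])~u',
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $text) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Evaluate a contact-form POST on the server. Client-side JavaScript never
 * runs for a bot that posts straight to the form handler, so this is the
 * check that counts. Returns the reasons the submission looks automated; an
 * empty array means accept.
 */
function contact_spam_reasons(array $post, bool $block_urls = true): array
{
    $reasons = [];
    if (!array_key_exists('honeypot', $post)) {
        // A bot that posts only the fields it knows about skips the honeypot;
        // a browser submits every text input in the form, even when empty.
        $reasons[] = 'honeypot field missing';
    } elseif (trim((string) $post['honeypot']) !== '') {
        $reasons[] = 'honeypot field filled in';
    }
    if ($block_urls && contains_url((string) ($post['enquiry'] ?? ''))) {
        $reasons[] = 'message contains a URL';
    }
    return $reasons;
}

// Constructed submissions: one customer and the bypasses reported in the thread.
$samples = [
    'customer'      => ['honeypot' => '', 'enquiry' => 'Hi, is the blue one in stock? Thanks, Doug'],
    'bare domain'   => ['honeypot' => '', 'enquiry' => 'Hey look what we possess for you: oscommerce.com'],
    'cyrillic tld'  => ['honeypot' => '', 'enquiry' => 'Смотрите пример.рф'],
    'skipped field' => ['enquiry' => 'Buy now at https://www.example.com'],
];
foreach ($samples as $label => $post) {
    $reasons = contact_spam_reasons($post);
    printf("%-14s %s\n", $label, $reasons ? implode('; ', $reasons) : 'accept');
}
```

The bare-domain pattern is a heuristic: a sentence with a missing space after a full stop ("Mr.Smith") also matches, which is tolerable on a contact form but would need a TLD allow-list if false positives matter. Treating a missing honeypot field as spam only works while the field is in the page's HTML; if a site injects it with JavaScript, browsers with scripts disabled would be rejected too.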

A new version has been uploaded with these changes:

  • Added option to block account creation based on the number of accounts and/or time accounts added.
  • Added back some of the url checking removed in the last update to catch stragglers.
  • Removed the PWA code in the create account page for pre-2.3 shops since it did not apply to this addon.

This version aims to prevent the account creation of many accounts by scripts. There are two ways it does that.

First, you can set a count for how many accounts may be created. So if it is set to 2, each customer can only create 2 accounts. If your site has legitimate customers that need more accounts, then don't use this setting or set it higher.

Second, the code records the IP of the account creator as well as the time the account was created. If another create account is attempted by that IP in the time entered in the settings, the account won't be created.

Both of the above can be used together or alone.

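The two limits described in the release notes above (a maximum number of accounts per IP, and a minimum interval between two creations from the same IP, usable together or alone), together with Jack's earlier remark that the IP is the one consistent signal, depend on knowing the real visitor IP. On a shop served through Cloudflare, as greasemonkey's is, REMOTE_ADDR is a Cloudflare address and the real client is in the CF-Connecting-IP header; but that header, like the CF-IPCountry header used in the .htaccess rules earlier in the thread, is only meaningful when the request really came through Cloudflare. A bot that reaches the origin directly can set either header to whatever it likes and sidestep both the throttle and the country block. The following is an added example written for this page, not code from the HoneyPot Captcha or View Counter addons. It assumes PHP 7.1 or later; the proxy range and the creation log are constructed placeholders (a shop would load Cloudflare's published ranges and read the log from a database table).

```php
<?php
// Added example (not the HoneyPot Captcha or View Counter addon's own code).
// Assumes PHP >= 7.1. The proxy range and log records below are constructed
// placeholders: a shop would load Cloudflare's published IP ranges and keep
// the creation log in a database table.
declare(strict_types=1);

/** True when $ip lies inside $cidr ("198.51.100.0/24", "2001:db8::/32" or a bare address). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ip_bin  = @inet_pton($ip);
    $net_bin = @inet_pton($net);
    if ($ip_bin === false || $net_bin === false || strlen($ip_bin) !== strlen($net_bin)) {
        return false;                      // unparsable, or IPv4 compared with IPv6
    }
    $len  = strlen($ip_bin) * 8;
    $bits = $bits === null ? $len : (int) $bits;
    if ($bits < 0 || $bits > $len) {
        return false;
    }
    $full = intdiv($bits, 8);              // whole bytes that must match exactly
    if (substr($ip_bin, 0, $full) !== substr($net_bin, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;                      // leading bits of the next byte
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ip_bin[$full]) & $mask) === (ord($net_bin[$full]) & $mask);
}

function from_trusted_proxy(array $server, array $proxy_cidrs): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($proxy_cidrs as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Visitor IP and country. The CF-Connecting-IP and CF-IPCountry headers are
 * honoured only when the TCP peer is a known proxy address; otherwise the
 * headers are client-controlled and are ignored.
 */
function visitor(array $server, array $proxy_cidrs): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!from_trusted_proxy($server, $proxy_cidrs)) {
        return ['ip' => $peer, 'country' => null];
    }
    $ip = $server['HTTP_CF_CONNECTING_IP'] ?? $peer;
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $ip = $peer;                       // malformed header: fall back to the peer
    }
    return ['ip' => $ip, 'country' => $server['HTTP_CF_IPCOUNTRY'] ?? null];
}

/**
 * Account-creation throttle. $log holds ['ip' => ..., 'time' => unix seconds]
 * records of earlier creations. Either limit may be null (disabled), so the
 * two can be used together or alone.
 */
function account_creation_allowed(string $ip, array $log, int $now, ?int $max_accounts, ?int $min_interval): bool
{
    $count = 0;
    $last  = null;
    foreach ($log as $rec) {
        if ($rec['ip'] !== $ip) {
            continue;
        }
        $count++;
        $last = $last === null ? $rec['time'] : max($last, $rec['time']);
    }
    if ($max_accounts !== null && $count >= $max_accounts) {
        return false;                      // this IP has already used its quota
    }
    if ($min_interval !== null && $last !== null && $now - $last < $min_interval) {
        return false;                      // too soon after the previous account
    }
    return true;
}

// Constructed demonstration data.
$proxies = ['198.51.100.0/24'];           // placeholder for Cloudflare's published ranges
$via_cf  = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '203.0.113.9', 'HTTP_CF_IPCOUNTRY' => 'RU'];
$direct  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_CF_CONNECTING_IP' => '192.0.2.1',   'HTTP_CF_IPCOUNTRY' => 'CA'];
$log     = [['ip' => '203.0.113.9', 'time' => 1545000000], ['ip' => '203.0.113.9', 'time' => 1545000600]];

var_dump(visitor($via_cf, $proxies));     // header honoured: real client and country
var_dump(visitor($direct, $proxies));     // origin hit directly: spoofed headers ignored
var_dump(account_creation_allowed('203.0.113.9', $log, 1545000900, 2, 3600));    // quota of 2 already used
var_dump(account_creation_allowed('203.0.113.9', $log, 1545000900, null, 3600)); // only 300 s since the last one
var_dump(account_creation_allowed('203.0.113.9', $log, 1545090000, null, 3600)); // a day later, interval satisfied
```

The same peer check is what makes the CF-IPCountry .htaccess rules safe: either restrict the origin's firewall to Cloudflare's ranges so direct requests never arrive, or treat the header as untrusted when REMOTE_ADDR is not a Cloudflare address. Per-IP limits also punish legitimate customers behind a shared NAT, which is why the addon leaves both limits configurable rather than fixed.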
