René H4

Fake accounts


Look at the contact form. Do the same thing inside account.

In the contact form, before the error === false, you must find the code,
and at the end, before the redirection, you will find another code.

Same thing in account:

before error === false, include the same code and change contact to account;

before the redirection, same thing, include the code.

Don't forget to enable the module.

Test: if success, cool; if not, you made a mistake.



Regards
-----------------------------------------
Loïc

Contact me by skype for business
Contact me @gyakutsuki for an answer on the forum

 


The code you must integrate: just change the element in the function (contact_us)

    // Rate-limit check: the ar_contact_us module is keyed on the customer id (when logged in) and the name
    $actionRecorder = new actionRecorder('ar_contact_us', (tep_session_is_registered('customer_id') ? $customer_id : null), $name);
    if (!$actionRecorder->canPerform()) {
      $error = true;

      // log the refused attempt so it shows in the admin action recorder
      $actionRecorder->record(false);

      $messageStack->add('contact', sprintf(ERROR_ACTION_RECORDER, (defined('MODULE_ACTION_RECORDER_CONTACT_US_EMAIL_MINUTES') ? (int)MODULE_ACTION_RECORDER_CONTACT_US_EMAIL_MINUTES : 15)));
    }

    if ($error == false) {
....
      // log the successful attempt, then redirect
      $actionRecorder->record();

      tep_redirect(tep_href_link('contact_us.php', 'action=success'));

and

 



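The post above describes carrying the contact_us.php rate limiter over to create_account.php but stops short of the full pieces. The block below is an added example, not code from this thread and not part of osCommerce: a hypothetical ar_create_account action recorder module written to the shape of the stock ar_contact_us module as I understand it (code/title/description properties, canPerform(), check(), install(), remove(), keys()), plus the two hook positions in create_account.php. The module name, the MODULE_ACTION_RECORDER_CREATE_ACCOUNT_* configuration keys, their default values and the language-file constants are all my own choices, and the block gathers three file locations into one listing.

```php
<?php
// Added example (hypothetical ar_create_account module), not osCommerce code.

// --- includes/languages/english/modules/action_recorder/ar_create_account.php
// (the actionRecorder class includes this file before the module itself)
define('MODULE_ACTION_RECORDER_CREATE_ACCOUNT_TITLE', 'Create Account');
define('MODULE_ACTION_RECORDER_CREATE_ACCOUNT_DESCRIPTION', 'Limit how many accounts one IP address can create in a given time.');

// --- includes/modules/action_recorder/ar_create_account.php
class ar_create_account {
  var $code = 'ar_create_account';
  var $title;
  var $description;
  var $minutes;
  var $attempts;
  var $enabled = true;
  var $sort_order;

  function ar_create_account() {
    $this->title = MODULE_ACTION_RECORDER_CREATE_ACCOUNT_TITLE;
    $this->description = MODULE_ACTION_RECORDER_CREATE_ACCOUNT_DESCRIPTION;

    if (defined('MODULE_ACTION_RECORDER_CREATE_ACCOUNT_MINUTES')) {
      $this->minutes = (int)MODULE_ACTION_RECORDER_CREATE_ACCOUNT_MINUTES;
      $this->attempts = (int)MODULE_ACTION_RECORDER_CREATE_ACCOUNT_ATTEMPTS;
      $this->sort_order = MODULE_ACTION_RECORDER_CREATE_ACCOUNT_SORT_ORDER;
    }
  }

  // A visitor registering has no customer_id yet, so the only identifier the
  // recorder can key on is the client IP. That is the limit of this approach:
  // a bot that changes IP on every attempt never accumulates $attempts hits.
  function canPerform($user_id, $user_name, $identifier = '') {
    if (empty($identifier)) {
      $identifier = tep_get_ip_address();
      if (!tep_validate_ip_address($identifier)) {
        return false; // fail closed on an unusable address
      }
    }

    $check_query = tep_db_query("select count(*) as total from " . TABLE_ACTION_RECORDER . " where module = '" . tep_db_input($this->code) . "' and identifier = '" . tep_db_input($identifier) . "' and date_added >= date_sub(now(), interval " . (int)$this->minutes . " minute)");
    $check = tep_db_fetch_array($check_query);

    return ($check['total'] < $this->attempts);
  }

  function check() {
    return defined('MODULE_ACTION_RECORDER_CREATE_ACCOUNT_SORT_ORDER');
  }

  function install() {
    tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Minutes', 'MODULE_ACTION_RECORDER_CREATE_ACCOUNT_MINUTES', '60', 'Length of the time window in minutes.', '6', '0', now())");
    tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Attempts', 'MODULE_ACTION_RECORDER_CREATE_ACCOUNT_ATTEMPTS', '3', 'Accounts one IP address may create inside the window.', '6', '0', now())");
    tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Sort Order', 'MODULE_ACTION_RECORDER_CREATE_ACCOUNT_SORT_ORDER', '0', 'Sort order of display. Lowest is displayed first.', '6', '0', now())");
  }

  function remove() {
    tep_db_query("delete from " . TABLE_CONFIGURATION . " where configuration_key in ('" . implode("', '", $this->keys()) . "')");
  }

  function keys() {
    return array('MODULE_ACTION_RECORDER_CREATE_ACCOUNT_MINUTES', 'MODULE_ACTION_RECORDER_CREATE_ACCOUNT_ATTEMPTS', 'MODULE_ACTION_RECORDER_CREATE_ACCOUNT_SORT_ORDER');
  }
}

// --- create_account.php: the two positions the post describes for contact_us.php.
// First position, with the other field checks, before the "$error == false" test:
$actionRecorder = new actionRecorder('ar_create_account', null, $email_address);
if (!$actionRecorder->canPerform()) {
  $error = true;
  $actionRecorder->record(false); // keep the refused attempt in the admin log
  // ERROR_ACTION_RECORDER is the stock constant contact_us.php uses; its wording
  // talks about e-mail, so a store may prefer to define its own text here
  $messageStack->add('create_account', sprintf(ERROR_ACTION_RECORDER, (defined('MODULE_ACTION_RECORDER_CREATE_ACCOUNT_MINUTES') ? (int)MODULE_ACTION_RECORDER_CREATE_ACCOUNT_MINUTES : 60)));
}
// Second position: inside "if ($error == false) { ... }", after the stock code
// has inserted the customer row and just before its redirect, add
//   $actionRecorder->record();
```

The module only becomes active once it is installed under Modules > Action Recorder in admin, which is what "Don't forget to enable the module" refers to; without it the stock actionRecorder class lets every submission through.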

Sorry, but action recorder will kill all potential customers even if you won't use JavaScript page data validation before submits...
But I have read a very simple and good idea here:

Why don't you rename fields? It's very simple and promising.
20 fake hidden fields will close out the robots for life.

1 hour ago, tothcom said:

Sorry, but action recorder will kill all potential customers even if you won't use JavaScript page data validation before submits...

What do you mean by this Gergely?  Won't you just limit how frequently one can access that page if you set up an action recorder module for it?

Dan

 


In contact us and other core implementations, action recorder uses the customer id and/or user name to identify a user and store his uses of the form / submit action / login action in admin, etc.

When a visitor tries to create an account, only the content of the input fields could be used and compared to existing registries.

A hacker/malicious user/bot will change all data from attempt to attempt.

What data is left to register and compare: the visitor's IP.

But any hacker/malicious user will be able to change his IP from attempt to attempt. So no comparable data for action recorder is available.

Am I missing something?

19 minutes ago, raiwa said:

In contact us and other core implementations, action recorder uses the customer id and/or user name to identify a user and store his uses of the form / submit action / login action in admin, etc.

When a visitor tries to create an account, only the content of the input fields could be used and compared to existing registries.

A hacker/malicious user/bot will change all data from attempt to attempt.

What data is left to register and compare: the visitor's IP.

But any hacker/malicious user will be able to change his IP from attempt to attempt. So no comparable data for action recorder is available.

Am I missing something?

If that's what they are doing, you are spot on as usual, Rainer. The ones I've seen on my site were only changing, as I recall, the email address, but if everything is being changed I see the problem.

Dan


I've had a few of these in the last month with some different names, but they enter Google for company and google for company tax id each time. I know company tax id isn't stock code, but I added this to block spammers and I can add more to it if I need. Most regular customers don't enter a tax id, but only spammers enter google for it. I also have it send me an email to notify me it's happened so I can track it.

//Added to block spammers
    // Trap field: real customers almost never fill company_tax_id (an SPPC add-on field); the spammers put "google" in it
    if (strtolower($company_tax_id) == 'google') {
      $error = true;

      // Generic message for the visitor; the detail goes to the store owner below
      $messageStack->add('create_account', "You have triggered spamming prevention rules.  If your info is correct and you are not a spammer please contact us or try again.");

      $spam_email_text = "Spammer Alert: " . $firstname . " " . $lastname . " Using company name: " . $company . " with tax id: " . $company_tax_id . " triggered spam alert.";
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'Spammer Alert:', $spam_email_text, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
    }
//END Added to block spammers

 


I'm not really a dog.

4 hours ago, Gyakutsuki said:

 before the error === false, you must find the code

 

3 hours ago, Gyakutsuki said:

 if ($error == false) {

== and === are two different things. Which did you mean to use? == (and !=) is simple equality (inequality) with type conversion if necessary (0 and false match), while === (and !==) must also have the type match (0 and false do not match).


$error === false is used with a boolean.



52 minutes ago, John W said:

I've had a few of these in the last month with some different names, but they enter Google for company and google for company tax id each time. I know company tax id isn't stock code, but I added this to block spammers and I can add more to it if I need. Most regular customers don't enter a tax id, but only spammers enter google for it.

"False flag" fields are a common tool for spambot detection, but be careful if you use it -- a real customer might enter "N/A" or something else, fearing that it's needed. Some recommend that you make that field and its prompt invisible in some manner, but then it's still "seen" by a screen reader and even a sighted user might tab to it and wonder what's going on. So, like anything else in life, such fields are not foolproof (i.e., they may snag some legitimate customers). Spammers that use real people to do the signup may not be fooled at all.

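Two ideas in this thread fit together: the fake hidden fields suggested earlier, and the warning just above that such a field can snag a real customer who tabs into it or hears it through a screen reader. The block below is an added example, not code from this thread and not part of osCommerce, showing one honeypot field for create_account.php with those accessibility points handled. The field name website_url, the wrapper CSS and the helper function names are my own choices; the $error, $messageStack and tep_mail() usage follows the pattern John W posted.

```php
<?php
// Added example: a honeypot ("false flag") field for create_account.php.
// Not osCommerce code; field name, CSS and helper names are my own.

// 1. Markup for the create_account form, placed among the real inputs. The field
//    is a normal text input hidden by CSS rather than type="hidden", because a
//    crude bot fills every text input it finds but leaves hidden ones alone.
//    tabindex="-1" keeps keyboard users from tabbing into it, aria-hidden="true"
//    keeps screen readers from announcing it, autocomplete="off" stops browsers
//    from auto-filling it for a real customer, and the label says what to do
//    in case it is ever seen anyway.
function honeypot_field_html() {
  return '<div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden;" aria-hidden="true">'
       . '<label for="website_url">Leave this field empty</label>'
       . '<input type="text" id="website_url" name="website_url" value="" tabindex="-1" autocomplete="off">'
       . '</div>';
}

// 2. Server-side test: a submission that put anything in the trap is treated as
//    automated. Whitespace-only is ignored so a stray space cannot snag a person.
function honeypot_triggered($post_vars) {
  return isset($post_vars['website_url']) && trim($post_vars['website_url']) !== '';
}

// 3. Hook in create_account.php, next to the other field checks (John W put his
//    block after the is_numeric($country) check). The visitor only gets a
//    generic message; the detail goes to the store owner so false positives can
//    be spotted, the same pattern John W uses.
if (honeypot_triggered($_POST)) {
  $error = true;

  $messageStack->add('create_account', 'You have triggered spam prevention rules. If your information is correct, please contact us.');

  $submitted_email = isset($_POST['email_address']) ? tep_db_prepare_input($_POST['email_address']) : '';
  $alert_text = 'Honeypot field filled on create_account from IP ' . tep_get_ip_address()
              . ' using e-mail address ' . $submitted_email;
  tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'BOT Spammer Alert!', $alert_text, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
}
```

The owner e-mail is what makes this safe to run: every trigger is visible, so a real customer caught by the trap can be spotted and contacted. Renaming the field now and then keeps a bot that has been tuned to one store's form from learning to skip it, which is the point behind the earlier suggestion to rename fields.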

This is a field I use, but it has to have google entered into it for it to trigger.  I tested it pretty well, but one of the reasons I'm having it send me an email is so I know when it's being triggered.  This way I can look for false positives.  At first, I thought about using the company entry to look for Google since only spammers have entered it.   I'm also only giving the message stack a generic error message.  I got the idea for an email to me from the payment modules that send debug emails.

They also are using Jamaica as the country but entering city, states and zip codes.  So, a catch looking for Jamaica with a zip code could be used, especially since I don't ship there. 


13 hours ago, John W said:

I've had a few of these in the last month with some different names, but they enter Google for company and google for company tax id each time. I know company tax id isn't stock code, but I added this to block spammers and I can add more to it if I need. Most regular customers don't enter a tax id, but only spammers enter google for it. I also have it send me an email to notify me it's happened so I can track it.


//Added to block spammers
    // Trap field: real customers almost never fill company_tax_id (an SPPC add-on field); the spammers put "google" in it
    if (strtolower($company_tax_id) == 'google') {
      $error = true;

      // Generic message for the visitor; the detail goes to the store owner below
      $messageStack->add('create_account', "You have triggered spamming prevention rules.  If your info is correct and you are not a spammer please contact us or try again.");

      $spam_email_text = "Spammer Alert: " . $firstname . " " . $lastname . " Using company name: " . $company . " with tax id: " . $company_tax_id . " triggered spam alert.";
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'Spammer Alert:', $spam_email_text, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
    }
//END Added to block spammers

 

SPOT ON! 

I think this will work for me also.

It looks like an easy fix, which (up to now) will stop all my fake account creations.....

 


@honda4

Just to be sure you are aware: the entry for company_tax_id isn't in stock OSC, but is part of the SPPC addon.


2 minutes ago, John W said:

@honda4

Just to be sure you are aware: the entry for company_tax_id isn't in stock OSC, but is part of the SPPC addon.

John, I get that. I have just patched the create_account.php file with your code, made some minor changes to it (like check on "company") and it works for now.

Thanks for the input, this is by far the best solution for this moment.

Until the BOTs come up with other things, of course... 🙂

 


I get the code but don't know where to place it in the create_account.php file. I stuck it where it seemed appropriate (2 different places, one at a time for testing) but it no worky. So any guidance would be appreciated.


In addition:

1. Rename the file create_account.php

2. In application_top.php, rename tep_session_name -> myNameSid

My practice.

11 hours ago, videod said:

I get the code but don't know where to place it in the create_account.php file. I stuck it where it seemed appropriate (2 different places, one at a time for testing) but it no worky. So any guidance would be appreciated.

Which code are you talking about?  If it's what I posted, you have to have SPPC installed for that field to be in create_account.  I put my block after the lines below and it's worked perfectly without any false positives.

    if (is_numeric($country) == false) {
      $error = true;

      $messageStack->add('create_account', ENTRY_COUNTRY_ERROR);
    }

 


3 hours ago, John W said:

Which code are you talking about?  If it's what I posted, you have to have SPPC installed for that field to be in create_account.  I put my block after the lines below and it's worked perfectly without any false positives.


    if (is_numeric($country) == false) {
      $error = true;

      $messageStack->add('create_account', ENTRY_COUNTRY_ERROR);
    }

 

Yeah that code.  I revised it since I don't use SPPC.  I put it where you said to and it works like a charm!! Thank you very very much!!

8 hours ago, ruden said:

In addition:

1. Rename the file create_account.php

2. In application_top.php, rename tep_session_name -> myNameSid

My practice.

Thank you that will definitely be part of my best practices from now on.  Makes good sense.  Thank you!!


I have this in my create_account.php for 5-minute emails and bad spam domains. Maybe this could be done as a module also? I think the original contribution was from oscbooks.com back then..

    // BANNED EMAILS
    // Assume the address is fine unless a banned domain matches below
    $good_email = "yes";

    // One banned domain per line, e.g. mailinator.com (the '@' is prepended here)
    $emails = file(DIR_WS_INCLUDES . 'emails-banned.txt');
    for ($i=0, $n=sizeof($emails); $i<$n; $i++) {
        if (tep_not_null($emails[$i])) {
            $emaildomain = '@' . trim($emails[$i]);
            if (is_integer(strpos(strtolower($email_address), $emaildomain))) {
                $good_email = "no";
                break;
            }
        }
    }

    // Email Whitelist: a match here overrides the ban list
    $emails = file(DIR_WS_INCLUDES . 'emails-whitelisted.txt');
    for ($i=0, $n=sizeof($emails); $i<$n; $i++) {
        if (tep_not_null($emails[$i])) {
            if (is_integer(strpos(strtolower($email_address), trim($emails[$i])))) {
                $good_email = "yes";
                break;
            }
        }
    }

    if ($good_email == "no") {
        $error = true;

        $messageStack->add('create_account', ENTRY_EMAIL_NOT_ALLOWED_ERROR);
    }
    // BANNED EMAIL EOF

 


 

 

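The list check above searches the whole address for the substring "@domain", so banning mail.ru would also reject user@mail.ru.example, and a whitelist entry matches anywhere in the string. The block below is an added example, not the poster's code and not part of osCommerce: it compares the exact domain part of the address (and its parent domains) against each list. The file names are the post's own; the function names are my construction, and whitelist entries are treated here as domains rather than full addresses.

```php
<?php
// Added example: exact-domain matching for the banned / whitelisted e-mail lists.
// Not osCommerce code; function names are my own.

// Read one list file into lower-cased domains, skipping blank lines and '#' comments.
// A leading '@' in an entry is tolerated so either list format works.
function load_domain_list($path) {
  if (!is_readable($path)) {
    return array();
  }
  $domains = array();
  foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
    $line = strtolower(trim($line));
    if ($line === '' || $line[0] === '#') {
      continue;
    }
    $domains[] = ltrim($line, '@');
  }
  return $domains;
}

// True when $domain equals an entry or sits under it (sub.example.com under example.com).
// A suffix test on ".entry" cannot match a different domain that merely contains the text.
function domain_matches($domain, $list) {
  foreach ($list as $entry) {
    $suffix = '.' . $entry;
    if ($domain === $entry || substr($domain, -strlen($suffix)) === $suffix) {
      return true;
    }
  }
  return false;
}

// Returns "yes" / "no" like the post's $good_email; a whitelist hit overrides the ban list.
// An address without '@' is left for the stock tep_validate_email() check to report.
function email_allowed($email_address, $banned, $whitelisted) {
  $at = strrpos($email_address, '@');
  if ($at === false) {
    return "yes";
  }
  $domain = strtolower(substr($email_address, $at + 1));
  if (domain_matches($domain, $whitelisted)) {
    return "yes";
  }
  if (domain_matches($domain, $banned)) {
    return "no";
  }
  return "yes";
}

// Replacement for the two loops in create_account.php:
$good_email = email_allowed($email_address,
                            load_domain_list(DIR_WS_INCLUDES . 'emails-banned.txt'),
                            load_domain_list(DIR_WS_INCLUDES . 'emails-whitelisted.txt'));
if ($good_email == "no") {
  $error = true;
  $messageStack->add('create_account', ENTRY_EMAIL_NOT_ALLOWED_ERROR);
}
```

Because the lists are read with is_readable() guarding the call, a missing file simply yields an empty list instead of a warning, and the check degrades to "allow" rather than blocking every registration.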

@honda4 Could you post the altered script you added that was based on John's code, and where you placed it. It may then help others.


REMEMBER BACKUP, BACKUP AND BACKUP

Get the latest Responsive osCommerce CE (community edition) here

It's very easy to over complicate what are simple things in life


Sure, all credits go to @John W:

On line 57 find:

    $error = false;

Right after that I added:

//Added to block spammers A
    // Same trap as John W's, but on the stock "company" field since SPPC is not installed here
    if (strtolower($company) == 'google') {
      $error = true;
      $messageStack->add('create_account', "You have triggered spamming prevention rules.  If your info is correct and you are not a spammer please contact us or try again.");
      $spam_email_text = "Spammer Alert: <b>" . $firstname . " " . $lastname . "</b> Using company name <b> " . $company . "</b> triggered spam alert.";
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'BOT Spammer Alert!', $spam_email_text, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
    }
//END Added to block spammers A

 

That's it.

No more fake account creations, and somehow the e-mails of them trying to have also stopped.

Looks like they see that it doesn't work.

 

 

 
