honda4

Fake accounts

Look at the contact form and do the same thing inside the account page.

In the contact form, before the $error === false check, you will find the code,
and at the end, before the redirection, you will find another piece of code.

Same thing in the account page:

before $error === false, include the same code and change "contact" to "account";

before the redirection, include the code in the same way.

Don't forget to enable the module.

Test: if it succeeds, cool; if not, you made a mistake.



Regards
-----------------------------------------
Loïc

Contact me by skype for business
Contact me @gyakutsuki for an answer on the forum

Tuto for 2.4 :
- How to Display a new page with app
- How to make Header Tags under app APP
- How to make a bootstrap modal with external element

The code you must integrate: just change the contact_us element in the function.

    // Throttle check: the ar_contact_us module is given the customer id (when
    // logged in) and the submitted name, and decides whether this visitor may
    // submit the form again within the configured window
    $actionRecorder = new actionRecorder('ar_contact_us', (tep_session_is_registered('customer_id') ? $customer_id : null), $name);
    if (!$actionRecorder->canPerform()) {
      $error = true;

      // log the refused attempt
      $actionRecorder->record(false);

      $messageStack->add('contact', sprintf(ERROR_ACTION_RECORDER, (defined('MODULE_ACTION_RECORDER_CONTACT_US_EMAIL_MINUTES') ? (int)MODULE_ACTION_RECORDER_CONTACT_US_EMAIL_MINUTES : 15)));
    }

    if ($error == false) {
      // ... (the form is processed here)

      // log the successful submit before leaving the page
      $actionRecorder->record();

      tep_redirect(tep_href_link('contact_us.php', 'action=success'));
    }

and

 




Sorry, but the action recorder will kill all potential customers, even if you don't use JavaScript page data validation before submitting...
But I have read a very simple and good idea here:

Why don't you rename the fields? It's very simple and promising.
20 fake hidden fields will shut the robots out for life.

1 hour ago, tothcom said:

Sorry, but the action recorder will kill all potential customers, even if you don't use JavaScript page data validation before submitting...

What do you mean by this, Gergely? Won't you just limit how frequently one can access that page if you set up an action recorder module for it?

Dan

 


Action recorder, in contact us and other core implementations, uses the customer id and/or user name to identify a user and stores his uses of the form/submit action/login action in admin etc.

When a visitor tries to create an account, only the content of the input fields could be used and compared to existing registries.

A hacker/malicious user/bot will change all data from attempt to attempt.

What data is left to register and compare: the visitor's IP.

But any hacker/malicious user will be able to change his IP from attempt to attempt. So no comparable data for action recorder is available.

Do I miss something?

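To make the point about identifiers concrete, here is an added example (not osCommerce code and not from any poster in this thread): a small in-memory model of an action-recorder style throttle, run over constructed signup attempts and keyed first on the submitted e-mail, then on the client IP, then on the IP's /24. The Throttle class, its canPerform() semantics, the attempt data and the three-per-fifteen-minutes limit are this example's own assumptions.

```php
<?php
// Added example (not osCommerce code): an in-memory model of an
// action-recorder style throttle, to show that the key it stores
// decides what it can catch. Throttle, canPerform() and the data below
// are this example's own assumptions.

class Throttle {
    private $maxRequests;
    private $windowSeconds;
    private $attempts = array();   // identifier => list of attempt times

    public function __construct($maxRequests, $windowSeconds) {
        $this->maxRequests   = $maxRequests;
        $this->windowSeconds = $windowSeconds;
    }

    // True while fewer than $maxRequests attempts by $identifier fall inside
    // the window. The attempt is recorded either way, because a refused
    // attempt is also written down (record(false) in the thread's snippet).
    public function canPerform($identifier, $now) {
        $recent = array();
        if (isset($this->attempts[$identifier])) {
            foreach ($this->attempts[$identifier] as $t) {
                if ($t > $now - $this->windowSeconds) {
                    $recent[] = $t;
                }
            }
        }
        $allowed  = count($recent) < $this->maxRequests;
        $recent[] = $now;
        $this->attempts[$identifier] = $recent;
        return $allowed;
    }
}

// Constructed signups: a bot changes the e-mail every time; the first six
// come from one address, the next six rotate through a proxy pool.
$signups = array();
for ($i = 0; $i < 12; $i++) {
    $signups[] = array(
        't'     => 10 * $i,                          // seconds apart
        'email' => 'user' . $i . '@example.com',
        'ip'    => $i < 6 ? '198.51.100.7' : '203.0.113.' . $i,
    );
}

// Derive the throttle key from a signup; 'subnet' keeps the first three octets.
function throttle_key(array $signup, $keyField) {
    if ($keyField === 'subnet') {
        $octets = explode('.', $signup['ip']);
        return implode('.', array_slice($octets, 0, 3)) . '.0/24';
    }
    return $signup[$keyField];
}

// Run every signup through a fresh throttle and count the refusals.
function count_refused(array $signups, $keyField, $maxRequests, $windowSeconds) {
    $throttle = new Throttle($maxRequests, $windowSeconds);
    $refused  = 0;
    foreach ($signups as $s) {
        if (!$throttle->canPerform(throttle_key($s, $keyField), $s['t'])) {
            $refused++;
        }
    }
    return $refused;
}

// Three attempts per 15 minutes, the same shape as the "minutes" setting
// the contact-form module reads in the snippet posted above.
foreach (array('email', 'ip', 'subnet') as $keyField) {
    printf("keyed on %-6s: %d of %d signups refused\n",
           $keyField, count_refused($signups, $keyField, 3, 900), count($signups));
}
```

Keyed on the e-mail, nothing is ever refused, because the bot never reuses one. Keyed on the IP, the repeated address is refused once its quota is spent, while the rotating pool passes untouched. Keyed on the /24, the pool is caught as well, at the cost of lumping together unrelated customers behind the same ISP range, so a subnet key needs a generous limit and a way for a refused visitor to reach you.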
19 minutes ago, raiwa said:

Action recorder, in contact us and other core implementations, uses the customer id and/or user name to identify a user and stores his uses of the form/submit action/login action in admin etc.

When a visitor tries to create an account, only the content of the input fields could be used and compared to existing registries.

A hacker/malicious user/bot will change all data from attempt to attempt.

What data is left to register and compare: the visitor's IP.

But any hacker/malicious user will be able to change his IP from attempt to attempt. So no comparable data for action recorder is available.

Do I miss something?

If that's what they are doing, you are spot on as usual, Rainer. The ones I've seen on my site were only changing, as I recall, the email address, but if everything is being changed I see the problem.

Dan


I've had a few of these in the last month with some different names, but they enter Google for company and google for company tax id each time. I know company tax id isn't stock code, but I added this to block spammers and I can add more to it if I need. Most regular customers don't enter a tax id, but only spammers enter google for it. I also have it send me an email to notify me it's happened so I can track it.

//Added to block spammers: a tax id of "google" (any case) marks the signup as spam
    if (strtolower($company_tax_id) == 'google') {
      $error = true;

      // the visitor only gets a generic message, so the rule itself is not disclosed
      $messageStack->add('create_account', "You have triggered spam prevention rules. If your info is correct and you are not a spammer, please contact us or try again.");

      // notify the store owner so false positives can be spotted
      $spam_email_text = "Spammer Alert: " . $firstname . " " . $lastname . " using company name: " . $company . " with tax id: " . $company_tax_id . " triggered spam alert.";
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'Spammer Alert:', $spam_email_text, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
    }
//END Added to block spammers

 


I'm not really a dog.

4 hours ago, Gyakutsuki said:

 before the error === false, you must find the code

3 hours ago, Gyakutsuki said:

 if ($error == false) {

== and === are two different things. Which did you mean to use? == (and !=) is simple equality (inequality) with type conversion if necessary (0 and false match), while === (and !==) must also have the type match (0 and false do not match).


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get the latest community-supported responsive "Edge" release


$error === false is used with a boolean.



52 minutes ago, John W said:

I've had a few of these in the last month with some different names, but they enter Google for company and google for company tax id each time. I know company tax id isn't stock code, but I added this to block spammers and I can add more to it if I need. Most regular customers don't enter a tax id, but only spammers enter google for it.

"False flag" fields are a common tool for spambot detection, but be careful if you use it -- a real customer might enter "N/A" or something else, fearing that it's needed. Some recommend that you make that field and its prompt invisible in some manner, but then it's still "seen" by a screen reader and even a sighted user might tab to it and wonder what's going on. So, like anything else in life, such fields are not foolproof (i.e., they may snag some legitimate customers). Spammers that use real people to do the signup may not be fooled at all.




This is a field I use, but it has to have google entered into it for it to trigger.  I tested it pretty well, but one of the reasons I'm having it send me an email is so I know when it's being triggered.  This way I can look for false positives.  At first, I thought about using the company entry to look for Google since only spammers have entered it.   I'm also only giving the message stack a generic error message.  I got the idea for an email to me from the payment modules that send debug emails.

They also are using Jamaica as the country but entering cities, states and zip codes. So a catch looking for Jamaica with a zip code could be used, especially since I don't ship there.


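Pulling together tothcom's hidden-field idea, John W's value rules and MrPhil's screen-reader caveat, here is an added example (not code from the thread or from osCommerce) of a signup spam check: a trap field whose name is issued per session and hidden from real users and assistive technology, a timing floor, and the "google" tax id and Jamaica-with-postcode rules. Function names, field names, the three-second floor and the $session array standing in for $_SESSION are this example's own assumptions; in create_account.php the returned reason would drive the same $error = true, generic $messageStack message and tep_mail() alert as John W's check.

```php
<?php
// Added example (not from the thread or from osCommerce): a signup spam
// check that combines a hidden trap field with the value rules John W
// describes. Function names, field names and the 3-second floor are this
// example's own assumptions; $session stands in for $_SESSION.

// Issue a trap field whose name changes per session, so a bot cannot learn
// one fixed name. It is removed from the accessibility tree (display:none,
// aria-hidden) and from the tab order, and its label tells anyone who still
// reaches it to leave it empty, which addresses the screen-reader caveat.
function trap_field_html(array &$session) {
    if (empty($session['trap_field'])) {
        $session['trap_field']  = 'f_' . bin2hex(random_bytes(8));
        $session['form_issued'] = time();
    }
    $name = htmlspecialchars($session['trap_field'], ENT_QUOTES, 'UTF-8');
    return '<div style="display:none" aria-hidden="true">'
         . '<label for="' . $name . '">Leave this field empty</label>'
         . '<input type="text" id="' . $name . '" name="' . $name . '"'
         . ' tabindex="-1" autocomplete="off" value="">'
         . '</div>';
}

// Returns null for a clean submission, otherwise a short reason for the
// shop owner's alert mail. The customer only ever gets a generic message,
// so the rules themselves are not disclosed.
function signup_spam_reason(array $post, array $session, $now = null) {
    $now  = ($now === null) ? time() : $now;
    $trap = isset($session['trap_field']) ? $session['trap_field'] : null;

    if ($trap === null) {
        return 'no session-issued form (direct POST)';
    }
    if (isset($post[$trap]) && $post[$trap] !== '') {
        return 'hidden trap field was filled';
    }
    // A form returned within seconds of being issued was not typed by hand.
    if (isset($session['form_issued']) && ($now - $session['form_issued']) < 3) {
        return 'form returned faster than a person could fill it';
    }
    $tax_id = isset($post['company_tax_id']) ? strtolower(trim($post['company_tax_id'])) : '';
    if ($tax_id === 'google') {
        return 'company tax id is "google"';
    }
    $country  = isset($post['country'])  ? strtolower(trim($post['country'])) : '';
    $postcode = isset($post['postcode']) ? trim($post['postcode']) : '';
    if ($country === 'jamaica' && $postcode !== '') {
        return 'postcode given for Jamaica';
    }
    return null;
}

// Constructed submissions against one issued form.
$session = array();
$form    = trap_field_html($session);   // would be echoed inside the signup form
$later   = $session['form_issued'] + 30;

$submissions = array(
    // a bot fills every input it finds, the trap included
    'bot'   => array($session['trap_field'] => 'http://spam.example', 'company_tax_id' => 'Google'),
    // a customer never sees the trap, so it arrives empty (or not at all)
    'human' => array($session['trap_field'] => '', 'country' => 'Germany', 'postcode' => '10115'),
);

foreach ($submissions as $who => $post) {
    $reason = signup_spam_reason($post, $session, $later);
    // In create_account.php: $error = true and a generic $messageStack
    // message for the visitor; $reason plus the posted fields go to the
    // shop owner via tep_mail(), as in the alert above.
    echo $who, ': ', ($reason === null ? 'accepted' : 'rejected (' . $reason . ')'), "\n";
}
```

The per-session field name is the part that defeats a bot which has already learned the form; the timing floor catches scripts that post the form without ever loading it. Keep the owner alert, as John W does, and review it for a while before trusting any of the value rules: a customer who types "N/A" or a real Jamaican address with a postcode is exactly the false positive MrPhil warns about.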
13 hours ago, John W said:

I've had a few of these in the last month with some different names, but they enter Google for company and google for company tax id each time. I know company tax id isn't stock code, but I added this to block spammers and I can add more to it if I need. Most regular customers don't enter a tax id, but only spammers enter google for it. I also have it send me an email to notify me it's happened so I can track it.


//Added to block spammers: a tax id of "google" (any case) marks the signup as spam
    if (strtolower($company_tax_id) == 'google') {
      $error = true;

      // the visitor only gets a generic message, so the rule itself is not disclosed
      $messageStack->add('create_account', "You have triggered spam prevention rules. If your info is correct and you are not a spammer, please contact us or try again.");

      // notify the store owner so false positives can be spotted
      $spam_email_text = "Spammer Alert: " . $firstname . " " . $lastname . " using company name: " . $company . " with tax id: " . $company_tax_id . " triggered spam alert.";
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'Spammer Alert:', $spam_email_text, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
    }
//END Added to block spammers

 

SPOT ON! 

I think this will work for me also.

It looks like an easy fix, which (up to now) will stop all my fake account creations.....

 


Not too experienced, but very willing to learn.

