René H4

Fake accounts

Here's a handy page where one can generate all the IPs from certain countries in order to deny them using the .htaccess in the root publicHTML directory.

 

https://www.ip2location.com/free/visitor-blocker

The list can change monthly, they say, so it should be updated regularly. Attached are three files with the IPs for Russian Federation, Ukraine, and Romania.

Godspeed!

cidr-42ad401531138b251c776d4a9828caf2.txt

cidr-4aa923a7c7b7b7a7b89b93619d5d023d.txt

cidr-d930123d5118f7c9667ade610b0f7a20.txt


That will work but the number of IPs you need to enter, especially if it is for more than one country, causes the .htaccess file to be quite large. And since that file has to be loaded and checked on every page load, that can slow the site down quite a bit. A better solution is to see if your host will install the GeoIP package. That allows the server to manage the blocks and is more efficient. If they won't, then install View Counter and use its country blocking option.


p.s. I haven't noticed a slowdown on the site yet but I don't have a very high traffic clientele.

18 hours ago, fiodh said:

I haven't noticed a slowdown on the site yet but I don't have a very high traffic clientele.

You may not. The average size of the root's .htaccess file is under 10-20 KB, in my experience. Adding the code to block the IPs of multiple countries might increase it to 50-80 KB. That's still a small file as file size goes but having to load it on every click on a busy site can make a difference. On slower sites, you may not see it. You can run a speed test (I prefer gtmetrix.com) with the blocking code removed and another with it added to see if it changes much. I would expect a second or two at most.


This morning I am still fighting these accounts, after supposedly blocking all Russian Federation, they are still getting through. Crazy! I got the latest IPs and have blocked those too. Haven't had time to install view counter yet, it looks somewhat daunting.  How does view counter block the IPs vs. the .htaccess?


Out of curiosity, do they all have Google for the company name?


I'm not really a dog.

1 hour ago, fiodh said:

How does view counter block the IPs vs. the .htaccess?

It uses a database table.


4 minutes ago, John W said:

Out of curiosity, do they all have Google for the company name?

My site doesn't use the company field.

1 hour ago, fiodh said:

This morning I am still fighting these accounts, after supposedly blocking all Russian Federation, they are still getting through.

When you say they are getting through, do you mean new accounts are being created by the same IP or are they all individual accounts? As mentioned, one account per IP will always be possible.


I am not getting many honeypot warning emails so I suspect they are using separate IPs.  I had fewer accounts this morning about 12 instead of 35 but they just made another few this last hour. I've blocked several IP ranges and a long list (shown above) but they are still coming.


If you are comfortable changing the code, find this in the includes/functions/honeypot.php file

tep_db_query("insert into " . $db_table . " set " . $insert_sql_data);

and add this above it

    if (MODULE_HEADER_TAGS_HONEYPOT_CREATE_ACCOUNT_NOTIFICATION == 'True') {
        HoneypotNotify($cust);
    }

You can add // before the two lines farther above that read

               HoneypotNotify($cust);

That will give you an email for all accounts that are created.


Thank you, I will do that! Then I could ban every IP I receive.


You could. But how will you know if the IP belongs to a legitimate customer or not?


The fake customers all have stupid names, I never do business in "Albania" or Russia, and also, I have an extra field on my create account page "how did you find us" and the bot scripts never fill that one out, but everyone else does. So those accounts are obvious. What I am noticing today though is that they are using many different IPs and the list of banned addresses is going to get quite long by the looks of it. I will say, your Honeypot contribution has about halved the amount of accounts, thank you very much.


"Albania"? Is that in quotes because you think it's a fake country name? Just curious... yes, it is ex-Soviet Bloc. Watch Wag the Dog.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozenpatches or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release


Actually, I get his point.  When I was figuring out what to use to deny these guys, I thought about the country.  I only have 3 countries in my list, and the last one is Jamaica, but I very rarely sell to there.  Every one of the fake accounts was using Jamaica.  They put Google for company and google for tax id, so I picked the tax Id. 



Yes, yes, I know Albania is a country. I guess I put it in quotes to make it sound more far fetched that I would ever sell there. Wag the Dog was a great movie... or is it a documentary?  I am mostly US, UK, CA and AUS.  But if I remove extra countries, they are just going to use whatever is left.  Wish I could ban them by Tax ID like John did.


Also, you can use the Cloudflare free CDN, which allows you to challenge based on country and block by ASN.


The water in a vessel is sparkling; the water in the sea is dark. The small truth has words which are clear; the great truth has great silence.

- Rabindranath Tagore


While my code snippet was blocking all the attempts, I noticed there was an increase in the number of attempts. I started recording the IP addresses after noticing many started with 188.138. However, after blocking 188.138.188.0/24 in my firewall, there has only been one in a few days. In checking an abused IP db, that block shows up a lot.


19 hours ago, John W said:

While my code snippet was blocking all the attempts, I noticed there was an increase in the number of attempts. I started recording the IP addresses after noticing many started with 188.138. However, after blocking 188.138.188.0/24 in my firewall, there has only been one in a few days. In checking an abused IP db, that block shows up a lot.

Just block Moldova.



Blocking by  countries can make for big lists/files which can bog things down.  CSF firewall and Apache both advise that it can slow things down.  Plus, not always accurate.


On 3/22/2019 at 12:50 PM, John W said:

CSF firewall and Apache both advise that it can slow things down.

Ask your host to enable ipset. It allows blocking large amounts of IPs at no cost to the server load. We have the temporary limit set to 20,000. There's about 3,000 currently blocked and the server's load hasn't changed at all.


If your host can't (or won't) do something to block ranges of nasty IP addresses, it falls to you to take action. It does cost server load to block IP addresses in .htaccess, so keep that in mind (whether or not it is charged to your account). If you wait until your application gets the IP address and handles it, the cost is much higher. The bill will definitely be on your account, through PHP processing and database usage to look up the offender and decide to refuse to serve them. So, the further upstream you can push the blocking effort, the less you'll usually have to pay for it. Unfortunately, the Internet, Web, and servers were not designed with such matters in mind (e.g., no reliable "country of origin" field), and any sort of access control is glued on separately (and can often be gotten around, through proxies, etc.).

In the case of a forum or blog, where the propagation of content is the desired end, there isn't much you can do except to fully block offenders (up to and including denying any access at all). For a store, it might be worth waiting to block them until they get into a subsystem for content dispersal (tell-a-friend, reviews, contact us), and block them there. The idea is that relatively few visitors are going to make use of such subsystems, compared to ordinary shoppers. Just some thoughts.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozenpatches or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release
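
The upstream blocking discussed in this thread (a small ipset instead of a long .htaccess list), as an added example that is not part of any original post: it groups logged fake-signup IPs by /24, merges them with a downloaded CIDR list, collapses overlapping ranges, and renders `ipset restore` input. The set name `fake_signups`, the function names and the sample addresses (documentation ranges) are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation ranges, not real offenders).
SIGNUP_IPS = ["203.0.113.5", "203.0.113.77", "203.0.113.201",
              "198.51.100.9", "192.0.2.14"]
COUNTRY_CIDRS = ["198.51.100.0/25", "198.51.100.128/25",
                 "203.0.113.0/26", "192.0.2.0/24"]

def hot_ranges(signup_ips, min_hits=3, prefix=24):
    """Networks of size /prefix that produced at least min_hits fake signups."""
    hits = Counter(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
                   for ip in signup_ips)
    return sorted(net for net, n in hits.items() if n >= min_hits)

def build_blocklist(signup_ips, country_cidrs, min_hits=3):
    """Merge observed hot ranges with a downloaded CIDR list.

    collapse_addresses() joins adjacent ranges and drops ranges already
    covered by a wider one, so the set stays as small as possible.
    """
    nets = [ipaddress.ip_network(c.strip(), strict=False)
            for c in country_cidrs if c.strip()]
    nets += hot_ranges(signup_ips, min_hits)
    return list(ipaddress.collapse_addresses(nets))

def ipset_restore(nets, set_name="fake_signups"):
    """Render the ranges as input for `ipset restore` (IPv4 only)."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {net}" for net in nets]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    blocklist = build_blocklist(SIGNUP_IPS, COUNTRY_CIDRS)
    print(f"{len(COUNTRY_CIDRS) + 1} ranges collapsed to {len(blocklist)}")
    # Load with:  ipset restore < fake_signups.ipset
    # Enforce:    iptables -I INPUT -m set --match-set fake_signups src -j DROP
    print(ipset_restore(blocklist), end="")
```

Raising `min_hits` keeps a single signup from a shared or residential range from blocking a whole /24, which matters for the legitimate-customer concern raised earlier in the thread.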
