
Removing fake customers


3 hours ago, burt said:

When joining two tables...if one side is broken...any software would react similarly.

Then either the wrong "JOIN" is being used for the purpose, or the resulting data needs to be validated (fixed) in some manner before being used (e.g., creating dummy array). It's still not robust code. Unfortunately, it's probably not trivial to fix it.

On 1/14/2019 at 5:04 PM, Jack_mcs said:

It stops 100% of spam by bots on the contact us page

Happy to report I installed @Jack_mcs HoneyPot yesterday and this morning the problem site has seen a 90% reduction in spam. The stuff still getting in is getting past Google reCaptcha as well, so I think the sods are doing manual spamming as well. Still very happy with results. Thanks Jack :thumbsup:

On 1/14/2019 at 9:04 AM, Jack_mcs said:

See the Honey Pot addon. There are only a few changes needed. It stops 100% of spam by bots on the contact us page and is completely transparent to the customer.

Jack, does this add on also work on the account creation page?

2 minutes ago, Snarg said:

account creation page?

Yes, Jack provides the edits for 3 pages, but you can add code to other pages.

6 hours ago, burt said:

When joining two tables...if one side is broken...any software would react similarly.

In my testing I could not get the code to break by simply removing data or messing data up in either the customer table, the customer_info table, or both. The code simply did not allow you to select the broken customer in admin/customer. So in Frozen, which is what I did the testing in, the code is fine. Must be something else going on.


This issue has become a big annoyance in the last 4 weeks.

I have had about 30 accounts a day created that are obvious bots, starting just before Xmas 2018. (Create account)

I solved it (currently) without yet implementing the honey pot trap but am unwilling to publish it explicitly online for obvious reasons.

Suffice it to say I deleted the gender question many years ago due to customer complaints about the question (transgender sensitivities, I assume).

If the field is still sent now despite no longer being on the form, you can assume it's a bot.

From my investigations it is probably only 1 or 2 bots currently causing the problem.

Personally, I detected all the accounts and deleted them from the admin panel. I did not want to just delete via phpMyAdmin because of possible field link issues.

If they get more adventurous I will have to install Jack's honeypot trap.

Thanks Jack_mcs.

Quote

If the field is still sent now despite no longer being on the form, you can assume it's a bot.

Maybe if they're fembots or manbots, they're proud of their gender? cf. Futurama.

Quote

From my investigations it is probably only 1 or 2 bots currently causing the problem.

Comparing against your hosting access log, if you can find specific bot names you might be able to ban them entirely via .htaccess. No guarantee that you'll be able to get a unique name, but you can also ban on referring site name. Of course, they can always just switch to a new host or bot, but at least you've inconvenienced them.


I am not sure if this has been said, but:

Would a pop-up window with a check box not work to prevent fake accounts from being created?

In the popup window one could ask to accept the terms in general. After pressing OK the account would be created...

Just an idea.

15 minutes ago, honda4 said:

Would a pop-up window with a check box not work to prevent fake accounts from being created?

See the MATC BS addon. I don't think that will do it though, because the spammers' scripts don't submit by clicking a button (tiny little hands, I suppose. :) ). I have made the changes to Honey Pot and am testing them now in live shops. I'll try to get it uploaded within the next few days unless problems are found. I think it will reduce a lot of these accounts.


Using Google and Jack's honeypot I have reduced the fake accounts and spam by about 90%. What is still getting in is not bots, as the timeline now shows they are 30 min apart (the setting for my limit), so I think now I'm left with just the human sods entering it manually.


Had the same fake account issue; using honeypot, had jack_mcs install it for me, works great!

Using these settings:

Add Honey Pot captcha to the specified pages.

Enable Grid List javascript: True
Pages: contact_us.php, create_account.php, tell_a_friend.php
Sort Order: 0
Email Addresses Allowed: False
Email Addresses Show Message: True
URL's Allowed: False
URL Show Message: True
Create Account Check: True
Create Account Count: 3
Create Account Period: 10
Create Account Notify: True
Exclude IP's: put your IP here if you need to create accounts for customers

Thanks Jack!
Sonny

Edited by s0nny61


Have this same issue. There is obviously a program flaw. This is definitely a bot. Some similarities in all fake new customers show it to be so. For example, geographical regions do not match up: the customer will be in New York, USA, Russia. This also points out a second commonality: the state/province is almost always, if not always, a country. Also, all fake users have phone and fax numbers; bots can't help themselves but fill in all the blanks. It would be great if the exploit could be discovered and repaired. I have to admit I have been using OSC for around a decade and have loved it, but this breach has me reconsidering. Development on the product seems to have stalemated, and now issues like these.

If honeypot works... I see it is JavaScript; does it require the Java client to work, and how is this going to be affected by the death of the free Java client?


Java and JavaScript are two entirely different things. What Oracle does to strangle free Java (if anything) is unrelated to JavaScript running in your browser. Unless honeypot is definitely using Java code in the background to do something (I haven't looked at the code), I wouldn't worry about it.


To prevent bots you might be able to add something like this in the create_account.php


// read the hidden field only if it was posted at all (avoids an undefined-index notice)
$bot = isset($HTTP_POST_VARS['bot']) ? tep_db_prepare_input($HTTP_POST_VARS['bot']) : '';

// a real browser never fills the hidden field, so any value means a script submitted the form
if ($bot != '') {
  $error = true;
  $messageStack->add('create_account', "You're probably not a human");
}

And add the input fields

<div style="display:none;">
<?php echo tep_draw_input_field('bot'); ?>
</div>

3 hours ago, redrum said:

To prevent bots you might be able to add something like this in the create_account.php

Yes, that will work to some extent. It is partly what Honeypot uses.

3 hours ago, Jack_mcs said:

Yes, that will work to some extent. It is partly what Honeypot uses.

I only did a quick check of Honeypot, and it looks like you only use JavaScript to check the hidden field. Perhaps you should add something like my suggestion above.

9 hours ago, redrum said:

I only did a quick check of Honeypot, and it looks like you only use JavaScript to check the hidden field.

You didn't look close enough. It does use PHP.

On 10/25/2019 at 4:07 AM, Jack_mcs said:

You didn't look close enough. It does use PHP.

Ok, sorry my bad then :)

For information, I tried to just implant my suggested code for now, and it seems to work.


One thing I noticed that might not be that easy to see is that when you have fake customers in your database, the spam bots start asking for new passwords.

So when you have secured the site it's a good idea to remove all the fake customers or secure password_forgotten.php.

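As an added example (this is not code from the thread, from the Honey Pot addon, or from osCommerce itself), here is a server-side check that combines the two ideas discussed above: redrum's hidden honeypot field, and the earlier observation that a bot keeps posting a field (the thread's example is gender) that was removed from the form years ago. It is written as one function so the same call can protect create_account.php and password_forgotten.php, which the last post points out is the next thing the bots hit once fake accounts exist. The osCommerce names $HTTP_POST_VARS, $messageStack and the hidden input name 'bot' come from the thread; is_probable_bot(), its parameters, the 'gender' retired-field name, the generic error text and the log-line format are this example's own assumptions.

```php
<?php
// Added example for this thread; not code from the thread, the Honey Pot addon or osCommerce.
// It reuses osCommerce globals that appear on the page ($HTTP_POST_VARS, $messageStack).
// is_probable_bot(), its parameters and the log message format are assumptions of this example.
//
// Two server-side signals are combined:
//   1. the hidden "honeypot" input (rendered inside display:none, as in redrum's snippet)
//      comes back non-empty: no browser user ever typed into it;
//   2. a field that was removed from the form long ago (the thread's example is 'gender')
//      is still posted, because the script works from an old copy of the form.
// Either signal marks the request as a probable bot. The function returns the reason as a
// string so the caller can log it, or false when the submission looks normal.

function is_probable_bot(array $post, $honeypot_field = 'bot', array $retired_fields = array('gender'))
{
    // 1. Honeypot field filled in.
    if (isset($post[$honeypot_field]) && is_string($post[$honeypot_field])
        && trim($post[$honeypot_field]) !== '') {
        return 'honeypot field "' . $honeypot_field . '" was filled in';
    }

    // 2. A retired field was submitted although the form no longer contains it.
    foreach ($retired_fields as $field) {
        if (array_key_exists($field, $post)) {
            return 'retired field "' . $field . '" was submitted';
        }
    }

    return false;
}

// Usage inside the 'process' branch of create_account.php. For password_forgotten.php use the
// same call and change the message key to 'password_forgotten' so the page shows the error.
// $HTTP_POST_VARS exists in osCommerce; fall back to $_POST where it is not defined.
$post_vars = isset($HTTP_POST_VARS) ? $HTTP_POST_VARS : $_POST;
$bot_reason = is_probable_bot($post_vars);

if ($bot_reason !== false) {
    $error = true;

    // Keep the visible message generic so the script's author learns nothing about which check fired.
    $messageStack->add('create_account', 'Your submission could not be processed.');

    // Record the reason and source address (assumed log-line format) so you can confirm later,
    // as the thread does, whether it is really one or two sources rather than many.
    $remote_ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log('create_account bot check: ' . $bot_reason . ' from ' . $remote_ip);
}
```

The hidden input itself is rendered exactly as in redrum's snippet (a display:none div around tep_draw_input_field('bot')); the point of doing the check in PHP as well as in JavaScript is that a script which posts the form directly never runs the page's JavaScript at all, so only the server-side branch sees those submissions.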