puggybelle

Can I limit the number of words entered in account creation?


I'm using 2.3.4.1 CE with PHP 7.0

Recently, I'm seeing an increasing number of fake accounts created with long sentences for First and Last Name, like the latest one:

[Attached image: customers.JPG]

The second name is a real account created with a first and last name (erased).  The first one speaks for itself.

I'm sure there's a way to limit the number of characters in the input fields, but...what about the number of words?

Like...one word for first name (maybe two max?) and one for last name.  I'm seeing more and more of this lately. 

Nothing urgent...just asking!  Thanks!

- Andrea


I think limiting the length of names is not going to do much in stopping people from creating fake accounts. These people will still hack the system with short names.

Best is to install captchas.


@kgtee

Hi!  I expect you're right.  I do have Honeypot Captcha installed, nothing more.

Most of the fake accounts are a little more promotional text oriented....lots of references to invest-in-Bitcoin lately.

Big long sprawling text for the first and last name which ends up looking like an advertisement or something.  The one I posted was pretty slack, really.

The IP addresses are mostly coming from Ukraine.  Stuff like this is never-ending, it seems!

Thanks for replying to my post, I appreciate it!

- Andrea


Hi @puggybelle

There is an extensive discussion here.

 

The conclusion sounds like Google Recaptcha-2 is the most effective captcha to stop those fake accounts. Give that a try! Cheers!

7 hours ago, kgtee said:

Hi @puggybelle

There is an extensive discussion here.

 

The conclusion sounds like Google Recaptcha-2 is the most effective captcha to stop those fake accounts. Give that a try! Cheers!

 

Same issue here, but not as intensive as other users are describing it.

Using reCAPTCHA in create_account.

In admin/customers.php I have modified the search.
Mostly the spammers use companies like Google - easier to track down and deleted many - hth

<?php
    $search = '';
    if (isset($_GET['search']) && tep_not_null($_GET['search'])) {
      $keywords = tep_db_input(tep_db_prepare_input($_GET['search']));
      $search = "where c.customers_lastname like '%" . $keywords . "%' or c.customers_firstname like '%" . $keywords . "%' or c.customers_email_address like '%" . $keywords . "%' or a.entry_company like '%" . $keywords . "%' or c.customers_telephone like '%" . $keywords . "%'";
    }


Getting the Phoenix off the ground


I've been getting hit all day long with fake accounts like this (and the following was all inserted in the first name field only!)

"Exactly how would certainly you utilize $87264 to make even more cash: https://get-xxx-xxx-xxxx.blogspot.nl

And then even more to follow in the last name field in create_account.php

I think it's ridiculous that those fields are even set up to allow that many characters to start with...255?  That's nuts!

I put a little maxlength="16" in those forms to act as a deterrent.  No sooner than you start typing away...it's over.  Your cursor just gets stuck in place.

I have to think fake accounts like this are done with the hope of me visiting their urls, well...gosh, what a shame if you can't complete them anymore.

Have a nice day!

- Andrea

 

On 10/22/2019 at 10:42 PM, puggybelle said:

Recently, I'm seeing an increasing number of fake accounts created with long sentences for First and Last Name, like the latest one:

The latest version of Honey Pot has an option for this, as well as several other new options. I will try to get it uploaded this weekend.


If my database entries in the customers table look like this:

[Attached image: database.JPG]

Does the number 16 mean that is the maximum number of characters that can be stored when creating an account?

Because I woke up to this today:

[Attached image: halloween.JPG]

And plenty more to follow those.  How is that possible?

Just trying to learn and understand what is happening.  My remedies to stop it are obviously not working.

- Andrea

11 minutes ago, puggybelle said:

Just trying to learn and understand what is happening.  My remedies to stop it are obviously not working. 

Changing the length input accepted will not help. Install this and you will see a 99% reduction overnight. osC is being targeted by both spam bots and human spammers.

reCAPTCHA-2 Form Validation for BS Edge

No easy solution to this; you have to lock all forms on your site.

Edited by JcMagpie

 


Here is why it's happening. I get offers like this every day.

Hi! ******************
 
Have you ever heard that you can send a message through the contact form? 
These forms are located on many sites. We sent you our message in the same way, and the fact that you received and read it shows the effectiveness of this method of sending messages. 
Since people in any case will read the letter received through the contact form. 
Our database includes more than 35 million websites from all over the world. 
The price of sending one million messages 49 USD. 
There is a discount program for large orders. 
 
Free test mailing of 50,000 messages to any country of your selection. 
 
This offer is created automatically. Please use the contact details below to contact us. 
 
Contact us. 
Telegram - @Feed*****FormEU 
Skype Feed*****Form2019 
Email - *****************
Edited by JcMagpie

 


Hi @JcMagpie - Happy Halloween!

I'll try out that other reCaptcha - I'm just trying to rationalize how they can exceed 16 characters when the database says...16.  Only 16.

Right? 

29 minutes ago, puggybelle said:

Does the number 16 mean that is the maximum number of characters that can be stored when creating an account?

It should, but I'm kind of suspicious that they did something funky to handle multibyte characters.  I note that your strings are still limited.  It looks like to 32 characters.  So they may have set it to handle 32 bytes on the theory that on average that will be enough to hold 16 characters.  Or they converted to UTF-16 in the storage, which can hold any value that can be represented as UTF-8 as two bytes.  Or something even funkier. 

Stack Overflow suggests that you may find names that are longer than those limits. 


Always back up before making changes.

28 minutes ago, JcMagpie said:

reCAPTCHA-2 Form Validation for BS Edge

Can this be used in conjunction with Honeypot Captcha?

36 minutes ago, JcMagpie said:

Changing the length input accepted will not help.

I'm curious why you think this? I have the limit in the unreleased version of Honey Pot and it stops the account creation if names have more words than in the settings.

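A server-side version of the word limit discussed above, as an added example; it is not code from this thread, from osCommerce or from Honey Pot. The check runs in PHP on the server because the form's maxlength attribute is enforced only by the browser and does not apply to requests posted directly. The function name, the limits and the sample inputs are assumptions, and the mbstring extension is assumed to be installed.

```php
<?php
// Added example: server-side name validation for an account-creation form.
// Function name, limits and samples are assumptions, not osCommerce code.

const NAME_MAX_WORDS = 2;   // assumed limit: one word, two at most
const NAME_MAX_CHARS = 32;  // assumed limit, counted in characters, not bytes

/**
 * Returns the reasons a name is rejected; an empty array means it passes.
 */
function name_field_errors(string $raw): array
{
    $name = trim($raw);
    if ($name === '') {
        return ['empty'];
    }

    $errors = [];
    // Count characters rather than bytes so multibyte names are measured fairly.
    if (mb_strlen($name, 'UTF-8') > NAME_MAX_CHARS) {
        $errors[] = 'too long';
    }
    // Split on runs of whitespace; preg_split returns false on invalid UTF-8.
    $words = preg_split('/\s+/u', $name, -1, PREG_SPLIT_NO_EMPTY);
    if ($words === false) {
        $errors[] = 'invalid encoding';
    } elseif (count($words) > NAME_MAX_WORDS) {
        $errors[] = 'too many words';
    }
    // Assumed policy: a name field never contains a URL, a digit or '$'.
    if (preg_match('~https?://|www\.|[0-9$]~i', $name)) {
        $errors[] = 'looks like promotional text';
    }
    return $errors;
}

// Constructed sample inputs, plus the spam string quoted earlier in this thread.
$samples = [
    'Andrea',
    'Mary Ann',
    'Mephistopheles',
    'Exactly how would certainly you utilize $87264 to make even more cash: https://get-xxx-xxx-xxxx.blogspot.nl',
];
foreach ($samples as $s) {
    $e = name_field_errors($s);
    echo ($e ? 'REJECT (' . implode(', ', $e) . ')' : 'OK') . ": $s\n";
}
```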
10 minutes ago, puggybelle said:

Can this be used in conjunction with Honeypot Captcha?

The new version of Honey Pot has captcha as an option.

8 minutes ago, Jack_mcs said:

I'm curious why you think this?

From my testing it made no change. I have Honey Pot and Google reCAPTCHA running; between them 99% of bots were stopped. Neither stopped the human idiots; they still spam, but in much smaller numbers. Also, what helped was setting the time to about 30 min before they can resubmit in admin.

Fake accounts are down to less than 1 per week and it's clear this is human. The contact_us form (it's the only one I have active) is still under attack, but again down to a few a day now.


 


very simple, 

look in your customer varchar

3 customers_firstname varchar(40) utf8_unicode_ci 

4 customers_lastname varchar(40) utf8_unicode_ci

 

make it 20 or whatever number of words you would like

25 minutes ago, Kevin.Dallas said:

varchar(40) utf8_unicode_ci

So 40 does not represent characters...it represents the number of words

Is that what you're saying?


characters = words. Define how many characters are in the word; for example, if the word has 5 characters, then set varchar(40) to varchar(5).

16 minutes ago, puggybelle said:

So 40 does not represent characters.

Just be careful, as changing the length to something too short could bugger up all the data in your db.


 

1 minute ago, JcMagpie said:

Just be careful, as changing the length to something too short could bugger up all the data in your db.

I understand.  I really don't like messing with the database. 

Think I'll just sit and wait for Jack's new version of Honeypot. 

2 minutes ago, puggybelle said:

I understand.  I really don't like messing with the database. 

Think I'll just sit and wait for Jack's new version of Honeypot. 

I would max set it to 40 or just use the Google verification code. Damn spammers, I hear you.


If you have first name set to, say, 225 and you change it to, say, 12, then all first names in your db will be trimmed to 12 characters! Not good :)

Only make any changes if you are sure you don't have anything in that table longer than the number you set!

My advice: do not mess with the db; it's no real answer to the problem. Bots will just dump a shorter text into that section and dump longer bits into another part.


 

1 minute ago, JcMagpie said:

If you have first name set to, say, 225 and you change it to, say, 12, then all first names in your db will be trimmed to 12 characters! Not good

I changed it last night to 16 for both first and last name.  Total waste of time, I guess.

Mephistopheles will still fit.  🤩

51 minutes ago, puggybelle said:

So 40 does not represent characters...it represents the number of words?

No.  Characters does not represent words.  The 16/32 issue may be a bug or just database weirdness. 


Always back up before making changes.
