KenSO

Capture Fake Accounts IPs


Hi All,

I am getting lots of fake accounts and SPAM emails. I'm not too fussed about SPAM emails as I can deal with that easily using mail filters. What irks me is the fake accounts still coming through after installing addons and captcha. They simply don't work 100% and still need some manual management of this issue. Someone posted in an old thread that they were able to modify the create_account.php file to submit IP address to a newly added "customers_ip_address" field in the customers table.

Can anyone help with this please? I just need to know what file and where to add the additional value (IP address) when create_account.php is submitted. I can do the database bit myself.

Any help with this issue is appreciated. I've not had to deal with such large amounts of fake accounts before now.

Thanks


After adding a captcha I was able to fully get rid of fake accounts coming so my guess is that you don't have it set up correctly.

Before that I was using a script to delete about 5-10 accounts created a day.


We can all make assumptions easily but I've read lots of the threads and I'm not the only one who's had issues even after correctly installing stuff. No captcha will stop any of these 100% - simple fact.

We all have to find solutions to our specific issues and that's what I'm trying to do.

Posted (edited)

There are addons to capture a person's IP address when creating an account but depending on your version they may need some work to get working correctly. Use Google to search for one as the addons area search is very hit and miss.

I have Google reCAPTCHA as security on my create account and contact us pages and still I get a few spam accounts so you won't stop them all.

If you are using any version of Phoenix you may get better support at their new home at https://phoenixcart.org/forum/

Edited by 14steve14

REMEMBER BACKUP, BACKUP AND BACKUP

Get the latest Phoenix version here

It's easy to say to yes every question.

34 minutes ago, 14steve14 said:

There are addons to capture a person's IP address when creating an account but depending on your version they may need some work to get working correctly. Use Google to search for one as the addons area search is very hit and miss.

I have Google reCAPTCHA as security on my create account and contact us pages and still I get a few spam accounts so you won't stop them all.

If you are using any version of Phoenix you may get better support at their new home at https://phoenixcart.org/forum/

Thanks @14steve14

Yes, none of the addons will 100% stop these fake accounts and SPAM. People talk as if installing an addon is a silver bullet. I have all these and still get some fakes and SPAM hence my wanting to capture IP addresses and block them. Now, if I knew what Phoenix file does the inserts into the customers table after submitting form, then I can easily modify this. But getting this simple information does not seem to be so simple.

If it were, all I'll need to do is add that IP address value for it to be inserted in the database. An addon is not needed for this - just modification of the file doing the insert.


Do it however you like, but like I said there are free and paid for addons that will do what you want so it is possible.


Posted (edited)

Sorry, I didn't mean to be annoying I guess I was just relaying my experience which in fact did lead to the recaptcha being a silver bullet. 

I didn't use an addon I added it to create account pages myself and I am using the V2 checkbox with the security preference slider set to the middle. 

I doubt that helps you considering what you said but to record the IP I would just use something like this: https://stackoverflow.com/questions/6837655/log-user-ip-address-date-and-time

And add a field to the customer table to record the IP

 

 

 

Edited by sackling

6 minutes ago, sackling said:

Sorry, I didn't mean to be annoying I guess I was just relaying my experience which in fact did lead to the recaptcha being a silver bullet. 

I didn't use an addon I added it to create account pages myself and I am using the V2 checkbox with the security preference slider set to the middle. 

I doubt that helps you considering what you said but to record the IP I would just use something like this: https://stackoverflow.com/questions/6837655/log-user-ip-address-date-and-time

And add a field to the customer table to record the IP

 

 

 

Thanks @sackling

It's fine, you weren't annoying in the least. I was just saying there's a default assumption that one has not installed something correctly when this is not the case in many instances. Grabbing an IP address is small work, that's not my problem. The problem is I can't identify what file(s) does the insert of what the form collects into the database. If I knew what it was and where, I could easily modify that. I capture IP addresses for same reason on my other sites and have this integrated into the code. But to do that, I had to at least know what files I needed to be tweaking. This is not the case with Phoenix.

I'd be interested in your hack to get that v2 checkbox working with your create account page just out of interest. I believe addons are good but not always necessary or ideal when being used across a variety of releases and versions.


It's been at least 6 months since I did it but I think this is all of it on create_account.php

Near the top of the page within the first process action:

  // Default to an empty token so a POST without the captcha field fails verification
  $captcha = '';
  if (isset($HTTP_POST_VARS['g-recaptcha-response'])) {
    $captcha = $HTTP_POST_VARS['g-recaptcha-response'];
  }

  $secretKey = "MYSECRETKEY";

  // Ask Google's siteverify endpoint whether the submitted token is valid
  $url = 'https://www.google.com/recaptcha/api/siteverify?secret=' . urlencode($secretKey) . '&response=' . urlencode($captcha);
  $response = file_get_contents($url);
  $responseKeys = json_decode($response, true);

  // Only build the customer record when the form validated and the captcha passed
  if ($error == false && $responseKeys["success"]) {
    $sql_data_array = array('customers_firstname' => $firstname,
        'customers_lastname' => $lastname,
        'customers_email_address' => $email_address,
 

Bottom of Create account page:

 

<div class="g-recaptcha" data-sitekey="mysitekey"></div>

  <div class="buttonSet">
    <span class="buttonAction"><?php echo tep_draw_button(IMAGE_BUTTON_CONTINUE, 'person', null, 'loginform'); ?></span>
  </div>
</div>

</form>
</div>

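A fail-closed version of the server-side reCAPTCHA check from the post above, as an added example that is not part of the original post or of osCommerce. The helper names `evaluate_siteverify()` and `verify_recaptcha()` and the hostname `shop.example` are assumptions made for illustration; the response bodies are constructed so the decision logic runs offline.

```php
<?php
// Added example (not from the thread). evaluate_siteverify() and
// verify_recaptcha() are hypothetical helper names; shop.example is a placeholder.

// Decide on a siteverify response body. Anything unexpected is a rejection.
function evaluate_siteverify($body, string $expectedHost): bool
{
    if (!is_string($body)) {
        return false;                      // request failed or timed out
    }
    $data = json_decode($body, true);
    if (!is_array($data) || ($data['success'] ?? null) !== true) {
        return false;                      // malformed JSON or failed challenge
    }
    // The token must have been solved on this shop's own hostname.
    return ($data['hostname'] ?? null) === $expectedHost;
}

// siteverify is documented as a POST; the secret goes in the body, not the URL.
function verify_recaptcha(string $secret, string $token, string $ip, string $expectedHost): bool
{
    if ($token === '') {
        return false;                      // form posted without the captcha field
    }
    $context = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $token, 'remoteip' => $ip]),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $context);
    return evaluate_siteverify($body, $expectedHost);
}

// Constructed response bodies, so the decision logic runs without network access.
$cases = [
    'solved on this shop'  => '{"success":true,"hostname":"shop.example"}',
    'solved on other site' => '{"success":true,"hostname":"other.example"}',
    'failed challenge'     => '{"success":false,"error-codes":["invalid-input-response"]}',
    'truthy but not true'  => '{"success":"yes","hostname":"shop.example"}',
    'not JSON'             => '<html>error</html>',
    'request failed'       => false,
];
foreach ($cases as $label => $body) {
    printf("%-22s %s\n", $label, evaluate_siteverify($body, 'shop.example') ? 'accept' : 'reject');
}
```

In the signup handler the result of `verify_recaptcha()` would take the place of `$responseKeys["success"]` in the `if ($error == false && ...)` condition.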
21 minutes ago, sackling said:

It's been at least 6 months since I did it but I think this is all of it on create_account.php

Near the top of the page within the first process action:


  if(isset($HTTP_POST_VARS['g-recaptcha-response'])){
            $captcha=$HTTP_POST_VARS['g-recaptcha-response'];
        }

        $secretKey = "MYSECRETKEY";

// post request to server
        $url = 'https://www.google.com/recaptcha/api/siteverify?secret=' . urlencode($secretKey) .  '&response=' . urlencode($captcha);
        $response = file_get_contents($url);
        $responseKeys = json_decode($response,true);

 


if ($error == false && $responseKeys["success"]) {
    $sql_data_array = array('customers_firstname' => $firstname,
        'customers_lastname' => $lastname,
        'customers_email_address' => $email_address,

 

Bottom of Create account page:

 


<div class="g-recaptcha" data-sitekey="mysitekey"></div>

  <div class="buttonSet">
    <span class="buttonAction"><?php echo tep_draw_button(IMAGE_BUTTON_CONTINUE, 'person', null, 'loginform'); ?></span>
  </div>
</div>

</form>
</div>

Thanks @sackling

The second part of code dump at the top seems to be broken:

if ($error == false && $responseKeys["success"]) { $sql_data_array = array('customers_firstname' => $firstname, 'customers_lastname' => $lastname, 'customers_email_address' => $email_address,

It's not closed properly, perhaps there's some bit at the end missing? The bit that goes down the bottom is fine.


Yea I cut off the rest of the code you should be able to find that part of your code or something similar to it and just add the 

if ($error == false && $responseKeys["success"])

 

26 minutes ago, sackling said:

Yea I cut off the rest of the code you should be able to find that part of your code or something similar to it and just add the 


if ($error == false && $responseKeys["success"])

 

It's only the bits of your captcha integration I was hoping to see. I can't fit parts together without seeing your create_account page so I can see if it's the same as mine. Please can you attach a copy without your captcha keys?

19 hours ago, KenSO said:

I have all these and still get some fakes

If you truly have installed the Honey Pot addon, then you should post your settings and one of the fake accounts in its support thread. There's no reason to do what you are doing with the IP code unless the accounts being created are not fake ones, meaning created with invalid data.

37 minutes ago, Jack_mcs said:

If you truly have installed the Honey Pot addon, then you should post your settings and one of the fake accounts in its support thread. There's no reason to do what you are doing with the IP code unless the accounts being created are not fake ones, meaning created with invalid data.

I'm rather puzzled why it's so hard to just be told where/what file the insert is done so I can make modifications as I require for my own purposes. It's very strange indeed. If as you say "unless accounts being created are not fake ones, meaning with invalid data", what would you call a firstname like xatThamamaayTTttTAA and a lastname similar to that, as well as other bits such as address etc?

Anyway, I'll leave this issue as I'm getting the impression a simple question is not really that simple after all. If I want to capture and block IP addresses for making accounts with entries like that, I don't think I'm wrong. In any case it's my shop. This addon you speak about is not a silver bullet and should not be seen as so. I am not knocking the addon or trying to bruise anyone's ego but for me, the addon simply does not work. I don't have to defend my efforts to find a resolution that's not tied to this addon.

1 hour ago, KenSO said:

I'm rather puzzled why it's so hard to just be told where/what file the insert is done so I can make modifications as I require for my own purposes.

One reason is because the changes needed are not common across all versions of osCommerce. Maybe you mentioned your version but I'm not seeing it. Another is that it takes time for someone to show what is needed. And a third, in my case, is that it is not needed.

 

1 hour ago, KenSO said:

what would you call a firstname like xatThamamaayTTttTAA and a lastname similar to that, as well as other bits such as address etc?

Yes, that is a fake account. And Honey Pot has code to deal with it. Also, the "other bits" can make a big difference in handling the code.

You are obviously stuck on making this code change as well as not even trying Honey Pot. That's fine. But if you get tired of having to handle the fake accounts manually, which you will have to do if you make the code change you want, then you really should try installing it. 

2 hours ago, KenSO said:

I'm rather puzzled why it's so hard to just be told where/what file the insert is done so I can make modifications as I require for my own purposes. It's very strange indeed. If as you say "unless accounts being created are not fake ones, meaning with invalid data", what would you call a firstname like xatThamamaayTTttTAA and a lastname similar to that, as well as other bits such as address etc?

Anyway, I'll leave this issue as I'm getting the impression a simple question is not really that simple after all. If I want to capture and block IP addresses for making accounts with entries like that, I don't think I'm wrong. In any case it's my shop. This addon you speak about is not a silver bullet and should not be seen as so. I am not knocking the addon or trying to bruise anyone's ego but for me, the addon simply does not work. I don't have to defend my efforts to find a resolution that's not tied to this addon.

If the way you are thinking of doing this is the best way to do it in your eyes, I can't wait to see the addon you produce. If it's that good and nothing currently available is any good, then yours will be the best. Release it when it's done for the benefit of other community members.


4 hours ago, osCommerce-Official said:

It uses Google reCAPTCHA

Google reCAPTCHA is not recommended. This joke query can be bypassed as easily as any other program. I therefore recommend using something that really checks whether it is a human or a robot. You can test it yourself. When the message appears whether you are human, wait 3 to 5 seconds and only then click the confirmation. Every time you will succeed in reaching your goal without further testing. Captcha is garbage and not seriously useful.

9 hours ago, YePix said:

Google reCAPTCHA is not recommended. This joke query can be bypassed as easily as any other program. I therefore recommend using something that really checks whether it is a human or a robot. You can test it yourself. When the message appears whether you are human, wait 3 to 5 seconds and only then click the confirmation. Every time you will succeed in reaching your goal without further testing. Captcha is garbage and not seriously useful.

Peter, thanks for the suggestions. Will forward this to the dev team for consideration.

Posted (edited)

It would be nice if there could be a setting in ACP, one which the webmaster can either disable / change from say 24hr to some other length of time. Then the software prevents the same IP from sending contact emails / registering within that timeframe.

Edited by Hotclutch
typo

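The per-IP time window suggested in the post above, together with the IP capture asked about at the start of the thread, as an added example that is not part of any post or of osCommerce. The functions `client_ip()` and `signup_allowed()` and the `signup_log` table are hypothetical names, the addresses and timestamps are constructed, and an in-memory SQLite database (PHP 7.1+ with pdo_sqlite) stands in for the shop database.

```php
<?php
// Added example (not from the thread). client_ip(), signup_allowed() and the
// signup_log table are hypothetical; requires PHP 7.1+ with pdo_sqlite.

// REMOTE_ADDR comes from the TCP connection. X-Forwarded-For and similar headers
// are client-controlled unless a reverse proxy you operate overwrites them.
function client_ip(array $server): ?string
{
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// True (and the attempt is recorded) only if $ip has no signup inside the window.
function signup_allowed(PDO $db, string $ip, int $now, int $window): bool
{
    $seen = $db->prepare('SELECT COUNT(*) FROM signup_log WHERE ip = ? AND created_at > ?');
    $seen->execute([$ip, $now - $window]);
    if ((int) $seen->fetchColumn() > 0) {
        return false;
    }
    $db->prepare('INSERT INTO signup_log (ip, created_at) VALUES (?, ?)')
       ->execute([$ip, $now]);
    return true;
}

$db = new PDO('sqlite::memory:');          // stand-in for the shop database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 45 characters fits the longest textual IPv6 address.
$db->exec('CREATE TABLE signup_log (ip VARCHAR(45) NOT NULL, created_at INTEGER NOT NULL)');

$window = 24 * 3600;                       // the 24hr figure from the post
$t0 = 1700000000;                          // constructed timestamps and addresses
$attempts = [
    ['203.0.113.7', $t0],
    ['203.0.113.7', $t0 + 600],
    ['2001:db8::1', $t0 + 700],
    ['not-an-ip',   $t0 + 800],
    ['203.0.113.7', $t0 + $window + 1],
];
foreach ($attempts as [$addr, $when]) {
    $ip = client_ip(['REMOTE_ADDR' => $addr]);
    $ok = $ip !== null && signup_allowed($db, $ip, $when, $window);
    printf("%-12s t+%-6d %s\n", $addr, $when - $t0, $ok ? 'allow' : 'block');
}
```

The validated address returned by `client_ip()` is also the value that would be stored in the `customers_ip_address` field described in the first post. A per-IP window also blocks legitimate customers who share one address behind NAT, so the window length is a trade-off.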
