Someone is creating new fake customers accounts

    #16
    So I guess I am leaning towards using the Phosphor Media Easy Account module if that will really fix the issue. Bruce - is this the golden magic?
    http://www.invinciblemusic.com



      #17
      Code:
                <input type="hidden" name="CSRF_Token" value="&mvte:global:Basket:csrf_token;" />
      Would adding the CSRF token to the form work? And will the CSRF token still work after 9.13 Defer Empty Baskets update?
      http://www.alphabetsigns.com/
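The post above asks whether adding the CSRF token hidden field would stop the fake accounts. As an added illustration, not Miva's code and not from anyone in the thread, here is the generic mechanism a session-bound CSRF token implements: the server derives a token from a secret and the session identifier, embeds it in the form, and rejects any submission whose token does not match the session it arrives with. The server secret, the session identifiers and the `handle_create_account` handler are all constructed for the example; how Miva ties its own token to the basket is not shown here.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for a server-side secret (assumption: not Miva's own storage).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to one session; the page embeds it in a hidden field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Accept only a token that was issued for this very session (constant-time compare)."""
    if not submitted:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted)


def handle_create_account(session_id: str, form: Dict[str, str]) -> Tuple[bool, str]:
    """Hypothetical account-creation handler: returns (accepted, reason)."""
    if not csrf_token_is_valid(session_id, form.get("CSRF_Token")):
        return False, "rejected: missing or mismatched CSRF token"
    return True, "accepted"


if __name__ == "__main__":
    sid = "sess-A"
    token = issue_csrf_token(sid)
    print(handle_create_account(sid, {"CSRF_Token": token}))      # accepted
    print(handle_create_account(sid, {}))                          # rejected
    print(handle_create_account("sess-B", {"CSRF_Token": token}))  # rejected
```

The check rejects a POST that did not originate from a form the server issued to that same session, which is what cross-site request forgery protection is for. A scripted client that first requests the login page in its own session receives a token exactly as a browser does, so the token alone is not a bot filter; that is why the thread also looks at reCAPTCHA, IP logging and upstream blocking.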



        #18
        I have a ticket in with Bruce at PhosphorMedia to install his Easy Contact and remove the "Create New Account" page. I will keep you posted on whether this fixes the issue. Below is a screen shot of customers being added.
        Last edited by InvincibleRecordings; 10-09-19, 05:39 AM.
        http://www.invinciblemusic.com



          #19
          That looks horrible!

          For posterity, a method to block bad bots through the htaccess file by USER_AGENT or IP:

          Code:
          # block bad bots
          # match on User-Agent substrings (NC = case-insensitive, OR = either condition is enough)
          RewriteCond %{HTTP_USER_AGENT} (SemrushBot|Screaming|Sogou|Spyfu) [NC,OR]
          # ...or on the client address (replace xxx.xxx.xxx.xxx with the offending IP)
          RewriteCond %{REMOTE_ADDR} ^xxx\.xxx\.xxx\.xxx
          # answer 403 Forbidden and stop processing further rules
          RewriteRule ^.* - [F,L]
          Also, many hosts maintain a badbot file and will offer to block them upstream so you may want to check with your host.
          http://www.alphabetsigns.com/



            #20
            Originally posted by InvincibleRecordings:
            I have a ticket in with Bruce at PhosphorMedia to install his Easy Contact and remove the "Create New Account" page. I will keep you posted on if this fixes the issue. Below is a screen shot of customers being added.
            Does Bruce's module replace the abbreviated Create Account on the login page? I had forgotten about that option in Shadows.

            Question - have you set up the Payment Settings reCAPTCHA? I wonder if there is a way to add it to the Customer Log In page?

            https://docs.miva.com/reference-guid...
            Leslie Kirk
            Miva Certified Developer
            Miva Merchant Specialist since 1997
            Previously of Webs Your Way
            (aka Leslie Nord leslienord)

            Email me: [email protected]
            www.lesliekirk.com

            Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr



              #21
              Originally posted by lesliekirk:

              Does Bruce's module replace the abbreviated Create Account on the login page? I had forgotten about that option in Shadows.

              Question - have you set up the Payment Settings reCAPTCHA? I wonder if there is a way to add it to the Customer Log In page?

              https://docs.miva.com/reference-guid...
              We have reCAPTCHA available if needed on the payment page but nowhere else. I think we are removing the "Create Account" page. I am first going with the Module approach and see if that ends the issue. But my hosting company did say they could block the IP address if I knew what it was. Does the MIVA admin have some place that can be found?
              http://www.invinciblemusic.com



                #22
                Originally posted by InvincibleRecordings:

                We have reCAPTCHA available if needed on the payment page but nowhere else. I think we are removing the "Create Account" page. I am first going with the Module approach and see if that ends the issue. But my hosting company did say they could block the IP address if I knew what it was. Does the MIVA admin have some place that can be found?
                The IP address of the spammer? Only if it's collected. On a side note to the reCAPTCHA - I wonder if you could do a view source of the page it appears on (at checkout) copy the code and place it on the customer-log-in.html page? Just thinking out loud...
                Leslie Kirk


                  #23
                  I'm not sure if this will work but create a custom customer field with code 'ip'.
                  Then paste this snippet on the ACAD page.

                  Code:
                  <mvt:assign name="g.remote_addr" value="s.remote_addr" />
                  <mvt:item name="customfields" param="Write_Customer_Login( g.Customer_LoginEmail, 'ip', g.remote_addr )" />
                  http://www.alphabetsigns.com/



                    #24
                    Originally posted by alphabet:
                    I'm not sure if this will work but create a custom customer field with code 'ip'.
                    Then paste this snippet on the ACAD page.

                    Code:
                    <mvt:assign name="g.remote_addr" value="s.remote_addr" />
                    <mvt:item name="customfields" param="Write_Customer_Login( g.Customer_LoginEmail, 'ip', g.remote_addr )" />
                    I don't think this is happening on the ACAD Page. The Shadows ReadyTheme has an abbreviated account creation on the LOGN screen.

                    Leslie Kirk


                      #25
                      I'm hoping that the LOGN Create Account form submits and uses the customer's register_email input to create the account.

                      I think that the LOGN action responds with the ACAD so the user can further enter their address.

                      If the ACAD has access to g.Customer_LoginEmail it can log the bot_ip.

                      Otherwise, the bot is gone.
                      http://www.alphabetsigns.com/



                        #26
                        Another idea is to pass the bot ip as a hidden field on the LOGN Create Account form and email it from the ACAD page.

                        On the LOGN Create Account form add:

                        Code:
                        <mvt:comment> Capture the client address and render it into the form (an entity tag is needed; a bare variable name would submit the literal text "g.remote_addr") </mvt:comment>
                        <mvt:assign name="g.remote_addr" value="s.remote_addr" />
                        <input type="hidden" name="bot_ip" value="&mvte:global:remote_addr;" />
                        On the ACAD page add:

                        Code:
                        <mvt:comment> Replace YOUR_EMAIL with the address that should receive the notice </mvt:comment>
                        <mvt:assign name="g.to_email" value="'YOUR_EMAIL'" />
                        <mvt:assign name="g.from_email" value="'YOUR_EMAIL'" />
                        <mvt:assign name="g.subject" value="'Bot IP'" />
                        <mvt:assign name="g.message" value="'Bot IP: ' $ g.bot_ip" />

                        <mvt:do file="g.module_library_utilities" name="g.email_sent" value="SendEmail(g.to_email,g.from_email,'',g.subject,'',g.message)" />
                        http://www.alphabetsigns.com/



                          #27
                          Musing Theoretical Here.... I wonder if there isn't a way to detect whether or not the data input received by CGI were indeed entered via a keyboard...for example, let's say you do a basic de-encryption of CGI data before processing it...and that data gets encrypted AS the user enters data via the keyboard...not sure how you'd hide the crypt-salt though seeing as how you'd have to do this at the DOM level...but it would be cool if you could basically prevent all bot efforts. (Of course, this would kill auto-fill...but I notice more and more sites are using "no autocomplete" anyway.)
                          Bruce Golub
                          Phosphor Media - "Your Success is our Business"

                          Improve Your Customer Service | Get MORE Customers | Edit CSS/Javascript/HTML Easily | Make Your Site Faster | Get Indexed by Google | Free Modules | Follow Us on Facebook
                          phosphormedia.com



                            #28
                            Originally posted by Bruce - PhosphorMedia:
                            Musing Theoretical Here.... I wonder if there isn't a way to detect whether or not the data input received by CGI were indeed entered via a keyboard...for example, let's say you do a basic de-encryption of CGI data before processing it...and that data gets encrypted AS the user enters data via the keyboard...not sure how you'd hide the crypt-salt though seeing as how you'd have to do this at the DOM level...but it would be cool if you could basically prevent all bot efforts. (Of course, this would kill auto-fill...but I notice more and more sites are using "no autocomplete" anyway.)
                            Perhaps a more relevant musing, since there may be inquiring minds that might like to know, will your Easy Contact module resolve this issue?
                            Leslie Kirk


                              #29
                              Well, Easy Contact has its own built in Bot/Spam protection, which to date, has not been compromised... but that's for Email Contact and not just blocking bots from any form, which is what I was fantasizing.
                              Bruce Golub


                                #30

                                Originally posted by Bruce - PhosphorMedia:
                                a way to detect whether or not the data input received by CGI were indeed entered via a keyboard
                                I think that is the purpose of the CSRF token. Can InvincibleRecordings add the hidden field and make sure the 'Require CSRF Token for Customer Actions' is checked?

                                Still wondering if the 'Defer Empty Baskets' setting will affect this since the token is associated with the baskets array?

                                I see where you're heading with this, that he'll otherwise have to sift through the server logs for the bot IP and hope it's not proxied. And FWIW, just checked and req_addr is not a required HTTP header.
                                http://www.alphabetsigns.com/
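The post above notes that, without a captured address, the only route is to sift the server logs for the bot IP and hope it is not proxied. As an added example, written for this thread rather than taken from Miva or any poster, the script below parses Apache combined-format access log lines, counts account-creation POSTs per client, and flags clients that exceed a threshold inside a sliding time window. It also shows the proxy caveat: `X-Forwarded-For` is honoured only when the direct peer is a proxy you operate, because anyone can send that header. The log lines, the proxy address, and the `Action=ICST` query-string marker used to recognise an account-creation submission are all constructed assumptions; adjust the marker to whatever your store's sign-up form actually posts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumption (not from the thread): the sign-up form posts with this query-string marker.
ACCOUNT_CREATE_MARKER = "Action=ICST"

# Constructed: addresses of your own reverse proxy / CDN whose X-Forwarded-For you trust.
TRUSTED_PROXIES = {"10.0.0.5"}

# Combined log format plus an optional trailing "%{X-Forwarded-For}i" field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<xff>[^"]*)")?$'
)

# Constructed sample log: one client behind the proxy hammering sign-up, one normal
# user, one direct client sending a forged X-Forwarded-For, and one plain page view.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Oct/2019:05:30:01 +0000] "POST /mm5/merchant.mvc?Screen=LOGN&Action=ICST HTTP/1.1" 302 0 "-" "Mozilla/5.0" "203.0.113.9"',
    '10.0.0.5 - - [09/Oct/2019:05:31:12 +0000] "POST /mm5/merchant.mvc?Screen=LOGN&Action=ICST HTTP/1.1" 302 0 "-" "Mozilla/5.0" "203.0.113.9"',
    '10.0.0.5 - - [09/Oct/2019:05:32:40 +0000] "POST /mm5/merchant.mvc?Screen=LOGN&Action=ICST HTTP/1.1" 302 0 "-" "Mozilla/5.0" "203.0.113.9"',
    '10.0.0.5 - - [09/Oct/2019:05:34:05 +0000] "POST /mm5/merchant.mvc?Screen=LOGN&Action=ICST HTTP/1.1" 302 0 "-" "Mozilla/5.0" "203.0.113.9"',
    '198.51.100.7 - - [09/Oct/2019:05:33:00 +0000] "POST /mm5/merchant.mvc?Screen=LOGN&Action=ICST HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [09/Oct/2019:05:35:00 +0000] "POST /mm5/merchant.mvc?Screen=LOGN&Action=ICST HTTP/1.1" 302 0 "-" "curl/7.64" "203.0.113.77"',
    '203.0.113.9 - - [09/Oct/2019:05:36:00 +0000] "GET /mm5/merchant.mvc?Screen=LOGN HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def client_ip(entry: dict) -> str:
    """Use X-Forwarded-For only when the direct peer is a proxy we control."""
    xff = entry.get("xff")
    if entry["ip"] in TRUSTED_PROXIES and xff and xff != "-":
        return xff.split(",")[0].strip()  # leftmost address is the original client
    return entry["ip"]  # otherwise the header is untrusted client input: ignore it


def find_signup_bursts(lines: List[str], threshold: int = 3,
                       window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {client_ip: max sign-ups inside `window`} for clients reaching `threshold`."""
    posts = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if not e or e["method"] != "POST" or ACCOUNT_CREATE_MARKER not in e["path"]:
            continue
        posts[client_ip(e)].append(e["ts"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_signup_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} account creations within 10 minutes")
```

Run against a real log, the flagged addresses are the candidates to hand to the host for an upstream block or to put in the `.htaccess` rule from earlier in the thread. If the store sits behind a CDN or load balancer, `REMOTE_ADDR` in the log will be the proxy, so the `X-Forwarded-For` logic is what recovers the real client; conversely, leave `TRUSTED_PROXIES` empty when nothing sits in front of the web server, or a client can name any address it likes.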
