Like I said...musing...it would be great to just be able to say, "We don't accept input unless it's from a 'keyboard'" (And that would include voice-to-text etc since they trigger key-events.)
Someone is creating new fake customer accounts
-
Bruce Golub
Phosphor Media - "Your Success is our Business"
Improve Your Customer Service | Get MORE Customers | Edit CSS/Javascript/HTML Easily | Make Your Site Faster | Get Indexed by Google | Free Modules | Follow Us on Facebook
phosphormedia.com
-
Since most bots try to fill in all form fields, we use a "honeypot" input field with a touch of JavaScript. The honeypot input is hidden with CSS, and listened to with JavaScript. If a value is entered into the honeypot we change the form submit location via JavaScript (a black hole). It's not a perfect solution, but has eliminated our spammy form submission issues, AND we do not need to use a Captcha.
-
I think Bruce is saying that the bot is a headless browser that hits the CGI endpoint with request headers and a post payload. The bot never actually visits the page.
It looks like the bot REQUESTS the ACAD page with a Customer_LoginEmail parameter (Password Recovery Email) and is looking for RESPONSE with a g.customer_invalid_addinfo.
If g.customer_invalid_addinfo is TRUE then the bot has a valid Customer_LoginEmail. If g.customer_invalid_addinfo is FALSE then a fake account is created - but that is just collateral damage to the bot.
I would check the User Interface > Error Message tab for 'The email address you entered is already in use.' to see if the bot captured anything.
-
Any of you developer types interested in writing a module to add reCAPTCHA v3 to Miva? Looks like it's pretty slick and powerful without a negative user experience for real people.
https://www.google.com/recaptcha/intro/v3.html
https://developers.google.com/recaptcha/docs/v3
I would definitely be interested in a module that managed this for my site.
Last edited by oliverands; 10-14-19, 03:44 AM.
Todd Gibson
Oliver + S | Sewing Patterns for Kids and the Whole Family
- 1 like
-
Originally posted by invinciblerecordings:
Somehow between Bruce installing the Phosphor Media Easy Account and some additional bot block code, the problem has gone away.
Leslie Kirk
Miva Certified Developer
Miva Merchant Specialist since 1997
Previously of Webs Your Way (aka Leslie Nord leslienord)
Email me: [email protected]
www.lesliekirk.com
Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr
-
So now I'm getting hit. I came in this morning to about 5K bot spam. From the server logs:
Code:
52.186.121.92 - - [18/Oct/2019:03:33:57 -0400] "POST /customer-account.html HTTP/1.0" 200 40141 "https://www.alphabetsigns.com/customer-create.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
52.186.121.92 - - [18/Oct/2019:03:33:57 -0400] "GET /mm5/merchant.mvc?Screen=%3bn%3aexpression(netsparker(9))%2f*&OAuth_Provider_Code=GOOGLE&action=OAUTH_LOGIN&Store_Code=XX&Session_Id=78bfd19b6009837711d3bea0fb63e40d HTTP/1.0" 404 41182 "https://www.alphabetsigns.com/customer-account.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
I added to .htaccess:
Code:
RewriteCond %{REMOTE_ADDR} ^52\.186\.121\.92
RewriteRule ^.* - [F,L]
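Added example, not code from the thread or from Miva: a small Node.js script that parses combined-format access-log lines like the ones quoted above and flags a source that floods the account-creation POST or sends scanner-style probes (the expression(netsparker) GET is such a probe), so a block decision can rest on a rule instead of a single IP eyeballed each morning. The 203.0.113.x / 198.51.100.x addresses, the sample lines and the thresholds are constructed for the demo.

```javascript
// Added example (not code from the thread or from Miva): parse Apache combined-format
// log lines like the ones above and flag a source that floods the account-creation POST
// or sends scanner-style probes. IPs (203.0.113.x) and lines are constructed for the demo.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "18/Oct/2019:03:33:57 -0400" -> epoch seconds, honouring the zone offset
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return null;
  const asUtc = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) / 1000;
  const offset = (m[7] === '-' ? -1 : 1) * (+m[8] * 3600 + +m[9] * 60);
  return asUtc - offset;
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  return m && { ip: m[1], t: parseClfTime(m[2]), method: m[3], path: m[4], status: +m[5], referer: m[6], ua: m[7] };
}

// 'post-flood': one IP sends more than maxPosts POSTs to targetPath within windowSec seconds.
// 'scanner-probe': the decoded URL carries a scanner/XSS marker (cf. the expression(netsparker) GET above).
function findAbusiveSources(lines, { targetPath = '/customer-account.html', maxPosts = 3, windowSec = 60 } = {}) {
  const posts = new Map(), findings = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    let decoded = r.path;
    try { decoded = decodeURIComponent(r.path); } catch (e) { /* keep the raw path on bad escapes */ }
    if (/expression\(|netsparker/i.test(decoded)) findings.push({ ip: r.ip, reason: 'scanner-probe' });
    if (r.method === 'POST' && r.path === targetPath) posts.set(r.ip, [...(posts.get(r.ip) || []), r.t]);
  }
  for (const [ip, times] of posts) {            // sliding window over sorted timestamps
    times.sort((a, b) => a - b);
    for (let i = 0, j = 0; j < times.length; j++) {
      while (times[j] - times[i] > windowSec) i++;
      if (j - i + 1 > maxPosts) { findings.push({ ip, reason: 'post-flood', count: j - i + 1 }); break; }
    }
  }
  return findings;
}

// Constructed sample: four POSTs in 34 s from one address, a probe from it, and one normal view from another.
const UA = '"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"';
const post = (ts) => `203.0.113.7 - - [${ts} -0400] "POST /customer-account.html HTTP/1.0" 200 40141 "https://shop.example/customer-create.html" ${UA}`;
const SAMPLE_LOG = [
  post('18/Oct/2019:03:33:57'), post('18/Oct/2019:03:34:02'), post('18/Oct/2019:03:34:10'), post('18/Oct/2019:03:34:31'),
  `203.0.113.7 - - [18/Oct/2019:03:34:40 -0400] "GET /mm5/merchant.mvc?Screen=%3bn%3aexpression(netsparker(9))%2f*&action=OAUTH_LOGIN HTTP/1.0" 404 41182 "https://shop.example/customer-account.html" ${UA}`,
  `198.51.100.5 - - [18/Oct/2019:03:35:01 -0400] "GET /customer-create.html HTTP/1.1" 200 1234 "-" ${UA}`,
];
```

Feed `findAbusiveSources` the lines of the real access log and write the flagged addresses into the deny rule; tune `maxPosts`/`windowSec` to the shop's normal sign-up rate before trusting it unattended.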
-
Originally posted by Beefy Nugget:
*Puts on tinfoil hat* I feel like someone is targeting the forum signatures with URLs, as both alphabet and InvincibleRecordings have their website in the signature.
-
We had a similar issue on our save-your-basket page recently. We added a reCAPTCHA to the form and that stopped it. As part of this, we disabled the submit button and only enabled it using a callback when the reCAPTCHA was checked. We used reCAPTCHA v2.
Last edited by wajake41; 10-22-19, 09:23 AM.
Larry
Luce Kanun Web Design
www.facebook.com/wajake41
www.plus.google.com/116415026668025242914/posts?hl=en
-
A perhaps more robust implementation would be to have the reCAPTCHA populate a hidden field (or better yet, have it REMOVE a value from a hidden field). This will help when a bot is not submitting the form directly, but rather just posting the form and its data straight to the server.
Bruce Golub
-
IP blocking alone is a game of Whac-A-Mole. Either removing the link and using other methods of account creation, or reCAPTCHA, is the only thing to stop it.
Bruce Golub
-
No way to remove the link since presumably they have a script that's just sending a POST directly to merchant.mvc. I contacted Miva to see if they can add reCAPTCHA.
Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.
-
How does reCaptcha provide server side validation with the LOGN action?
I added reCaptcha to a LOGN form that enables the submit button
Once submitted, the reCaptcha response token should also be sent along to the LOGN action to be validated server-side.
The LOGN action should make a call to Google's reCAPTCHA API to validate the token. Otherwise the LOGN will validate without an authorized domain request.
It seems to me that we would need a LOGN extension if we want to use reCaptcha.
- - - -
The CSRF token will work in most cases. There are more sophisticated bots that can brute-force their way past a CSRF token, in which case you would need the reCAPTCHA. In either case, the token needs to be validated server-side.
Even if you can validate the reCAPTCHA token, it only prevents the server response, not the bot request. You will need a combination of IP, user-agent or ASN rules to block the bot altogether. And as Bruce pointed out, that is a game of Whac-A-Mole.
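Added example, not the thread's or Miva's code: the server-side half of the reCAPTCHA check discussed in the last two posts, i.e. what the LOGN/ACAD handler has to do with the token the form sends along, written as Node.js. The siteverify URL, its secret/response/remoteip fields and the success/score/action/hostname/error-codes reply fields are Google's documented API; the option names, the 0.5 score threshold and the fake transport are assumptions for the demo.

```javascript
// Added example, not the thread's or Miva's code: the server-side half of a reCAPTCHA
// check, i.e. what the LOGN/ACAD handler must do with the token the form sends along.
// The siteverify URL, its secret/response/remoteip fields and the success/score/action/
// hostname/error-codes reply fields are Google's documented API; thresholds, option
// names and the fake transport are assumptions for the demo.
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Build the request the server makes to Google. The secret key stays server-side.
function buildSiteverifyRequest(secret, token, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  return { url: SITEVERIFY_URL, method: 'POST',
           headers: { 'content-type': 'application/x-www-form-urlencoded' }, body: body.toString() };
}

// Decide whether Google's reply lets the action proceed. Besides `success`, check that the
// token was minted on our hostname and for our action (a token harvested from another page
// or site fails here) and, for v3, that the score clears the threshold.
function evaluateSiteverify(reply, { expectedAction, expectedHostname, minScore = 0.5 } = {}) {
  if (!reply || reply.success !== true) {
    return { ok: false, reason: 'verification-failed', errors: (reply && reply['error-codes']) || [] };
  }
  if (expectedHostname && reply.hostname !== expectedHostname) return { ok: false, reason: 'hostname-mismatch' };
  if (expectedAction && reply.action !== expectedAction) return { ok: false, reason: 'action-mismatch' };
  if (typeof reply.score === 'number' && reply.score < minScore) return { ok: false, reason: 'low-score', score: reply.score };
  return { ok: true, score: reply.score };
}

// Full check with an injectable transport so it runs offline; in production `transport`
// performs the HTTPS POST and resolves to the parsed JSON reply. A bot that POSTs straight
// to the handler without ever loading the page sends no token and fails before any call.
async function verifyFormToken(token, remoteIp, opts, transport) {
  if (!token) return { ok: false, reason: 'missing-token' };
  const reply = await transport(buildSiteverifyRequest(opts.secret, token, remoteIp));
  return evaluateSiteverify(reply, opts);
}

// Constructed stand-in for Google's endpoint: returns a canned reply and records the request.
function fakeTransport(cannedReply) {
  const t = async (req) => { t.lastRequest = req; return cannedReply; };
  return t;
}
```

As the thread notes, a passing check only stops the account from being created; the POST itself still reaches the server, so the rate and source rules still belong in front of it.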