Announcement

**InvincibleRecordings** · 10-08-19, 06:07 AM

So I guess I am leaning towards using the Phosphor Media Easy Account module if that will really fix the issue. Bruce - is this the golden magic?

**alphabet** · 10-08-19, 01:17 PM

Code:

          <input type="hidden" name="CSRF_Token" value="&mvte:global:Basket:csrf_token;" />

Would adding the CSRF token to the form work? And will the CSRF token still work after 9.13 Defer Empty Baskets update?

**InvincibleRecordings** · 10-09-19, 04:39 AM

I have a ticket in with Bruce at PhosphorMedia to install his Easy Contact and remove the "Create New Account" page. I will keep you posted on if this fixes the issue. Below is a screen shot of customers being added.

Attached Files

Screen-Shot-2019-10-09-at-5.20.32-AM.jpg (101.8 KB, 271 views)

**alphabet** · 10-09-19, 05:29 AM

That looks horrible!

For posterity, a method to block bad bots through the htaccess file by USER_AGENT or IP:

Code:

# block bad bots
RewriteCond %{HTTP_USER_AGENT} (SemrushBot|Screaming|Sogou|Spyfu) [NC,OR]
RewriteCond %{REMOTE_ADDR} ^xxx\.xxx\.xxx\.xxx
RewriteRule ^.* - [F,L]

Also, many hosts maintain a badbot file and will offer to block them upstream so you may want to check with your host.

**lesliekirk** · 10-09-19, 06:07 AM

Originally posted by InvincibleRecordings View Post

I have a ticket in with Bruce at PhosphorMedia to install his Easy Contact and remove the "Create New Account" page. I will keep you posted on if this fixes the issue. Below is a screen shot of customers being added.

Does Bruce's module replace the abbreviated Create Account on the login page? I had forgotten about that option in Shadows.

Question - have you set up the Payment Settings reCAPTCHA? I wonder if there is a way to add it to the Customer Log In page?

https://docs.miva.com/reference-guid...

**InvincibleRecordings** · 10-09-19, 08:02 AM

Originally posted by lesliekirk View Post

Does Bruce's module replace the abbreviated Create Account on the login page? I had forgotten about that option in Shadows.

Question - have you set up the Payment Settings reCAPTCHA? I wonder if there is a way to add it to the Customer Log In page?

https://docs.miva.com/reference-guid...

We have reCAPTCHA available if needed on the payment page but no where else. I think we are removing the "Create Account" page. I am first going with the Module approach and see if that ends the issue. But my hosting company did way they could block the IP address if I knew what it was. Does the MIVA admin have some place that can be found?

**lesliekirk** · 10-09-19, 08:21 AM

Originally posted by InvincibleRecordings View Post

We have reCAPTCHA available if needed on the payment page but no where else. I think we are removing the "Create Account" page. I am first going with the Module approach and see if that ends the issue. But my hosting company did way they could block the IP address if I knew what it was. Does the MIVA admin have some place that can be found?

The IP address of the spammer? Only if it's collected. On a side note to the reCAPTCHA - I wonder if you could do a view source of the page it appears on (at checkout) copy the code and place it on the customer-log-in.html page? Just thinking out loud...

**alphabet** · 10-09-19, 11:57 AM

I'm not sure if this will work but create a custom customer field with code 'ip'.
Then paste this snippet on the ACAD page.

Code:

<mvt:assign name="g.remote_addr" value="s.remote_addr" />
<mvt:item name="customfields" param="Write_Customer_Login( g.Customer_LoginEmail, 'ip', g.remote_addr )" />

**lesliekirk** · 10-09-19, 01:21 PM

Originally posted by alphabet View Post

I'm not sure if this will work but create a custom customer field with code 'ip'.
Then paste this snippet on the ACAD page.

Code:

<mvt:assign name="g.remote_addr" value="s.remote_addr" />
<mvt:item name="customfields" param="Write_Customer_Login( g.Customer_LoginEmail, 'ip', g.remote_addr )" />

I don't think this is happening on the ACAD Page. The Shadows ReadyTheme has an abbreviated account creation on the LOGN screen.

**alphabet** · 10-09-19, 01:50 PM

I'm hoping that the LOGN Create Account form submits and uses the customer's register_email input to create the account.

I think that the LOGN action responds with the ACAD so the user can further enter their address.

If the ACAD has access to g.Customer_LoginEmail it can log the bot_ip.

Otherwise, the bot is gone.

**alphabet** · 10-09-19, 01:59 PM

Another idea is to pass the bot ip as a hidden field on the LOGN Create Account form and email it from the ACAD page.

On the LOGN Create Account form add:

Code:

<mvt:assign name="g.remote_addr" value="s.remote_addr" />
<input type="hidden" name="bot_ip" value="g.remote_addr" />

On the ACAD page add:

Code:

    <mvt:assign name="g.to_email" value="'YOUR_EMAIL'" />
    <mvt:assign name="g.from_email" value="'YOUR_EMAIL'" />
    <mvt:assign name="g.subject" value="'Bot IP'" />
    <mvt:assign name="g.message" value="'Bot IP: ' $ g.bot_ip />

    <mvt:do file="g.module_library_utilities" name="g.email_sent" value="SendEmail(g.to_email,g.from_email,'',g.subject,'',g.message)" />

**Bruce - PhosphorMedia** · 10-09-19, 02:32 PM

Musing Theoretical Here.... I wonder if there isn't a way to detect whether or not the data input received by CGI where indeed entered via a keyboard...for example, lets say you do a basic de-encryption of CGI data before processing it...and that data gets encrypted AS the user enters data via the keyboard...not sure how you'd hide the crypt-salt though seeing as how you'd have to do this at the DOM level...but it would be cool if you could basically prevent all bot efforts. (Of course, this would kill auto-fill...but i notice more and more sites are using "no autocomplete" anyway.

**lesliekirk** · 10-09-19, 03:33 PM

Originally posted by Bruce - PhosphorMedia View Post

Musing Theoretical Here.... I wonder if there isn't a way to detect whether or not the data input received by CGI where indeed entered via a keyboard...for example, lets say you do a basic de-encryption of CGI data before processing it...and that data gets encrypted AS the user enters data via the keyboard...not sure how you'd hide the crypt-salt though seeing as how you'd have to do this at the DOM level...but it would be cool if you could basically prevent all bot efforts. (Of course, this would kill auto-fill...but i notice more and more sites are using "no autocomplete" anyway.

Perhaps a more relevant musing, since there may be inquiring minds that might like to know, will your Easy Contact module resolve this issue?

**Bruce - PhosphorMedia** · 10-09-19, 04:00 PM

Well, Easy Contact has its own built in Bot/Spam protection, which to date, has not been compromised... but that's for Email Contact and not just blocking bots from any form which what I was fantasizing.

**alphabet** · 10-10-19, 05:14 AM

a way to detect whether or not the data input received by CGI where indeed entered via a keyboard

I think that is the purpose of the CSRF token. Can InvincibleRecordings add the hidden field and make sure the 'Require CSRF Token for Customer Actions' is checked.

Still wondering if the 'Defer Empty Baskets' setting will affect this since the token is associated with the baskets array?

I see where you're heading with this, that he'll otherwise have to sift through the server logs for the bot IP and hope it's not proxied. And FWIW, just checked and req_addr is not a required HTTP header.

Announcement

Someone is creating new fake customers accounts

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment