Someone is creating new fake customers accounts

  • lesliekirk
    replied
    Originally posted by InvincibleRecordings
    I have a ticket in with Bruce at PhosphorMedia to install his Easy Contact and remove the "Create New Account" page. I will keep you posted on if this fixes the issue. Below is a screen shot of customers being added.
    Does Bruce's module replace the abbreviated Create Account on the login page? I had forgotten about that option in Shadows.

    Question - have you set up the Payment Settings reCAPTCHA? I wonder if there is a way to add it to the Customer Log In page?

    https://docs.miva.com/reference-guid...

  • alphabet
    replied
    That looks horrible!

    For posterity, a method to block bad bots through the htaccess file by USER_AGENT or IP:

    Code:
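    # block bad bots
    RewriteEngine On
    # match by user agent (case-insensitive) OR by client IP
    RewriteCond %{HTTP_USER_AGENT} (SemrushBot|Screaming|Sogou|Spyfu) [NC,OR]
    # replace xxx with the address to block; the trailing $ stops 1.2.3.4 from also matching 1.2.3.40
    RewriteCond %{REMOTE_ADDR} ^xxx\.xxx\.xxx\.xxx$
    # return 403 Forbidden
    RewriteRule ^.* - [F,L]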
    Also, many hosts maintain a badbot file and will offer to block them upstream so you may want to check with your host.

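
An added example, not part of any post in this thread: before writing the `RewriteCond` lines above, a short access-log pass shows whether the form posts cluster by IP or by user agent, which matters because of the IP rotation mentioned elsewhere in the thread. The combined log format, the `/merchant.mvc` path, the user-agent strings and the threshold are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format: ip, ident, user, [time], "request", status, bytes, "referer", "ua"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def triage(lines, endpoint="merchant.mvc", min_posts=3):
    """Return IPs and user agents with at least min_posts POSTs to endpoint."""
    by_ip, by_ua = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or endpoint not in m["path"]:
            continue
        by_ip[m["ip"]] += 1
        by_ua[m["ua"]] += 1
    return {
        "ips": sorted(ip for ip, n in by_ip.items() if n >= min_posts),
        "user_agents": sorted(ua for ua, n in by_ua.items() if n >= min_posts),
    }

def _line(ip, method, ua):
    # Helper that builds one constructed log line.
    return (f'{ip} - - [09/Oct/2019:05:00:00 +0000] "{method} /merchant.mvc HTTP/1.1" '
            f'200 512 "-" "{ua}"')

# Constructed sample: documentation IP ranges and made-up user agents.
SAMPLE = (
    # A client that changes IP on every request but keeps one user agent.
    [_line(f"198.51.100.{i}", "POST", "ExampleBot/1.0") for i in range(1, 5)]
    # A client that posts repeatedly from a single address.
    + [_line("203.0.113.7", "POST", "ExampleScript/0.1")] * 3
    # An ordinary shopper: one page view, one form post.
    + [_line("192.0.2.20", "GET", "Mozilla/5.0"), _line("192.0.2.20", "POST", "Mozilla/5.0")]
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

In the sample, the rotating client never reaches the per-IP threshold and only shows up in the user-agent list, so an IP-only rule would miss it.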


  • InvincibleRecordings
    replied
    I have a ticket in with Bruce at PhosphorMedia to install his Easy Contact and remove the "Create New Account" page. I will keep you posted on if this fixes the issue. Below is a screen shot of customers being added.
    Last edited by InvincibleRecordings; 10-09-19, 05:39 AM.

  • alphabet
    replied
    Code:
    <input type="hidden" name="CSRF_Token" value="&mvte:global:Basket:csrf_token;" />
    Would adding the CSRF token to the form work? And will the CSRF token still work after 9.13 Defer Empty Baskets update?

  • InvincibleRecordings
    replied
    So I guess I am leaning towards using the Phosphor Media Easy Account module if that will really fix the issue. Bruce - is this the golden magic?

  • William Davis
    replied
    Have you been able to identify the culprit yet? If it's a bot, "disallow" from login page on your robots.txt file. This will at the very least accomplish one thing, is it intentional.

  • dreamingdigital
    replied
    You can create a completely blank page in Miva and send the right form post to it and you can make an account, add to cart, etc etc.

    The only way I was able to stop a bot today was through htaccess but that's not going to last forever.

    I see that merchant.mv is in the LSK so in theory one could edit and compile that with some blocking stuff. I see this being a not good idea.... but I don't know what else to do. There are hundreds of thousands of spam customer accounts being created on multiple sites.

  • dreamingdigital
    replied
    Any "Action" that gets sent to a page gets done before the page template runs anyways (most of the time) so, for example, you can add a product to your cart from the OCST page and end up on the OCST page. I don't want to post anymore. Obviously somebody already has something programmed in and is passing it around the 'Net for bots and the like. I'm going to put in programming into the HTML PROFILE SMT code but I think that's still not the best solution. An alternate or modified merchant.mvc would be my best idea - I don't do that kind of programming though.

  • Bruce - PhosphorMedia
    replied
    Not sure I follow what you are saying Colin. Bots are exploiting HTML/HTTP/CGI variables and processes. Most of those processes (at least the ones that matter) are controllable at the SMT level...so, a 'module' wouldn't be required. It might make it simpler, but I don't see how it would be required.

  • dreamingdigital
    replied
    If you know anything about how Miva works the only way to stop a bot would be a module. Front side code on some random page won't work.

  • InvincibleRecordings
    replied
    Anyone able to add reCAPTCHA to my site? They started doing it again.

  • Bruce - PhosphorMedia
    replied
    Originally posted by Beefy Nugget
    You could stop that IP address from creating any more accounts. Have a custom customer field that assigns the IP address on the account created page. Then on the create account page do some code saying if s.remote_addr EQ that IP, don't display any fields for account creation. Even if they have a proxy, it will add another step in the system for them to need to automate or do by hand. Not a final solution but it might help slow the flood.
    That's a very interesting technique, but may not work based on how the bot is created; many rotate through IP addresses on each attempt. But this would probably stop 'script kiddy' type efforts as those bots are rarely effective at doing anything other than being annoying.

  • Beefy Nugget
    replied
    You could stop that IP address from creating any more accounts. Have a custom customer field that assigns the IP address on the account created page. Then on the create account page do some code saying if s.remote_addr EQ that IP, don't display any fields for account creation. Even if they have a proxy, it will add another step in the system for them to need to automate or do by hand. Not a final solution but it might help slow the flood.

  • Bruce - PhosphorMedia
    replied
    It's a bot. Add reCAPTCHA or some other code to block it from filling out the form.

  • InvincibleRecordings
    replied
    Leslie, it could be a bot, but it seems programming one for Miva Shadows would be hard. Not sure. They are using first names like MsxgKebyfzhV and everything else entered is just as ridiculous.

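
An added example, not part of any post in this thread: a heuristic for picking accounts like the reported "MsxgKebyfzhV" out of a customer export so they can be reviewed and purged. The field names (`first`, `last`, `city`), the thresholds and every sample record except that one quoted name are assumptions made for illustration.

```python
import re

VOWELS = "aeiouy"  # y counts as a vowel so names like "Lynn" are not penalised

def gibberish_signals(value):
    """Count weak signals (0-3) that a text field is random filler."""
    letters = [c for c in value if c.isalpha()]
    if len(letters) < 6:  # too short to judge reliably
        return 0
    lower = "".join(letters).lower()
    vowel_ratio = sum(c in VOWELS for c in lower) / len(lower)
    longest_run = max((len(r) for r in re.findall(f"[^{VOWELS}]+", lower)), default=0)
    # Capitals after the first letter, as in "MsxgKebyfzhV"; ignored for ALL-CAPS input.
    interior_caps = 0 if value.isupper() else sum(c.isupper() for c in letters[1:])
    return int(vowel_ratio < 0.2) + int(longest_run >= 4) + int(interior_caps >= 2)

def flag_accounts(records, fields=("first", "last", "city"), min_fields=2):
    """Return ids of records where at least min_fields fields look like gibberish.

    Requiring several bad fields keeps a single consonant-heavy real name
    (for example "Schwartz") from flagging a genuine customer.
    """
    flagged = []
    for rec in records:
        bad = sum(gibberish_signals(rec.get(f, "")) >= 2 for f in fields)
        if bad >= min_fields:
            flagged.append(rec["id"])
    return flagged

# Constructed sample export; only "MsxgKebyfzhV" comes from the thread.
SAMPLE = [
    {"id": 1, "first": "MsxgKebyfzhV", "last": "QplzTrwkNbd", "city": "XkcdWqrtPlm"},
    {"id": 2, "first": "Leslie", "last": "Schwartz", "city": "Pittsburgh"},
    {"id": 3, "first": "DeShawn", "last": "McDonald", "city": "Sacramento"},
    {"id": 4, "first": "hjkqwzxv", "last": "bnmtrplk", "city": "Springfield"},
]

if __name__ == "__main__":
    print(flag_accounts(SAMPLE))
```

Treat the result as a review list rather than a delete list: short fields are not scored, and non-English names may need different thresholds.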
