Question

How to prevent spam account registration, aside from enabling CAPTCHA on forms (which I've already tried)? We're dealing with a steady flood of them.

The first name field is always Russian characters, so failing an easier route, maybe there is a way to detect a certain character and block the registration in that case?

Solution

We went through the same problem; the front-end maxlength limitation was bypassed easily (try it yourself by removing the maximum-length-25 class from the HTML).

So here is what I found:

  • Solution 1: Blocking via IP: each account subscription uses a different IP, from Colombia to Vietnam...

  • Solution 2: Blocking via User agent: it can be faked... It works if you want to limit crawler bots.

  • Solution 3: Use a HoneyPot: may work, but if the bot has already focused on you, I think it surely knows which fields to post (see: https://magento.stackexchange.com/a/104261/50635)

  • Solution 4: Captcha (Magento or Google): may work, but some people said it was bypassed

  • Solution 5: Edit the email template and add the confirmation email:

    • Removing input data such as {{var customer.name}}, {{var customer.firstname}} from the /app/locale/[locale]/template/email/account_new.html template can prevent it a bit from being marked as spam.
    • Add the email confirmation: System > Configuration > Customer Configuration > Require Emails Confirmation > Yes
  • Solution 6: Update the field limitation rules from the database: directly in the customer_eav_attribute table, update the rows with attribute_id=5 [firstname] and attribute_id=7 [lastname] and replace 255 by 25:

    • a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}
    • by: a:2:{s:15:"max_text_length";i:25;s:15:"min_text_length";i:1;}

Solution 6 seems the fastest and most effective way to prevent spambots, as they are using more than 25 characters.

Since then, NO MORE FAKE ACCOUNTS were created! Problem solved.


If they try with less, it will at least restrict them in their phishing attempt.

You can check how many users already have a firstname or lastname over 25 characters; in our case, it was really minor:

SELECT ce.entity_id, ce.email, cev2.value AS firstname, cev3.value AS lastname
FROM customer_entity ce
-- first name
INNER JOIN customer_entity_varchar cev2 ON (ce.entity_id = cev2.entity_id AND cev2.attribute_id = 5)
-- last name
INNER JOIN customer_entity_varchar cev3 ON (ce.entity_id = cev3.entity_id AND cev3.attribute_id = 7)
WHERE CHAR_LENGTH(cev2.value) > 25 OR CHAR_LENGTH(cev3.value) > 25;

For more information on why these fake accounts are registered, read here: https://magento.stackexchange.com/a/240710/50635

OTHER TIPS

Considering that we are talking about Account Registration, it seems that you are on the right track. Have you tried changing the email registration subject?

It is probably in app/locale/yourlanguage/template/email/account_new.html

As a supplementary note, I deleted the spam accounts with the following code:

// Runs inside a class that can load the customer collection and the registry.
$customers = $this->getCustomerCollection();

// Magento only allows deleting customers from a "secure area".
$this->registry->register('isSecureArea', true);

// True when the string contains at least one Cyrillic character.
function isRussian($text) {
    return preg_match('/[А-Яа-яЁё]/u', $text) === 1;
}

foreach ($customers as $customer) {
    $name = $customer->getName();
    if (isRussian($name)) {
        $customer->delete();
    }
}

Use Cloudflare or some other firewall to block some countries if you can: China, Hong Kong, Russia. This does not stop all the spam, however, and does not work if you need those countries to be able to access the site, of course. But it was helpful to let me actually use the admin panel, as the server was getting hammered pretty hard.

Enable the built-in Google reCAPTCHA, or use an alternative plugin if you have not updated Magento to 2.3.0+.

In Magento 2.3, to enable the built-in Google reCAPTCHA:

1) Visit Stores > Settings > Configuration > Security > Google reCAPTCHA
2) Generate reCAPTCHA v2 invisible reCAPTCHA or "I'm not a bot" keys.
3) Enter them into the admin config on that page and enable it on the frontend for "Use in Create user".

Enabling for other features can't really hurt either however.

For cleaning up existing accounts, find patterns in their input and create queries to select them, whilst ensuring your normal users are not part of that set of data.

You can delete them from the customer_entity table.

Example SQL from a site I cleaned up. Craft your own, as it would need to be mindful of your circumstances, your dataset, etc. Don't hold me responsible if you wipe the wrong users; take a backup first!

DELETE FROM customer_entity
WHERE SUBSTRING_INDEX(email, '\@', -1) IN ('pp.com',
'sf-express.com',
'qqlong.com',
'kinohit.win',
'sohu.com',
'21cn.com',
'yeah.net',
'koreamail.com',
'aliyun.com',
'mail.ru',
'VIP.SINA.COM',
'yahoo.co.in',
'icload.com',
'sogou.com',
'vip.qq.com',
'sina.cn',
'189.cn',
'wo.com.cn',
'qq.cn',
'sina.com.cn',
'126.cn',
'yahoo.com.cn',
'3g.cn',
'163.com',
'167.com',
'139.com',
'126.com',
'130.com',
'144.com',
'123.com',
'ca800.com',
'168.com',
'188.com',
'1974.com',
'qq.co',
'sina.com',
'qq.com',
'qq.con',
'QQ.come',
'yandex.com',
'5ol.com',
'yeat.net',
'yahoo.cn')
OR lastname LIKE '%http://%'
OR lastname LIKE '%https://%'
OR lastname LIKE '%【%】%'
OR lastname LIKE '%tw55.cc%'
OR lastname LIKE '%www.ope2228.com%';

Ensure the old basic Magento CAPTCHA is disabled: Customers > Customer Configuration > CAPTCHA

Enable CAPTCHA on Storefront: No

As it will conflict with the Google reCAPTCHA...

Official documentation links:

https://docs.magento.com/m2/ce/user_guide/configuration/security/google-recaptcha.html

https://docs.magento.com/m2/ce/user_guide/stores/security-google-recaptcha.html

The bots just seem to hit the account creation endpoint (yes, even if you delete the Create Account buttons/links from your theme), but deleting or deactivating their accounts is recommended, as they could sleep till later and spam other things, and they use up space in your DB anyway....

Good luck everyone.

You can easily set the domains to block and the error message to be displayed when a user attempts to register with an email domain on your block list. Full instructions are as follows:

Create a new module named EmailCheck in the folder Ecomsolver.

Step 1: Write the following code for the admin panel. The path of the file will be Ecomsolver > EmailCheck > etc > Adminhtml > System

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Config:etc/system_file.xsd">
    <system>
        <tab id="ecomsolver" translate="label" sortOrder="999">
            <label>Ecomsolver</label>
        </tab>
        <section id="emailblock" translate="label" sortOrder="130" showInDefault="1" showInWebsite="1" showInStore="1">
            <class>separator-top</class>
            <label>Email Check</label>
            <tab>ecomsolver</tab>
            <resource>PixieMedia_General::general_config</resource>
            <group id="domains" translate="label" type="text" sortOrder="10" showInDefault="1" showInWebsite="1" showInStore="1">
                <label>Domain Names</label>
                <field id="domains" translate="label" type="textarea" sortOrder="1" showInDefault="1" showInWebsite="1" showInStore="1">
                    <label>Domain names to block</label>
                    <comment>Comma separated values eg google.co.uk,mail.ru,some.com</comment>
                </field>
                <field id="message" translate="label" type="textarea" sortOrder="1" showInDefault="1" showInWebsite="1" showInStore="1">
                    <label>Message to display</label>
                    <comment>The error message to show users who try to register with one of the above domain names</comment>
                </field>
            </group>
        </section>
    </system>
</config>

Step 2: Write the following code in a file. The path of the file will be Ecomsolver > EmailCheck > etc > Frontend > di

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <!-- Wrap the customer registration controller with the domain check below -->
    <type name="Magento\Customer\Controller\Account\CreatePost">
        <plugin name="restrictCustomerEmail" type="Ecomsolver\Emailcheck\Model\Plugin\Controller\Account\RestrictCustomerEmail"/>
    </type>
</config>

Step 3: Write the following code in an XML file named Config. The path of the file will be Ecomsolver > EmailCheck > etc > Config

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <emailblock>
            <!-- section/group/field nesting must match system.xml, so the plugin
                 can read emailblock/domains/domains and emailblock/domains/message -->
            <domains>
                <domains>163.com,mail.ru</domains>
                <message>We do not allow registration from your email domain</message>
            </domains>
        </emailblock>
    </default>
</config>

Step 4: Write the following code in an XML file named Module. The path of the file will be Ecomsolver > EmailCheck > etc > Module

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
    <module name="Ecomsolver_Emailcheck" setup_version="1.0.0">
    </module>
</config>

Step 5: Create a folder named Model in EmailCheck. Then create the subfolder Plugin > Controller > Account. Write the following code in a PHP file named RestrictCustomerEmail. The path of the PHP file will be Ecomsolver > EmailCheck > Model > Plugin > Controller > Account > RestrictCustomerEmail

<?php
/* Ecomsolver @@@@@@ ecomsolver@gmail.com */
namespace Ecomsolver\Emailcheck\Model\Plugin\Controller\Account;

use Magento\Framework\App\Config\ScopeConfigInterface;
use Magento\Framework\Controller\Result\RedirectFactory;
use Magento\Framework\Message\ManagerInterface;
use Magento\Framework\UrlFactory;
use Magento\Store\Model\ScopeInterface;

class RestrictCustomerEmail
{
    /**
     * @var \Magento\Framework\UrlInterface
     */
    protected $urlModel;

    /**
     * @var \Magento\Framework\Controller\Result\RedirectFactory
     */
    protected $resultRedirectFactory;

    /**
     * @var \Magento\Framework\Message\ManagerInterface
     */
    protected $messageManager;

    /**
     * @var \Magento\Framework\App\Config\ScopeConfigInterface
     */
    protected $scopeConfig;

    /**
     * RestrictCustomerEmail constructor.
     * @param UrlFactory $urlFactory
     * @param RedirectFactory $redirectFactory
     * @param ManagerInterface $messageManager
     * @param ScopeConfigInterface $scopeConfig
     */
    public function __construct(
        UrlFactory $urlFactory,
        RedirectFactory $redirectFactory,
        ManagerInterface $messageManager,
        ScopeConfigInterface $scopeConfig
    ) {
        $this->urlModel = $urlFactory->create();
        $this->resultRedirectFactory = $redirectFactory;
        $this->messageManager = $messageManager;
        $this->scopeConfig = $scopeConfig;
    }

    /**
     * Reject the registration when the email domain is on the configured block list.
     *
     * @param \Magento\Customer\Controller\Account\CreatePost $subject
     * @param \Closure $proceed
     * @return mixed
     * @throws \Magento\Framework\Exception\LocalizedException
     */
    public function aroundExecute(
        \Magento\Customer\Controller\Account\CreatePost $subject,
        \Closure $proceed
    ) {
        $email = (string) $subject->getRequest()->getParam('email');
        // An address without '@' is left to Magento's own email validation.
        $parts = explode('@', $email, 2);
        $domain = isset($parts[1]) ? strtolower(trim($parts[1])) : '';

        $domains = $this->scopeConfig->getValue('emailblock/domains/domains', ScopeInterface::SCOPE_STORE);
        if (!$domains) {
            // Nothing configured: run the original controller ($proceed must be called, not returned).
            return $proceed();
        }
        // Normalise the configured list so that "VIP.SINA.COM" and "vip.sina.com" match.
        $domainArray = array_filter(array_map('strtolower', array_map('trim', explode(',', $domains))));
        if ($domain === '' || !in_array($domain, $domainArray, true)) {
            return $proceed();
        }

        $message = $this->scopeConfig->getValue('emailblock/domains/message', ScopeInterface::SCOPE_STORE);
        if (!$message) {
            $message = __('We do not allow registration from your email domain');
        }
        $this->messageManager->addErrorMessage($message);
        $defaultUrl = $this->urlModel->getUrl('*/*/create', ['_secure' => true]);
        /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
        $resultRedirect = $this->resultRedirectFactory->create();
        return $resultRedirect->setUrl($defaultUrl);
    }
}
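The heuristics used across these answers (the 25-character name limit of Solution 6, the Cyrillic check of the deletion script, the URL/bracket and email-domain patterns of the cleanup DELETE, and the domain block list of the plugin above) collected into one triage script. This is an added example, not code from the thread or from the Ecomsolver module; the blocked-domain list is a three-entry subset of the thread's list, the sample rows are constructed, and it goes beyond the plugin by matching subdomains and treating a malformed address as suspicious.

```python
import re

# Heuristics from this thread: names over 25 characters, Cyrillic names,
# URLs or fullwidth brackets in a name, and a blocked email domain.
MAX_NAME_LEN = 25
# Constructed three-entry subset of the thread's blocked-domain list.
BLOCKED_DOMAINS = frozenset({"mail.ru", "163.com", "qq.com"})
CYRILLIC = re.compile(r"[А-Яа-яЁё]")
URL_OR_BRACKETS = re.compile(r"https?://|【.*】")

def email_domain(email):
    """Lower-cased domain of an address, or None when it has no single '@'."""
    if email.count("@") != 1:
        return None
    domain = email.strip().lower().rsplit("@", 1)[1].rstrip(".")
    return domain or None

def domain_blocked(domain, blocked=BLOCKED_DOMAINS):
    """Exact or subdomain match, so 'smtp.mail.ru' is caught by 'mail.ru'."""
    if domain is None:
        return True  # malformed address: treat as suspicious, not as clean
    return any(domain == b or domain.endswith("." + b) for b in blocked)

def registration_flags(firstname, lastname, email, blocked=BLOCKED_DOMAINS):
    """Names of the heuristics that fire for one registration (empty = clean)."""
    flags = []
    if domain_blocked(email_domain(email), blocked):
        flags.append("blocked_domain")
    for label, value in (("firstname", firstname), ("lastname", lastname)):
        if len(value) > MAX_NAME_LEN:
            flags.append(label + "_too_long")
        if CYRILLIC.search(value):
            flags.append(label + "_cyrillic")
        if URL_OR_BRACKETS.search(value):
            flags.append(label + "_url_or_brackets")
    return flags

# Constructed rows in the shape of the page's SELECT (firstname, lastname, email).
SAMPLE_ROWS = [
    ("Jane", "Doe", "jane@example.com"),
    ("Ирина", "http://spam.example", "user@MAIL.RU"),
    ("A" * 40, "Smith", "x@sub.163.com"),
    ("Bob", "【促销】Lee", "bob-at-nowhere"),
]

def triage(rows):
    """Map each row's email to its flag list; review before deleting anything."""
    return {email: registration_flags(f, l, email) for f, l, email in rows}
```

Running `triage(SAMPLE_ROWS)` leaves only jane@example.com unflagged; anything flagged is a candidate for review, not an automatic delete.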

I have resolved it by adding the following code to .htaccess. After debugging a lot, I didn't find anything, but when I created one event on customer save I got this, and then it was resolved.

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Each condition matches a user-agent string seen on the spam registrations; [OR] chains them.
    RewriteCond %{HTTP_USER_AGENT} "rv:40\.0\)\ Gecko/20100101\ Firefox/40\.1$" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Gecko.*Gecko" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Gecko/([a-z]|[A-Z])\." [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Gecko/\ " [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Gecko/20([2-9])" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Gecko/201([1-9])"
    # The conditions only take effect when a rule follows them; this one (added here) answers 403 Forbidden.
    RewriteRule ^ - [F,L]
</IfModule>
Licensed under: CC-BY-SA with attribution