Urgent !!! Regarding fake customers registration

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
10 years ago
kakoli wrote:
Does this mean nop has an issue or bug? I am sure many people are facing the same issue.


I don't know enough about coding or the form processor to make a comment on whether it is a bug, but if someone does know how to check the form processor to see if it's requiring validation on all requests - not just the initial one - this will answer your question and possibly give us a solution.
10 years ago
I am not sure either; I am not good at these things. Can someone from the nop team have a look into this please? It's a big issue, I guess...
10 years ago
The form processor with CAPTCHA appears to be working properly (i.e. a new code is requested each time you press enter, and even backing up to the previous page requires a new code). (NOP 2.8)
10 years ago
Yes, true, I have observed that long back... not sure what could be the reason then :(
10 years ago
kakoli wrote:
You can edit CustomerController Register() Method in nop.web project to implement honeypot.
And publish nop.web dll.

Is this new hidden field "required"? I guess it's not; is that the reason I am still getting fake registrations?

Also, when I view the page source I see this code, where there is some value by default; could this be the cause?

<form action="/register" method="post"><input id="Landmark" name="Landmark" style="display: none" type="text" value="" /><input name="__RequestVerificationToken" type="hidden" value="OTERPeMdZ1cvRc4OUJnp81CT6o2hKXv8gEo3sOk3h3i-UVc5Xsyn2qhn32Q5OOfzM88uOM2kxkbfQ89JvQtBWxZo9zUStqIpH2zR_mfWRJ01" />

Do we have any solution :(

Email validation, admin approval, reCAPTCHA, honeypot have all failed. I am receiving some 200 fake registrations every day again and the numbers are growing... somebody please help...


I was able to solve fake customer registration by implementing a honeypot. In your case, maybe the problem is in the name of the hidden field.

Honeypot is a technique where we can stop bots and spammers from registering. For that we have to give a proper name to the hidden field so that bots can understand it and fill in some value there.

And the next step is to check the value in the Register() method. If that hidden field has some value, we will not register that customer at all.

Hope this will help you. :)
10 years ago
krutal wrote:
You can edit CustomerController Register() Method in nop.web project to implement honeypot.
And publish nop.web dll.

Is this new hidden field "required"? I guess it's not; is that the reason I am still getting fake registrations?

Also, when I view the page source I see this code, where there is some value by default; could this be the cause?

<form action="/register" method="post"><input id="Landmark" name="Landmark" style="display: none" type="text" value="" /><input name="__RequestVerificationToken" type="hidden" value="OTERPeMdZ1cvRc4OUJnp81CT6o2hKXv8gEo3sOk3h3i-UVc5Xsyn2qhn32Q5OOfzM88uOM2kxkbfQ89JvQtBWxZo9zUStqIpH2zR_mfWRJ01" />

Do we have any solution :(

Email validation, admin approval, reCAPTCHA, honeypot have all failed. I am receiving some 200 fake registrations every day again and the numbers are growing... somebody please help...

I was able to solve fake customer registration by implementing a honeypot. In your case, maybe the problem is in the name of the hidden field.

Honeypot is a technique where we can stop bots and spammers from registering. For that we have to give a proper name to the hidden field so that bots can understand it and fill in some value there.

And the next step is to check the value in the Register() method. If that hidden field has some value, we will not register that customer at all.

Hope this will help you. :)


But what about the auto-fill feature in some browsers? If it is a recognizable field with a "proper name", then this might prevent registrations of real customers, if this same name is used on some other site and the customer's browser has remembered it.
10 years ago
I know this is over a month old now, but in case anyone is interested in a randomized HoneyPot, then here are the needed pieces. The reason I went with randomized is in case bot writers started including blacklists for field names like "HoneyPot". You could shorten the code if you don't want it configurable.

Web.config:

<appSettings>
<add key="EnableHoneyPot" value="true" />
<add key="RandomizeHoneyPot" value="true" />
</appSettings>


Register.cshtml (within @using (Html.BeginForm()) {...})

@* Render the trap field under the per-session random name; it is invisible to a real user. *@
if (ViewBag.HoneyPotEnabled != null && ViewBag.HoneyPotEnabled)
{
    @Html.TextBox(Session["HoneyPotName"].ToString(), null, new { style = "display: none;" })
}


CustomerController.cs:

// Needs: using System; using System.Configuration; using System.IO;
// (ConfigurationManager requires a reference to System.Configuration.dll)

[NonAction]
void ConfigureHoneyPot()
{
    // Read the EnableHoneyPot switch from Web.config; anything unparsable counts as "off".
    string strEnableHoneyPot = ConfigurationManager.AppSettings["EnableHoneyPot"];
    bool enableHoneyPot = false;
    bool.TryParse(strEnableHoneyPot, out enableHoneyPot);
    if (enableHoneyPot)
    {
        string honeyPotName = "HoneyPot";
        string strRandomizeHoneyPot = ConfigurationManager.AppSettings["RandomizeHoneyPot"];
        bool randomizeHoneyPot = false;
        bool.TryParse(strRandomizeHoneyPot, out randomizeHoneyPot);
        if (randomizeHoneyPot)
        {
            // Random 10-19 character field name so a bot cannot simply blacklist it.
            honeyPotName = Path.GetRandomFileName().Replace(".", "");
            int length = new Random().Next(10, 20);
            if (honeyPotName.Length > length)
            {
                honeyPotName = honeyPotName.Substring(0, length);
            }
        }

        // The view renders the hidden box under this name; the POST handler reads it back.
        ViewBag.HoneyPotEnabled = true;
        Session["HoneyPotName"] = honeyPotName;
    }
    else
    {
        ViewBag.HoneyPotEnabled = false;
    }
}

[NonAction]
void TestHoneyPot()
{
    string strEnableHoneyPot = ConfigurationManager.AppSettings["EnableHoneyPot"];
    bool enableHoneyPot = false;
    bool.TryParse(strEnableHoneyPot, out enableHoneyPot);
    if (enableHoneyPot)
    {
        ViewBag.HoneyPotEnabled = true;

        // The session may have expired between GET and POST, or the form may never
        // have been fetched in this session; fail closed with a message a real user
        // can act on instead of throwing a NullReferenceException.
        string honeyPotName = Session["HoneyPotName"] as string;
        if (string.IsNullOrEmpty(honeyPotName))
        {
            ModelState.AddModelError("", "Your session has expired, please reload the registration form.");
            return;
        }

        // A real browser never fills a display:none field; any value means a bot.
        string value = Request.Form[honeyPotName];
        if (!string.IsNullOrEmpty(value))
        {
            ModelState.AddModelError("", "Ahhh, you're a robot!!!");
        }
    }
}



Add a call to the ConfigureHoneyPot method into the "Register()" action method.

Then add a call to the TestHoneyPot method into the "Register(RegisterModel model, bool captchaValid)" action method just after the captcha check.
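A framework-independent model of the randomized honeypot laid out in this post, which also covers the browser auto-fill concern raised earlier in the thread. This is an added example, not code from the original posts or from nopCommerce; the function names, the session key, and the autocomplete/tabindex attributes on the rendered input are assumptions:

```python
import secrets
import string

# Constructed model: the server picks a random field name per session,
# renders a hidden input under that name, and rejects any registration
# POST in which the field arrives non-empty.

SESSION_KEY = "HoneyPotName"   # assumed; mirrors Session["HoneyPotName"] above


def configure_honeypot(session: dict, randomize: bool = True) -> str:
    """Choose the honeypot field name for this session and remember it."""
    if randomize:
        # 10-19 random alphanumerics, the same length range as the C# code,
        # but drawn from a CSPRNG; a leading letter keeps it a safe HTML name.
        alphabet = string.ascii_lowercase + string.digits
        length = secrets.randbelow(10) + 10
        name = secrets.choice(string.ascii_lowercase) + "".join(
            secrets.choice(alphabet) for _ in range(length - 1))
    else:
        name = "HoneyPot"
    session[SESSION_KEY] = name
    return name


def render_honeypot_input(name: str) -> str:
    """Hidden text box. autocomplete='off' and tabindex='-1' reduce the chance
    that a real user's browser auto-fill or keyboard focus puts a value into
    the trap field, which is the false-positive case raised in the thread."""
    return (f'<input type="text" name="{name}" value="" style="display:none" '
            f'autocomplete="off" tabindex="-1" aria-hidden="true" />')


def honeypot_triggered(session: dict, form: dict) -> bool:
    """True when the registration should be refused.

    A missing session entry (expired session, or the form was never fetched)
    also returns True: failing closed here means a client that skips the GET
    and posts directly is refused rather than slipping past the check."""
    name = session.get(SESSION_KEY)
    if not name:
        return True
    return bool(form.get(name, "").strip())
```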
10 years ago
While we're at it, if you could do the same randomly named field for the captcha textbox, then a bot wouldn't be able to figure out which randomly named field was the honeypot or the captcha, but you would know because they'd both be in session.

I don't have the code in front of me, does anyone know how much control we have over the captcha section (such as field name)?
10 years ago
bmeine wrote:
I know this is over a month old now, but in case anyone is interested in a randomized HoneyPot, then here are the needed pieces. The reason I went with randomized is in case bot writers started including blacklists for field names like "HoneyPot". You could shorten the code if you don't want it configurable.

Web.config:

<appSettings>
<add key="EnableHoneyPot" value="true" />
<add key="RandomizeHoneyPot" value="true" />
</appSettings>


Register.cshtml (within @using (Html.BeginForm()) {...})

@* Render the trap field under the per-session random name; it is invisible to a real user. *@
if (ViewBag.HoneyPotEnabled != null && ViewBag.HoneyPotEnabled)
{
    @Html.TextBox(Session["HoneyPotName"].ToString(), null, new { style = "display: none;" })
}


CustomerController.cs:

// Needs: using System; using System.Configuration; using System.IO;
// (ConfigurationManager requires a reference to System.Configuration.dll)

[NonAction]
void ConfigureHoneyPot()
{
    // Read the EnableHoneyPot switch from Web.config; anything unparsable counts as "off".
    string strEnableHoneyPot = ConfigurationManager.AppSettings["EnableHoneyPot"];
    bool enableHoneyPot = false;
    bool.TryParse(strEnableHoneyPot, out enableHoneyPot);
    if (enableHoneyPot)
    {
        string honeyPotName = "HoneyPot";
        string strRandomizeHoneyPot = ConfigurationManager.AppSettings["RandomizeHoneyPot"];
        bool randomizeHoneyPot = false;
        bool.TryParse(strRandomizeHoneyPot, out randomizeHoneyPot);
        if (randomizeHoneyPot)
        {
            // Random 10-19 character field name so a bot cannot simply blacklist it.
            honeyPotName = Path.GetRandomFileName().Replace(".", "");
            int length = new Random().Next(10, 20);
            if (honeyPotName.Length > length)
            {
                honeyPotName = honeyPotName.Substring(0, length);
            }
        }

        // The view renders the hidden box under this name; the POST handler reads it back.
        ViewBag.HoneyPotEnabled = true;
        Session["HoneyPotName"] = honeyPotName;
    }
    else
    {
        ViewBag.HoneyPotEnabled = false;
    }
}

[NonAction]
void TestHoneyPot()
{
    string strEnableHoneyPot = ConfigurationManager.AppSettings["EnableHoneyPot"];
    bool enableHoneyPot = false;
    bool.TryParse(strEnableHoneyPot, out enableHoneyPot);
    if (enableHoneyPot)
    {
        ViewBag.HoneyPotEnabled = true;

        // The session may have expired between GET and POST, or the form may never
        // have been fetched in this session; fail closed with a message a real user
        // can act on instead of throwing a NullReferenceException.
        string honeyPotName = Session["HoneyPotName"] as string;
        if (string.IsNullOrEmpty(honeyPotName))
        {
            ModelState.AddModelError("", "Your session has expired, please reload the registration form.");
            return;
        }

        // A real browser never fills a display:none field; any value means a bot.
        string value = Request.Form[honeyPotName];
        if (!string.IsNullOrEmpty(value))
        {
            ModelState.AddModelError("", "Ahhh, you're a robot!!!");
        }
    }
}



Add a call to the ConfigureHoneyPot method into the "Register()" action method.

Then add a call to the TestHoneyPot method into the "Register(RegisterModel model, bool captchaValid)" action method just after the captcha check.



Hi, is this all a complete solution, or do I need to add in anything more to implement the honeypot in my registration form?

Kindly advise

Amit.