Spam bot registration is a common problem with any website. Given that NopCommerce is a very popular open source shopping cart, it is not inconceivable that there are bots specifically targeting this platform. One of the techniques I employ in building any application for my clients is the "honeypot" technique. I did not invent this nor am I guaranteeing its success.
In my personal experience I have found the honeypot technique to be very effective. The basic premise is that a spam bot is searching for forms to enter junk information into. By hiding a text box or other input in your registration form, a spam bot can still "see" the hidden input but doesn't know that your "honeypot" should not be filled with any information. The spam bot will unknowingly fill all input fields and submit your form. The controller action that handles the form submission looks to see if anything has been filled in the honeypot and if it's filled, rejects the submission. Typically the spam bots are programmed to move on to the next easy target.
Here is a brief explanation of the steps necessary to create your own honeypot. I am using the nop 2.8 source code version. If you are unsure how to use the source code edition, there are plenty of great posts in this forum on how to do so.
Step 1:
Add a string field (or any other type you want) to Nop.Web.Models.Customer and label it anything you want.
public string Phone2 { get; set; }
Step 2:
Using Nop.Web.Controllers.CustomerController, expand the Register action result (there are 2 Register actions; it is the second one, the one decorated with "[HttpPost]"). Insert this code snippet above the section of code that starts with "if (ModelState.IsValid)":
if (!string.IsNullOrEmpty(model.Phone2))
{
    ModelState.AddModelError("", "You appear to be a spam bot. Sorry Charlie no dice.");
}
This snippet checks whether the hidden field "Phone2" is null or empty. If it is not, the snippet flags the model state as invalid, which sends the form back to the user and displays your error message. If "Phone2" is null or empty, the Register action continues as normal. If you want to localize your error you could do that as well but I don't really see the point.
Step 3:
Using Nop.Web.Views.Customer.Register, add the following HTML helper somewhere inside the form tag. The form tag starts with the section of code that reads "@using (Html.BeginForm()){". Place this snippet AFTER the first bracket.
@Html.TextBoxFor(m => m.Phone2, new { style = "display: none" })
That's it! Recompile and publish. You should see a noticeable drop-off in spam bot registrations after this.
Note: If you still see some registrations getting through you can always expand on this method by adding different types of form fields, asking your users to do simple math, etc. There are tradeoffs of course but at the bare minimum you should see better filtering with this method.
Hope this helps. Let me know if I left something out.
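The check from Step 2 can also be packaged as an ASP.NET MVC action filter so the same honeypot can guard other forms. This is an added example, not nopCommerce code or code from the original post; HoneypotAttribute, its constructor parameter and the log and error messages are hypothetical names chosen here. It also covers the case where a bot posts markup into the field, which makes ASP.NET request validation throw when the form value is read.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Mvc;

// Added example: reusable honeypot check (hypothetical attribute, not part of nopCommerce).
// Usage: put [Honeypot("Phone2")] on the [HttpPost] Register action in place of the inline check.
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false)]
public sealed class HoneypotAttribute : ActionFilterAttribute
{
    private readonly string _fieldName;

    public HoneypotAttribute(string fieldName)
    {
        if (string.IsNullOrEmpty(fieldName))
            throw new ArgumentException("A honeypot field name is required.", "fieldName");
        _fieldName = fieldName;
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Only a form post can carry a filled honeypot.
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        bool tripped;
        try
        {
            // A real visitor never sees the hidden field, so it must arrive empty.
            tripped = !string.IsNullOrEmpty(request.Form[_fieldName]);
        }
        catch (HttpRequestValidationException)
        {
            // Markup in a posted value trips request validation: treat it as a hit.
            tripped = true;
        }

        if (!tripped)
            return;

        // Log the hit so the drop-off in spam registrations can be measured.
        Trace.TraceWarning("Honeypot field '{0}' was filled by {1}", _fieldName, request.UserHostAddress);

        // Same effect as Step 2: the action sees ModelState.IsValid == false.
        filterContext.Controller.ViewData.ModelState.AddModelError("", "Registration could not be processed.");
    }
}
```

Steps 1 and 3 stay as they are, since the view helper still needs the Phone2 property on the model.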