Urgent !!! Regarding fake customers registration

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
11 years ago
btw - how do these people benefit from these bogus registrations?

And here's the example I found:

<security>
    <ipSecurity allowUnlisted="true">    <!-- allowUnlisted="true": everybody is allowed EXCEPT the addresses listed below (each <add> denies, since allowed defaults to false) -->
        <clear/> <!-- removes all upstream restrictions -->
        <add ipAddress="83.116.19.53"/>   <!-- block one IP -->
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!-- block network 83.116.119.0 to 83.116.119.255 -->
    </ipSecurity>
</security>
11 years ago
I have not tried out honeypot yet but am interested in putting a stop to what I have only slowed at some point.  I did see a link and will likely have questions when the time comes ;-)
11 years ago
Spam bot registration is a common problem with any website.  Given that NopCommerce is a very popular open source shopping cart, it is not inconceivable that there are bots specifically targeting this platform.  One of the techniques I employ in building any application for my clients is the "honeypot" technique.  I did not invent this nor am I guaranteeing its success.

In my personal experience I have found the honeypot technique to be very effective.  The basic premise is that a spam bot is searching for forms to enter junk information into.  By hiding a text box or other input in your registration form, a spam bot can still "see" the hidden input but doesn't know that your "honeypot" should not be filled with any information.  The spam bot will unknowingly fill all input fields and submit your form.  The controller action that handles the form submission looks to see if anything has been filled in the honeypot and if it's filled, rejects the submission.  Typically the spam bots are programmed to move on to the next easy target.  

Here is a brief explanation of the steps necessary to create your own honeypot.  I am using nop 2.8 source code version.  If you are unsure how to use the source code edition there are plenty of great posts in this forum on how to do so.

Step 1:

Add a string field (or any other type you want) to Nop.Web.Models.Customer and label it anything you want.

public string Phone2 { get; set; }


Step 2:

Using Nop.Web.Controllers.CustomerController expand the Register action result (there are 2 Register actions; it is the second one, or the one that has "[HttpPost]" decorated on top).  Insert this code snippet above the section of code that starts with "if (ModelState.IsValid)".

if (!string.IsNullOrEmpty(model.Phone2))
{
    ModelState.AddModelError("", "You appear to be a spam bot.  Sorry Charlie no dice.");
}


What this snippet does is check whether the hidden field "Phone2" is null or empty and, if not, flag the model state as invalid, which throws the form back to the user and displays your error message.  If "Phone2" is null or empty then the Register action continues on as normal.  If you want to localize your error you could do that as well but I don't really see the point.

Step 3:

Using Nop.Web.Views.Customer.Register add the following html helper somewhere inside the form tag.  The form tag starts with the section of code that reads "@using (Html.BeginForm()){".  Place this snippet AFTER the first bracket.

@Html.TextBoxFor(m => m.Phone2, new { style = "display: none" })


That's it!  Recompile and publish.  You should see a noticeable drop off in spam bot registrations after this.

Note:  If you still see some registrations getting through you can always expand on this method by adding different types of form fields, asking your users to do simple math, etc.  There are tradeoffs of course but at the bare minimum you should see better filtering with this method.  

Hope this helps.  Let me know if I left something out.

t
11 years ago
joebloe wrote:
By hiding a text box or other input in your registration form, a spam bot can still "see" the hidden input but doesn't know that your "honeypot" should not be filled with any information
...
public string Phone2 { get; set; }

The idea is very good. But couldn't some browsers with autofill feature enabled pre-set this field? Phone2 could be used on some other site and your browser could remember it. It can cause some issues with real customers. Maybe, it's better to give it some other name, not "Phone2"
11 years ago
That's a good point.  I better double check what I have used in the past!
11 years ago
joebloe wrote:
Step 2:

Using Nop.Web.Controllers.CustomerController expand the Register action result (there are 2 Register actions; it is the second one, or the one that has "[HttpPost]" decorated on top).  Insert this code snippet above the section of code that starts with "if (ModelState.IsValid)".

if (!string.IsNullOrEmpty(model.Phone2))
{
    ModelState.AddModelError("", "You appear to be a spam bot.  Sorry Charlie no dice.");
}


I am new to this, but I face the same problem on our server where we use nopCommerce for free, so I apologize in advance if I am wrong. Dear joebloe, in one of your previous posts sent four months ago you said that the controller validation should contain:

if (!String.IsNullOrEmpty(model.Honeypot))
{
   ModelState.AddModelError("HoneyPot", "You are a robot spammer.  Get Lost.");
   return View(model);
}


the "return View(model);" line is missing in your last post. But it must be present, right? This might be helpful to other users/customers who have missed your previous post.

Thank you once again, joebloe for this solution!
We have just recompiled our code using your solution and I hope that it will successfully work.

George.
11 years ago
gzashew wrote:
Step 2:

the "return View(model);" line is missing in your last post. But it must be present, right? This might be helpful to other users/customers who have missed your previous post.



The original post I made was more generic in nature.  The detailed post on this page is based on how you should do it using v2.8.  In v2.8 you only need to add the ModelState error, which will then trigger an invalid model state and return the model back to the user including all ModelState errors.  The validation summary helper on the page will display whatever message you added.

So no, you don't need to return the model state based on v2.8.

Thanks for the heads up on that though.  Those 2 examples I gave do conflict somewhat.  For future users, use my more detailed post a few posts up from this one.

t
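Pulling joebloe's three steps together as one added example (my code, not nopCommerce's or joebloe's): the [HttpPost] Register action with the honeypot check placed before the ModelState.IsValid branch, a field name chosen so browser autofill will not populate it (the concern raised a few posts up), and the Razor helper attributes as a comment. The namespaces, the RegisterModel class, the Hp_f3c9 property and the RegisterResult action are assumptions.

```csharp
using System.Web.Mvc;

namespace Example.Models   // assumed namespace, not nopCommerce's
{
    public class RegisterModel
    {
        public string Email { get; set; }
        public string Password { get; set; }

        // Honeypot. Pick a name no autofill profile matches (not "Phone2",
        // "Address2", "Fax"...); real users never see it, so it stays empty.
        public string Hp_f3c9 { get; set; }
    }
}

namespace Example.Controllers
{
    public class CustomerController : Controller
    {
        internal static bool HoneypotTripped(string honeypotValue)
        {
            return !string.IsNullOrWhiteSpace(honeypotValue);
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Register(Example.Models.RegisterModel model)
        {
            // Runs before the IsValid branch. AddModelError flips
            // ModelState.IsValid to false, so execution falls through to
            // "return View(model)" below and the validation summary shows
            // the message. No separate "return View(model)" is needed here.
            if (HoneypotTripped(model.Hp_f3c9))
            {
                ModelState.AddModelError("", "Registration could not be processed.");
            }

            if (ModelState.IsValid)
            {
                // ... create the customer here (omitted) ...
                return RedirectToAction("RegisterResult"); // assumed success action
            }
            return View(model);
        }
    }
}

// In Register.cshtml, inside @using (Html.BeginForm()) { ... }:
// @Html.TextBoxFor(m => m.Hp_f3c9, new { style = "display:none", autocomplete = "off", tabindex = "-1" })
```

autocomplete="off" and tabindex="-1" keep the field out of autofill and keyboard focus for real users; the server-side check is what actually rejects the submission.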
11 years ago
Thanks! Unfortunately, we still have fake customer registrations and I decided to "simply" discard registrations of customers with phone "123456".
11 years ago
There has been a HUGE swell of activity in the past few days from upwards of 50 new IP addresses not previously seen or blocked by my fw rules.

Enabling Captcha on 2.6 as previously suggested appears to have addressed the problem (fingers crossed)!

I was looking for this in the wrong place. To enable on 2.6 go here:

Configuration > General and Misc > Security Settings & Check "Show on Registration Page"

Separately I am told that the goal of these forum SPAM attacks all revolves around SEO... while email verification helped to stop this the noise in my customer list was getting out of control (>100,000 attempted registrations).
10 years ago
joebloe wrote:
Spam bot registration is a common problem with any website.  Given that NopCommerce is a very popular open source shopping cart, it is not inconceivable that there are bots specifically targeting this platform.  One of the techniques I employ in building any application for my clients is the "honeypot" technique.  I did not invent this nor am I guaranteeing its success.

In my personal experience I have found the honeypot technique to be very effective.  The basic premise is that a spam bot is searching for forms to enter junk information into.  By hiding a text box or other input in your registration form, a spam bot can still "see" the hidden input but doesn't know that your "honeypot" should not be filled with any information.  The spam bot will unknowingly fill all input fields and submit your form.  The controller action that handles the form submission looks to see if anything has been filled in the honeypot and if it's filled, rejects the submission.  Typically the spam bots are programmed to move on to the next easy target.  

Here is a brief explanation of the steps necessary to create your own honeypot.  I am using nop 2.8 source code version.  If you are unsure how to use the source code edition there are plenty of great posts in this forum on how to do so.

Step 1:

Add a string field (or any other type you want) to Nop.Web.Models.Customer and label it anything you want.

public string Phone2 { get; set; }


Step 2:

Using Nop.Web.Controllers.CustomerController expand the Register action result (there are 2 Register actions; it is the second one, or the one that has "[HttpPost]" decorated on top).  Insert this code snippet above the section of code that starts with "if (ModelState.IsValid)".

if (!string.IsNullOrEmpty(model.Phone2))
{
    ModelState.AddModelError("", "You appear to be a spam bot.  Sorry Charlie no dice.");
}


What this snippet does is check whether the hidden field "Phone2" is null or empty and, if not, flag the model state as invalid, which throws the form back to the user and displays your error message.  If "Phone2" is null or empty then the Register action continues on as normal.  If you want to localize your error you could do that as well but I don't really see the point.

Step 3:

Using Nop.Web.Views.Customer.Register add the following html helper somewhere inside the form tag.  The form tag starts with the section of code that reads "@using (Html.BeginForm()){".  Place this snippet AFTER the first bracket.

@Html.TextBoxFor(m => m.Phone2, new { style = "display: none" })


That's it!  Recompile and publish.  You should see a noticeable drop off in spam bot registrations after this.

Note:  If you still see some registrations getting through you can always expand on this method by adding different types of form fields, asking your users to do simple math, etc.  There are tradeoffs of course but at the bare minimum you should see better filtering with this method.  

Hope this helps.  Let me know if I left something out.

t
Which dlls & files need to be published?

Would appreciate it if Nop added a honeypot in their next release.