Captcha not stopping spam?

[Countrymun]

Maybe I am being naive but I understood that putting a captcha in a form would stop the bots?

I added one yesterday to our new account sign-up page since we have been inundundated with new accounts from Russia including links to their special offers.

However, I did limit the captcha to 3 letters or numbers to make it easier for genuine customers - but couldn't see that would that make a diffference?

Thanks for any info.

 

[Raw Rob]

Bots can get around some captachas. And captchas can be "farmed" out to real humans.

https://www.nytimes.com/2010/04/26/technology/26captcha.html

https://anti- captcha.com/mainpage (I've purposly broken the link with a space, don't wan't to link to them, they are a captcha solving service!)

 

[Countrymun]

So what chance do we have [sigh] I can make the captcha longer/more complicated but then risk genuine customers being put off and the spam still getting through. Nightmare!

 

[Countrymun]

Anyone know if magento supports blocking new accounts from a specific country? most we are getting are .ru addresses - although there are a few .com in that but hopefully it would reduce the spam hugely.

 

[billybob99]

Anyone know if magento supports blocking new accounts from a specific country? most we are getting are .ru addresses - although there are a few .com in that but hopefully it would reduce the spam hugely.

If you think its better to just block certain dodgy users, try using Cloudflare.

You can either block countries completely or get them to do a more sophisticated captcha or challenge.

 

[Inva]

You can use your own verification. Never got spam using our own validations, while sometimes captchas can be bypassed. Widely used tools are always the target of automated attacks and for this reason sometimes they can lead to worse security, not better.

On the other hand, if someone is targeting you specifically, you better have some good security as no amount of validation is going to help.

If you will use a CDN i suggest you use a paid one, the free ones (including CloudFlare) are terrible.

 

[billybob99]

If you will use a CDN i suggest you use a paid one, the free ones (including CloudFlare) are terrible.

Maybe you don't know how to configure it properly.

 

[Countrymun]

Thank you for the replies. @Inva am not sure what you mean by using our own verification?

 

[Countrymun]

I have looked at Cloudflare - will the free version cover the country blocking - I can't quite decide from the description.
It also says I need to change nameservers - will that impact on the technical help I can get at the moment from our hosting company ?
thanks again for your help @billybob99

 

[Countrymun]

sorry - forget the second query about nameservers

 

[billybob99]

I have looked at Cloudflare - will the free version cover the country blocking - I can't quite decide from the description.

Yes, up to 5 countries.

 

[Countrymun]

Sorry, I am not very technical but a chat agent at GoDaddy claims if I subscribe to Cloudflare, I will need to move my hosting to them.

I assume that's not correct? He also suggested the problem would be solved by leaving gmal and using their 365 secure email system - although I had made clear it is web signups that are the problem - not spam coming on email

 

[fisicx]

No need for any of that faff. Just block by IP address:

https://uk.godaddy.com/help/block-ip-addresses-8868

Your visitor stats will give you the IP address range.

 

[billybob99]

Sorry, I am not very technical but a chat agent at GoDaddy claims if I subscribe to Cloudflare, I will need to move my hosting to them.

I assume that's not correct? He also suggested the problem would be solved by leaving gmal and using their 365 secure email system - although I had made clear it is web signups that are the problem - not spam coming on email

No because Cloudflare don't provide hosting. I've been hosting with my host for years and using Cloudflare. I used to waste time blocking IP addresses manually everyday, at least 50 a day, then I just blocked the countries that I didn't want.

I don't think the person you spoke to is very technical either. This might help you - or you're better off trying to speak to someone else within GoDaddy.

You could just block each IP address, after they've signed up and created an account - something you're trying to avoid and a waste of time.

Or just block by country if you don't serve that country anyway.

 

[Countrymun]

Well most of the signups are from Russia - and we've never sold to anyone there so can't see any problem blocking the whole country
Thank you again - really helpful. I will try to do it in the morning and hopefully it means I won't open the website backend on Monday and find another thousand non-existent customers! I really appreciate the help.

 

[Countrymun]

The good news is that switching nameservers to Cloudflare appears to have stopped the fake sign-ups. The bad news is that customers today have been unable to add items to their shopping basket - it throws them back to home page (as does clicking on some product links - eg 'click here to measure for your dog coat' is also throwing people back to the home page - although not every time. I have gone to frontend and about 1 time in 3 it sends me back to home page..
I guess I am going to have to cancel Cloudfare and go back to original nameservers if it doesn't resolve overnight (we redirected to cloudflare almost 24 hours ago so I am desperately hoping that it's a glitch which will resolve after a few hours) but we can't afford to lose genuine customers - so if it doesn't resolve then it will be back to the drawing board

 

[billybob99]

The good news is that switching nameservers to Cloudflare appears to have stopped the fake sign-ups. The bad news is that customers today have been unable to add items to their shopping basket - it throws them back to home page (as does clicking on some product links - eg 'click here to measure for your dog coat' is also throwing people back to the home page - although not every time. I have gone to frontend and about 1 time in 3 it sends me back to home page..
I guess I am going to have to cancel Cloudfare and go back to original nameservers if it doesn't resolve overnight (we redirected to cloudflare almost 24 hours ago so I am desperately hoping that it's a glitch which will resolve after a few hours) but we can't afford to lose genuine customers - so if it doesn't resolve then it will be back to the drawing board

Name server changes usually take about 24 to 48 hours to fully start working. It takes a while for root name servers and cache records across the entire web to be updated with your website's DNS information.

I just went on your website and added several things to the cart and didn't have any issues.

Worse case you can always revert to the original name servers if you must. But if done correctly, and it was just the name servers that were updated then there shouldn't be any issues.

 

[Countrymun]

Thank you @billybob99 - yes, I tested it last night and this morning and it is now allowing people to check out - and the links to measuring guides are working again.
What is drving me insane is that even now, when trying to log into backend of magento, it is forwarding me to the customer home page.
I am on Chrome but have tried it on Edge as well. It is now letting me log in about once every 8 attempts but it's a real pain. I have cleared history, cache etc but still happening most time.
We have an online chat - and I can see myself on there as referred by the backend url. Hopefully it will resolve soon
Still no Russian spam !!

 

[Raw Rob]

There is a setting to move the admin to a separate domain (at least there is in 2.3) although I haven't tried it, but you could move the admin to a sub domain (eg admin.yoursite.com) and don't use Cloudflair for that domain.

And a temporary work around, increase the Admin timeout so that you never get logged out (I had to also adjust some PHP settings to get that to work), I have it set at 48 hours so as I always use it more often than that I generally stay logged in.

 

[Countrymun]

Back to the drawing board Things seemed okay for a couple of days but then customers again began reporting it kept throwing them back to home page and the links to measuring pages didn't work. It was also very difficult to log into backend - kept going to customer home page - even on a different machine.
I have now read that Cloud flare free version doesn't work with SSL and we would have to use the paid version.
So, old nameservers are back - as is the spam. But the good news is that Jan 31 has passed so tax returns are over for another year

 

[Countrymun]

In magento backend, under system/config/general, there is a countries option which says you can allow specific countries - and then there is a list of virtually every country on the planet.
I assume if there is a menu, it should allow me to exclude certain ones from the list but I can't find a way to do that. Clicking on a country highlights it but there doesn't seem to be a way to actually choose them. I assume maybe this is just showing me which countries are allowed and that there is a menu elsewhere to actually set those countries? If anyone can point me in the right direction, that would be great.
many thanks

 

[Raw Rob]

Usually you hold the Control key down to select multiple options. But I don't think the option you are talking about will actually block countries from accessing your site, it just won't let you select that country when creating an account/checking out. As I think has already been mentioned, you need to use some kind of firewall, it's not going to be an option in Magento, it's something you (or your hosting provider) needs to set up on the web server.

 

[billybob99]

Back to the drawing board Things seemed okay for a couple of days but then customers again began reporting it kept throwing them back to home page and the links to measuring pages didn't work. It was also very difficult to log into backend - kept going to customer home page - even on a different machine.
I have now read that Cloud flare free version doesn't work with SSL and we would have to use the paid version.
So, old nameservers are back - as is the spam. But the good news is that Jan 31 has passed so tax returns are over for another year

That is a shame. There seems to be an issue during the setup process for sure, as I'm using the free version on different sites with SSL without any issues.

You have to turn off SSL in the Cloudflare admin panel first before switching it to full or flexible. But if GoDaddy are too incompetent to help then what you've done might be best for now.

 

[Countrymun]

Thanks to everyone who has offered help and advice - it's really appreciated.
Sadly I have been told the firewall solution is not possible since we have shared hosting plan.
A magento geo-ip extension was suggested but so far the ones I've found are pretty expensive.
I think someone on here previously suggested having a hidden text box that only a bot would fill in. I am not too techie (as I am sure is obvious by now) but I will see if I can find out how to do that.
The other option is to change hosting I guess and not have a shared plan but I assume the cost will be a lot higher.
Thanks again to everyone who took the time to respond

 

[Raw Rob]

Is your store fast enough on shared hosting? I imagine switching to a VPS (Virtual Private Server) would enable you to make it run faster.

 

[Neromare Works]

Is your store fast enough on shared hosting? I imagine switching to a VPS (Virtual Private Server) would enable you to make it run faster.

Why not Cloud. Just needs a fast Cloud. 99.9% of all Hosting providers are weak and super overrated.

 

[Countrymun]

Hi @Raw Rob - the problem is really with bots "opening" an account - in that they fill all the boxes with rubbish along with their sales message so if it stops them creating an account, that would be good.
I am not technical and unsure about a virtual server but most of the time the website seems to work at an acceptable speed (I think- judging by reports I have run in the past).
When you say hold control to select multiples, I assume I select those countries that I WANT to allow - eg UK, USA rather than those I want to exclude? The menu does say "allowed countries" but I don't want to mess it up and exclude UK etc
Thanks again for your help.

 

[Raw Rob]

the problem is really with bots "opening" an account - in that they fill all the boxes with rubbish along with their sales message so if it stops them creating an account, that would be good.

But it won't stop the bots opening an account - it will just remove those countries from the drop down list, it won't stop bots which are in those countries.

 

[Countrymun]

Ah - it says "allowed countries" so I assumed that meant if they weren't on that list of countries, they couldn't open an account
Thanks!

 

[Raw Rob]

They can't, as in the country won't be on the drop down list, but the bot doesn't care, it will choose any country. You've got to remember that physical location is not always the same as ip address which is also not always the same as account location. (I'm currently in Portugal, but my ip address usually shows up as Greece or Italy because I use satellite internet. But my business is in the UK, so when I buy online I use a UK bank card with a UK billing address and a UK delivery address.)

 

[Countrymun]

Ah, I see. Back to the drawing board (again

 

[billybob99]

Ah, I see. Back to the drawing board (again

Not sure if this will help you.

 

[Countrymun]

Thank you @billybob99 - I will look at that. But we now seem to have a new problem.
When a customer orders by phone, I create their order in the backend and have done this for years. But today I have tried to put an order on the system and when I click to add products, nothing happens. I wondered if it was because the customer had ordered before and it didn't want to accept her again so I went into Manage Customers - and somehow, the only customers showing are all the Russian fake sign-ups plus one UK customer that I added earlier in week. The only thing I have done this week is to reset the countries location Previously it allowed all countries and I stupidly thought that by blocking Russia it would solve the problem. Raw Rob put me right on that so I have tried putting that back to allow all countries but still none of our real customers are there.
I really don't think I changed anything else but if someone knows there is a setting that would do this, please let me know so I can correct it. Our orders page still works okay - I can see all previous orders but in manage customers, none of them appear - yikes!

 

[husseycoding]

@Countrymun if you are running a Magento 1 store you might want to give the an open source extension a go which I developed some time ago. Unfortunately I can't actually post a link as I don't have 30 posts yet, but I've installed it to countless stores with similar spam issues, and very recently to a couple with essentially identical spam accounts being created and it has resolved the issue immediately with so far 100% success rate with no need to do anything like restricting countries etc.

The extension is used for the contact form by default, but can very easily be added to any other form you want i.e. account creation. The prevention works by making the form submission success dependent on an additional request being sent to the server after the initial page load. As far as the browser is concerned the request returns just a 1px invisible image, but in reality is generates a random string unique to each user and stores that random string to the users session. The request also creates a cookie containing that random string. When the form is submitted, the presence and value of the cookie is checked against the value stored in the users session and if they match the request is allowed to proceed as normal and the for is submitted, otherwise the request is stopped. The cookie cannot be spoofed as it won't then match the value in the users session.

Over the years of using it, the solution has proved extremely effective on all stores I have used it on in completely eliminating spam so you might want to give it a go on yours as well. If you would like to, search on GitHub for the 'husseycoding' user (which is me) and then the look at my repositories for 'cookiesforcomments'. This is the extension you need. If you want to get in touch for instructions on how to customise it for any form then just drop me a note, or I can even do it for you - it's so quick I don't mind doing it as a freebie.

 

[Countrymun]

Thank you so much for the help/info @husseycoding - I have sent you a private message.
Thanks again!

 

[Mark_Taylor_]

I've fixed two different aggressive spam bots recently using two different methods.

1. install the honeypot module, set the hidden field value to "web_url" and set the spam index setting / value to 7. This stopped a certain type of bot. google "magento-hackathon/ HoneySpam"

2. A second bot was adding long forename text stings, so I edited the max allowed length in the database (the number was in a json sting if i remember).

I can review the code and give exact details if that would be helpful... both of this methods have stopped 100% of spam in the last few weeks.

 

[Sparetoolparts]

I had similar issues got captcha installed but bots kept adding fake accounts and crawled the life out of the site draining all memory

I got a pluggin from a fish pig.co.uk which uses hidden forms etc to get dodgy IP addresses then blocks them. To date It haS caught over 1500 bots and I have had no more fake accounts and site is now stable for the 1st time in ages.

My host is also applying daily IP bans based off data coming from security websites

 

[edmondscommerce]

We generally recommend using recaptcha rather than any built in captcha, its probably the strongest one out there and also offers the smoothest experience to most normal users

combining multiple strategies can work, but generally we've found that the thing that always works is recaptcha

 

[Sparetoolparts]

just an update on the pluggin I got

I've not had a single bogus signup since and it has blocked over 1867 bad bots from crawling my site and as a result my site is so much more stable

 

[Dillon Lawrence Ltd]

just an update on the pluggin I got

I've not had a single bogus signup since and it has blocked over 1867 bad bots from crawling my site and as a result my site is so much more stable

Glad you found something that worked out. Thanks for the update.