OpenCart Community

OpenCart Community Forum - Discuss shopping cart and e-commerce solutions.
https://forum.opencart.com/

Customer registration hassle

https://forum.opencart.com/viewtopic.php?t=230843

Page 1 of 3

Customer registration hassle

Posted: Tue Feb 28, 2023 3:44 am
by gsc1ugs
What are the best settings to stop invalid customers trying to register with daft details and invalid emails? clouding up my admin and i have to keep deleting?

Re: Customer registration hassle

Posted: Tue Feb 28, 2023 4:58 am
by ADD Creative
Ban by IP or user agent in htaccess.

Implement some sort of CAPTCHA at registration. The ones included in OpenCart might not be that effective, but there are other in the marketplace that may work better.

Re: Customer registration hassle

Posted: Tue Feb 28, 2023 8:22 am
by by mona
First line of defence:

in htaccess:
1) block any request with a host header stating your server ip address instead of your domain
2) block any request with a protocol lower than http/1.1, i.e. http/0.9 and http/1.0
3) block any POST request without a language accept header

1 and 2 will cover about 95% of all covert bots, 3 will cover public bots as well.
For the remaining, better constructed bots (as in trying to pretent to be human), add an extension like spambuster by Neuhoff or something similar that is avialable in the marketplace.

Re: Customer registration hassle

Posted: Tue Feb 28, 2023 4:46 pm
by gsc1ugs
Are these all extensions? Is there no settings for verify account via email because the emails are all nonsense made up along with tel numbers

Re: Customer registration hassle

Posted: Tue Feb 28, 2023 5:04 pm
by ADD Creative
No, not extensions. They are rules your can add to htaccess. However there are extensions in the marketplace that block spam bots from registering.

There is no setting to verify account via email in OpenCart. You could try searching the marketplace, but unless it deletes they unverified accounts it wouldn't make much difference.

Re: Customer registration hassle

Posted: Tue Feb 28, 2023 8:27 pm
by JNeuhoff
Use the SpamBot Buster which prevents these nasty fake account registrations coming from bots quite effectively.

Re: Customer registration hassle

Posted: Tue Feb 28, 2023 8:42 pm
by paulfeakins
This should help: https://www.opencart.com/index.php?rout ... er=antropy

Re: Customer registration hassle

Posted: Thu Mar 02, 2023 4:25 pm
by gsc1ugs
This is what im talking about

A new customer has signed up:

Web Site: www.clearvape.com
First Name: Raymondnum
Last Name: RaymondnumOP
Customer Group: Customer
E-Mail: first_of_all@rambler.ru
Telephone: 85799641642

Re: Customer registration hassle

Posted: Thu Mar 02, 2023 5:25 pm
by SohBH
Enable Basic Captcha extension.

Re: Customer registration hassle

Posted: Thu Mar 02, 2023 7:08 pm
by gsc1ugs
How does "i am not a robot" work from google?>?

Re: Customer registration hassle

Posted: Thu Mar 02, 2023 7:27 pm
by paulfeakins
gsc1ugs wrote:
Thu Mar 02, 2023 4:25 pm
 Web Site: www.clearvape.com
First Name: ***
Last Name: ***
Customer Group: Customer
E-Mail: ***@***.ru
Telephone: ***
If that's a real customer that's a pretty serious GDPR breach ::)

Re: Customer registration hassle

Posted: Thu Mar 02, 2023 10:13 pm
by JNeuhoff
This thread is 3 days old now, and suggestions were posted here on how to prevent these fake account registrations, and still you haven't taken any actions yet?

Re: Customer registration hassle

Posted: Fri Mar 03, 2023 9:03 am
by by mona
you can set rules in mod security if your host allows it or just in your apache conf/htaccess file like:

Code: Select all

# 1--------------------------------------------------------------------------------------
# your server ip in host request header, always a bad bot targetting on ip space scans.
# apache will use the first VH if it cannot find a proper match which basically allows scanners to target the server by ip only.
# 421 misdirected request
# requested host contains server ip address
RewriteCond %{HTTP_HOST} xxx\.xxx\.xxx\.xxx
#
RewriteRule ^.*$ - [END,R=421]
# 2--------------------------------------------------------------------------------------
# wrong host, always a useless bot, basically also covers rule 1 which is also a wrong host
# 421 misdirected request
#
# requested host not containing your domain name
RewriteCond %{HTTP_HOST} !your-domain-name [NC]
#
RewriteRule ^.*$ - [END,R=421]
# 3--------------------------------------------------------------------------------------
# http/0.9 or http/1.0, cheap bots
# 426 upgrade required
# http/1.0
RewriteCond %{THE_REQUEST} HTTP/1\.0 [OR]
# http/0.9
RewriteCond %{THE_REQUEST} HTTP/0\.9
#
RewriteRule ^.*$ - [END,R=426]
# 4--------------------------------------------------------------------------------------
# POST without accept-language header, always a bot but also legit bots like googlebot, bingbot, etc.
# whitelist any bot which should be posting and where.
# 406 Not Acceptable
#
# POST method used
RewriteCond %{REQUEST_METHOD} POST
#
# whitelist possible callbacks (paypal)
RewriteCond %{QUERY_STRING} !callback
#
# no language accept header, only bots ommit this
RewriteCond %{HTTP:Accept-language} ^$
#
RewriteRule ^.*$ - [END,R=406]
# --------------------------------------------------------------------------------------
Or you can direct these conditions (and others) to a php file (hta.php in this case) for better tracking as to why the server config rejects something by creating said php file with:

Code: Select all

<?php
define('EXITLOG', 'path to your oc error log file');

function exit_log_prepare () {
global $exitlog_handle;
$exitlog_handle = fopen(EXITLOG, 'a');
if (!$exitlog_handle) {
error_log('HTA:Error: can't open '.EXITLOG.' file');
} elseif (!flock($exitlog_handle, LOCK_EX)) {
error_log('HTA:Error: can't get a lock on '.EXITLOG.' file');
}
}

function exitlog_write($log = false) {
global $exitlog_handle;
if ($exitlog_handle) {
fwrite($exitlog_handle, '['.date('Y/m/d H:i:s').'] '.$log."\n");
} else {
error_log('HTA: Cannot use '.EXITLOG.', fallback to php error log.');
error_log($log."\n");
}
}

// the basics
$ip = $_SERVER['REMOTE_ADDR'];
$host = ($_SERVER['HTTP_HOST'] ?? '');
$url = ($_SERVER['REQUEST_URI'] ?? '');
$query = ($_SERVER['QUERY_STRING'] ?? '');
$method = ($_SERVER['REQUEST_METHOD'] ?? '');
$user_agent = ($_SERVER['HTTP_USER_AGENT'] ?? '');
$referer = ($_SERVER['HTTP_REFERER'] ?? '');
$protocol = ($_SERVER['SERVER_PROTOCOL'] ?? 'HTTP/1.1');

exit_log_prepare ();
$condition = (isset($_SERVER['REDIRECT_CONDITION']) ? $_SERVER['REDIRECT_CONDITION'] : false);
if ($condition) {
// parse the environment variable condition
$parts = explode('_',$condition);
$res = (isset($parts[0]) ? $parts[0] : '');
$reason = (isset($parts[1]) ? $parts[1] : '');

// get the request headers
$aheaders = array_change_key_case(apache_request_headers(),CASE_LOWER);

// log report by default
$report = true;

// don't log request headers by default
$report_aheaders = false;

// check response codes and what to do with them
if ($res == '421') {
$response = '421 Misdirected Request';
$report = false;
$report_headers = true;
} elseif ($res == '426') {
$response = '426 Upgrade Required';
$report = false;
} elseif ($res == '406') {
$response = '406 Not Acceptable';
} else {
$response = '503 Service Unavailable';
exitlog_write('HTA:['.$ip.'] No valid response code given:['.$res.'], responding with default 503);
$report_headers = true;
}

// remove any headers we might have set
if (!headers_sent()) header_remove();

// log report
if ($report) exitlog_write('HTA:['.$ip.']['.$response.'] because of ['.$reason.'] requesting ['.$protocol.']['.$method.']['.$url.$query.'] with agent['.$user_agent.'] referred by ['.$referer.']');
// log request headers
if ($report_aheaders) exitlog_write('HTA:['.$ip.'] '.print_r($aheaders,true));
} else {
exitlog_write('HTA:['.$ip.'] No valid condition given, responding with 503 requesting ['.$protocol.']['.$method.']['.$url.$query.'] with agent['.$user_agent.'] referred by ['.$referer.']');
$response = '503 Service Unavailable';
}
fclose($exitlog_handle);

// set the final response header
header($protocol.' '.$response, true);
exit();
and then the htaccess rewrite rules would become like this and rejected request (for which you set report = true) would be logged in your oc error log :

Code: Select all

# 1--------------------------------------------------------------------------------------
# your server ip in host request header, always a useless bot, targetting on ip space scans.
# apache will use the first VH if it cannot find a proper match which basically allows scanners to target the server by ip only.
# 421 misdirected request
#
# requested host contains server ip address
RewriteCond %{HTTP_HOST} xxx\.xxx\.xxx\.xxx
#
RewriteRule ^.*$ /hta.php [END,NE,E=CONDITION:421_IpInHost]
# 2--------------------------------------------------------------------------------------
# wrong host, always a useless bot, basically also covers rule 1
# 421 misdirected request
#
# requested host not containing your domain name
RewriteCond %{HTTP_HOST} !your-domain-name [NC]
#
RewriteRule ^.*$ /hta.php [END,NE,E=CONDITION:421_WrongHost]
# 3--------------------------------------------------------------------------------------
# http/0.9 or http/1.0, cheap bots
# 426 upgrade required
#
# http/1.0
RewriteCond %{THE_REQUEST} HTTP/1\.0 [OR]
#
# http/0.9
RewriteCond %{THE_REQUEST} HTTP/0\.9
#
RewriteRule ^.*$ /hta.php [END,NE,E=CONDITION:426_WrongProtocol]
# 4--------------------------------------------------------------------------------------
# POST without accept-language header, always a bot but also legit bots like googlebot, bingbot, etc.
# whitelist any bot which should be allowd to post and where!
# 406 Not Acceptable
#
# POST method used
RewriteCond %{REQUEST_METHOD} POST
#
# whitelist possible callbacks (paypal)
RewriteCond %{QUERY_STRING} !callback
#
# no language accept header, most and only bots ommit this
RewriteCond %{HTTP:Accept-language} ^$
#
RewriteRule ^.*$ /hta.php [END,NE,E=CONDITION:406_PostNoLAHeader]
# --------------------------------------------------------------------------------------
It does then involve invoking PHP but it does give better insight into what is happening and why.

Re: Customer registration hassle

Posted: Fri Mar 03, 2023 10:14 pm
by gsc1ugs
:o

Re: Customer registration hassle

Posted: Fri Mar 03, 2023 10:22 pm
by gsc1ugs
I have enabled google captcha v3 and put site key and secret key in but nothing shows on the registration page, is there something else i need to add?

Re: Customer registration hassle

Posted: Sat Mar 04, 2023 12:59 am
by ADD Creative
Check the Captcha settings under the Option tab in the main OpenCart settings.

Re: Customer registration hassle

Posted: Sat Mar 04, 2023 7:13 am
by gsc1ugs
ADD Creative wrote:
Sat Mar 04, 2023 12:59 am
 Check the Captcha settings under the Option tab in the main OpenCart settings.
Cant see any options for captcha

Re: Customer registration hassle

Posted: Sat Mar 04, 2023 8:10 am
by ADD Creative
What version of OpenCart?

Re: Customer registration hassle

Posted: Sat Mar 04, 2023 6:42 pm
by gsc1ugs
ADD Creative wrote:
Sat Mar 04, 2023 8:10 am
 What version of OpenCart?
2.0.2.0

Re: Customer registration hassle

Posted: Sat Mar 04, 2023 9:20 pm
by ADD Creative
That's why. CAPTCHA for the registration page was only added in OpenCart 2.1.x.
All times are UTC+08:00
Page 1 of 3
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/