-
non-CAPTCHA and Honey-pots
Creative ways of defeating SPAM!
It's a never-ending war to stop advertisers from wasting our time while maintaining the ability to communicate with our guests and users. You may never stop it without affecting user feedback.
I was adding to my blog about coding Honey-pots and some of the ideas behind it. Things I use on my own site. We keep talking about the idea of honey-pots and non-CAPTCHA style of tests, but only CAPTCHA was ever created as a mod!
Instead of discussing what one can code, I've created a simple mod for two honey-pots and a non-Completely Automated Public Turing test to tell Computers and Humans Apart or non-CAPTCHA. The auto-install of 9 Configurations in Layout Settings is to aid in non-coding changing of field names and settings for the slider.
Based on ZC1.5.5f
What's in it..
An update to the hidden input field should_be_empty.
A new hidden set of two radio fields that also tests as empty or false.
A non-hidden user adjusted answer slider, the non-CAPTCHA part of this mod.
I wanted to Keep It Stupid Simple with the least amount of added or affected pages. In use on my contact us page.
DOWNLOAD: zenNonCAPTCHA
-
Re: non-CAPTCHA and Honey-pots
I just sent in another update. Based on some more testing with the added variable '$userspam' it wasn't getting hit without adding more checks.
Changed to '$antiSpam .= ' the DOT EQUAL makes the same existing checks for both fields work without adding more code.
For best results, after install, change the three field names in Admin, Configuration, Layout Settings From Should_be_ to something else.
-
Re: non-CAPTCHA and Honey-pots
Is there any reason why the form would submit even if the slider is incorrect? I installed it on our site, but it still submits the form even though the slider doesn't say HUMAN.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
Jeff_Mash
Is there any reason why the form would submit even if the slider is incorrect? I installed it on our site, but it still submits the form even though the slider doesn't say HUMAN.
If it's not installed correctly or the header page has no antiSpam checks, then it would not work...
-
Re: non-CAPTCHA and Honey-pots
A very nice and unfortunately needed addition to ZC!
I'm running ZC 1.5.5b and the installation was smooth as silk into my free responsive template that I'm using.
I did notice one thing that I think is minor but felt compelled to bring it up. After installing I was doing some testing and if the slider is set correctly by the human AND any or all the other traps are monkeyed with, the submission appears to have been successful to the user. However, nothing is sent. So the system says thank you and your message has been sent when in reality, it was not sent because it failed due to something being in the fields that should have been untouched.
If the slider bar is not set to HUMAN then the system gives the "you're not human enough yet" error message and it's clear that your message did not get sent.
Not sure if this is by design or if I have something that I must tweak.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
lynbor
Not sure if this is by design or if I have something that I must tweak.
As designed, honey-pots are set so bots get the success page if they fill in the field and move on; spam is not sent. The input field and radio fields should never be seen by humans. Both fields have info that they should not be used... The slider is not using the word 'Human' as the test, bots see text input field or numbers, but I've not had one guess right yet, even my own bot! With 1 correct answer out of possible 50 is what the bots are up against.
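The behaviour described in this reply (a filled honey-pot gets the success page while nothing is sent, and a wrong slider value gets the "not human" error), sketched as a server-side check. This is an added example, not the mod's own code; the function, the verdict constants, the field names and the config keys are all hypothetical.

```php
<?php
// Added example, not part of the zenNonCAPTCHA mod. All names below are hypothetical.

const VERDICT_SEND   = 'send';   // deliver the message
const VERDICT_DROP   = 'drop';   // show the normal success page, send nothing
const VERDICT_REJECT = 'reject'; // show the "not human" error and re-display the form

/**
 * Decide what to do with a posted form.
 * $cfg holds the current (admin-editable) trap field names and slider settings.
 */
function classify_submission(array $post, array $cfg): string
{
    // Honey-pots: hidden from people by CSS, so any value means a bot filled them in.
    // An unchecked radio group is simply absent from the POST data.
    foreach ([$cfg['text_pot'], $cfg['radio_pot']] as $field) {
        $value = $post[$field] ?? '';
        // Arrays (field[]=x) are never sent by the real form; treat them as a hit.
        if (!is_string($value) || trim($value) !== '') {
            return VERDICT_DROP;
        }
    }

    if (!$cfg['use_slider']) {
        return VERDICT_SEND;
    }

    // Slider: compare the submitted number, never the word shown to the visitor.
    $raw = $post[$cfg['slider_field']] ?? '';
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 4) {
        return VERDICT_REJECT; // missing, non-numeric or absurdly long
    }
    $n = (int) $raw;
    if ($n < $cfg['slider_min'] || $n > $cfg['slider_max'] || $n !== $cfg['slider_answer']) {
        return VERDICT_REJECT;
    }
    return VERDICT_SEND;
}

// Constructed configuration and submissions for the demo.
$cfg = [
    'text_pot'      => 'alt_contact',
    'radio_pot'     => 'newsletter_opt',
    'slider_field'  => 'rating',
    'slider_min'    => 0,
    'slider_max'    => 50,
    'slider_answer' => 11,
    'use_slider'    => true,
];

$samples = [
    'human'               => ['name' => 'Ann', 'alt_contact' => '', 'rating' => '11'],
    'bot fills the pot'   => ['name' => 'x', 'alt_contact' => 'x@example.com', 'rating' => '11'],
    'bot ticks a radio'   => ['name' => 'x', 'alt_contact' => '', 'newsletter_opt' => '1', 'rating' => '11'],
    'default slider'      => ['name' => 'x', 'alt_contact' => '', 'rating' => '25'],
    'slider not a number' => ['name' => 'x', 'alt_contact' => '', 'rating' => 'HUMAN'],
];

foreach ($samples as $label => $post) {
    printf("%-20s => %s\n", $label, classify_submission($post, $cfg));
}
```

The check runs entirely on the server, so it gives the same verdict whether or not the visitor's browser ran the slider script or applied the CSS that hides the trap fields.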
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
davewest
As designed, honey-pots are set so bots get the success page if they fill in the field and move on; spam is not sent. The input field and radio fields should never be seen by humans. Both fields have info that they should not be used... The slider is not using the word 'Human' as the test, bots see text input field or numbers, but I've not had one guess right yet, even my own bot! With 1 correct answer out of possible 50 is what the bots are up against.
Ah, so the answer is that the human isn't supposed to be seeing those fields but is so I need to try and figure out how to hide them so they only see the slider.
-
Re: non-CAPTCHA and Honey-pots
Bingo!
Added
Code:
.email-pot {
  visibility: hidden;
}
to the bottom of the CSS file and that hid what needed to be hidden from the HUMAN. Hope that is correct.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
lynbor
Bingo!
to the bottom of the CSS file and that hid what needed to be hidden from the HUMAN. Hope that is correct.
I've had that in my site main css for so long, I've missed adding it to the mod...
to hit all the devices out there try this..
Code:
.email-pot {position:absolute; visibility:hidden; display:none;}
Some folk position the field off screen to hide it, however, that makes the screen jump when you hit submit or other buttons. In testing I comment out the class so I can be the bot.. I'll have to send in an update...
Thanks for the catch..
-
Re: non-CAPTCHA and Honey-pots
Dave,
Thank you so much for this captcha! I was apprehensive about using Google's recaptcha, but came across your mod and loved it.:D
-
Re: non-CAPTCHA and Honey-pots
So, I take it we're not using display:none as it will also not display it to the bots? Would be nice to not have the big blank areas of the page.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
dbltoe
So, I take it we're not using display:none as it will also not display it to the bots? Would be nice to not have the big blank areas of the page.
inline styles are easy to spot or code into bots to spot... I've not had any blank areas using the responsive classic template or a plain html page..
Code:
<div class="email-pot">
  <label for="email-us"></label>
  <?php echo zen_draw_input_field(SPAM_TEST_TEXT, '', ' id="email-us" title="do not fill in!" placeholder="do not fill in!" autocomplete="off"', 'email'); ?>
</div>
The last update should have placed this into the css file..
Code:
.email-pot {position:absolute; visibility:hidden; display:none;}
The entire DIV is hidden! Pointers or link please...
@one tall man
Thanks
-
Re: non-CAPTCHA and Honey-pots
No problem with the execution. Just wondering why the double use.
visibility:hidden, by design, makes the item invisible but leaves the space the item would need if not hidden.
display:none, by design, makes the item AND the space it would occupy go away. Cleaner method.
But, my question was whether one or the other would affect the way a bot sees the page. Google will actually look at items even if set to display none.
Is using either the visibility or display inadvertently aiding the bots by eliminating the listing intended to trap them in the first place?
If not, perhaps display:none is the ticket.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
dbltoe
No problem with the execution. Just wondering why the double use.
visibility:hidden, by design, makes the item invisible but leaves the space the item would need if not hidden.
display:none, by design, makes the item AND the space it would occupy go away. Cleaner method.
But, my question was whether one or the other would affect the way a bot sees the page. Google will actually look at items even if set to display none.
Is using either the visibility or display inadvertently aiding the bots by eliminating the listing intended to trap them in the first place?
If not, perhaps display:none is the ticket.
See, I'm not a css expert... but I just did a search and figured it out... The info, groups discussing honey pots came up with display:none, visibility: hidden, opacity: 0 and position off screen. In FireFox positioning off screen makes the page jump to the top.. I see now Visibility hidden, would not be that great either... I thought I read something about IOS, Android needing one or the other... but not finding it now. My bad for not Googling css tricks on it better.
Bots are blind so hiding the input field is to keep humans from entering info and killing the form. Which is a good method to test the form. Bots are looking for form elements in HTML rendered pages to fill in. If I know the field name 'should_be_empty' I can add that field to be bypassed. I like to keep the fields looking the same as my other fields to keep the html clean and harder to find the hidden fields. Which is why I went with the field names editable in admin.
When I finish upgrading things, I'll do an update and just do the display:none; or is there a better way!
-
Re: non-CAPTCHA and Honey-pots
As my Welsh-Irish Grandfather used to say, "Max Nix.":P
display:none is "more purdy" as long as it doesn't alert the bots, I'm happy with that.
-
Re: non-CAPTCHA and Honey-pots
TNX Dave,
Was holding out installing in our zc154 site until after the upgrade to 156a.
The bots have the honeypot used in the Pica-Fluor templates figured out and I couldn't wait any longer. Both on contact-us and create account.
The 3 hits of contact-us, post, success was less than 10 seconds for the bots.
Zero since installing this.
-
Re: non-CAPTCHA and Honey-pots
hi i am sorry if this has been answered before but i have been sitting up all night trying to fix issues on my site since installing this plugin, is there a way to remove it?
-
Re: non-CAPTCHA and Honey-pots
i keep getting an error : You don't seem to be Human yet!
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
sweetmade
hi i am sorry if this has been answered before but i have been sitting up all night trying to fix issues on my site since installing this plugin, is there a way to remove it?
Looks like I totally messed setting up an uninstaller... delete the admin extra function init_noncaptcha.php file before running the sql or it would install again.. Replace all edited files with their original unedited files.
in admin tools, install sql patches, paste the following and run to remove.
Code:
DELETE FROM configuration WHERE configuration_key = 'SPAM_TEST_TEXT';
DELETE FROM configuration WHERE configuration_key = 'SPAM_TEST_USER';
DELETE FROM configuration WHERE configuration_key = 'SPAM_TEST_IQ';
DELETE FROM configuration WHERE configuration_key = 'SPAM_TEST';
DELETE FROM configuration WHERE configuration_key = 'HUMAN_TEXT_DISPLAYED';
DELETE FROM configuration WHERE configuration_key = 'HUMAN_TEXT_NOT_DISPLAYED';
DELETE FROM configuration WHERE configuration_key = 'SPAM_ERROR';
DELETE FROM configuration WHERE configuration_key = 'SPAM_USE_SLIDER';
DELETE FROM configuration WHERE configuration_key = 'SPAM_ANSWER';
Quote:
Originally Posted by
sweetmade
i keep getting an error : You don't seem to be Human yet!
The human test is based on a number set in SPAM_TEST.. Must be a number, words would fail. The number must be between the minimum and maximum set in the input field. I would suggest not using the max number for the test. Bots seem to pick the max number.
Some things that would help us help you would be a link to the site if possible, version of zen cart and php? Are there any error logs?
-
Re: non-CAPTCHA and Honey-pots
Just grateful for this mod... thank you davewest!
-
Re: non-CAPTCHA and Honey-pots
Hello All,
I've installed this mod on Zen 154. When a new customer enters their info and clicks "Submit the Information" register they get a white screen with "var-type undefined: stringIgnoreNull(TheirName)" in the upper right.
Have I missed something in the install or should I not be using this on 154?
Any help is appreciated. Thank you.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
kcb410
Hello All,
I've installed this mod on Zen 154. When a new customer enters their info and clicks "Submit the Information" register they get a white screen with "var-type undefined: stringIgnoreNull(TheirName)" in the upper right.
Have I missed something in the install or should I not be using this on 154?
Any help is appreciated. Thank you.
If you dragged and dropped on a vanilla ZC 155f, you would be OK, but any other ZC or modified 155f, you would need to do a compare and just do the edits for the spam test.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
davewest
If you dragged and dropped on a vanilla ZC 155f, you would be OK, but any other ZC or modified 155f, you would need to do a compare and just do the edits for the spam test.
Thanks Dave. I'll try the compare and merge.
-
Re: non-CAPTCHA and Honey-pots
I decided to look at it in my seldom used IE and find a problem with the display, but not the function. "Value: 25" always shows no matter what number is chosen as the key or on the slider. The ball is missing as well, although there is a ghost of it moving with the pointer. Has anyone come across this? It works fine in FireFox and Chrome. Many of our customers still use IE.
-
Re: non-CAPTCHA and Honey-pots
This must be a css issue but i'm so rusty on that. Not sure if the constant "Value 25" is a css thing. Insights appreciated.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
athena
This must be a css issue but i'm so rusty on that. Not sure if the constant "Value 25" is a css thing. Insights appreciated.
You didn't say what IE version... if it's less than 9, the slider may show as an input field.. The value field is done with JS, if missing, no value is displayed. I'm unable to find anything that's older than IE9 to test with! Browsers capable of HTML5 would display the slider, older ones need JS to do sliders.
-
Re: non-CAPTCHA and Honey-pots
I looked at it in a very old ie where, you are right, there is an input field. My Windows 7, IE 11 is the one I'm working on where the slider ignores the word "human" and does not show the selection in the "value:" I can play with the css to show the ball instead of a ghost, but the js to move the "value:" & the word "human" as the slider moves may be beyond me.
-
Re: non-CAPTCHA and Honey-pots
Thank you. So take a look at this in IE 11. I made a few changes to the css that show the slider with a contrasting color rather than a ball without compromising the look of it in FireFox. Still need the Human word to show. Since I know the number I can move the slider in IE 11 and it will send an email but there is no way for the customer to know they found "Human". see w h b e e . com/index.php?main_page=contact_us
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
athena
Thank you. So take a look at this in IE 11. I made a few changes to the css that show the slider with a contrasting color rather than a ball without compromising the look of it in FireFox. Still need the Human word to show. Since I know the number I can move the slider in IE 11 and it will send an email but there is no way for the customer to know they found "Human". see w h b e e . com/index.php?main_page=contact_us
Link was no help, led me to a bee site with many issues, but no contact form or any others I could find.. The word is for human to read, it matters not to the test which is based on the number you selected in the admin layout settings.
I used some basic css styling for the slider. I have a different style for my own page where the ball is an icon.. You can use cross browser css for catching IE bugs.
After many years of fighting windoze I gave it up and moved on to Linux.. I have the slider in use on my site.
-
Re: non-CAPTCHA and Honey-pots
zc156a the slider works well in Chrome and Firefox.
I decided to test in IE and Edge and the result is zilch. The slider line displays in IE and Edge but the ball does not. This is on a vanilla install.
WAMP 3.1.6, Apache 2.4.33, PHP 7.3.1, MySql 5.7.21, Windows 10
-
Re: non-CAPTCHA and Honey-pots
I understand not wanting to style for IE but 18% of our users on our main site, (not the link I gave you-that is a test site)... 18% still use ms IE.. more than use FireFox. I can't go live with the slider until it works. What is happening is the count that changes with the slider is not showing the word "Human" but if you land on the number set in Admin the form works. In the "Value:25" displayed to the customer, the number 25 never changes with the slider like it does in FireFox. For anyone working on this here is the change I made to the css to get it to at least show up in IE
Code:
/* The slider itself */
.slider {
  -webkit-appearance: none;
  width: 100%;
  height: 5px;
  border-radius: 5px;
  background: #C90;
  outline: 3px;
  opacity: .7;
  -webkit-transition: .2s;
  transition: opacity .2s;
}
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
athena
I understand not wanting to style for IE but 18% of our users on our main site, (not the link I gave you-that is a test site)... 18% still use ms IE.. more than use FireFox. I can't go live with the slider until it works. What is happening is the count that changes with the slider is not showing the word "Human" but if you land on the number set in Admin the form works. In the "Value:25" displayed to the customer, the number 25 never changes with the slider like it does in FireFox. For anyone working on this here is the change I made to the css to get it to at least show up in IE
Code:
/* The slider itself */
.slider {
  -webkit-appearance: none;
  width: 100%;
  height: 5px;
  border-radius: 5px;
  background: #C90;
  outline: 3px;
  opacity: .7;
  -webkit-transition: .2s;
  transition: opacity .2s;
}
It's not an issue designing for IE, I don't have access to MS products outside of VM. With any browser that supports HTML5, the slider should appear without any added css!
The value display is done with a jQuery script! if scripting is turned off or jQuery base not installed, then the word human or numbers would not get displayed or updated... The slider is just one of many styles of easy testing. You could use a simple question and answer input field for all as 2+2= Or not use any tests... the two hidden fields work great without testing... One really doesn't need the slider!! I would be interested to see if your IE11 can see the slider on my site! I don't use the same css as what was sent in... We also have ways of working with IE bugs...
For info, -webkit-appearance: none; and -moz-appearance: none; is turning off the default browser css which means you need to design it yourself. Comment out the css and the default browser css takes over. For some good reading https://developer.mozilla.org/en-US/...CSS/appearance
-
Re: non-CAPTCHA and Honey-pots
Thank you for the link... I'll work on understanding this... sorry for not getting that about the hidden fields. The spam has certainly stopped! Yes, your Contact Us form does look and act the same as in my IE 11 browser. Thank you for all your work on this and for sharing.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
athena
Thank you for the link... I'll work on understanding this... sorry for not getting that about the hidden fields. The spam has certainly stopped! Yes, your Contact Us form does look and act the same as in my IE 11 browser. Thank you for all your work on this and for sharing.
No problem... here's a fix for IE issues... others are reporting the same with other jQuery slider code.. Around IE 7 to current IE auto goes into compatibility (quirk) mode with just the <!DOCTYPE html>
The fix was found that adding the following meta tag resolved their issues... I just added to my own html_header.php file.
Code:
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
Give it a try and let me know...
-
Re: non-CAPTCHA and Honey-pots
Darn... nope. I added "IE=11" and put it right under the head tag and tried again at the top of my meta tag list in my html_header.php with no change.
-
Re: non-CAPTCHA and Honey-pots
On another note... will the hidden forms work if the slider is turned off in the admin?
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
athena
On another note... will the hidden forms work if the slider is turned off in the admin?
The hidden fields always work, the slider can be turned off or commented out...
Investigating more, the styling of the slider in IE is possible, but the way the slider fires in IE11 is different from the others and was listed as a bug in IE11. However, MS has changed everything around so hunting for more info is a pain...
Which explains why the script is not working as expected in IE11...
The numbers displayed at the slider button is IE idea of tool tips, which we can exploit simply by changing the text to 'please slide to the number 11!' By changing the human in admin to match the test number... I changed mine to that.
-
Re: non-CAPTCHA and Honey-pots
Well, played with that awhile but so happy no more Contact Us spam!! Love the hidden fields! Thank you again!
-
Re: non-CAPTCHA and Honey-pots
V156a and non-CAPTCHA and Honey Pots and getting Internet Explorer to play nicely.
This is what I have found:
IE defaults to compatibility (quirks) mode on local intranets. The way to overcome this is to add
Code:
<meta http-equiv="x-ua-compatible" content="IE=edge" />
to the html header for local development and testing only. Remove it for production systems. I added this to the file \includes\templates\MY-TEMPLATE\common\html_header.php.
IE and Edge both hide the slider ball (thumb) by placing it behind the slider bar.
IE does not execute js script that it does not like. There are no warnings and no errors.
IE seems to prefer onchange to oninput for detecting the movement of the slider.
I modified the non-CAPTCHA and Honey Pots js file for the contact_us page as this is the only one I use.
Code:
<script type="text/javascript">
$(document).ready(function () {
  var slideCol = document.getElementById("id1");
  var y = document.getElementById("f");
  y.innerHTML = slideCol.value; // Display the default slider value
  slideCol.onchange = displayCol; // IE prefers onchange so call the named function
  // Update the current slider value (each time you drag the slider handle)
  slideCol.oninput = displayCol; // call the named function
  function displayCol() { // name the function
    y.innerHTML = this.value;
    if (this.value == "<?php echo SPAM_TEST; ?>") {
      y.innerHTML = "<?php echo SPAM_ANSWER; ?>";
    }
  }
});
</script>
The other browsers and Edge still will work with this.
I use the ZCA_Bootstrap template; your style sheet will be different.
I deleted the slider height of 1px.
I created another definition for thumb for IE
Code:
.slider::-ms-thumb {
  -webkit-appearance: none;
  width: 25px;
  height: 25px;
  border-radius: 50%;
  background: red;
  cursor: pointer;
  z-index: 900;
}
It is ugly as the bars in the slider are still visible but it works.
Thanks Dave for a great plugin.
environment Dev: WAMP 3.1.6; Zen Cart 156a; Apache 2.4.33; PHP 7.3.1; MySQL 5.7.21; Windows 10
environment Test: Zen Cart 156a; Apache 2.4.29; PHP 7.2.4; MySQL 5.7.24; Linux 4.15.0
-
Re: non-CAPTCHA and Honey-pots
Dave
I could not find a contact slider on your web site to test. can you provide a direct link?
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
OldNGrey
Dave
I could not find a contact slider on your web site to test. can you provide a direct link?
The contact us link in the menu, register form on the login page... all my form pages have it... I've not added any css for the IE bug yet... still looking at the problem.. If you're not getting it to show, try changing your compatibility settings.
-
Re: non-CAPTCHA and Honey-pots
Latest news.
For those of you who never changed the default settings for the three hidden field names, the script-kiddies have apparently downloaded the mod and included the default in their bot.
Had one customer that started getting spam, discovered default settings, changed settings, spam instantly stopped.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
dbltoe
Latest news.
For those of you who never changed the default settings for the three hidden field names, the script-kiddies have apparently downloaded the mod and included the default in their bot.
Had one customer that started getting spam, discovered default settings, changed settings, spam instantly stopped.
Yap, which is why I tried to make it super simple to change them, may let the computer do it in the next version.... another thing I've been tracking bots on a slider. the bots select the default value which should never be used as the test value.
-
Re: non-CAPTCHA and Honey-pots
I appreciate the efforts to help combat this problem and it worked a treat for awhile but just doesn't work any more. I guess they have fine tuned their attacks for every possibility. Since the slider can't be used in IE we can't turn that feature on but I imagine it wouldn't last long. If I'm missing something please pm me.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
athena
I appreciate the efforts to help combat this problem and it worked a treat for awhile but just doesn't work any more. I guess they have fine tuned their attacks for every possibility. Since the slider can't be used in IE we can't turn that feature on but I imagine it wouldn't last long. If I'm missing something please pm me.
Actually, the slider works with IE 10 and up! The javascript that displays the value does not due to MS idea of how HTML5 should be.. so to fix that you should use different wording like slide to the number 22 for IE does an alt tag on the slider foot displaying the current number it's on... all this is editable in admin.
Don't use default field names, change them when you think bots have found their names.
-
Re: non-CAPTCHA and Honey-pots
Just keep changing the field names in admin? okay... will try that... thanks.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
athena
Just keep changing the field names in admin? okay... will try that... thanks.
Unfortunately, 'but just doesn't work any more.' really doesn't tell me much and all I can do is play whack-a-mole at helping. I just ran 3 new hacks at my own site and still not getting past.. links lets me see how the code is used.
-
Re: non-CAPTCHA and Honey-pots
Same spam coming through even though default field names were changed. Your answer to just keep changing the field names for some reason had not occurred to me. I thought that despite the fact I had changed the default names they were discovering somehow what they were and getting past them. I deleted all the false customer registrations with 1st names beginning with http.... etc. and I have not seen any new come in since changing the field names once again.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
athena
Same spam coming through even though default field names were changed. Your answer to just keep changing the field names for some reason had not occurred to me. I thought that despite the fact I had changed the default names they were discovering somehow what they were and getting past them. I deleted all the false customer registrations with 1st names beginning with http.... etc. and I have not seen any new come in since changing the field names once again.
Interesting... another whack at the mole... if you are getting html in input fields then you have an issue that passes the basic sanitation of a default install... adding a CAPTCHA would not help..
-
Re: non-CAPTCHA and Honey-pots
just sent in an update for the forms used in zc156x
Also:
Added new in this version an auto field name reset every 10 days.. Checks after a form is sent if the field name is older than 10 days, the name is changed to a new one for you.
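One way the 10-day automatic reset could work, combined with the earlier advice in this thread that the slider's test value should be neither the default position nor the maximum and that trap fields should look like ordinary fields. This is an added example, not the mod's code; the state array, word lists and function names are hypothetical.

```php
<?php
// Added example, not part of the zenNonCAPTCHA mod. Storage layout, word lists
// and function names are hypothetical.

const ROTATE_AFTER_DAYS = 10;

/** Build a field name that looks like an ordinary form field and is not already in use. */
function new_trap_name(array $taken): string
{
    // Small lists for the demo; longer lists give more possible names.
    $first  = ['alt', 'home', 'work', 'billing', 'contact', 'mobile', 'office', 'second'];
    $second = ['phone', 'fax', 'city', 'region', 'website', 'title', 'suite', 'extension'];
    do {
        $name = $first[random_int(0, count($first) - 1)]
              . '_' . $second[random_int(0, count($second) - 1)];
    } while (in_array($name, $taken, true));
    return $name;
}

/** Pick a slider answer that is neither the slider's default position nor its maximum. */
function pick_slider_answer(int $min, int $max, int $default): int
{
    if ($max - $min < 2) {
        throw new InvalidArgumentException('slider range too small');
    }
    do {
        $n = random_int($min, $max - 1); // upper bound excludes the maximum
    } while ($n === $default);
    return $n;
}

/**
 * Replace every trap field name once the current set is older than the limit.
 * $realFields lists the form's genuine field names so a trap never collides with one.
 */
function rotate_if_stale(array $state, array $realFields, int $now): array
{
    if ($now - $state['changed_at'] < ROTATE_AFTER_DAYS * 86400) {
        return $state; // still fresh, keep the current names
    }
    $taken = array_merge($realFields, array_values($state['names']));
    $names = [];
    foreach (array_keys($state['names']) as $role) {
        $names[$role] = new_trap_name($taken);
        $taken[]      = $names[$role];
    }
    return ['names' => $names, 'changed_at' => $now];
}

// Constructed demo state: names last changed 11 days ago.
$now   = time();
$state = [
    'names'      => ['text' => 'should_be_empty', 'radio' => 'old_radio', 'slider' => 'old_slider'],
    'changed_at' => $now - 11 * 86400,
];
$realFields = ['contactname', 'email', 'enquiry'];

$state = rotate_if_stale($state, $realFields, $now);
print_r($state['names']);
echo 'slider answer: ', pick_slider_answer(0, 50, 25), "\n";
```

Rotation only makes a bot's pre-built skip list go stale; a bot that reads the rendered form on every visit still sees the current names, which is why the server-side honey-pot and slider checks stay in place.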
-
Re: non-CAPTCHA and Honey-pots
Only just started up again today. I wonder how they are figuring out the change? Thank you for working on this. I will install the new. Maybe I missed something.
-
Re: non-CAPTCHA and Honey-pots
Tried the idea of changing the default fields. Customer says no but still waiting for additional responses to my questions. Create account was his primary problem - new accounts have html in the name fields. My template. No others with this issue with my template. Definitely no hacking! I just was able to do this on the default template for 1.5.5f. The sanitizer is not removing this so this appears to be a failure of zen cart. If I'm not correct, I'll apologize but since I've never even seen this on a site before last week, I'm not sure how long this has been happening. It could be a fairly new phenomenon. I now have customers getting mad at me because I can't fix it. For me it's a major problem.
So far this has stopped spam on some sites permanently without me having to do anything else. Since they can download the mod and figure this out with the settings, I'm wondering if we can't create auto generated settings from the start so that they can't figure it out and require folks to change the default settings or not change the fields automagically. Unless your auto settings completely cure the problem, I guess it doesn't matter. I'm simply not enough of a coder to tackle any of this. Never have had to work on this kind of issue in all my years of zen cart work. Dang bots.
By the way I have hidden all the presently visible fields. No need for any of this to show as far as I'm concerned. I also had a site that had an old slider installed that conflicted with the rest of the css. I prefer solutions without javascript or jquery. I do write or find current jquery and almost never use the mods in the plugin sections because of the possibility of conflicts.
If I can help in anyway I will.
Thread working on this issue of html https://www.zen-cart.com/showthread....omer-creation/
-
Re: non-CAPTCHA and Honey-pots
reset around midnight and had dozens by noon today:frusty:
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
delia
By the way I have hidden all the presently visible fields. No need for any of this to show as far as I'm concerned. I also had a site that had an old slider installed that conflicted with the rest of the css. I prefer solutions without javascript or jquery. I do write or find current jquery and almost never use the mods in the plugin sections because of the possibility of conflicts.
If I can help in any way I will.
Thread working on this issue of html
https://www.zen-cart.com/showthread....omer-creation/
I've not read that post, but answered on two others.
Templates don't normally modify the account creation page except to style it. I do modify my site so I run attacks on it, fixed forms that failed before going live. The files uploaded on my map request page can trigger virus scanners because they are script.
My honey pots look the same as any other form input fields, require is always active for main fields, and I use pattern matching for a lot of fields preventing html input.. Which is great for making it user friendly, but all of it can be bypassed...
If I can see the site in question, I can tell more, if I had access to the raw code I can see more... I just fixed an issue with my admin caused by my ftp program adding the wrong permission to a file. Something that simple was making the admin reset after login... PM a link or file if you don't want to post it..
-
Re: non-CAPTCHA and Honey-pots
Question? Is it html in the name fields or is it text that might resemble html?
I see name fields like www.mrspammer . ru www.mrspammer.ru done but considered it as text entries that look like html
non-CAPTCHA has been working 100% for us in the contact-us arena with our zencart 1.5.4 store. non-CAPTCHA doesn't play nice with 1.5.4 create_account nor IE or EDGE browsers but since it is not advertised to work with 1.5.4, I accept that it doesn't function there and live with the spam account creations. So far, every spam account creation that I've seen also has the company name entry of google. Maybe the company name can be a filter useful to intercept the bogus accounts? At least until they figure that out too.
-
Re: non-CAPTCHA and Honey-pots
it is actual html but it's really screwy stuff like http://v.ht/bcudae as the first name. I'm sure that I looked at the actual accounts before I deleted over 500 of them, but the ones now being created no longer are not showing anything beyond country in the account profile since I installed this. So it did change ?
The fix of adding this line to the create account page does seem to work since it just kills off the process.
PHP Code:
if (strpos($firstname, "http") !== false || strpos($lastname, "http") !== false) { die(); }
after
PHP Code:
$lastname = zen_db_prepare_input(zen_sanitize_string($_POST['lastname']));
-
Re: non-CAPTCHA and Honey-pots
davewest's latest v0.4 update to the zenNonCaptcha mod has been reviewed and approved.
NOTE: I made a bunch of tweaks to it myself, including making it affect fewer files than previous. Watch for files that are no longer in the mod (but were before), and put them back to original using your backups. Installation is way easier now for new sites.
zenNonCAPTCHA
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
delia
it is actual html but it's really screwy stuff like http://v.ht/bcudae as the first name.
Strictly speaking, that's not HTML. It's text containing a URL. The HTML version of it would be something like:
Code:
<a href="http://v.ht.stuff">otherstuff</a>
Trapping for both of those cases is entirely different for each, as you've seen. Your approach is fine, although the die() will alert them that something's gone wrong instead of just blindly ignoring it and letting them think it submitted fine so they can move on to some other site to spam.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
RixStix
Question? Is it html in the name fields or is it text that might resemble html?.
For me, I can not even test a link.. dots are blocked in my patterns.. I'll have to play with some of my tools when I get time..
@DrByte
Nice Doc.. will have to add your edits.. thanks
thoughts.. I use strip_tags on some fields as
Code:
zen_db_prepare_input(strip_tags($_POST['field_name']));
never had a need to use it on standard forms
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
dbltoe
reset around midnight and had dozens by noon today:frusty:
My apologies to Dave and the group. I had thrown a copy of one of our sites on to a test server to troubleshoot and never took it down.:blush:
Not until I got an e-mail saying "Hey, yoursite.com!" (not the site's name) did I realize the spam was coming from the wrong copy of a site. Since both were on the same server, just looking at the header gave no clue.
I just knew it had to be something as this mod was working fine on other sites.
Moral of the story? Make sure you know where the UCEs are really coming from.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
DrByte
Strictly speaking, that's not HTML. It's text containing a URL. The HTML version of it would be something like:
Code:
<a href="http://v.ht.stuff">otherstuff</a>
Trapping for both of those cases is entirely different for each, as you've seen. Your approach is fine, although the die() will alert them that something's gone wrong instead of just blindly ignoring it and letting them think it submitted fine so they can move on to some other site to spam.
Okay, so you are saying they will keep trying? If the bot can't do what it wants to and knows it doesn't work, what options does the spammer/developer have? I'm no php guru but I don't see how they can overcome that. Of course it's not a great solution. I didn't write it. I'm only using it. So do you have an alternate solution?
The only mods included in this template is the COWOA. There's no other core file changes. And COWOA does not alter the create account scripting, just adds a bit. I am using the Diva's github version. Haven't looked at Dave's.
DrByte, I appreciate your attention to this! I have to make a tiny complaint though. A change log would be massively helpful.
-
Re: non-CAPTCHA and Honey-pots
One more question about the new version of the mod. It still says it works for both 1.5.5 and 1.5.6 but the package only has a folder for 1.5.6. Is this still supposed to work for 1.5.5?
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
delia
One more question about the new version of the mod. It still says it works for both 1.5.5 and 1.5.6 but the package only has a folder for 1.5.6. Is this still supposed to work for 1.5.5?
Drag and drop for 1.5.6b... compare for 1.5.5 works... I had the code based on php7+, but DrByte fixed that with his edits. I've not had time to test on a 1.5.5 version yet..
-
Re: non-CAPTCHA and Honey-pots
Thanks for working on this, DrByte.
-
Re: non-CAPTCHA and Honey-pots
Here's a simple patch to ignore http URLs in customer names:
https://github.com/zencart/zencart/pull/2436
It does similar to what Delia posted, just in a different way to catch https as well.
-
Re: non-CAPTCHA and Honey-pots
Sent an update in...
Added a function to catch url's in most common fields that I could add url's to, detects, and resets to the success page. For me, this forced a session reset due to the hack I used.
Unfortunately, I was in a rush editing, testing, packaging so the first update I sent in had a reference to my registration success page, I just sent a corrected update to replace it with the correct reference page as
Code:
zen_redirect(zen_href_link(FILENAME_CREATE_ACCOUNT_SUCCESS, '', 'SSL'));
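The two cases discussed above (text containing a URL versus actual HTML) and the quiet discard in place of die(), as an added example that is not the mod's or the Zen Cart patch's code. It is plain PHP with hypothetical function names; the spam values are the ones quoted in this thread and the IP address is a documentation placeholder.

```php
<?php
declare(strict_types=1);

// Added example: plain PHP, hypothetical function and field names.

/** Return 'invalid', 'html', 'url' or 'ok' for one submitted name-field value. */
function classifyNameField($value): string
{
    // A field posted as an array (firstname[]=...) is never a real name.
    if (!is_string($value)) {
        return 'invalid';
    }
    $value = trim($value);

    // Markup: strip_tags() only changes the string when tags are present.
    if ($value !== strip_tags($value)) {
        return 'html';
    }
    // Plain-text link with a scheme: covers http:// and https:// alike.
    if (preg_match('~\bhttps?\s*:\s*/\s*/~i', $value) === 1) {
        return 'url';
    }
    // Scheme-less link, tolerating spaces around the dot ("www . example").
    if (preg_match('~\bwww\s*\.\s*[a-z0-9-]+~i', $value) === 1) {
        return 'url';
    }
    return 'ok';
}

/**
 * Screen the name fields of a registration POST.
 * Returns ['action' => 'create'|'discard', 'hits' => [field => verdict]].
 */
function screenRegistration(array $post, array $nameFields): array
{
    $hits = [];
    foreach ($nameFields as $field) {
        $verdict = classifyNameField($post[$field] ?? '');
        if ($verdict !== 'ok') {
            $hits[$field] = $verdict;
        }
    }
    return ['action' => $hits === [] ? 'create' : 'discard', 'hits' => $hits];
}

/** One log line per discarded signup; only field names and verdicts are written. */
function discardLogLine(string $ip, array $hits): string
{
    $parts = [];
    foreach ($hits as $field => $verdict) {
        $parts[] = $field . '=' . $verdict;
    }
    return sprintf('[%s] signup discarded ip=%s %s', date('c'), $ip, implode(' ', $parts));
}

// Constructed submissions; the spam values are the ones quoted in the thread.
$samples = [
    ['firstname' => 'Marie',              'lastname' => "O'Neil"],
    ['firstname' => 'http://v.ht/bcudae', 'lastname' => 'x'],
    ['firstname' => '<a href="http://v.ht.stuff">otherstuff</a>', 'lastname' => 'x'],
    ['firstname' => 'www.mrspammer . ru', 'lastname' => 'x'],
    ['firstname' => ['a', 'b'],           'lastname' => 'x'],
];

foreach ($samples as $post) {
    $result = screenRegistration($post, ['firstname', 'lastname']);
    if ($result['action'] === 'discard') {
        // No die(): log it, skip the account insert, then send the same
        // success redirect a real signup would get.
        error_log(discardLogLine('203.0.113.7', $result['hits']));
    }
    echo $result['action'], ' ', json_encode($result['hits']), PHP_EOL;
}
```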
-
Re: non-CAPTCHA and Honey-pots
BTW, Incredibly clever mod, Dave. Thank you for contributing this.
-
Re: non-CAPTCHA and Honey-pots
One very small suggestion would be to enhance the wording on the Slider Question Text setting. Perhaps something like "Please move the slider until you see the word 'Human'. This helps us combat spam."
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
swguy
One very small suggestion would be to enhance the wording on the Slider Question Text setting. Perhaps something like "Please move the slider until you see the word 'Human'. This helps us combat spam."
I use 'Please slide to the number 21!' on my site, but either way, I haven't tried a text reader on it yet... comes as default, but easy to change.
One thing I've also been tracking, bots tend to pick the default value in the input field first. The default value is used to position the slider at startup. This value '25' should not be used as your test number. I used a max of 50, however larger numbers can be used, but the higher the number the harder it is to use your finger on a phone!
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
davewest
One thing I've also been tracking, bots tend to pick the default value in the input field first. The default value is used to position the slider at startup. This value '25' should not be used as your test number.
If you're accepting PRs, I'd like to submit a change to generate these values randomly rather than use static strings and numbers.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
swguy
If you're accepting PRs, I'd like to submit a change to generate these values randomly rather than use static strings and numbers.
I have some corrections to do before I upload to github, once I do I'll open it for PR's and post back here.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
davewest
I have some corrections to do before I upload to github, once I do I'll open it for PR's and post back here.
After adding some suggested edits and increasing the regex line to include some other common strings, it's back up on github here..
I have a feeling the regex string may not work below php7x, if you have issues, let me know.. Regex line was created using a regex editor, then tested in a debugger until I got it working the way I wanted.
looking for
-
Re: non-CAPTCHA and Honey-pots
This is a great script! Thank you. I have one issue tho.. I only need the slider on the contact form as I'm getting tons of contact form spam. No spam registrations, etc.
So I uploaded:
/admin/includes/functions/extra_functions/init_noncaptcha.php
/includes/classes/observers/auto.non_captcha_observer.php
/includes/templates/responsive_classic/css/stylesheet_noncaptcha.css
/includes/templates/responsive_classic/templates/tpl_contact_us_default.php
/includes/modules/pages/contact_us/jscript_nonCaptcha.php
And in auto.non_captcha_observer.php I edited this:
PHP Code:
public function __construct()
{
    $this->attach($this, [
        'NOTIFY_NONCAPTCHA_CHECK',
        'NOTIFY_CREATE_ACCOUNT_CAPTCHA_CHECK', // <-- I REMOVED THIS LINE.
        'NOTIFY_CONTACT_US_CAPTCHA_CHECK',
        'NOTIFY_REVIEWS_WRITE_CAPTCHA_CHECK', // <-- AND I REMOVED THIS LINE.
    ]);
}
Does that sound good? Any other suggestions?
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
ChrisLane
This is a great script! Thank you. I have one issue tho.. I only need the slider on the contact form as I'm getting tons of contact form spam. No spam registrations, etc.
So I uploaded:
/admin/includes/functions/extra_functions/init_noncaptcha.php
/includes/classes/observers/auto.non_captcha_observer.php
/includes/templates/responsive_classic/css/stylesheet_noncaptcha.css
/includes/templates/responsive_classic/templates/tpl_contact_us_default.php
/includes/modules/pages/contact_us/jscript_nonCaptcha.php
And in auto.non_captcha_observer.php I edited this:
PHP Code:
public function __construct()
{
    $this->attach($this, [
        'NOTIFY_NONCAPTCHA_CHECK',
        'NOTIFY_CREATE_ACCOUNT_CAPTCHA_CHECK', // <-- I REMOVED THIS LINE.
        'NOTIFY_CONTACT_US_CAPTCHA_CHECK',
        'NOTIFY_REVIEWS_WRITE_CAPTCHA_CHECK', // <-- AND I REMOVED THIS LINE.
    ]);
}
Does that sound good? Any other suggestions?
Not really a good idea.. turns off all tests by removing those lines.
To turn off slider for all, there's a switch for that, to turn off just some of them.. comment out the slider test line and the code chunk in the template file. This will keep the other fields actively working for you.
Commenting out lines makes it easy to reactivate things later on.
includes/classes/observers/auto.non_captcha_observer.php
comment out
Code:
$this->testSliderFields('create_account');
includes/templates/responsive_classic/templates/tpl_modules_create_account.php
Code:
<?php if (SPAM_USE_SLIDER == 'true') { ?>
<div class="slidecontainer">
  <p><?php echo HUMAN_TEXT_DISPLAYED; ?></p>
  <?php echo zen_draw_input_field(SPAM_TEST_IQ, '', ' min="0" max="50" value="25" class="slider" id="id1"', 'range'); ?>
  <br /><br />
  <span>Value:</span> <span id="f" style="font-weight:bold;color:red"></span>
</div>
<script>
$(document).ready(function () {
  var slideCol = document.getElementById("id1");
  var y = document.getElementById("f");
  y.innerHTML = slideCol.value; // Display the default slider value
  // Update the current slider value (each time you drag the slider handle)
  slideCol.oninput = function() {
    y.innerHTML = this.value;
    // Show the answer text once the slider reaches the test value
    if (this.value == "<?php echo SPAM_TEST; ?>") {
      y.innerHTML = "<?php echo SPAM_ANSWER; ?>";
    }
  }
});
</script>
<?php } ?>
-
Re: non-CAPTCHA and Honey-pots
Dave, if you could put this mod on Github there are a few ideas I'd like to submit as PRs.
-
Re: non-CAPTCHA and Honey-pots
-
Re: non-CAPTCHA and Honey-pots
Let me know if you have problems with PR's, still learning ins and outs of github...
FYI.. with my site version I placed code to do logs when and where the honey pot is triggered. As such, the regex string is catching URL and email addresses in fields where they shouldn't be. Which is killing bots before the other fields are checked.. :smile:
-
Re: non-CAPTCHA and Honey-pots
Please let me know (by PM) the tells you're seeing. I'm collecting hints to add to a spam filter contribution to augment what zenNonCAPTCHA does.
-
Re: non-CAPTCHA and Honey-pots
http://myembroideryhaven.com
v156a, php 7.1.32
Column layout grid
Language Currency Links in Headers
Edit_orders 4.3.5
Canada Post shipping module
Flexible footer Menu
Simplified Social Share
Ip blocker
Ultimate SEO Urls
Newsletter Subscribe
Reward Point Full Suite
Recover Sales Cart
1st question: would my version of php cause issues with this mod?
2nd question: Dave are you using a mod for newsletter?
I'm asking these questions because I'm having a hard time making the mod work on my site and I really need it to work on my website with a mod for newsletter only subscriber. I saw Dr Byte's post referring to adding older files that are no longer in zc, however, I saw a "newsletteronly" class on your tpl_subscribe_default.php and thought maybe it would work if I used the same newsletteronly mod. Right now when I go live with zenNon-Captcha, I get the not a human yet message when creating an account and emails don't get added to the list for the newsletter subscription.
-
Re: non-CAPTCHA and Honey-pots
I should also add that at this moment, if I try to join the newsletter, it doesn't work but the spammers are still able to get in. Not sure what it means.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
mariemeh
http://myembroideryhaven.com
v156a, php 7.1.32
Column layout grid
Language Currency Links in Headers
Edit_orders 4.3.5
Canada Post shipping module
Flexible footer Menu
Simplified Social Share
Ip blocker
Ultimate SEO Urls
Newsletter Subscribe
Reward Point Full Suite
Recover Sales Cart
1st question: would my version of php cause issues with this mod?
2nd question: Dave are you using a mod for newsletter?
I'm asking these questions because I'm having a hard time making the mod work on my site and I really need it to work on my website with a mod for newsletter only subscriber. I saw Dr Byte's post referring to adding older files that are no longer in zc, however, I saw a "newsletteronly" class on your tpl_subscribe_default.php and thought maybe it would work if I used the same newsletteronly mod. Right now when I go live with zenNon-Captcha, I get the not a human yet message when creating an account and emails don't get added to the list for the newsletter subscription.
1st question:) This mod is not php dependent and I have it running on ZC1.5.6b and php7.3.7
2nd question:) I started with the newsletter only mod but modified it. I don't use the slider on it, just the hidden fields..
If your template modified the header_php.php file by removing or changing the notifiers, then the checks would fail. You also have the slider saying 19, but the script is saying human! check your setting in admin that all says the same thing..
Quote:
Originally Posted by
mariemeh
I should also add that at this moment, if I try to join the newsletter, it doesn't work but the spammers are still able to get in. Not sure what it means.
I just had a look at the existing mod, there are no usable notifiers in the header and not a match for what I'm using. I'll have to work on a fix.. which is why it's not working for you.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
davewest
1st question:) This mod is not php dependent and I have it running on ZC1.5.6b and php7.3.7
2nd question:) I started with the newsletter only mod but modified it. I don't use the slider on it, just the hidden fields..
If your template modified the header_php.php file by removing or changing the notifiers, then the checks would fail. You also have the slider saying 19, but the script is saying human! check your setting in admin that all says the same thing..
I just had a look at the existing mod, there are no usable notifiers in the header and not a match for what I'm using. I'll have to work on a fix.. which is why it's not working for you.
would it help if I post a copy of my header file and if so, which one? and about the 19 and human thing, I purposely did it that way. I want to see how people react to it. I plan on trying different things and see what works best for my site. The majority of my customers are not comfortable with ordering online and such. So time will tell me which is the best thing to do.
And in the meantime, can I just revert to my old tpl_subscribe_default.php without it affecting the other pages?
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
mariemeh
would it help if I post a copy of my header file and if so, which one? and about the 19 and human thing, I purposely did it that way. I want to see how people react to it. I plan on trying different things and see what works best for my site. The majority of my customers are not comfortable with ordering online and such. So time will tell me which is the best thing to do.
And in the meantime, can I just revert to my old tpl_subscribe_default.php without it affecting the other pages?
I don't need the header...
19 vs human... it's never correct and confusing to users... not good..
as not comfortable on ordering, when I check your login page I was hit with tracking and third party cookies, also no SSL installed!
changing back the subscribe page would not affect any others.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
davewest
I don't need the header...
19 vs human... it's never correct and confusing to users... not good..
as not comfortable on ordering, when I check your login page I was hit with tracking and third party cookies, also no SSL installed!
changing back the subscribe page would not affect any others.
tracking and third party cookies?? how can I see that? And the no ssl installed, I am confused and pretty much clueless. I thought it was all installed since the https was there.
-
Re: non-CAPTCHA and Honey-pots
ok found what you meant for the SSL and what I hadn't done properly and fixed it so thank you. and the 19 as well :)
so for now, no way for me to stop being spammed on the newsletter?
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
mariemeh
ok found what you meant for the SSL and what I hadn't done properly and fixed it so thank you. and the 19 as well :)
so for now, no way for me to stop being spammed on the newsletter?
Sorry, but you're losing me. Newsletter has only email input field so the stock ZC does a nice job filtering, which is why that field was not used. The code I use has a different header file for newsletter subscribers due to both subscribe and unsubscribe are within the same form, but it would not allow anything but email addresses too..
What type of spam are you getting?
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
davewest
Sorry, but you're losing me. Newsletter has only email input field so the stock ZC does a nice job filtering, which is why that field was not used. The code I use has a different header file for newsletter subscribers due to both subscribe and unsubscribe are within the same form, but it would not allow anything but email addresses too..
What type of spam are you getting?
fake email addresses... hundreds a week. Some are obvious but others look legit, others are legit but never wanted to join my website but their email addresses were used... I find out weeks and months later and sooner or later I get blacklisted with some providers and have to contact them. It's not the end of the world but it is time consuming.
if it is something I'm doing or not doing, well let me learn :shocking:
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
mariemeh
fake email addresses... hundreds a week. Some are obvious but others look legit, others are legit but never wanted to join my website but their email addresses were used... I find out weeks and months later and sooner or later I get blacklisted with some providers and have to contact them. It's not the end of the world but it is time consuming.
if it is something I'm doing or not doing, well let me learn :shocking:
I would say to use a regex string to force correct typing of email addresses, but that would only stop some, if they are truly using your form. The only good answer is to turn off non-account newsletter subscription service. Force them to use the create account system where you have more control with non-CAPTCHA.. Bots are programmable, but they have a hard time not filling in all the boxes..
There's no mods to verify email addresses as existing in ZC.. There are ways of doing this if you want to create the class.. basically using SMTP to get the MX records for the domain.. https://www.codexworld.com/verify-em...ts-domain-php/
The other methods I know of (text to verify) cost dollars to use..
You should ask on the newsletter subscription mod page, think they got reCAPTCHA to work...
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
davewest
I would say to use a regex string to force correct typing of email addresses, but that would only stop some, if they are truly using your form. The only good answer is to turn off non-account newsletter subscription service. Force them to use the create account system where you have more control with non-CAPTCHA.. Bots are programmable, but they have a hard time not filling in all the boxes..
There's no mods to verify email addresses as existing in ZC.. There are ways of doing this if you want to create the class.. basically using SMTP to get the MX records for the domain..
https://www.codexworld.com/verify-em...ts-domain-php/
The other methods I know of (text to verify) cost dollars to use..
You should ask on the newsletter subscription mod page, think they got reCAPTCHA to work...
Thanks I will go try that.
-
Re: non-CAPTCHA and Honey-pots
Another thing to consider is that systems like MailChimp give you double opt in, so you don't wind up sending emails to people who didn't ask for them.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
swguy
Another thing to consider is that systems like MailChimp give you double opt in, so you don't wind up sending emails to people who didn't ask for them.
sorry first language french... but what I'm understanding double opt in to mean avoiding the same email twice but the Newsletter-Subscribe modification was already doing that. Is that what you meant?
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
davewest
I would say to use a regex string to force correct typing of email addresses, but that would only stop some, if they are truly using your form. The only good answer is to turn off non-account newsletter subscription service. Force them to use the create account system where you have more control with non-CAPTCHA.. Bots are programmable, but they have a hard time not filling in all the boxes..
There's no mods to verify email addresses as existing in ZC.. There are ways of doing this if you want to create the class.. basically using SMTP to get the MX records for the domain..
https://www.codexworld.com/verify-em...ts-domain-php/
The other methods I know of (text to verify) cost dollars to use..
You should ask on the newsletter subscription mod page, think they got reCAPTCHA to work...
don't know enough about coding anything so regex I don't know. but from reading your thread and other comments I have seen on the Newsletter Only mod, I am not the only one with this situation so I tried this... please tell me if you can where I goofed..
in the Newsletter-Subscribe or Newsletter-Only mod has 4 files that had to do with the tpl_subscribe_default:
store/includes/templates/responsive_classic/templates/tpl_subscribe.php
store/includes/templates/responsive_classic/templates/tpl_subscribe_confirm_default.php
store/includes/templates/responsive_classic/templates/tpl_subscribe_default.php
store/includes/templates/responsive_classic/templates/tpl_subscribe_header.php
I found code similar to the one in your tpl_subscribe_default.php in the tpl_subscribe_header.php file and tried this:
original code:
Quote:
<?php
/**
* Side Box Template
*
* @package templateSystem
* @copyright Copyright 2003-2006 Zen Cart Development Team
* @copyright Portions Copyright 2003 osCommerce
* @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
* @version $Id: tpl_subscribe.php,v 1.1 2006/06/16 01:46:16 Owner Exp $
*/
$content = '';
$content .= zen_draw_form('subscribe', zen_href_link(FILENAME_SUBSCRIBE, '', 'SSL'), 'post', '');
$content .= zen_draw_hidden_field('act', 'subscribe');
$content .= zen_draw_hidden_field('main_page',FILENAME_SUBSCRIBE);
$content .= (empty($subscribe_text) ? '' : $subscribe_text);
$content .= '<label>' . zen_draw_input_field('email', '', 'size="18" maxlength="90" style="width: ' .
($column_width-30) . 'px" value="' . HEADER_SUBSCRIBE_DEFAULT_TEXT .
'" onfocus="if (this.value == \'' . HEADER_SUBSCRIBE_DEFAULT_TEXT . '\') this.value = \'\';"');
$content .= '</label>';
if(EMAIL_USE_HTML == 'true') {
$content .= ' <br /> <label>' . zen_draw_radio_field('email_format', 'HTML', true) . ENTRY_EMAIL_HTML_DISPLAY . '</label>';
$content .= ' <label style="white-space:nowrap">' . zen_draw_radio_field('email_format', 'TEXT', false) . ENTRY_EMAIL_TEXT_DISPLAY . '</label>';
}
$content .= ' <br />' . zen_image_submit (BUTTON_IMAGE_SUBSCRIBE,HEADER_SUBSCRIBE_BUTTON, 'value="' . HEADER_SUBSCRIBE_BUTTON . '" ');
$content .= '</form>';
?>
changed to:
Quote:
<?php
/**
* Side Box Template
*
* @package templateSystem
* @copyright Copyright 2003-2006 Zen Cart Development Team
* @copyright Portions Copyright 2003 osCommerce
* @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
* @version $Id: tpl_subscribe_header.php,v 1.1 2006/06/16 01:46:16 Owner Exp $
*
* MEH MOD TO HAVE zenNonCAPTCHA
*/
$content = '';
$content .= zen_draw_form('subscribe', zen_href_link(FILENAME_SUBSCRIBE, '', 'SSL'), 'post', '');
$content .= zen_draw_hidden_field('act', 'subscribe');
$content .= zen_draw_hidden_field('main_page',FILENAME_SUBSCRIBE);
$content .= (empty($subscribe_text) ? '' : $subscribe_text);
$content .= '<label>' . zen_draw_input_field('email', '', 'size="18" maxlength="90" value="' . HEADER_SUBSCRIBE_DEFAULT_TEXT .
'" onfocus="if (this.value == \'' . HEADER_SUBSCRIBE_DEFAULT_TEXT . '\') this.value = \'\';"');
$content .= '</label>';
if(EMAIL_USE_HTML == 'true') {
$content .= '<label>' . zen_draw_radio_field('email_format', 'HTML', true) . ENTRY_EMAIL_HTML_DISPLAY . '</label>';
$content .= '<label>' . zen_draw_radio_field('email_format', 'TEXT', false) . ENTRY_EMAIL_TEXT_DISPLAY . '</label>';
}
/* bof MEH MOD to have zenNonCAPTCHA */
/*
$content .= zen_image_submit (BUTTON_IMAGE_SUBSCRIBE,HEADER_SUBSCRIBE_BUTTON, 'value="' . HEADER_SUBSCRIBE_BUTTON . '" ');
*/
$content .= ' <br /><div class="buttonRow forward">' . zen_image_submit (BUTTON_IMAGE_SUBSCRIBE,HEADER_SUBSCRIBE_BUTTON, 'value="' . HEADER_SUBSCRIBE_BUTTON . '" ') . '</div>';
$content .= ' <br /><div class="email-pot"><label for="email-us"></label>' . zen_draw_input_field(SPAM_TEST_TEXT, '', ' id="email-us" title="do not fill in!" placeholder="do not fill in!" autocomplete="off"', 'email') . '</div>';
$content .= ' <div class="email-pot"><p>' . HUMAN_TEXT_NOT_DISPLAYED. '</p>' . zen_draw_radio_field(SPAM_TEST_USER, 'H1', '', 'id="user-1"') . '<span class="input-group-addon"><i class="fa fa-male fa-2x"></i></span>' . zen_draw_radio_field(SPAM_TEST_USER, 'C2', '', 'id="user-2"') . '<span class="input-group-addon"><i class="fa fa-laptop fa-2x"></i></span></div>';
if (SPAM_USE_SLIDER == 'true') {
$content .= '<div class="slidecontainer"><p>' . HUMAN_TEXT_DISPLAYED .'</p>' . zen_draw_input_field(SPAM_TEST_IQ, '', ' min="0" max="50" value="25" class="slider" id="id1"', 'range') . '<br /><br /><span>Value:</span> <span id="f" style="font-weight:bold;color:red"></span> </div>';
}
/* eof MEH MOD to have zenNonCAPTCHA */
$content .= '</form>';
?>
I need to know if anything is not ok for that file. The slider shows and email addresses get added to my subscriber list. However, if the slider isn't set to the chosen value, 19 in my case, the email still gets added so I'm guessing that I either did something wrong to the file or I need to go modify something else to let your zenNonCAPTCHA CAPTCHA to look at the tpl_subscribe_header.php instead of the tpl_subscribe_default.php?
Thanks
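Drawing the honeypot and slider fields in a template does not enforce anything; the page that receives the POST has to test them, and a request that never used the form arrives without them. The following is an added example in plain PHP, not the mod's or the newsletter plugin's code: the field names, the answer 19 and the function names are hypothetical stand-ins for the admin settings, and the requests are constructed.

```php
<?php
declare(strict_types=1);

// Added example. Field names and the answer are hypothetical stand-ins for
// the values the mod reads from its admin settings.
$cfg = [
    'text_pot'      => 'contact_alt',   // hidden text input: must arrive empty
    'radio_pot'     => 'visitor_kind',  // hidden radio pair: must arrive unset
    'slider'        => 'iq_level',      // visible range input
    'slider_answer' => 19,
    'use_slider'    => true,
];

/** Return the list of failed checks; an empty list means the POST may proceed. */
function antiSpamFailures(array $post, array $cfg): array
{
    $fail = [];

    // A browser always submits a text input, even when it is empty, so a
    // missing key means the request did not come from the rendered form.
    if (!array_key_exists($cfg['text_pot'], $post)) {
        $fail[] = 'text_pot_missing';
    } elseif ($post[$cfg['text_pot']] !== '') {
        $fail[] = 'text_pot_filled';
    }

    // Unchecked radio buttons are not submitted at all; any value is a tell.
    if (array_key_exists($cfg['radio_pot'], $post)) {
        $fail[] = 'radio_pot_selected';
    }

    if ($cfg['use_slider']) {
        $raw = $post[$cfg['slider']] ?? null;
        // No slider field is a failure, not a reason to skip the test.
        if (!is_string($raw) || preg_match('/^\d{1,3}$/', $raw) !== 1) {
            $fail[] = 'slider_missing_or_malformed';
        } elseif ((int) $raw !== $cfg['slider_answer']) {
            $fail[] = 'slider_wrong';
        }
    }
    return $fail;
}

/** Add the address only when every check passes; returns the failures found. */
function handleSubscribe(array $post, array $cfg, array &$subscribers): array
{
    $failures = antiSpamFailures($post, $cfg);

    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $failures[] = 'email_invalid';
    }
    if ($failures === []) {
        $subscribers[] = strtolower($email);
    }
    return $failures;
}

// Constructed requests.
$requests = [
    'human, slider set'   => ['email' => 'ann@example.com', 'contact_alt' => '', 'iq_level' => '19'],
    'slider left alone'   => ['email' => 'bob@example.com', 'contact_alt' => '', 'iq_level' => '25'],
    'every field filled'  => ['email' => 'c@example.com', 'contact_alt' => 'c@example.com',
                              'visitor_kind' => 'C2', 'iq_level' => '25'],
    'POST without form'   => ['act' => 'subscribe', 'email' => 'd@example.com'],
];

$subscribers = [];
foreach ($requests as $label => $post) {
    $failures = handleSubscribe($post, $cfg, $subscribers);
    echo str_pad($label, 20), ' ', $failures === [] ? 'accepted' : implode(',', $failures), PHP_EOL;
}
echo 'list: ', implode(', ', $subscribers), PHP_EOL;
```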
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
mariemeh
sorry first language french... but what I'm understanding double opt in to mean avoiding the same email twice but the Newsletter-Subscribe modification was already doing that. Is that what you meant?
Getting off track here... I'm not a fan of pay-for-spamming services but they are good at getting black listed instead of you.. I had to block them and constant contact ip's for spamming..
Double opt in is a pain at times for user, it's an easy process to code. but needs a texting service which is not free.
The process can lead in a couple of methods, but something like this..
user inputs email and phone numbers, hit submit...
next page has a input field for a code which was texted to the customer phone..
the customer enters the code hits submit, nothing submitted, wrong code or the page is closed.. end of process.
If right code entered... then we have a live one and..
The email is sent asking to get verified to complete the sign up process and acts as proof of permission along with privacy..
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
davewest
Sorry, but you're losing me. Newsletter has only email input field so the stock ZC does a nice job filtering, which is why that field was not used. The code I use has a different header file for newsletter subscribers due to both subscribe and unsubscribe are within the same form, but it would not allow anything but email addresses too..
What type of spam are you getting?
Thought I would confirm that you were right all along. ZC does a nice job filtering. It was all my fault. I didn't think of the link I had put on my index.html page and that's how they were getting in. As soon as I removed that, it stopped. Sorry for the confusion.
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
mariemeh
Thought I would confirm that you were right all along. ZC does a nice job filtering. It was all my fault. I didn't think of the link I had put on my index.html page and that's how they were getting in. As soon as I removed that, it stopped. Sorry for the confusion.
Thanks for the update..
-
Re: non-CAPTCHA and Honey-pots
Hi Dave,
I had installed this plugin and then with the advent of Lat9's Access Blocker I decided to remove it BUT I am still getting the "please prove you are not a robot!" message after clicking the register button - I have run the uninstall sql and the uninstall code you placed in this thread but to no avail.
Now my customers cannot create an account - any thoughts on what I should do to resolve this?
cheers, Mike
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
shags38
Hi Dave,
I had installed this plugin and then with the advent of Lat9's Access Blocker I decided to remove it BUT I am still getting the "please prove you are not a robot!" message after clicking the register button - I have run the uninstall sql and the uninstall code you placed in this thread but to no avail.
Now my customers cannot create an account - any thoughts on what I should do to resolve this?
cheers, Mike
Dave,
please IGNORE my previous post - I need to apologize .... it was the Google ReCaptcha 7 that was the problem.
cheers,
Mike
-
Re: non-CAPTCHA and Honey-pots
I am sure it is probably mentioned somewhere in this thread, though I have yet to find it.
How do you go about changing the slider so that it shows Human on another value other than the default of 10?
What if I wanted to go in monthly and change it to a different test value? How would I go about doing this, or could I somehow create it so that it randomly changes to a new value monthly?
-
Re: non-CAPTCHA and Honey-pots
Quote:
Originally Posted by
drm1963
I am sure it is probably mentioned somewhere in this thread, though I have yet to find it.
How do you go about changing the slider so that it shows Human on another value other than the default of 10?
What if I wanted to go in monthly and change it to a different test value? How would I go about doing this, or could I somehow create it so that it randomly changes to a new value monthly?
In Configuration>Layout Settings are all the settings for this mod. Change your answer, change the numbers, the number set is not displayed. The display answer is for the script response to the slider moving, which works in all but IE.
Randomly changing the number is not done... If you have a range, say 1 - 50, bots are guessing 50, 1, and 25, which you should not use as the answers. Not sure if I posted that here or on my blog.. The range of numbers is not set in stone and can be changed in code from 1 to 256... only issue is fingers on phones can't slide that far.
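
One way to get the monthly change asked about above while skipping the 1, 25 and 50 guesses the reply mentions, as an added example that is not part of the mod or of any post in this thread. The function names, the site secret and the default 1 to 50 range are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: function names and the secret are assumptions, not the mod's code.

// Expected slider answer for a month ("YYYY-MM"): deterministic, so no admin
// edit is needed, and never the minimum, maximum or midpoint of the range.
function sliderAnswerForMonth(string $secret, string $month, int $min = 1, int $max = 50): int
{
    $mid = intdiv($min + $max, 2);
    $candidates = [];
    for ($v = $min + 1; $v < $max; $v++) {
        if ($v !== $mid) {
            $candidates[] = $v;
        }
    }
    if ($candidates === []) {
        throw new InvalidArgumentException('Range too small to exclude min, max and midpoint');
    }
    // Keyed hash of the month selects the value; the mask keeps it non-negative.
    $digest = hash_hmac('sha256', $month, $secret, true);
    $n = unpack('N', substr($digest, 0, 4))[1] & 0x7fffffff;
    return $candidates[$n % count($candidates)];
}

// Server-side check of the posted slider field.
function sliderIsHuman($submitted, string $secret, string $month, int $min = 1, int $max = 50): bool
{
    if (!is_string($submitted) || !ctype_digit($submitted)) {
        return false; // missing, array, signed or non-numeric input
    }
    $value = (int) $submitted;
    if ($value < $min || $value > $max) {
        return false;
    }
    return $value === sliderAnswerForMonth($secret, $month, $min, $max);
}

// Constructed sample run.
$secret = 'replace-with-a-long-random-site-secret'; // placeholder value
$month = date('Y-m');
$answer = sliderAnswerForMonth($secret, $month);
foreach (['1', '25', '50', (string) $answer, 'abc', ''] as $input) {
    $verdict = sliderIsHuman($input, $secret, $month) ? 'accept' : 'reject';
    echo var_export($input, true), ' => ', $verdict, PHP_EOL;
}
```

The page that renders the slider would call the same `sliderAnswerForMonth()` so the displayed answer and the server check stay in step.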