  1. #1
    Join Date
    Aug 2009
    Posts
    11
    Plugin Contributions
    0

    bug Fake Phantom Spam Customers? CAPTCHA No Help

    We just rolled live on a custom cart for which we spent 3 months migrating and customizing the front end. Front end. No customizations to the Admin except as below (CAPTCHA). Now that we are live we are receiving what we think is customer spam. Every day we receive many "new customers" sometimes hundreds with legitimate sounding names but with the caveat that the records are deficient in such a way that we can see the following PHP errors in admin/customers.php:

    Code:
    Warning: array_merge() [function.array-merge]: Argument #1 is not an array in /var/www/html/admin/customers.php on line 1099
    Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /var/www/html/admin/customers.php on line 1101
    Warning: reset() [function.reset]: Passed variable is not an array or object in /var/www/html/admin/includes/classes/object_info.php on line 29
    Warning: Variable passed to each() is not an array or object in /var/www/html/admin/includes/classes/object_info.php on line 30

    Real customers (our testing) show up fine, and do not throw these dependency errors.

    Here is an odd thing: Going to the database, we see that looking at all the tables mentioned in select statements in /admin/customers.php: customers, email_archive (yes, turned on), address_book, customers_info, coupon_gv_customer, reviews (turned off), group_pricing and zones, we see no reference to the names that appear in our "New Customers" list in Admin Home. Clicking these generates the errors. If we sign up nicely in a test, we see the information show up fine in the first 3 tables.

    I have checked the FAQs and searched the terms related to "customer spam" "fake customers" and related terms. Search results are nil.

    I chose Business Issues > Fraud Prevention, hopefully correctly, please re-route if incorrect.

    Using Zen Cart 1.3.8a at Westhost; Linux, Apache 2, PHP: 5.2.92 MySQL 5.0.67. It was a default installation. Because of deep customizations, we have refused upgrades.

    CAPTCHA: We first installed this: http://www.zen-cart.com/forum/showthread.php?t=42780 But that didn't seem to work very well for us, so we tried our best to uninstall.

    Then we installed this: http://www.zen-cart.com/index.php?ma...oducts_id=1306

    And it seems to be functioning fine for New Account Registrations. This does not touch the Contact Us form. Smoother installation if I may say so.

    We are sifting through a bunch of noise to collect our real orders. Advice? Thanks much.

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Fake Phantom Spam Customers? CAPTCHA No Help

    You have entry_country_id data in the address_book table for those customers' records. That's almost always caused by importing customer data using some sort of broken tool to load the data. Or you've manually altered data or data structure in the database and broken something in the process. Or deleted countries from the countries table without ensuring that those country values weren't already in use. Or deleted and re-added country records not realizing that doing that assigns new numbers and throws things out of sync, resulting in symptoms similar to what you quoted.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Aug 2009
    Posts
    11
    Plugin Contributions
    0

    Default Re: Fake Phantom Spam Customers? CAPTCHA No Help


    Just why exactly removing countries from display would be critically important to displaying which customers were new today is Object Oriented Genius beyond my simple country doctor understanding of such matters.

    Just another nail in the coffin of Zen Cart for this small-time web developer. Seriously looking at paid software. The bloom is off the rose and the worm has turned: open source has gone amok and professionally maintained software is once again the future.

    Thanks much for your reply in any case. I hope this helps somebody else whose boss told them: get rid of those countries on that silly pulldown list....we ship only to continental US, not Albania or Andorra.

  4. #4
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Fake Phantom Spam Customers? CAPTCHA No Help

    Quote: Originally Posted by bamboohq
        Object Oriented Genius beyond my simple country doctor understanding of such matters.

    Sorry, it has nothing to do with Object Oriented anything.
    You can thank the authors of osCommerce for that design decision.
    It's slated for revamp as one of several inherited things that we know need reworking.

    Quote: Originally Posted by bamboohq
        Seriously looking at paid software.

    As you wish. Glad you had fun with your foray into other avenues.

    Quote: Originally Posted by bamboohq
        I hope this helps somebody else whose boss told them: get rid of those countries on that silly pulldown list....we ship only to continental US, not Albania or Andorra.

    Deleting the likes of Albania or Andorra from the list of countries wouldn't affect things the way you described above.
    But deleting everything en masse and then manually adding new country records would ... since "new" records get new internal numbers, and it's those internal numbers that your old customer records would be pointing to.

    It's fixable, but since you've already decided to convert to something else, I won't bother with the trouble.

  5. #5
    Join Date
    Aug 2009
    Posts
    11
    Plugin Contributions
    0

    Default Re: Fake Phantom Spam Customers? CAPTCHA No Help

    I should also point out that no tool was used for importation. Rolling back to original countries table changed nothing; the entry_country_id field always agreed: 223 == United States.

    Bogus errors still present.

    Lastly: It was noticed that these "new customers" are actual former customer IDs that show up in the Customers > Customers listings. But the Account Created date is new, and no data is reflected there.

  6. #6
    Join Date
    Aug 2009
    Posts
    11
    Plugin Contributions
    0

    Default Re: Fake Phantom Spam Customers? CAPTCHA No Help

    Please pardon my rant against OOP. I have a thing about deliberately obscure software. It is like a secret club where everybody tries to outdo each other's cleverness and all it does is result in a giant mess and low productivity. Zen is a victim of contributors who think like this.

  7. #7
    Join Date
    Aug 2009
    Posts
    11
    Plugin Contributions
    0

    Default Re: Fake Phantom Spam Customers? CAPTCHA No Help

    Right. So more research has revealed that while country information is not at issue, agreement between the customers and address_book table IDs is at issue. Fix0r:

    Code:
    -- Point each customer's default address at an address_book row owned by that customer
    UPDATE customers c, address_book b
    SET c.customers_default_address_id = b.address_book_id
    WHERE c.customers_id = b.customers_id;

    Fixed the breakages with the PHP error messages.

    New/same problem: The sort order of the "new customers" in Admin Home is seemingly reporting the date as today. That is, they all say (for today) 8-31-2009. But they haven't been touched in months. So then the question gets more silly: why is it that when I go to Customers > Customers and perhaps search "Johnson", then click Admin Home, all of my "new customers" are all suddenly named Johnson and they became "new" on 8-31-2009? Then if I go back to Customers > Customers and see them all, then Admin Home, we are back to most recent on top? Quirky buggy time sink. I would rather Twitter.

  8. #8
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Fake Phantom Spam Customers? CAPTCHA No Help

    Well, yes, a mismatch between all your address book entries vs customer entries would certainly cause a similar set of symptoms. That's way more serious than altered records in the countries table.

    I would suggest backtracking to find the point in time when that relationship worked correctly and then figure out what you did to break it. And probably restore the good data and rebuild from there.

  9. #9
    Join Date
    Aug 2009
    Posts
    11
    Plugin Contributions
    0

    Default Re: Fake Phantom Spam Customers? CAPTCHA No Help

    HERE IS THE AHA! MOMENT you have been waiting for: Simply VIEWING the customer record in Edit mode or Customers > Customers is enough to generate an essentially blank record for the customer in the table customers_info, which applies the datetime stamp at that moment.

    Here is the insertion dump of the table which I truncated before I discovered this:

    Code:
    INSERT INTO `customers_info` (`customers_info_id`, `customers_info_date_of_last_logon`, `customers_info_number_of_logons`, `customers_info_date_account_created`, `customers_info_date_account_last_modified`, `global_product_notifications`) VALUES
    (682, NULL, 0, '2009-08-31 22:37:40', NULL, 0),
    (327, NULL, 0, '2009-08-31 22:37:40', NULL, 0),
    (550, NULL, 0, '2009-08-31 22:37:40', NULL, 0),
    (1095, NULL, 0, '2009-08-31 22:37:40', NULL, 0),
    (1863, NULL, 0, '2009-08-31 22:37:40', NULL, 0);

    Each of those null entries happened as a result of simply browsing Customers > Customers.

    Let me repeat clearly what I am asserting: /admin/customers.php receives a cold call. /admin/customers.php inserts records into the table customers_info that correspond to the viewed pages of customers. Pretty wild huh?

    These customers are in no way "new." This is a dramatic flaw.

  10. #10
    Join Date
    Aug 2009
    Posts
    11
    Plugin Contributions
    0

    Default Re: Fake Phantom Spam Customers? CAPTCHA No Help

    Keeping the database in sync...wow.

    Code:
    // Lines 1085-1091 in my /admin/customers.php
    // What follows is Zen code

    // if no record found, create one to keep database in sync
    if (!isset($info->fields) || !is_array($info->fields)) {
      $insert_sql = "insert into " . TABLE_CUSTOMERS_INFO . " (customers_info_id, customers_info_number_of_logons, customers_info_date_account_created)
                     values ('" . (int)$customers->fields['customers_id'] . "', '0', now())";
      $db->Execute($insert_sql);
      $info = $db->Execute($sql);
    }

    In sync? In sync with what?
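
An integrity audit for the three relationships discussed in this thread (customer to default address, address to country, customer to customers_info), added here as an example; it is not code from any poster or from Zen Cart. It runs against a constructed SQLite schema standing in for MySQL, using the table and column names quoted above; countries.countries_id and the names CHECKS, audit and sample_db are assumptions made for the example.

```python
import sqlite3

# Constructed stand-in schema (SQLite instead of MySQL). Table and column names
# are those quoted in the thread; countries.countries_id is an assumption.
SCHEMA = """
CREATE TABLE customers (customers_id INTEGER PRIMARY KEY, customers_default_address_id INTEGER);
CREATE TABLE address_book (address_book_id INTEGER PRIMARY KEY, customers_id INTEGER, entry_country_id INTEGER);
CREATE TABLE countries (countries_id INTEGER PRIMARY KEY);
CREATE TABLE customers_info (customers_info_id INTEGER PRIMARY KEY,
    customers_info_date_of_last_logon TEXT, customers_info_number_of_logons INTEGER,
    customers_info_date_account_created TEXT);
-- Constructed sample rows: 550 has a dangling default address and no info row,
-- address 12 points at a deleted country, 327 and 682 mimic the dump in post #9.
INSERT INTO customers VALUES (327, 10), (550, 99), (682, 12), (2000, 13);
INSERT INTO address_book VALUES (10, 327, 223), (11, 550, 223), (12, 682, 500), (13, 2000, 223);
INSERT INTO countries VALUES (223);
INSERT INTO customers_info VALUES (327, NULL, 0, '2009-08-31 22:37:40'),
    (682, NULL, 0, '2009-08-31 22:37:40'), (2000, '2009-08-30 10:00:00', 3, '2009-08-01 09:00:00');
"""

CHECKS = {  # each query returns the ids that fail one integrity rule
    "bad_default_address": """SELECT c.customers_id FROM customers c
        LEFT JOIN address_book b ON b.address_book_id = c.customers_default_address_id
                                AND b.customers_id = c.customers_id
        WHERE b.address_book_id IS NULL ORDER BY 1""",
    "orphan_country": """SELECT b.address_book_id FROM address_book b
        LEFT JOIN countries k ON k.countries_id = b.entry_country_id
        WHERE k.countries_id IS NULL ORDER BY 1""",
    "missing_info": """SELECT c.customers_id FROM customers c
        LEFT JOIN customers_info i ON i.customers_info_id = c.customers_id
        WHERE i.customers_info_id IS NULL ORDER BY 1""",
    # heuristic for review: never logged on and created in the same second as another row
    "backfilled_info": """SELECT customers_info_id FROM customers_info
        WHERE customers_info_number_of_logons = 0 AND customers_info_date_of_last_logon IS NULL
          AND customers_info_date_account_created IN (
              SELECT customers_info_date_account_created FROM customers_info
              GROUP BY customers_info_date_account_created HAVING COUNT(*) > 1)
        ORDER BY 1""",
}

def audit(conn):  # returns {check name: [offending ids]}
    return {name: [row[0] for row in conn.execute(sql)] for name, sql in CHECKS.items()}

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

if __name__ == "__main__":
    print(audit(sample_db()))
```

Customers listed under missing_info are the ones for which the admin page would create a customers_info row stamped with the viewing time, so running the audit before browsing Customers > Customers shows which "new" accounts are really back-filled old ones.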

 

 