non-CAPTCHA and Honey-pots

[dbltoe]

reset around midnight and had dozens by noon today

My apologies to Dave and the group. I had thrown a copy of one of our sites on to a test server to troubleshoot and never took it down.

Not until I got an e-mail saying "Hey, yoursite.com!" (not the site's name) did I realize the spam was coming from the wrong copy of a site. Since both were on the same server, just looking at the header gave no clue.

I just knew it had to be something as this mod was working fine on other sites.


Moral of the story? Make sure you know where the UCEs are really coming from.

[delia]

Strictly speaking, that's not HTML. It's text containing a URL. The HTML version of it would be something like:

Code:

<a href="http://v.ht.stuff">otherstuff</a>

trapping for both of those cases is entirely different for each, as you've seen. Your approach is fine, although the die() will alert them that something's gone wrong instead of just blindly ignoring it and letting them think it submitted fine so they can move on to some other site to spam.

Okay, so you are saying they will keep trying? If the bot can't do what it wants to and knows it doesn't work, what options does the spammer/developer have? I'm no php guru but I don't see how they can overcome that. Of course it's not a great solution. I didn't write it. I'm only using it. So do you have an alternate solution?

The only mods included in this template is the COWOA. There's no other core file changes. And COWOA does not alter the create account scripting, just adds a bit. I am using the Diva's github version. Haven't looked at Dave's.

DrByte, I appreciate your attention to this! I have to make a tiny complaint though. A change log would be massively helpful.

[delia]

One more question about the new version of the mod. It's still says it works for both 1.5.5 and 1.5.6 but the package only has a folder for 1.5.6. Is this still supposed to work for 1.5.5?

[davewest]

One more question about the new version of the mod. It's still says it works for both 1.5.5 and 1.5.6 but the package only has a folder for 1.5.6. Is this still supposed to work for 1.5.5?

Drag and drop for 1.5.6b... compare for 1.5.5 works... I had the code based on php7+, but DrByte fixed that with his edits. I've not had time to test on a 1.5.5 version yet..

[athena]

Thanks for working on this, DrByte.

[DrByte]

Here's a simple patch to ignore http URLs in customer names:
https://github.com/zencart/zencart/pull/2436

It does similar to what Delia posted, just in a different way to catch https as well.

[davewest]

Sent an update in...

Added a function to catch url's in most common fields that I could add url's to, detects, and resets to the success page. For me, this forced a session reset due to the hack I used.

Unfortunately, I was in a rush editing, testing, packaging so the first update I sent in had a reference to my registration success page, I just sent a corrected update to replace it with the correct reference page as

Code:

  zen_redirect(zen_href_link(FILENAME_CREATE_ACCOUNT_SUCCESS, '', 'SSL'));

[swguy]

BTW, Incredibly clever mod, Dave. Thank you for contributing this.

[swguy]

One very small suggestion would be to enhance the wording on the Slider Question Text setting. Perhaps something like "Please move the slider until you see the word 'Human'. This helps us combat spam."

[davewest]

One very small suggestion would be to enhance the wording on the Slider Question Text setting. Perhaps something like "Please move the slider until you see the word 'Human'. This helps us combat spam."

I use 'Please slide to the number 21!' on my site, but ether way, I haven't tried a text reader on it yet... comes as default, but easy to change.

One thing I've also been tracking, bots tend to pick the default value in the input field first. The default value is used to position the slider at startup. This value '25' should not be used as your test number. I used a max of 50, however larger numbers can be used, but the higher the number the harder it is to use your finger on a phone!