spam mods not working on contact page or on create account

[delia]

various zen cart versions 1.5.4 and 1.55, various websites, various servers - the zenNonCAPTCHA is not working. Trying to find information on this is challenging to say the least in the forum. Some are reporting that extra bits of code is necessary to stop some of the create account problems. I know some of this started a few months ago but I now have several website owners who have contacted me about this. I really want to avoid google based recaptchas but I hear that those aren't working either. We need someone to tackle this in general. The zenNonCAPTCHA was promising but it sometimes just doesn't work except to reduce the volume. It's becoming a major issue for the community. What can we do?

[dbltoe]

Alive, well and being worked on at https://www.zen-cart.com/showthread....and-Honey-pots

Don't know how the bots are learning the backend codes but, this new one looks good. Mod has been working fine for us but does require the regular change of codes.

[delia]

thanks! I'll be glad to test it! oh crap

[delia]

That is the one that isn't working.

[davewest]

That is the one that isn't working.

Actually, its working grate for me... unfortunately, I'm not getting anything other then the above... which is no help.. so hears another wack..

I've been answering as much as I can... but seems no one wishise to answer the posting tips so all I can do is play wack-a-mole at a answer... CAPTCHA, honey pot or Google is only one piece of the answer, on my site I'll test at different levels of attacks including sql injections before I ever go live with a new form. When I tested a vanilla install with knowing attacks, I can not get any scripting into the sql table!

When I start the form, by the time I get to the CAPTCHA, I have other things in place that keeps the form human friendly. Which is nice because that in it self stop most attacks on there own.

I also block IP's that I don't sell to or show hack attempts, I block email address and domains I don't sell to or try to spam me.. I turn off countries in the address system that I don't sell to.

When I hear that html is getting into the sql for names/addresses, that is a failure of basic sensitization.. To do that, something was changed in the header file.. may be a template issue or the site was hacked.

Most of the issues could be resolved by upgrading to the latest code Zen Cart, PHP and email servers... I had to leave a host that refused to upgrade there email servers which was getting hacked all the time.

I have traced attempts on my site and found the honey pot was stopping the bots! Which is why I say its working...

If you don't want to answer the questions, PM me and I can checkout the front side or work something out...

[delia]

Dave, not criticizing you for anything. I know you've been working on it. I was just saying there needs to be a wider effort and something the core team really should devote some time to. I understand your issues - my clients aren't good at details or responses either. There is another thread specifically tackling the fake accounts that use html as names. This is not a template issue and needs to be looked at along with what you are trying to do.

I've installed your mod on several sites. If they aren't having a major problem, it stops it. The bigger the problem and just in the last week I'm seeing it not work on other sites. I'll post on your other thread shortly.

[davewest]

Dave, not criticizing you for anything. I know you've been working on it. I was just saying there needs to be a wider effort and something the core team really should devote some time to. I understand your issues - my clients aren't good at details or responses either. There is another thread specifically tackling the fake accounts that use html as names. This is not a template issue and needs to be looked at along with what you are trying to do.

I've installed your mod on several sites. If they aren't having a major problem, it stops it. The bigger the problem and just in the last week I'm seeing it not work on other sites. I'll post on your other thread shortly.

Its not the idea of criticizing, but I would love to improve or correct errors. The main thing is that html getting into places it wouldn't with a vanilla install of the latest ZC.. The problem could be from a incomplete upload or damage file. one member fixed there problem by uploading a default file. I'm just trying to get across that passing by a correctly installed CAPTCHA means you have deeper problems to look at. You don't need bots to inject or fill forms... firefox has plugins for that.

[davewest]

concerning the issue of accounts getting created with url spam accounts... I found after some testing it was easy to reproduce this using some simple tools.. CAPTCHA would not stop this at all. Blocking offending IP range would be best. I was not able to create anything other then url spam, they hope you well access the url where they could do more damage..

I think a url trap in the back end is possible, well have to play with it some more..

Tested with ZC1.5.6b, PHP7.3 with nonCAPTCHA in development mode and heavy modified live site.

[delia]

Thanks Dave! Unfortunately this seem to be coming from a lot of different places and blocking ip ranges is just not an option. My server has multiple countries blocked completely - the worst offenders of spamming and attacks. Actually they've gone a bit overboard on that recently.

[davewest]

Thanks Dave! Unfortunately this seem to be coming from a lot of different places and blocking ip ranges is just not an option. My server has multiple countries blocked completely - the worst offenders of spamming and attacks. Actually they've gone a bit overboard on that recently.

Have you back traced the user through you raw access logs to see what they was using, user agent. I block some 14 crawlers I've found from offending sites.