Spam on account form

[Fabcw2b]

Prestashop 1.6.1.23

Eicaptcha 0.4.15

Issue description : Captcha does appear on account creation form and seems to work fine (won't create account if captcha not checked). The problem is spam account creation occurs, i guess there is something with disabled js allowing robots to pass validation.

[ross235]

I get the same problem. Prestashop 1.6.1.1 and Eicaptcha 0.4.15. Please help, many thanks

[webpleasure]

Same problem here. PS 1.6.1.23 Eicaptcha 0.4.15

[i12fehea]

Same problem here Ps 1.6 v0.4.11

[hgonzag]

Ps 1.6 Eicaptcha 0.4.15 Same problem, if the js is disabled the recaptcha don't work

[alvesjc]

Hello.

I have the same issue, but installing the latest version today 0.4.15 doesn't fix it. I'm under user creation spam.

In contact form is ok,I use a java blocker for testing, when block everything recaptcha still fails. The only issue I still see is that I can't use invisible recaptcha. If I set up the keys for invisible recaptcha I always get validation fail.

I'm running 1.6.1.22 on PHP 7.0.33-6

[matteeos]

I can confirm bug on presta: 1.6.1.9 with ei version 4.1.14. I was able to create account sending POST without captcha validation. Now, I receive a lot of spam.

curl -X POST \
  'https://shop-page.com/login?id_gender=1&customer_firstname=Mike&customer_lastname=Testing&email=miketest%40gmail.com&passwd=pass&days=&months=&years=&newsletter=1&optin=1&email_create=1&is_new_customer=1&back=&submitAccount=' \
  -H 'content-type: application/x-www-form-urlencoded'

[xfasterx]

If you have a solution then please post it here.

There are several bots running these spam account creation. I already have blocked Several ranges of Ip's at server level from Estonia to block these bots.

[hgonzag]

I bought a comercial recaptcha and problem solved, I can't wait.

Best regards

[tucoinfo]

Thanks for the module. Maybe some backend PHP is missing for account creation validation. For now, I have blocked the Estonian spam network 46.22.208.0/20 (not sufficient).

Merci pour le module. Est-ce qu'il manque un peu de traitement PHP en back pour la création de compte ? En attendant, blacklist réseau Estonien 46.22.208.0/20 (pas suffisant).

[matteeos]

Guys, I got temp solution for now. Here is git patch with changes I have done. After adding them, reinstall module to make sure new hook has been registered, then check module installation by clicking in the advanced tab.

From 22c71021093c31c707be8cea98194149dffc2238 Mon Sep 17 00:00:00 2001
From: matteeos <hidden@mail.com>
Date: Mon, 22 Apr 2019 18:59:27 +0200
Subject: [PATCH] fix missing captcha validation

---
 controllers/front/AuthController.php |  3 +++
 modules/eicaptcha/eicaptcha.php      | 17 +++++++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/controllers/front/AuthController.php b/controllers/front/AuthController.php
index a0c1f3b..bb98088 100755
--- a/controllers/front/AuthController.php
+++ b/controllers/front/AuthController.php
@@ -384,6 +384,9 @@ class AuthControllerCore extends FrontController
      */
     protected function processSubmitAccount()
     {
+        if (!Hook::exec('createFormCheckAccess')) {
+            return;
+        };
         Hook::exec('actionBeforeSubmitAccount');
         $this->create_account = true;
         if (Tools::isSubmit('submitAccount')) {
diff --git a/modules/eicaptcha/eicaptcha.php b/modules/eicaptcha/eicaptcha.php
index 3f5146b..841b759 100644
--- a/modules/eicaptcha/eicaptcha.php
+++ b/modules/eicaptcha/eicaptcha.php
@@ -59,7 +59,8 @@ class EiCaptcha extends Module
                 || !$this->registerHook('header') 
                 || !$this->registerHook('displayCustomerAccountForm') 
                 || !$this->registerHook('contactFormAccess') 
-                || !Configuration::updateValue('CAPTCHA_ENABLE_ACCOUNT', 0) 
+                || !$this->registerHook('createFormCheckAccess')
+                || !Configuration::updateValue('CAPTCHA_ENABLE_ACCOUNT', 0)
                 || !Configuration::updateValue('CAPTCHA_ENABLE_CONTACT', 0) 
                 || !Configuration::updateValue('CAPTCHA_THEME', 0)
                 || !Configuration::updateValue('CAPTCHA_CONTACTF_BTN_SELECTOR', '#submitMessage')
@@ -484,6 +485,18 @@ class EiCaptcha extends Module
         return 1;
     }

+    public function hookCreateFormCheckAccess() {
+        require_once(__DIR__ . '/vendor/autoload.php');
+        $captcha = new \ReCaptcha\ReCaptcha(Configuration::get('CAPTCHA_PRIVATE_KEY'));
+        $result = $captcha->verify(Tools::getValue('g-recaptcha-response'),
+                                   Tools::getRemoteAddr());
+
+        if (!$result->isSuccess()) {
+            $this->errors[] = Tools::displayError('incorrect response to CAPTCHA challenge. Please try again.');
+        }
+        return $result->isSuccess();
+    }
+

     /**
      * Check if needed composer directory is present
@@ -515,7 +528,7 @@ class EiCaptcha extends Module
             $success[] = 'the module is compatible with your version';
         }
         //Check if module is well hooked on all necessary hooks
-        $modulesHooks = array('header', 'displayCustomerAccountForm', 'contactFormAccess');
+        $modulesHooks = array('header', 'displayCustomerAccountForm', 'contactFormAccess', 'createFormCheckAccess');
         foreach ($modulesHooks as $hook) {
             if (!$this->isRegisteredInHook($hook)) {
                 $errors[] = 'the module is not registered in hook '.$hook;
-- 
2.17.1

[alvesjc]

Hello Matteeos,

Still fails to me, the captcha is not shown, it shows the text saying captcha, but then the captcha does not appear and I'm still able to create the account.

Did this last fix solved the issue to someone?

[xfasterx]

Actually i did not install the module. I came here because i saw spam account creation on several of my prestashop websites. And then did read about this module not working correctly. On two of my websites i see the ip of the spammers change about every day (after i block them). Now in the last hours they where doing this from this ip (so i blocked it) deny 147.78.64.234; Its easy to block and delete the spam account. A working solution with captcha would be better. I would only need it for account registration on prestashop 1.6

[alvesjc]

I'm looking in my log files for this post commands and can't find them.

I'm trying to build a rule in f2b to kill this at once, but without having an ideia how they are doing this t's useless.

Is there a way to give more verbosity to apache logs?

[tucoinfo]

@xfasterx blacklisting IP ranges like I suggested is a temporary solution. With F2B @alvesjc it is more automatic but we need to test @matteeos patch for a proper fix.

[alvesjc]

@tucoinfo how did you see the IP ?

Wich log file it hit?

[xfasterx]

Check your shop database under customer registration

[alvesjc]

ohh... ok, thought it was through log files... :(

[xfasterx]

Now also on deny 85.10.56.3;

[xfasterx]

Surely they can use any ip / proxy they need.

[alvesjc]

found it in logs:

"POST /pt/login HTTP/1.1" 302 - "-" "-"

only see this...

85.10.56.3 - - [22/Apr/2019:21:33:43 +0100] "GET /pt/login HTTP/1.1" 200 30507 "-" "-" 85.10.56.3 - - [22/Apr/2019:21:33:47 +0100] "POST /pt/login HTTP/1.1" 302 - "-" "-" 85.10.56.3 - - [22/Apr/2019:21:33:52 +0100] "GET /pt/my-account HTTP/1.1" 200 16033 "-" "-"

[alvesjc]

Tried to block this:

"POST /pt/login HTTP/1.1" 302 - "-" "-"

lets see...

[xfasterx]

Its easy to check through this link. https://cleantalk.org/blacklists/85.10.56.3 You can also block the whole range which you can see under Network on that page: 85.10.48.0/20

I just use one IP block file for all my websites. After i updated the file just reload the webserver. Yesterday i already started to block country's from that region. I will now also do that for Croatia, since those are country's where i will never have customers from. These ip block lists can be easily build for free through https://www.countryipblocks.net/acl.php

[xfasterx]

https://webmasters.stackexchange.com/questions/23584/why-there-suddenly-were-so-many-400-request-in-my-access-log

[alvesjc]

use this to block country

http://www.ipdeny.com/ipblocks/

Then use a script to get the file with the ipblocks

[nenes25]

Hi all,

Sorry for my late reply it was a large easter week-end off ;) I think that @matteeos solution is the good one, using the same behavior as for the contact form. Could you do a pull request ? Otherwise i'll see to apply your diff file.

Regards,

[matteeos]

@nenes25 it would be better if you apply a patch cause I am not a prestashop expert. Probably you can do some improvements there. For me it is working fine, since yesterday I don't get spam.

@alvesjc you have probably wrongly installed module that you don't have captcha displayed, we are talking here about an issue with bypassing captcha when it's displayed.

[pwojewodzic]

Hello, after log analysis I got this IPs:

• 85.10.56.3
• 46.22.220.10
• 46.22.220.30
• 46.22.220.47
• 46.22.220.49
• 147.78.64.234

[nenes25]

@matteeos ok i'll review it and apply asap. Thanks !

[mhajder]

Hello, after log analysis I got this IPs:

• 85.10.56.3
• 46.22.220.10
• 46.22.220.30
• 46.22.220.47
• 46.22.220.49
• 147.78.64.234

They use vpnunlimitedapp [dot] com. Therefore blocking ip addresses will not be effective. I added a firewall rule to my CloudFlare account and currently have peace.

[pwojewodzic]

Hello, after log analysis I got this IPs:

• 85.10.56.3
• 46.22.220.10
• 46.22.220.30
• 46.22.220.47
• 46.22.220.49
• 147.78.64.234

They use vpnunlimitedapp [dot] com. Therefore blocking ip addresses will not be effective. I added a firewall rule to my CloudFlare account and currently have peace.

Can you share a config for this rule in CloudFlare?

[mhajder]

Hello, after log analysis I got this IPs:

• 85.10.56.3
• 46.22.220.10
• 46.22.220.30
• 46.22.220.47
• 46.22.220.49
• 147.78.64.234

They use vpnunlimitedapp [dot] com. Therefore blocking ip addresses will not be effective. I added a firewall rule to my CloudFlare account and currently have peace.

Can you share a config for this rule in CloudFlare?

I am using:

(not ip.geoip.country in {"PL" "GB"} and http.request.uri.path in {"/en/login" "/pl/login"} and http.user_agent eq "")

Then… Challenge (Captcha)

I also recommend more general:

(http.request.uri.path contains "login" and http.user_agent eq "")

This must be set in Firewall> Firewall Rules> Create a Firewall rule You can edit expression and put there.

[pwojewodzic]

Hello, after log analysis I got this IPs:

• 85.10.56.3
• 46.22.220.10
• 46.22.220.30
• 46.22.220.47
• 46.22.220.49
• 147.78.64.234

They use vpnunlimitedapp [dot] com. Therefore blocking ip addresses will not be effective. I added a firewall rule to my CloudFlare account and currently have peace.

Can you share a config for this rule in CloudFlare?

I am using:

(not ip.geoip.country in {"PL" "GB"} and http.request.uri.path in {"/en/login" "/pl/login"} and http.user_agent eq "-")

Then… Challenge (Captcha)

I also recommend more general:

(http.request.uri.path contains "login" and http.user_agent eq "-")

This must be set in Firewall> Firewall Rules> Create a Firewall rule You can edit expression and put there.

Thank! Dzięki!

[nenes25]

Hi,

I was not able to create customer using this syntax.

curl -X POST \
  'https://shop-page.com/login?id_gender=1&customer_firstname=Mike&customer_lastname=Testing&email=miketest%40gmail.com&passwd=pass&days=&months=&years=&newsletter=1&optin=1&email_create=1&is_new_customer=1&back=&submitAccount=' \
  -H 'content-type: application/x-www-form-urlencoded'

By the way i've done a quick fix, can someone who have to problem can test with this module version ? Here an attached zip eicaptcha.zip

I've chosen an approach without override.

Regards

[xfasterx]

@nenes25 Actually in the last eight hours there was no spam account creation om my webshops anymore. Later today i will install the module (for the first time) on one of my webshops. I have more then one website where they where creating spam account. I will install the module on one of these websites. . So i will be able to see if they start creating the spam accounts again and on the website where the module is installed if it works.

[alvesjc]

@nenes25

It seems to be working now, let's see if I still get spamed.

I'll give more feedback later.

Thank you for your efforts.

Regards

[xfasterx]

Btw is it possible to only use the module for the registration page ? How do i set that up ?

[noeldum]

The guy spamming in Estonia must have stopped his bots. I disabled captcha yesterday evening (for some random reasons) and since this morning there has been no account created.

Just to bare in mind for the testing. If no spammers are acting then we can't prove the new patch.

[mhajder]

I'm still getting more spam.

{
  "id": "4cbd95ccab42****",
  "country": "HR",
  "ip": "85.10.56.3",
  "protocol": "HTTP/1.1",
  "method": "GET",
  "host": "******************",
  "user_agent": null,
  "uri": "/en/login",
  "request_duration": 4000000,
  "triggered_rule_ids": [
    "8d6d18e37b9448288199e10cde1e****"
  ],
  "action": "challenge",
  "cloudflare_location": "VIE",
  "occurred_at": "2019-04-23T05:54:50.98Z",
  "rule_detail": [
    {
      "id": "",
      "description": "Filter: 3cf360e98fc54e8a8ba49b582271****"
    }
  ],
  "rule_message": null,
  "type": "firewallrules",
  "rule_id": "8d6d18e37b9448288199e10cde1e****",
  "zone_id": "b8da770a53e88b5384c00b9bc97b****",
  "cookie": ""
}

[nenes25]

@xfasterx @alvesjc thanks for your feedbacks. So I'll wait a bit for do the next release.

@alvesjc , yes you just have to enable the captcha on the account, and not in the contact page in the module configuration in back office.

@Rzeszow have you try with patched version ?

[mhajder]

I am currently using the old version because I use a firewall anyway.

[nenes25]

Ok thanks for the feeback. On my side i've checked and deploy the patched version on a dev environnement. And everythings seems to works well with javascript disabled : https://web.h-hennes.fr/dev/prestashop/prestashop_1-6-1-23/fr/connexion?back=my-account#account-creation

[tucoinfo]

@nenes25 I have updated 4 sites - will let you know.

I would also expect this warning in my GG reCAPTCHA account to disappear in the following days:

We detected that your site is verifying reCAPTCHA passed solutions less than 50% of the time. This could indicate a problem with your integration with reCAPTCHA.

[Thorfy]

@nenes25 I am currently testing your release, it seems to work pretty good, thx

[xfasterx]

@nenes25 I can confirm that the creation of spam account has started again at 13:00 hours. A spam account is created about every two hours. I see this on two of my prestashop websites.

On one website i just now installed your updated module (first time i installed your module ever) First i created the google keys etc. I can confirm that the module is installed and shows the captcha on the registration page. On the page itself i can now only create an account when i tick the captcha box.

So within an hour ill be able to see is this works for the spam account creation also.

Two remarks. In the module under advanced parameter i saw this message. Errors the module is not registered in hook header So i added it manually through positions under hook displayheader. Then the captcha works on the registration page. But on the module page it still states. Errors the module is not registered in hook header. Even after disabling and clearing cashing.

Secondly a question, on the Google recaptcha page. You can also select invisible recaptcha badge instead of I'm not a Robot. Could the invisible recaptcha also be used instead I'm not a Robot ?

P.s. I can confirm that the latest spam ip is: 37.235.49.244

[alvesjc]

So far so good, no more spam accounts.

[alvesjc]

@nenes25

I've tried to set invisible recaptcha but it fails validation always.

do you have any ideia why?

[xfasterx]

I can confirm that the spam account is still created on the website where the module is not installed.

The website with the installed captcha module now blocks the account creation from spam accounts. Great Job.

[nenes25]

@alvesjc this module is not compatible with invisible captcha, that's why it doesn't work ;) see #94

Thanks all for your tests, the fix seems to be good ! I'll see to release a new version tommorow with this fix ;)

Regards,

[tucoinfo]

@nenes25 I'm pretty sure the fix is good too. I see the same IPs attempting again but no acct creation. Thanks again!

[webpleasure]

@nenes25 thanks for the update but on my site I continue to have spam registrations. I overwrote via ftp with the new module (posted here) and cleaned the cache. Do I have to do anything else?