VirtueMart Forum

VirtueMart 1.1.x [ Old version - no longer supported ] => Security (https) / Performance / SEO/ SEF issues VM 1.1 => Topic started by: HelloMcFly on February 24, 2009, 06:59:41 am

Title: [SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on February 24, 2009, 06:59:41 am
I am trying to cut down on the number of SPAM registrations in Virtuemart.  I noticed that non-human registrants usually enter the same FIRST and LAST names (i.e. Mybobshoes Mybobshoes)

Is there a change I could make somewhere to compare the form fields for First and Last names, and if they are equal block the registration?

for example: if($_POST['firstname'] == $_POST['lastname']) $spam=true;

taken from here: http://webaim.org/blog/spam_free_accessible_forms/

I am using J! 1.5.9 and VM 1.1.3 and I am already running security images as a first line defense.  (Doesn't seem to help.)

I appreciate any thoughts you might have.

Warm regards,
Dan Yager
www.quickheads.com
Title: Re: block SPAM registrations. . .
Post by: Bruce Morgan on February 24, 2009, 16:13:07 pm
I have had the same problem and it seems to be increasing lately.  I think this should be addressed before it gets out of control.

Bruce
www.pepper-passion.com
Title: Re: block SPAM registrations. . .
Post by: HelloMcFly on March 01, 2009, 13:15:21 pm
OK . . . So I get some sympathy but no help!  LOL!  ???

Can someone at least tell me what files are involved in the VM registration process?  I tried searching for these, but I was just shooting in the dark.

If someone could tell me where to find this information, I would be willing to try and write the code myself and share it with everyone.

Thanks for looking,
Dan Yager
www.quickheads.com
Title: Re: block SPAM registrations. . .
Post by: Nirm on March 01, 2009, 15:16:30 pm
Why not install a CAPTCHA on VM registration - VM supports Security Images component.
Title: Re: block SPAM registrations. . .
Post by: HelloMcFly on March 01, 2009, 16:42:55 pm
Nirm. . . Uh. . . I already did that.  Please read the first post I made.

Either, the bots have figured out a way around this, or a human spammer is registering.  I could cut down on about 95% of the spam registrations if I could just block registrations where the first name equals the last.

There is a javascript "submitregistration" that I can see when I view the VM registration page source.  This error checks the form before submission.  I could add a simple check to that javascript, if I could figure out where it's being called from.

Any thoughts?

I appreciate the response Nirm.

Thanks,
Dan Yager
www.quickheads.com
Title: SOLVED: block SPAM registrations. . .
Post by: HelloMcFly on March 03, 2009, 14:19:25 pm
I found where the submitregistration javascript was being called here:

http://forum.virtuemart.net/index.php?topic=47168.msg157987#msg157987

so I wrote the following addition to check if the first name equals the last:

Code: [Select]
        // Added by Dan Yager to reduce SPAM registrations.
        if( isset($required_fields['first_name']) ) {
             echo '
             if (form.first_name.value == form.last_name.value) {
                    alert( "Your registration cannot be accepted at this time. We are Performing maintenance." );
                    return false;
             }';
        }

It's perhaps a little oversimplified, but I don't want to give the SPAMMERS too much help in figuring out what they did wrong!  ::)

Hope this helps someone else.

Cheers,
Dan Yager
www.quickheads.com
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: Bruce Morgan on March 03, 2009, 18:18:11 pm
Can you advise where you inserted these lines and whether it appears to be working?

Bruce
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on March 04, 2009, 15:41:48 pm
Sheesh, I left a link to it.   ???

I'll spell it out for you.  I changed the ps_userfield.php file located here:

administrator\components\com_virtuemart\classes\ps_userfield.php

This checks the registration form for errors before submitting the registration.  The script works fine and is tested.  The VM registration will not be submitted if the FIRST NAME field is equal to the LAST NAME field.

So I consider that issue solved.

However, after installing this HACK I am still getting SPAM registrations where the FIRST NAME equals the LAST NAME.  This leads me to believe that SPAMMERS are using some other method to register on my site besides the VM registration page.  (This would explain how they are getting around the SECURITY IMAGES.)  :-\

I assume then that they are using the JOOMLA "mod_login" module somehow, even though it is unpublished, and set for "special" access.  Does anyone know how they are circumventing this?  Are there other modules that would allow SPAMMERS to register on my website?

Please let me know.

I am NOT using Community Builder or any other registration modules that I can think of.  So is there a backdoor link to the Joomla registration page?

I appreciate your help.

Warm regards,
Dan Yager
www.quickheads.com
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: Bruce Morgan on March 04, 2009, 18:19:10 pm
I hope this gets some serious attention from the guys in the trenches doing the coding.  It would be helpful to know if the vulnerability is in Joomla or VM.  I have a sneaking suspicion it might be VM.  I had a related problem with the same type of spammer requesting information on various products even though I had commented out the code on the flypage template.  It took some additional editing to solve the problem.  This is over my head as far as coding is concerned but I would like to help with testing if you make any more progress on a solution.

Bruce
www.pepper-passion.com
Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on March 05, 2009, 06:56:18 am
Hmmm?  It's really quite frustrating.  I'm still getting a lot of SPAM registrations.  Is there a way to log where they are coming from?  Is there a way to know what form they used to register?  I would really like to know.

This is really starting to SUCK!

Thanks,
Dan Yager
www.quickheads.com
Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on March 05, 2009, 15:47:22 pm
So I did a Google search for "backdoor registrations joomla" and this led me to a backdoor link that would allow SPAMMERs to register on my website and bypass the Virtuemart registration.

If you add /index.php?option=com_registration&task=register to the end of your site's URL you may see the registration page I'm talking about.  This appears even though I unpublished the Joomla Log-in module in the back end.

I am running sh404SEF on my site, so I simply created a SEF URL to redirect people from the address above to the VM registration page.

It remains to be seen if this is the only back door registration possible on my website, but I will report back on my results.  I received 7 SPAM registrations in the last 24 hours, anything less than that in the next 24 hours would be a blessing.   :P

Wish me luck!

Dan Yager
www.quickheads.com
Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: Bruce Morgan on March 05, 2009, 17:54:29 pm
For those of us who do not use SEF would it also be possible to delete the Joomla registration php file or disable it by changing its name?  I have no use for the standard Joomla registration.

Bruce
Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on March 05, 2009, 22:14:10 pm
I don't know.  Could you try it and report back here?  If something goes horribly wrong you could replace it from the install files.  (Or better yet back up before you begin.)  ;)

I have had no SPAM registrations since this morning when I installed the fix above.  I'm still keeping my fingers crossed.

Cheers,
Dan Yager
www.quickheads.com
Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on March 06, 2009, 14:54:05 pm
In the last 24 hours I had two SPAM registrations, so at least it's an improvement.  Still need to figure out how they're getting in though.

I'll keep looking.

-Dan Yager
www.quickheads.com
Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: Bruce Morgan on March 06, 2009, 18:35:27 pm
I did some exploring in the various folders on my server and was unable to find out where the basic Joomla registration is located.  I do remember following instructions from this forum to make the VM registration the default one or maybe that became a standard feature with the latest version.  In any case I find the standard Joomla registration worthless and would just as soon delete it if it will not cause any problems.  Any suggestions where to look?

Bruce
Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on March 07, 2009, 08:58:33 am
Awe Crap!  ???

I just discovered one minor flaw to my "first_name = last_name" script and about 10 SPAM registrations in my inbox!

I woke up in the middle of the night, thinking that I might have figured out how the SPAMmers were getting around my little check.  Unfortunately, the script I added above is written in Javascript, so all a SPAMmer needs to do to circumvent it, is. . . well, turn off Javascript in their browser to get around it.

So I'm back to the drawing board.  I will need to write the form verification in PHP. 

Dang! I guess my day with only 2 SPAM registrations was just a flukey coincidence!

I'll keep trying though!

-Dan Yager
www.quickheads.com
Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: filterit on March 07, 2009, 09:08:40 am
How do you configure sh404sef to do this?

Have a redirect:

index.php?option=com_virtuemart&Itemid=99&lang=en&page=shop.registration
going to

Create-customer-account.html
do I just add this to the alias list?


index.php?option=com_registration&task=register
Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on March 07, 2009, 17:03:39 pm
I haven't taken the time to try and get sh404sef to work with Virtuemart.  I tried it once and the checkout process didn't work.  (So I'll deal with that later.)  For right now, sh404SEF is turned off for the Virtuemart component.

However, you can add "index.php?option=com_virtuemart&Itemid=99&lang=en&page=shop.registration" into the SEF URL block instead of the alias, and that will in turn, redirect to the "Create-customer-account" URL.

Sounds a little convoluted I realize, but it worked for me.

Please give it a try and report your results back here.

Thanks,
Dan Yager
www.quickheads.com

Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on March 07, 2009, 17:07:35 pm
Just FYI: I spent some time working on the php scripts in the file "ps_shopper.php" to try and do the form authentication in PHP instead of Javascript.  I got it working, but when I turned off Javascripting to test the PHP further it stopped working.

So that seems like a dead end right now.  I'll do some more research and report my findings back here.

Stay tuned!

Of course, I would appreciate some help, if anyone knows how all of this works!  Sheesh!

Dan Yager
www.quickheads.com
Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: vjtemplates on March 07, 2009, 17:50:10 pm
Simply remove the "Register" link and let your buyers add products to cart first before creating a new account.
Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on March 08, 2009, 04:35:21 am
That would be great, except I want them to register to use the forums, and access other "members only" areas of the site, before they buy..

Nice thought though.

Dan Yager
www.quickheads.com
Title: Re: [NOT QUITE SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on March 08, 2009, 13:46:42 pm
OK, I'm trying a new HACK of the file ps_shopper.php located here:

administrator\components\com_virtuemart\classes\ps_shopper.php

I added a few lines in the PHP code to check if FIRST NAME = LAST NAME

right below the following code:

Code: [Select]

/**
* Function to add a new Shopper into the Shop and Joomla
*
* @param array $d
* @return boolean
*/
function add( &$d ) {
global $my, $auth, $mainframe, $mosConfig_absolute_path, $sess,
$VM_LANG, $vmLogger, $database, $mosConfig_useractivation;

$ps_vendor_id = $_SESSION["ps_vendor_id"];
$hash_secret = "VirtueMartIsCool";
$db = new ps_DB;
$timestamp = time();

if (!$this->validate_add($d)) {
return False;
}



I added:


Code: [Select]
//Added By Dan Yager to prevent SPAM
                   // www.quickheads.com

if (vmGet($d,'first_name','First Name' ) == vmGet($d,'last_name','Last Name' )) {
return False;
}

I did some testing and this doesn't seem to be affected if I turn javascript off in my browser.  It will return the registrant back to the registration page without adding them.  This will allow a human to correct the First or Last name, but doesn't give a SPAMMER too much information.

This doesn't affect normal human users that are trying to register though.  I'll give another 24 hours and see if it cuts down on the SPAM registrations.

I'll report back here with the results.

Cheers,
Dan Yager
www.quickheads.com

Title: [SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on March 09, 2009, 13:22:55 pm
I received a grand total of 1 SPAM registration yesterday, and that no longer had the first and last names equal.  So I think I've got them on the run!  (Fingers crossed.)  :-\ 

My hope is that SPAMMERS won't take the time to figure out what's wrong with the registration form and will simply move on to an easier target.  So far this seems to be working.

If at some point this scheme stops working, I'll add a few more lines of code to check some of the other fields.  (Like Address1 = Address2)  But for now I'm very pleased.  Time will tell though.

I hope others find this thread useful.

Cheers,
Dan Yager
www.quickheads.com
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: Scar on March 12, 2009, 00:38:38 am
Have you tried the VM registration redirector plugin? If you have a captcha on your VM registration this thing might do the trick without hacking. This says it redirects all registration requests to VM registration. Haven't tried it myself yet but I'm sure going to.

http://extensions.joomla.org/extensions/access-&-security/authentication/7170/details
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on March 13, 2009, 15:21:14 pm
The SPAM registrations were coming from the VM registration page.  So simply redirecting all registrations to it wasn't the answer.  :-[

You'll see in one of my previous posts that I was redirecting all registrations to VM using sh404sef and was still getting SPAM.

My specific requirement was that it wouldn't allow registrations where the first and last names were equal.  And only the hack seemed to help.

I haven't gotten any SPAM since I installed it, but normal human beings are able to register just fine.  Hope this makes sense.

Please let me know.

Cheers,
Dan Yager
www.quickheads.com

Title: Re: [SOLVED] block SPAM registrations. . .
Post by: msit on May 28, 2009, 12:08:56 pm
Hello McFly,

that's really a good hint, and I hope, that it will also solve the same problem at my site!

Any idea, how to get and save the IP-address of those, who want to register?

Often the spammers come from special countries, and it may be an additional possibility to block them by .htaccess.
Or compare the IP-address with country-lists? This might make it possible to check, if the post-address is real.

Or does anyone know, how to block the registration by the used email (.ru,.cn...)?

It's really necessary to improve the security of Joomla and VM! A few weeks ago a hacker destroyed 5 of my Domains on 1und1-host by posting a well-known virus to the server using Joomla or VM. The hosters do not check servers for viruses. So prevention is the only way..

Have a nice day
msit
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: korb on May 29, 2009, 17:59:53 pm
I found a nice captcha and I just implemented in my website.

Please try it for yourself.

For me it is PERFECT!

Yeah... LINK HERE (http://code.google.com/p/joomla15captcha/)

Danny
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: brainz on December 11, 2009, 15:23:27 pm
Thank you....

Sometimes simple solutions are often the best...

regards
brainz
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: Bruce Morgan on December 11, 2009, 15:55:29 pm
I also installed a re-captcha plug-in and Spam registrations were still getting through.  I also installed the block disposable addresses plug in and it reduced the number further but I get an occasional spam registration and I am wondering where the hole is in the safety net.  All of the Spam registrations are the same type with identical first and last names.

I have the VirtueMart registration set up as the default and protected with re-captcha. The Spam registrations are coming via the Joomla registration as they contain only the user name and email.  Is there a way to disable the Joomla registration if you are not using it?

Bruce
www.pepper-passion.com
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: brainz on December 13, 2009, 06:16:20 am
Regardless of it being a joomla registration or a virtuemart registration, this hack works on the premise that the Firstname and the Lastname are the same; if they are the same then it simply shows the user/bot the registration page again.

If the Firstname and the Lastname are different it allows registration of the user.

It's a very simple hack:

open this file..

administrator\components\com_virtuemart\classes\ps_shopper.php

Around line 276 add this code:

Code: [Select]
//Added By Dan Yager to prevent SPAM
                   // www.quickheads.com

if (vmGet($d,'first_name','First Name' ) == vmGet($d,'last_name','Last Name' )) {
return False;
}

Save the file and replace it with the original one... Making sure you have a backup of the original file of course.

That simple...

Once the file has been updated only users with a different firstname and lastname will be able to register.

Done...  Thanks Dan Yager or should I say HelloMcFly

Regards
Brainz
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: Nick Miletich on February 18, 2010, 10:35:15 am
@ HelloMcFly

It was a pleasure reading about your trials and tribulations with the spambots.  thanks.  ;)
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: bpmurphy on April 23, 2010, 03:16:25 am
I get a parse error when I use this:

Parse error: syntax error, unexpected T_IF, expecting T_FUNCTION
Code: [Select]
//Added By Dan Yager to prevent SPAM
                   // www.quickheads.com

if (vmGet($d,'first_name','First Name' ) == vmGet($d,'last_name','Last Name' )) {
return False;
}

Any idea?
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: Uriel on December 28, 2010, 09:53:52 am
OK, I'm trying a new HACK of the file ps_shopper.php located here:

administrator\components\com_virtuemart\classes\ps_shopper.php

I added a few lines in the PHP code to check if FIRST NAME = LAST NAME

right below the following code:

Code: [Select]

/**
* Function to add a new Shopper into the Shop and Joomla
*
* @param array $d
* @return boolean
*/
function add( &$d ) {
global $my, $auth, $mainframe, $mosConfig_absolute_path, $sess,
$VM_LANG, $vmLogger, $database, $mosConfig_useractivation;

$ps_vendor_id = $_SESSION["ps_vendor_id"];
$hash_secret = "VirtueMartIsCool";
$db = new ps_DB;
$timestamp = time();

if (!$this->validate_add($d)) {
return False;
}



I added:


Code: [Select]
//Added By Dan Yager to prevent SPAM
                   // www.quickheads.com

if (vmGet($d,'first_name','First Name' ) == vmGet($d,'last_name','Last Name' )) {
return False;
}

I did some testing and this doesn't seem to be affected if I turn javascript off in my browser.  It will return the registrant back to the registration page without adding them.  This will allow a human to correct the First or Last name, but doesn't give a SPAMMER too much information.

This doesn't affect normal human users that are trying to register though.  I'll give another 24 hours and see if it cuts down on the SPAM registrations.

I'll report back here with the results.

Cheers,
Dan Yager
www.quickheads.com



Hello McFly,

Thank you for all that you have gone through so far!
Could you perhaps tell me if this would work on VirtueMart 1.1.2 stable?
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: Bruce Morgan on January 06, 2011, 23:20:18 pm
I forgot that I had implemented this hack and had lost it during some recent updates.  I started receiving spam registrations again and just reinstalled it.  I hope something like this will be present in the next VM update (1.5 or 2.0?)

Bruce
www.pepper-passion.com
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: ganzziani on August 24, 2011, 01:16:15 am
I've been getting registrations where the Address 1 was the same as the Address 2, I added this and it seems to work
Code: [Select]
if (vmGet($d,'address_1','Address 1' ) == vmGet($d,'address_2','Address 2' )) {
return False;
}
I'm a PHP newbie, can someone confirm that it is correct?
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: stinga on August 25, 2011, 01:41:48 am
G'day,
The check you put in for last name = first name was a good idea, I had the same.
But you have put the check in the bit that the user enters.
The spambots are not using the registration page they are sending data directly to the page that the gui page calls.
You need the check in there as well.
Where you have it to stop real users and in the back to stop the spambot.
I also took the IP address of the spambot and added it to my block list so they only get one shot and they are gone for ever.
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: Bruce Morgan on August 25, 2011, 03:16:47 am
Could you explain a little more explicitly where you have added the code?  The more exact you can be the more people it will help.

Bruce
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: qme1ster on November 25, 2011, 23:04:02 pm
I too would like to know a little more about your solution Stinga - could you please explain?
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: stinga on December 01, 2011, 23:44:27 pm
G'day all,

I got that wrong, the code suggested for testing first/last name being the same is in the correct place and will do what is required.

I output to a log file the following...
Code: [Select]
01-12-2011 22:40:55.490:/home/www/recovery-cd-disk.com/administrator/components/com_virtuemart/classes/ps_shopper.php:282:81.142.230.1:Spam registration caught!
I then use a program called sec that I have used for years that tails the log file looking for caught messages and then adds the ipaddress to iptables like...
Code: [Select]
iptables -A OUTPUT -p tcp -d <ipaddress>  -j DROP
This stops the sender from accessing my server for everything, I actually unblock the ipaddress after about 15 minutes, that just stops repeated attempts.
I use this method for everything, from voip to ssh attacks, has worked so far!
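
The log-then-block loop described in the post above, sketched in PHP as an added example (it is not stinga's script and not part of sec): it parses lines in the quoted log format, accepts only literal IP addresses, and works out which addresses are still inside a 15-minute block window. The function names, the UTC assumption and the sample log lines are constructed for illustration.

```php
<?php
// Added example: not stinga's script and not part of sec. The pattern follows
// the single log line quoted above; function names and sample data are made up.

const BLOCK_TTL = 900; // seconds; the post unblocks after about 15 minutes

/** Returns array('ip' => ..., 'time' => unix time) for a "caught" line, else null. */
function parse_caught_line($line)
{
    $re = '/^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3}:.+?:\d+:([0-9A-Fa-f:.]+):Spam registration caught!$/';
    if (!preg_match($re, rtrim($line), $m)) {
        return null;
    }
    // Only a literal IPv4/IPv6 address may go on to a firewall rule.
    if (filter_var($m[2], FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Log timestamps are treated as UTC here (an assumption).
    $when = DateTime::createFromFormat('d-m-Y H:i:s', $m[1], new DateTimeZone('UTC'));
    return $when ? array('ip' => $m[2], 'time' => $when->getTimestamp()) : null;
}

/** Returns ip => expiry time for every address still inside its block window at $now. */
function active_blocks(array $lines, $now, $ttl = BLOCK_TTL)
{
    $lastSeen = array();
    foreach ($lines as $line) {
        $hit = parse_caught_line($line);
        if ($hit === null || $hit['time'] > $now) {
            continue; // not a "caught" line, bad address, or dated in the future
        }
        // A repeat offence restarts the window.
        if (!isset($lastSeen[$hit['ip']]) || $hit['time'] > $lastSeen[$hit['ip']]) {
            $lastSeen[$hit['ip']] = $hit['time'];
        }
    }
    $blocks = array();
    foreach ($lastSeen as $ip => $time) {
        if ($time + $ttl > $now) {
            $blocks[$ip] = $time + $ttl;
        }
    }
    return $blocks;
}

// Constructed sample log (documentation addresses, placeholder path).
$log = array(
    '01-12-2011 22:20:00.000:/path/to/ps_shopper.php:282:198.51.100.7:Spam registration caught!',
    '01-12-2011 22:40:55.490:/path/to/ps_shopper.php:282:192.0.2.10:Spam registration caught!',
    '01-12-2011 22:45:00.120:/path/to/ps_shopper.php:282:999.1.1.1:Spam registration caught!',
    '01-12-2011 22:46:00.000:/path/to/ps_shopper.php:101:192.0.2.99:Order saved',
    '01-12-2011 22:48:30.000:/path/to/ps_shopper.php:282:2001:db8::5:Spam registration caught!',
);
$now = (new DateTime('2011-12-01 22:50:00', new DateTimeZone('UTC')))->getTimestamp();

foreach (active_blocks($log, $now) as $ip => $expires) {
    echo $ip, ' blocked for another ', $expires - $now, " seconds\n";
}
```

The first sample entry has already aged out of the window, the third is dropped because its address field is not a valid IP, and the fourth is not a "caught" line.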
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: cncmike on February 19, 2012, 20:59:39 pm
Thank you for this thread.

Implemented this today, appears to be functioning, will see if it works.

Mike in MN
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: harwejb on July 04, 2012, 18:58:29 pm
This seems to work.. I've been searching through the code for a couple of days trying to find the right section.  I had previously implemented the JavaScript check, but like everyone else, the bots were still getting through.

//Added By Dan Yager to prevent SPAM
                   // www.quickheads.com
      if (vmGet($d,'first_name','First Name' ) == vmGet($d,'last_name','Last Name' )) {
         return False;
      }      

Thanks Dan Yager
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: tritek on September 06, 2012, 21:43:05 pm
I have also used a similar fix that I found online somewhere:

Code: [Select]
echo 'if ( form.first_name.value == form.last_name.value ) {alert( \''. str_replace("'","\\'",$VM_LANG->_('REGWARN_BOT',false)) .'\');return false;}';
then just add the warning as the 'REGWARN_BOT' in /languages/common/english.php - in my case i put:

"For Security reasons, Your Firstname cannot be identical to your Lastname, Please change this."

But, I am now getting accounts set up with only one name. So the matching condition is moot. what can be added to this code to also block registration where only a first OR a last name is entered?

Thanks all!
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: ganzziani on November 08, 2012, 06:01:37 am
Some spambots are just filling random data in the fields, so the technique mentioned above is not working anymore.
I am thinking of using the Middle Name field as a bot checker, I will ask the user to leave it blank during the registration.
Also, the spambots typically enter about 6 digits in the phone field, I also want to verify that they enter at least 7 numbers.
I've tried changing the ps_shopper.php file, but I'm not a PHP expert. Can someone help with the code?
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: stinga on November 08, 2012, 13:00:47 pm
If you want a way to block that will work forever....

A bit of background...
You are on the registration page filling in data, then you click 'Send registration' it calls a page that actually does the work.
Now, the spam registrations are not using the gui page they are posting the data directly into the shop.

So, if you were to hack the gui code and the add function in ps_shopper.php then you would stop them all.
I.E.
Change the name="agreed" to name="agreedxxx" and then check to make sure agreedxxx is filled in, if not silently reject the registration. Don't all use agreedxxx though! :-)

or

You could check the referer, if not your site then reject as well. Not too sure about that one though.
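
The server-side checks raised in this thread (identical or missing names, a field visitors are asked to leave blank, a minimum phone length, a repeated address, and a renamed form field), gathered into one function. This is an added example, not VirtueMart code or any poster's code; the function name and rule names are made up, `middle_name` and `phone_1` are assumed field names, and `$d` stands for the posted array that `add( &$d )` receives.

```php
<?php
// Added example: not VirtueMart code and not any poster's code.
// first_name, last_name, address_1, address_2 and agreedxxx come from the
// thread; middle_name and phone_1 are assumed field names.

/**
 * Returns the name of the first rule the submission trips, or null if it passes.
 * $d is the posted registration data, i.e. what add( &$d ) receives.
 */
function registration_spam_rule(array $d, $renamedField = 'agreedxxx')
{
    // Trim and lowercase so "Bob " and "bob" count as the same value.
    $get = function ($key) use ($d) {
        return (isset($d[$key]) && is_string($d[$key])) ? strtolower(trim($d[$key])) : '';
    };

    $first = $get('first_name');
    $last  = $get('last_name');

    // Only one of the two names was supplied.
    if ($first === '' || $last === '') {
        return 'name_missing';
    }
    // === compares as strings; == would treat "1e3" and "1000" as equal.
    if ($first === $last) {
        return 'name_equal';
    }
    // Honeypot: the form asks people to leave this field blank.
    if ($get('middle_name') !== '') {
        return 'honeypot_filled';
    }
    // Count digits only, so "555-0100" and "(555) 0100" are treated alike.
    if (strlen(preg_replace('/\D/', '', $get('phone_1'))) < 7) {
        return 'phone_too_short';
    }
    // An empty address_2 is normal; only a filled-in duplicate is suspicious.
    $addr2 = $get('address_2');
    if ($addr2 !== '' && $addr2 === $get('address_1')) {
        return 'address_equal';
    }
    // The site's own form carries the renamed checkbox; a direct POST built
    // from the stock field names does not.
    if ($get($renamedField) === '') {
        return 'renamed_field_missing';
    }
    return null;
}

// Constructed sample submissions (not real registrations).
$human = array(
    'first_name' => 'Ada', 'last_name' => 'Lovelace', 'middle_name' => '',
    'phone_1' => '555-010-0199', 'address_1' => '1 Example Street',
    'address_2' => '', 'agreedxxx' => '1',
);
$samples = array(
    'human'             => $human,
    'equal names'       => array_merge($human, array('last_name' => ' ADA')),
    'one name only'     => array_merge($human, array('last_name' => '')),
    'honeypot filled'   => array_merge($human, array('middle_name' => 'qwzx')),
    'six-digit phone'   => array_merge($human, array('phone_1' => '123456')),
    'address repeated'  => array_merge($human, array('address_2' => '1 Example Street')),
    'stock field names' => array_diff_key($human, array('agreedxxx' => 1)) + array('agreed' => '1'),
);

foreach ($samples as $label => $d) {
    $rule = registration_spam_rule($d);
    // The rule name is for the site's own log; the visitor sees only a generic message.
    echo str_pad($label, 18), $rule === null ? 'accepted' : 'rejected (' . $rule . ')', "\n";
}
```

In ps_shopper.php a call like this would sit where the first/last name check was added, returning False whenever a rule name comes back.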
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: timbreese on November 13, 2012, 04:24:20 am
I have had the same problem and I don't have a forum on the site anymore.
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: HelloMcFly on November 23, 2012, 06:22:49 am
Hi all,
I haven't posted here in a while because I had to stop using virtuemart.  (I ended up using IXXOCART for the multi-vendor features) 

I needed to implement a similar "name" = "username" check on the Joomla registration flow once I switched from virtuemart.  You can see my latest post about that on the joomla forums here:

http://forum.joomla.org/viewtopic.php?f=624&t=691707

Just a couple of comments based on the feedback above:

1. Now that I've gained a little more experience in PHP I see that STINGA is right.  You would need to implement the check outside of the GUI, and do the check on the page that actually performs the registration.  This will prevent Hackers/SPAMmers from posting data directly to that page.

2.  A few people above changed the code above so that the error message told the SPAMmers why the registration didn't work.  Then they began getting SPAM registrations with random strings.  As stated earlier, I think it's best that you don't get too descriptive with your error message.  You want humans to be able to register, but you don't want to give SPAMBOTS enough info to circumvent your checks above.  I think an error like "Performing Maintenance" or "Contact Dan" works well!

I may switch back to virtuemart once the multi-vendor features are added, but for now I can't comment on later versions of virtuemart.  I will be more than happy to try and help when possible though.  Thanks for all the great feedback.

Warm regards,
Dan Yager
aka HelloMcFly and Quickheads
;-)



Title: Re: [SOLVED] block SPAM registrations. . .
Post by: mattcowan on August 11, 2013, 05:36:26 am
This thread kept coming up in the search results for when I was trying to solve this same error in VM2, so I figured I would post this here.

To implement this solution in vm2, you are going to want to edit public function store() in administrator/components/com_virtuemart/models/user.php

Add this code:
Code: [Select]
if($data['first_name'] == $data['last_name']) {
vmError('Spam');
$mainframe->enqueueMessage('This triggered the spam filter. If this is preventing you from placing an order, please call customer service.', 'error');
return false;
}
I added it below the check to see if data was empty, near the top of the function, so my file looks like this:
Code: [Select]
if(empty($data)){
vmError('Developer notice, no data to store for user');
return false;
}
//Original Idea By Dan Yager to prevent SPAM, modified by Matt Cowan
                   // Dan Yager = www.quickheads.com
if($data['first_name'] == $data['last_name']) {
vmError('Spam');
$mainframe->enqueueMessage('This triggered the spam filter. If this is preventing you from placing an order, please call customer service.', 'error');
return false;
}
Title: Re: [SOLVED] block SPAM registrations. . .
Post by: rage76 on May 05, 2014, 19:29:08 pm
Dear Mattcowan

Were you able to take care of the spam registrations in Virtuemart with this hack? If yes, can you please guide me through this?

best regards