Magento 2 Spam User Protection and Core Security Vulnerability

Yegor Shytikov
4 min read · Jun 30, 2020


This extension protects a Magento 2 store from the critical core EAV spam vulnerability!

A friend of mine made several million 💵 sending spam through an Adobe Magento 2 security hole. This extension blocks this kind of spam 100%.

According to AWS RDS Performance Insights, the most frequently executed SQL query was the one inserting spam users (captured query, truncated):

    INSERT INTO `customer_grid_flat` (`entity_id`,`name`,`email`,`group_id`,`created_at`,`website_id`,`confirmation`,`created_in`,`dob`,`gender`,`taxvat`,`lock_expires`,`shipping_full`,`billing_full`,`billing_firstname`,`billing_lastname`,`billing_telephone`,`billing_postcode`,`billing_country_id`,`billing_region`,`billing_street`,`billing_city`,`billing_fax`,`billing_vat_id`,`billing_company`) VALUES ('233528', '瀧8 http://aaa.Long114.ru æłšć†Œé€ž88–8ćŸ°ć”«ïŒŒæ»Ąç™Ÿè«ŸçȘŸæ— è“…æ°Ž sadad', '13471338799@163.com', '1', '2019-05-30 23:26:59', '1', NULL, 'Default Store View',
    )

PS: My friend asked me not to publish this extension, but here it is! Everything for merchants who are constantly struggling with Magento bugs and issues. ¡No pasarán!

The problem is that the injection goes directly to the API, not through the frontend registration form. The Magento API has no captcha protection.

The Magento 2 REST API is public and doesn't have any protection:

https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/Customer/etc/webapi.xml#L128

    <route url="/V1/customers" method="POST">
        <service class="Magento\Customer\Api\AccountManagementInterface" method="createAccount"/>
        <resources>
            <resource ref="anonymous"/>
        </resources>
    </route>

Magento Spam Security

The idea is to block user registration when the name is too long or contains a website address: essentially input validation. It doesn't block the bots themselves, but once bots can't register on your site they stop sending requests. Spammers use the Magento store's SMTP server to send spam embedded in customer names. Because of the EAV implementation of the customer entity, Magento doesn't validate the name properly, and it can be 256 characters long. That is plenty for a spam message.

Spam Users Filter Magento 2 extension

https://github.com/Genaker/SpamUsersFilter

The extension adds length-limit rules for customer attributes (by default the limit is 256 characters, which lets spammers send whole messages) and also checks whether an attribute contains a URL.

Bots automatically create customer accounts, and the email addresses they use are not invalid. In recent cases they were mostly accounts at @mail.ru, @gmail.ru, @inbox.ru, @bk.ru, @list.ru, @qq.com and other Russian mail hosts. Most of these addresses probably exist, so after the bot registers, the shop sends a genuine confirmation email from a real sender to a real person. That is the first intent. Now the question: "Why? It's just a normal sign-up confirmation email." Yes, BUT the bots use the customer name for their "advertising message". The spammers' main idea is to use your email server to send spam emails.

Spam registrations are the work of bots all over the internet trying to exploit your store and harm your business. The fake sign-up uses either a fake email address or a real one without its owner's knowledge. Such activity harms your email marketing campaign: the addresses used in registrations or newsletter subscriptions receive undesirable newsletters, your store may be marked as spam because of these unwanted emails and, if this happens on a large scale, Gmail may blacklist you, so your newsletter will no longer be delivered to subscribers.

Spambots and bogus registrations can do significantly more harm to your site and your reputation than you might imagine.

Spammers have several ways into your site, and fake/spam registration is the most used one. With this Magento 2 extension you can stop fake/spam customers by blocking their registration through a few proven checks and keep your store protected from them. It helps avoid Russian and Chinese customer registration spam through programmatic validation.

Improve your Magento store's operation by limiting bots and avoiding customer registration spam with this Magento 2 extension that restricts fake registrations. Better store health means a better customer experience!

How it works

A before-plugin on AccountManagement::createAccount runs these checks before a customer account is created:

    // at the top of the plugin class file:
    use Magento\Framework\Exception\LocalizedException;

    // Before-plugin on AccountManagement::createAccount (declared in the module's di.xml).
    // It runs before every account creation, whether the request comes from the REST API or the form.
    public function beforeCreateAccount(
        \Magento\Customer\Model\AccountManagement $subject,
        \Magento\Customer\Api\Data\CustomerInterface $customer
    ) {
        // Anything that looks like a web address: scheme://, www. or ftp. followed by a host name
        $regexp = '/(?:(?:https?|ftp|file):\/\/|www\.|ftp\.)(?:\([-A-Z0-9+&@#\/%=~_|$?!:,.]*\)|[-A-Z0-9+&@#\/%=~_|$?!:,.])*(?:\.[A-Z0-9]{1,})\.?/im';
        $firstName = (string) $customer->getFirstname();
        $lastName = (string) $customer->getLastname();
        // strlen() counts bytes, so multibyte names reach the limit sooner than 70 characters
        if (strlen($firstName) > 70 || strlen($lastName) > 70) {
            throw new LocalizedException(__("Name is too long"));
        } elseif (preg_match($regexp, $lastName . $firstName)) {
            throw new LocalizedException(__("Site name is not allowed"));
        }
    }
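As an added example (not code from the SpamUsersFilter module), here are the two rules above factored into a standalone validator that can be run from the command line against sample names without booting Magento. The attribute codes, the per-attribute limits and the use of mb_strlen() (characters) instead of strlen() (bytes) are my own choices, and the sample customers are constructed.

```php
<?php
// Added example, not the module's own code: the plugin's rules as a testable class.
declare(strict_types=1);

final class SpamNameValidator
{
    // Same URL pattern as the plugin: scheme://, www. or ftp. followed by a host name.
    private const URL_REGEXP = '/(?:(?:https?|ftp|file):\/\/|www\.|ftp\.)(?:\([-A-Z0-9+&@#\/%=~_|$?!:,.]*\)|[-A-Z0-9+&@#\/%=~_|$?!:,.])*(?:\.[A-Z0-9]{1,})\.?/im';

    /** @var array<string,int> maximum length per attribute code (assumed limits) */
    private array $limits;

    public function __construct(array $limits = ['firstname' => 70, 'lastname' => 70, 'company' => 100])
    {
        $this->limits = $limits;
    }

    /** Returns null when the value is acceptable, otherwise a short reason. */
    public function check(string $attribute, ?string $value): ?string
    {
        if ($value === null || $value === '') {
            return null;
        }
        $limit = $this->limits[$attribute] ?? 70;
        // mb_strlen counts characters; the plugin's strlen() counts bytes and is stricter for CJK text.
        $length = mb_strlen($value, 'UTF-8');
        if ($length > $limit) {
            return sprintf('%s is too long (%d > %d)', $attribute, $length, $limit);
        }
        if (preg_match(self::URL_REGEXP, $value)) {
            return sprintf('%s contains a web address', $attribute);
        }
        return null;
    }

    /** Checks every attribute and returns the list of violations (empty array = clean). */
    public function checkAll(array $attributes): array
    {
        $reasons = [];
        foreach ($attributes as $code => $value) {
            if (($reason = $this->check($code, $value)) !== null) {
                $reasons[] = $reason;
            }
        }
        return $reasons;
    }
}

// Constructed samples: one ordinary customer and one shaped like the spam row captured above.
$validator = new SpamNameValidator();
$samples = [
    'legit' => ['firstname' => 'Maria', 'lastname' => 'Novak'],
    'spam'  => ['firstname' => '瀧8 http://aaa.Long114.ru sadad', 'lastname' => str_repeat('x', 80)],
];
foreach ($samples as $label => $customer) {
    $reasons = $validator->checkAll($customer);
    echo $label, ': ', $reasons ? implode('; ', $reasons) : 'ok', PHP_EOL;
}
```

In the plugin, a non-empty result from checkAll() is the point where LocalizedException is thrown so the REST API returns a proper error instead of creating the account.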

This approach applies to any spam issue, not only to user creation. Magento 2 has a critical validation vulnerability: a lack of input validation caused by the legacy EAV database structure. A normal application starts with business logic and database validation; Magento starts with EAV and no validation at all.

To limit spam customers, this Magento 2 extension lets you enable its protection against fake sign-ups from the standard registration form/page as well.

This extension lets you enable Magento EAV validation to stop or restrict spambots. Validation rules are great because they don't bother customers the way a captcha does, and they are a legitimate tool for frustrating spambots. Fundamentally, a spambot fills in a field that legitimate customers can't see, which alerts us to its activity.

Installation

    cd [magento root dir]/app/code/
    git clone https://github.com/Genaker/SpamUsersFilter.git
    mv SpamUsersFilter/* .
    rm -rf SpamUsersFilter
    cd ../..
    php bin/magento setup:static-content:deploy --keep-generated
    php bin/magento setup:di:compile

If you can contribute to this project, please do.
