Magento 2 Spam User Protection and Core Security Vulnerability

This extension protects the Magento 2 store from the cryptical core EAV spam vulnerabilities!

A friend of mine made several millions of 💵 sending spam using Adobe Magento 2 security hole. This extension 100% blocks such kind of spam.

According to AWS RDS Performance insight insert spam users most called SQL query.

INSERT INTO `customer_grid_flat` (`entity_id`,`name`,`email`,`group_id`,`created_at`,`website_id`,`confirmation`,`created_in`,`dob`,`gender`,`taxvat`,`lock_expires`,`shipping_full`,`billing_full`,`billing_firstname`,`billing_lastname`,`billing_telephone`,`billing_postcode`,`billing_country_id`,`billing_region`,`billing_street`,`billing_city`,`billing_fax`,`billing_vat_id`,`billing_company`) VALUES (‘233528’, ‘瀧8 注册餸88–8埰唫,满百諟窾无蓅水 sadad’, ‘’, ‘1’, ‘2019–05–30 23:26:59’, ‘1’, NULL, ‘Default Store View’,…)

PS: My friend asked me not to publish this extension but here it is! Everything for merchants who are constantly struggling with Magento bugs and issues. ! No pasarán !

The problem that injection is directly to API. Not frontend registration form. Magento API has no captcha protection.

Magento 2 Rest API is public and doesn't have any protection….

<route url="/V1/customers" method="POST">
<service class="Magento\Customer\Api\AccountManagementInterface" method="createAccount"/>
<resource ref="anonymous"/>
Image for post
Image for post
Magento Spam Security

The idea is to block user registration with long names and websites in the names. Somethings like validation. It doesn’t block bots itself. When bots can’t register on your site they will lot send requests anymore. Spammers use Magento SMTP servers to send spam in user Names. Because of Magento EAV realization of user entity it doesn’t have proper validation and name can be 256 characters long. Pretty enough for a spam message.

Spam Users Filter Magento 2 extension

Adds fields limitation rules for Customer attributes. By default it is 256 and spammers can send spam messages also it checks if the attribute has URLs.

Bots automatically create customer accounts, but the email addresses used are not wrong. In recent cases, there were mostly e-mail accounts from @, @,, @, @, @ and other Russian mail hosting. Generally, there probably most of the mail addresses and thus available after login in the respective shop a confirmation email from that = it, therefore, be true emails from a real shop (-sender) sent to real people. That would be so intent 1. Now the question “Why? It’s just a normal sign-up confirmation email…”. Ja, BUT it is the bots use for their “advertising message” the customer name. The main idea of the spammers to use your email server to send spam emails.

Spam registrations are a result of bots all over the internet, trying to exploit your store and harm your business. The fake signup process uses the fake email address or the real Email IDs without the knowledge of the owners. Such activity harms your email marketing campaign. The email addresses used in registration or newsletter subscriptions receive undesirable newsletters. Your store may be marked spam due to such unwanted emails and if done on large scale, Gmail may blacklist you, hence your newsletter will not be delivered to subscribers.

Spambots and bogus registration can complete significantly more harm to your site and your picture than you can envision.

Spammers can successfully get into your site among which fake/spam registration is the most utilized technique. What’s more, with this Magento 2 extension, you can confine fake/spam clients just as fake clients by blockade their registration through various proven tricks and keep your store protected and secure from them. It helps to avoid Russian and Chinese customer/users registration spam by programmatically validation.

Improve the Magento store working by limiting bots and keeping away from customer registration spam with Magento 2 restrict fake registration extension. Upgrade client involvement with improved store wellbeing!

How it works

Check some logic before creating a user account

public function beforeCreateAccount(
\Magento\Customer\Model\AccountManagement $subject,
$regexp = '/(?:(?:https?|ftp|file):\/\/|www\.|ftp\.)(?:\([-A-Z0-9+&@#\/%=~_|$?!:,.]*\)|[-A-Z0-9+&@#\/%=~_|$?!:,.])*(?:\.[A-Z0-9]{1,})\.?/im';
$firstName = $customer->getFirstname();
$lastName = $customer->getLastname();
if (strlen($firstName) > 70 || strlen($lastName) > 70) {
throw new \Exception(__("Name is to long"));
} elseif (preg_match($regexp, $lastName . $firstName)) {
throw new LocalizedException(__("Site name doesn't allowed"));

This approach is basically applied fr any spam issues not only for user creation. Magento 2 has critical validation vulnerability — lack of validation because of legacy data EAV DB structure. The normal application starts with business logic and DB validation Magento starts with EAV without any validation.

To limit spam clients, this Magento 2 extension enables you to empower its capacity to protect against fake sign-ups from standard registration form/page.

This Extension allows you to enable Magento EAV validation to stop/restrict spambots, Validation are magnificent because they don’t bother clients like a captcha and they are a legitimate tool for upsetting spambots. Fundamentally, a spambot fills in a field that legitimate clients can’t see, cautioning us to their action.


cd [magento root dir]/app/code/git clone SpamUsersFilter/* . rm -rf SpamUsersFilter cd ../..php bin/magento setup:static-content:deploy — keep-generated php bin/magento setup:di:compile

If you can contribute to this project please do it

Written by

Magento/APP Cloud Architect. Melting metal server infrastructure into cloud solutions.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store