Magento 2.3.0 Massive Spam attack
I just did a complete install of 2.3.0 on Sunday Dec 9. Today I see an email from a Chinese customer, so I go to the admin panel to look at the customer. To my surprise there have been over 2650 email customers, all coming from "qq.com". All the email accounts are 9-numbered accounts @qq.com.
I had guest login enabled at the time; I have since removed "Guest allowed" from the site. I am also asking for email confirmation and Captcha for the site. But they still seem to be spamming the site.
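An added triage script (not from the original post) that runs the pattern described above, 9-digit local parts at qq.com arriving in bursts, over a constructed customer export so the affected accounts and the registration rate per hour can be measured before purging anything:

```python
import csv
import io
import re
from collections import Counter

# Constructed excerpt of a customer export (email, created_at) showing the
# pattern from the thread: 9-digit local parts at qq.com, created in bursts.
SAMPLE_EXPORT = """email,created_at
123456789@qq.com,2018-12-10 14:02:11
987654321@qq.com,2018-12-10 14:02:40
alice@example.org,2018-12-10 14:15:03
555555555@qq.com,2018-12-10 15:01:58
bob@qq.com,2018-12-10 15:30:00
"""

# Exactly nine digits before @qq.com; a normal qq.com user (bob@qq.com) is not flagged.
BOT_EMAIL = re.compile(r'^\d{9}@qq\.com$', re.IGNORECASE)


def triage_export(export_text):
    """Return (suspect emails, registrations per hour among the suspects)."""
    suspects, per_hour = [], Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row['email'].strip()
        if BOT_EMAIL.match(email):
            suspects.append(email)
            per_hour[row['created_at'][:13]] += 1   # bucket on 'YYYY-MM-DD HH'
    return suspects, per_hour


def peak_hourly_rate(export_text):
    """Highest number of suspect registrations seen in any single hour."""
    _, per_hour = triage_export(export_text)
    return max(per_hour.values(), default=0)
```

The hourly counts are what to compare against the captcha or confirmation change: if the peak does not drop after the change, the bot is getting past it.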
Re: Magento 2.3.0 Massive Spam attack
Hi @Algrium
Is it a fresh installation of Magento 2.3?
Re: Magento 2.3.0 Massive Spam attack
Yes, it was a fresh install.
I even tried to do a fresh install of version 2.2.5 and got the same thing. I had 80 new customer accounts in a 2-hour period, all from the qq.com website. Looks like it is Chinese in origin.
I am not getting any notification email on new accounts, but if I go to "All Customers" the numbered email accounts show up there.
Re: Magento 2.3.0 Massive Spam attack
Hi.
The following solutions may help you:
Solution 1: Blocking via IP: each account subscription uses a different IP, from Colombia to Vietnam...
Solution 2: Blocking via user agent: it can be faked... It works if you want to limit crawler bots.
Solution 3: Use a honeypot: may work, but if the bot has already focused on you, I think it surely knows which fields to post (see: https://magento.stackexchange.com/a/104261/50635)
Solution 4: Captcha (Magento or Google): may work, but some people said it was bypassed.
Solution 5: Edit the email template and add the confirmation email:
- Removing input data such as {{var customer.name}}, {{var customer.firstname}} from the /app/locale/[locale]/template/email/account_new.html template can help a bit in preventing it being marked as spam.
- Add the email confirmation: System > Configuration > Customer Configuration > Require Emails Confirmation > Yes
Solution 6: Update the field limitation rules in the database: directly in the customer_eav_attribute table, update the rows with attribute_id=5 [firstname] and attribute_id=7 [lastname] and replace 255 by 25:
- a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}
- by : a:2:{s:15:"max_text_length";i:25;s:15:"min_text_length";i:1;}
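An added example, not from the original post, for Solution 6: the validate_rules value appears in this thread in two encodings, PHP serialize() output on older 2.x installs (the a:2:{...} form quoted above) and JSON with an extra input_filter key on 2.2.6 (quoted in a later reply). This script parses either form, lowers max_text_length to 25 while keeping the other keys, and writes the value back in the same encoding it came in; the sample values are constructed from the thread, and the parser covers only the types that column uses.

```python
import json

# Constructed samples of the two encodings this thread shows for the
# validate_rules column: PHP serialize() (older 2.x) and JSON (2.2.6+).
SERIALIZED_RULES = 'a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}'
JSON_RULES = '{"max_text_length":225,"min_text_length":1,"input_filter":"trim"}'


def php_unserialize(data):
    """Parse the PHP serialize() subset used here: arrays, ASCII strings, ints."""
    pos = 0
    def parse():
        nonlocal pos
        tag = data[pos]
        if tag == 'i':                                  # i:255;
            end = data.index(';', pos)
            pos, val = end + 1, int(data[pos + 2:end])
            return val
        if tag == 's':                                  # s:15:"max_text_length";
            colon = data.index(':', pos + 2)
            start = colon + 2                           # skip ':"'
            end = start + int(data[pos + 2:colon])      # declared length
            pos, val = end + 2, data[start:end]         # skip closing '";'
            return val
        if tag == 'a':                                  # a:2:{key;value;...}
            colon = data.index(':', pos + 2)
            count = int(data[pos + 2:colon])
            pos, result = colon + 2, {}
            for _ in range(count):
                key = parse()                           # key first, then value
                result[key] = parse()
            pos += 1                                    # closing '}'
            return result
        raise ValueError('unsupported PHP type %r at offset %d' % (tag, pos))
    return parse()


def php_serialize(value):
    if isinstance(value, int):
        return 'i:%d;' % value
    if isinstance(value, str):                          # ASCII only: len == byte length
        return 's:%d:"%s";' % (len(value), value)
    body = ''.join(php_serialize(k) + php_serialize(v) for k, v in value.items())
    return 'a:%d:{%s}' % (len(value), body)


def tighten_rules(raw, max_len=25):
    """Lower max_text_length in either encoding, keeping other keys and the format."""
    is_php = raw.startswith('a:')
    rules = php_unserialize(raw) if is_php else json.loads(raw)
    rules['max_text_length'] = max_len
    return php_serialize(rules) if is_php else json.dumps(rules, separators=(',', ':'))
```

Write the result back to customer_eav_attribute.validate_rules for attribute_id 5 and 7 with an ordinary UPDATE after backing the table up; a later reply in this thread reports the limit being ignored on 2.3.4, so confirm with a registration attempt that the shorter limit is actually enforced.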
Re: Magento 2.3.0 Massive Spam attack
Tried them, none worked.
Still getting spammed from qq.com.
Even tried the htaccess file:
order deny,allow
deny from 111.161.64.40
deny from 123.125.50.22
deny from 192.151.230.22
deny from 123.58.180.7
deny from qq.com
deny from *@qq.com
Re: Magento 2.3.0 Massive Spam attack
After playing around with the different versions of Magento 2, I found 2.2.5 to be the most stable for the QQ.COM email spam attacker.
In version 2.2.5 the spammer only shows up as an online visitor and does not create a new customer account automatically.
In versions 2.2.6, 2.2.7, and 2.3.0 the email spammer automatically creates a customer account, bypassing the account login setup and creating hundreds of customers per hour in the database. I have tried using IP blockers, but the spam still gets through.
In version 2.2.5 the database visitor log shows over 750 visitors in about a 2-day period, but nothing shows visibly on the admin side, except who is online at that time. For the online visitor it does not show any information in the ID, First Name, Last Name or Email columns; it only shows Last Activity and Type. Usually 5 to 10 are online at a time when I look.
- I think the next version of 2.3.X should have the same method of showing all incoming mail as a visitor and not as a customer that automatically creates hundreds of customers per hour.
- Have an admin option to manually or automatically purge the visitor database at any time, otherwise the database would continue to grow unchecked. (Could be purged every hour, once a day, once a week, once a month type options.)
Re: Magento 2.3.0 Massive Spam attack
Hi, for the solution you mentioned above, what should I do for Magento 2.2.6? The validate_rules is showing as "{"max_text_length":225,"min_text_length":1}", and there is also an "input_filter": "trim". Should I remove "trim" and edit the 225 to 25? I tried it yesterday but the Russian spam is still coming through.
Re: Magento 2.3.0 Massive Spam attack
I have tried editing validate_rules 5 and 7 to {"max_text_length":25,"min_text_length":1}.
On a shop running Magento 2.2.1 this works perfectly. However on a different shop running 2.3.4 the rules seem to be completely ignored. It's even possible to make names that are way longer than 255. Does anyone know what could cause this?