Post by Cue4cheap » Sun Feb 28, 2021 11:09 am

I have made a simple change to the catalog/controller/information/contact.php form
After: $this->document->setTitle($this->language->get('heading_title'));
add

Code:

$bogus = "0";
$string = "0";
if (!empty($this->request->post['email'])) {
	$string = $this->request->post['email'];
	$badWords = array("googlemail", "no-reply", "noreply");
	$matchFound = preg_match_all("/(" . implode("|", $badWords) . ")/i", $string, $matches);
	// Get host name from email: take the last array element because an escaped @
	// is allowed in the local part (RFC 5322)
	$email_host = array_slice(explode("@", $string), -1)[0];
	// Check if valid IP (v4 or v6). If it is we can't do a DNS lookup
	if (!filter_var($email_host, FILTER_VALIDATE_IP, [
		'flags' => FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE,
	])) {
		// Add a dot to the end of the host name to make a fully qualified domain name,
		// then convert to ASCII (punycode)
		$email_host = idn_to_ascii($email_host . '.');
		// Check for MX pointers in DNS (if there are no MX pointers the domain cannot receive emails)
		if ((!checkdnsrr($email_host, "MX")) || ($matchFound)) {
			// get IP (note: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers
			// supplied by the client or a proxy and can be forged; only REMOTE_ADDR
			// comes from the TCP connection itself)
			if (!empty($_SERVER['HTTP_CLIENT_IP'])) { // check ip from shared internet
				$ip = $_SERVER['HTTP_CLIENT_IP'];
			} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { // check if ip is passed from a proxy
				$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
			} else {
				$ip = $_SERVER['REMOTE_ADDR'];
			}
			// set bogus
			$bogus = "1";
		}
	}
}
Then after: if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) {
add

Code:

if ($bogus != "1") {
and finally after: $mail->send();
close it with

Code:

}
I have a few other things in there that I feel are only good for my use, but what this does is allow you to add some "bad words" that you want to disallow AND check for a valid MX record for the domain they are putting in. If it doesn't have an MX record or has a bad word, it will not allow the emails through...
The
Code:

if ($bogus != "1") {

makes it so they still fill out the form and it acts as if it succeeded, but actually doesn't send anything.

Just a quick hack in 2.3.0.2; using this along with a captcha has cut my received spam down to almost nothing.

Mike


Post by JNeuhoff » Sun Feb 28, 2021 10:00 pm

Thank you for sharing this with us. The checkdnsrr function comes in quite handy here.


Post by straightlight » Sun Feb 28, 2021 11:55 pm

Cue4cheap wrote:
Sun Feb 28, 2021 11:09 am
Let's not forget that system/startup.php already takes care of the $_SERVER superglobals in the meantime. To keep using it, the above code, for the first BB Code portion, should be converted to:

Code:

$bogus = '0';
$string = '0';

if (!empty($this->request->post['email'])) {
	$string = $this->request->post['email'];
	$badWords = array('googlemail', 'no-reply', 'noreply');
	$matchFound = preg_match_all('/(' . implode('|', $badWords) . ')/i', $string, $matches);

	//Get host name from email and check if it is valid
	$email_host = array_slice(explode('@', $string), -1)[0];

	// Check if valid IP (v4 or v6). If it is we can't do a DNS lookup
	if (!filter_var($email_host, FILTER_VALIDATE_IP, ['flags' => FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE])) {
		// Add a dot to the end of the host name to make a fully qualified domain name
		// and get last array element because an escaped @ is allowed in the local part (RFC 5322)
		// Then convert to ascii
		$email_host = idn_to_ascii($email_host . '.');

		// Check for MX pointers in DNS (if there are no MX pointers the domain cannot receive emails)
		if ((!checkdnsrr($email_host, 'MX')) || ($matchFound)) {
			// get IP
			if (!empty($this->request->server['HTTP_CLIENT_IP'])) { // Check ip from share internet
				$ip = $this->request->server['HTTP_CLIENT_IP'];
			} elseif (!empty($this->request->server['HTTP_X_FORWARDED_FOR'])) { // To check ip is pass from proxy
				$ip = $this->request->server['HTTP_X_FORWARDED_FOR'];
			} else {
				$ip = $this->request->server['REMOTE_ADDR'];
			}

			// set bogus
			$bogus = '1';
		}
	}
}


Regards,
Straightlight
Programmer / Opencart Tester

Post by JNeuhoff » Mon Mar 01, 2021 12:24 am

Yes, it can be refined. But the basic idea is good. Maybe the opencart.com comments section could apply this technique to stop those daily evil spammers!


Post by straightlight » Mon Mar 01, 2021 1:02 am

JNeuhoff wrote:
Mon Mar 01, 2021 12:24 am
Yes, it can be refined. But the basic idea is good. Maybe the opencart.com comments section could apply this technique to stop those daily evil spammers!
It's still user-defined, though, as opposed to using a service these days.


Regards,
Straightlight
Programmer / Opencart Tester

Post by kestas » Tue Mar 02, 2021 4:51 am

What about checking the A record if no MX record is listed, as defined in RFC 5321? It is rare, but some domains may not have an MX record...
https://stackoverflow.com/questions/197 ... -addresses
https://en.wikipedia.org/wiki/MX_record ... lback_to_A


Post by Cue4cheap » Tue Mar 02, 2021 5:26 am

kestas wrote:
Tue Mar 02, 2021 4:51 am
What about checking the A record if no MX record is listed, as defined in RFC 5321? It is rare, but some domains may not have an MX record...
https://stackoverflow.com/questions/197 ... -addresses
https://en.wikipedia.org/wiki/MX_record ... lback_to_A
Could just do the same check as is done for MX.
https://www.php.net/manual/en/function.checkdnsrr.php

Edit.... I didn't click your links and see I posted the same as you....
Mike
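A standalone PHP version of the thread's check, with the A-record fallback kestas raises (RFC 5321 section 5.1) and preg_quote on the bad-word list. This is an added example and not code from any post above or from OpenCart; the function names are this example's own.

```php
<?php
// Added example (not from the thread or OpenCart): decide whether a contact-form
// e-mail address belongs to a domain that can receive mail. Needs ext/intl for idn_to_ascii.

function mailDomainDeliverable(string $email): bool
{
    // The domain is everything after the last '@' (an escaped '@' may appear
    // in the local part, RFC 5322).
    $parts = explode('@', $email);
    if (count($parts) < 2) {
        return false;
    }
    $host = rtrim(end($parts), '.');
    if ($host === '') {
        return false;
    }

    // Address literals such as [192.0.2.10] cannot be resolved via DNS;
    // treat them as undeliverable for a public contact form.
    if (filter_var(trim($host, '[]'), FILTER_VALIDATE_IP)) {
        return false;
    }

    // Convert IDN labels to punycode; a failed conversion means a malformed host.
    $ascii = idn_to_ascii($host, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
    if ($ascii === false) {
        return false;
    }
    $fqdn = $ascii . '.'; // trailing dot: query the name as given, no search-list suffixing

    // RFC 5321: look for MX first; a domain with no MX at all is treated as having an
    // implicit MX pointing at itself, so fall back to A/AAAA.
    // Caveat: a Null MX (RFC 7505, "MX 0 .") means the domain refuses mail, yet checkdnsrr
    // still reports an MX; inspect dns_get_record($fqdn, DNS_MX) targets if that matters.
    return checkdnsrr($fqdn, 'MX') || checkdnsrr($fqdn, 'A') || checkdnsrr($fqdn, 'AAAA');
}

function matchesBlockedWords(string $email, array $blocked): bool
{
    // preg_quote so a word containing '.', '+' or '|' is matched literally.
    $quoted = array_map(function ($w) { return preg_quote($w, '/'); }, $blocked);
    return $quoted !== [] && preg_match('/(' . implode('|', $quoted) . ')/i', $email) === 1;
}

// Equivalent of the thread's $bogus flag: true means accept the form but do not send.
function shouldDropContactMail(string $email, array $blocked = ['googlemail', 'no-reply', 'noreply']): bool
{
    return matchesBlockedWords($email, $blocked) || !mailDomainDeliverable($email);
}
```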