Post by Cue4cheap » Sun Feb 28, 2021 11:09 am

I have made a simple change to the catalog/controller/information/contact.php form
After: $this->document->setTitle($this->language->get('heading_title'));
add

Code: Select all

$bogus = "0";
$string = "0";
if (!empty($this->request->post['email'])) {
    $string = $this->request->post['email'];
    $badWords = array("googlemail", "no-reply", "noreply");
    $matchFound = preg_match_all("/(" . implode("|", $badWords) . ")/i", $string, $matches);
    // Get host name from email and check if it is valid
    // (take the last array element because an escaped @ is allowed in the local part, RFC 5322)
    $email_host = array_slice(explode("@", $string), -1)[0];
    // Check if valid IP (v4 or v6). If it is we can't do a DNS lookup
    if (!filter_var($email_host, FILTER_VALIDATE_IP, [
        'flags' => FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE,
    ])) {
        // Add a dot to the end of the host name to make a fully qualified domain name,
        // then convert to ASCII
        $email_host = idn_to_ascii($email_host . '.');
        // Check for MX pointers in DNS (if there are no MX pointers the domain cannot receive emails)
        if ((!checkdnsrr($email_host, "MX")) || ($matchFound)) {
            // get IP
            if (!empty($_SERVER['HTTP_CLIENT_IP'])) { // check ip from shared internet
                $ip = $_SERVER['HTTP_CLIENT_IP'];
            } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { // check if ip is passed from proxy
                $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
            } else {
                $ip = $_SERVER['REMOTE_ADDR'];
            }
            // set bogus
            $bogus = "1";
        }
    }
}
Then after: if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) {
add

Code: Select all

if ($bogus != "1") {
and finally after: $mail->send();
close it with

Code: Select all

}
I have a few other things in there that I feel are only good for my use, but what this does is allow you to add some "bad words" that you want to disallow AND check for a valid MX record for the domain they are entering. If it doesn't have an MX record or has a bad word, it will not let the email through...
The

Code: Select all

if ($bogus != "1") { 
makes it so they still fill out the form and it acts like it is successful, but actually doesn't send anything.

Just a quick hack in 2.3.0.2 and, using this along with a captcha, it has cut my received spam down to almost nothing.

Mike

cue4cheap not cheap quality

Post by JNeuhoff » Sun Feb 28, 2021 10:00 pm

Thank you for sharing this with us. The checkdnsrr function comes in quite handy here.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig

Post by straightlight » Sun Feb 28, 2021 11:55 pm

Cue4cheap wrote:
Sun Feb 28, 2021 11:09 am
I have made a simple change to the catalog/controller/information/contact.php form
After: $this->document->setTitle($this->language->get('heading_title'));
add

Code: Select all

$bogus = "0";
$string = "0";
if (!empty($this->request->post['email'])) {
	$string = $this->request->post['email'];
	$badWords = array("googlemail", "no-reply", "noreply");
	$matchFound = preg_match_all("/(" . implode("|",$badWords) . ")/i", $string, $matches);
	    //Get host name from email and check if it is valid
	    $email_host = array_slice(explode("@", $string), -1)[0];
	    // Check if valid IP (v4 or v6). If it is we can't do a DNS lookup
	    if (!filter_var($email_host,FILTER_VALIDATE_IP, [
	        'flags' => FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE,
	    ])) {
        	//Add a dot to the end of the host name to make a fully qualified domain name
	        // and get last array element because an escaped @ is allowed in the local part (RFC 5322)
        	// Then convert to ascii
	        $email_host = idn_to_ascii($email_host.'.');
        	//Check for MX pointers in DNS (if there are no MX pointers the domain cannot receive emails)
	 if ( (!checkdnsrr($email_host, "MX")) || ($matchFound) ){
// get IP
	    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
	    {
	      $ip=$_SERVER['HTTP_CLIENT_IP'];
	    }
	    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
	    {
	      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
	    }
	    else
	    {
	      $ip=$_SERVER['REMOTE_ADDR'];
	  }
// set bogus
	$bogus = "1";
	        }
		}
}
Then after: if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) {
add

Code: Select all

if ($bogus != "1") {
and finally after: $mail->send();
close it with

Code: Select all

}
I have a few other things in there that I feel are only good for my use but what this does it allows you to add some "bad words" that you want to not allow AND checks for a valid MX record for the domain they are putting in. If it doesn't have a MX record or has a bad word it will not allow the emails through...
The

Code: Select all

if ($bogus != "1") { 
makes it so they still fill out the form and acts like it is successful but actually doesn't send anything.

Just a quick hack in 2.3.0.2 and using this along with a captcha it has cut my received spam down to almost nothing.

Mike
Let's not forget that system/startup.php already takes care of the $_SERVER superglobals in the meantime. To ensure its use is kept, the above code, for the first BB Code portion, should all be converted to:

Code: Select all

$bogus = '0';
$string = '0';

if (!empty($this->request->post['email'])) {
    $string = $this->request->post['email'];
    $badWords = array('googlemail', 'no-reply', 'noreply');
    $matchFound = preg_match_all('/(' . implode('|', $badWords) . ')/i', $string, $matches);

    // Get host name from email and check if it is valid
    $email_host = array_slice(explode('@', $string), -1)[0];

    // Check if valid IP (v4 or v6). If it is we can't do a DNS lookup
    if (!filter_var($email_host, FILTER_VALIDATE_IP, ['flags' => FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE])) {
        // Add a dot to the end of the host name to make a fully qualified domain name
        // and get last array element because an escaped @ is allowed in the local part (RFC 5322)
        // Then convert to ascii
        $email_host = idn_to_ascii($email_host . '.');

        // Check for MX pointers in DNS (if there are no MX pointers the domain cannot receive emails)
        if ((!checkdnsrr($email_host, 'MX')) || ($matchFound)) {
            // get IP
            if (!empty($this->request->server['HTTP_CLIENT_IP'])) { // Check ip from shared internet
                $ip = $this->request->server['HTTP_CLIENT_IP'];
            } elseif (!empty($this->request->server['HTTP_X_FORWARDED_FOR'])) { // Check if ip is passed from proxy
                $ip = $this->request->server['HTTP_X_FORWARDED_FOR'];
            } else {
                $ip = $this->request->server['REMOTE_ADDR'];
            }

            // set bogus
            $bogus = '1';
        }
    }
}

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester

Post by JNeuhoff » Mon Mar 01, 2021 12:24 am

Yes, it can be refined. But the basic idea is good. Maybe the opencart.com comments section could apply this technique to stop those daily evil spammers!

Post by straightlight » Mon Mar 01, 2021 1:02 am

JNeuhoff wrote:
Mon Mar 01, 2021 12:24 am
Yes, it can be refined. But the basic idea is good. Maybe the opencart.com comments section could apply this technique to stop those daily evil spammers!
It's still user-defined, though, as opposed to using a service these days.

Post by kestas » Tue Mar 02, 2021 4:51 am

What about checking the A record if no MX record is listed, as defined in RFC 5321? It is rare, but some domains may not have an MX record...
https://stackoverflow.com/questions/197 ... -addresses
https://en.wikipedia.org/wiki/MX_record ... lback_to_A

Custom OpenCart modules and solutions. You can write PM with additional questions... Extensions you can find here

Post by Cue4cheap » Tue Mar 02, 2021 5:26 am

kestas wrote:
Tue Mar 02, 2021 4:51 am
What about checking the A record if no MX record is listed, as defined in RFC 5321? It is rare, but some domains may not have an MX record...
https://stackoverflow.com/questions/197 ... -addresses
https://en.wikipedia.org/wiki/MX_record ... lback_to_A
Could just do the same check as is done for MX.
https://www.php.net/manual/en/function.checkdnsrr.php

Edit.... I didn't click your links and see I posted the same as you....
Mike

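The MX check from Mike's first post plus the A-record fallback kestas raises (RFC 5321 section 5.1, the "implicit MX" rule), written up here as an added example. It is not OpenCart code and not the snippets posted above: the functions, the `$hasRecord` resolver callback and the `$fakeZone` table are all constructed for this example so the decision logic can be run offline; `liveResolver()` is the only piece that touches real DNS, and it simply wraps `checkdnsrr()` as the original hack does.

```php
<?php
// Added example (not OpenCart's or the posters' code). The DNS lookup is
// injected as a callable so the rest can be exercised without network access.

/**
 * Host part of an address in ASCII, or null if it cannot be looked up.
 * Splits on the LAST '@' because RFC 5322 allows a quoted '@' in the local part.
 */
function emailHost(string $email): ?string
{
    $at = strrpos($email, '@');
    if ($at === false || $at === strlen($email) - 1) {
        return null;
    }
    $host = substr($email, $at + 1);

    // An IP literal (bracketed or bare) has no MX/A records to check; treat as unusable.
    if (filter_var(trim($host, '[]'), FILTER_VALIDATE_IP)) {
        return null;
    }

    // Internationalised domain names go to punycode so the resolver sees plain ASCII.
    // idn_to_ascii() needs ext/intl; fall back to the raw host if it is absent.
    $ascii = function_exists('idn_to_ascii') ? idn_to_ascii($host) : $host;
    return $ascii === false ? null : rtrim($ascii, '.');
}

/** Case-insensitive substring match of any listed word anywhere in the address. */
function containsBadWord(string $email, array $badWords): bool
{
    foreach ($badWords as $word) {
        if ($word !== '' && stripos($email, $word) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * RFC 5321 section 5.1: an MX record decides; if the domain has NO MX at all,
 * an A or AAAA record is treated as an implicit MX of preference 0.
 * $hasRecord is a callable (string $host, string $type): bool.
 */
function domainAcceptsMail(string $host, callable $hasRecord): bool
{
    if ($hasRecord($host, 'MX')) {
        return true;
    }
    return $hasRecord($host, 'A') || $hasRecord($host, 'AAAA');
}

/** Production resolver: checkdnsrr() on the absolute name (trailing dot stops search-list expansion). */
function liveResolver(string $host, string $type): bool
{
    return checkdnsrr($host . '.', $type);
}

/** Combined decision, same meaning as $bogus == '1' in the thread: true means "pretend to send, drop". */
function looksBogus(string $email, array $badWords, callable $hasRecord): bool
{
    if (containsBadWord($email, $badWords)) {
        return true;
    }
    $host = emailHost($email);
    if ($host === null) {
        return true;
    }
    return !domainAcceptsMail($host, $hasRecord);
}

// ---- Offline demonstration against a constructed zone table (not real DNS data) ----
$fakeZone = [
    'example.com'      => ['MX'],   // ordinary mail domain
    'mailless.example' => ['A'],    // no MX, A only: implicit MX applies
    'parked.example'   => ['TXT'],  // nothing that can receive mail
];
$fakeResolver = function (string $host, string $type) use ($fakeZone): bool {
    return in_array($type, $fakeZone[strtolower($host)] ?? [], true);
};
$badWords = ['googlemail', 'no-reply', 'noreply'];

foreach ([
    'alice@example.com',     // SEND
    'bob@mailless.example',  // SEND via the A-record fallback
    'carol@parked.example',  // DROP: no MX and no A/AAAA
    'noreply@example.com',   // DROP: bad word
    'eve@[192.0.2.10]',      // DROP: IP literal, nothing to look up
    '"a@b"@example.com',     // SEND: quoted @ in the local part is handled
] as $addr) {
    printf("%-24s %s\n", $addr, looksBogus($addr, $badWords, $fakeResolver) ? 'DROP' : 'SEND');
}
```

In the controller the hook-up is the one line `$bogus = looksBogus($this->request->post['email'], $badWords, 'liveResolver') ? '1' : '0';` placed where the thread puts its block, with the `if ($bogus != '1') { ... }` wrapper around `$mail->send()` unchanged. The example deliberately leaves out the `$ip` capture from the posted snippet; if you keep it, remember that `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are request headers the sender controls, so only `REMOTE_ADDR` (or the header set by a proxy you operate) is trustworthy for logging or blocking.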
Post by JNeuhoff » Fri Sep 10, 2021 6:52 pm

Our SpamBot Buster will prevent spam messages via the Contact Us form, and it will also prevent fake account registrations.


Post by Asepius » Wed Jan 11, 2023 3:28 am

Hi, I have Version 4.0.1.1 but I don't have if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) { in my contact.php. Will it still work? Is there an update for version 4.0.1.1?

Update - I tried with just the first set of code and it doesn't work in 4.0.1.1
