Fake Registrations

Last weekend I was approached about fake registrations on CheckIn.com that were causing fraud reports and RBL listings (which in turn caused mail from this server to be rejected), and asked whether I could help.

Google reCaptcha

The first idea mentioned in the fraud inquiry was Google reCaptcha. But that was already in the form and had no effect on this kind of fraudulent registration attempt. Looking into the reason, it made sense: Google reCaptcha is implemented in JavaScript, and programmed spam bots usually don’t bother to execute JavaScript at all. Thinking about it, Google reCaptcha makes no logical sense as a way to keep spam bots from flooding registration forms.

Honeypot

Researching fake registrations on the web, I found this to be a quite common problem, and I found a very easy idea. For the registration form I added a CSS class “hnypot” that simply hides the respective field:

.hnypot { display:none;visibility:hidden; }

Then I added a form field

<div class="hnypot"><input type="text" name="hnypotname" placeholder="pls ignore" /></div>

that is hidden. For the benefit of screen readers, which still see the field, I added a placeholder note to ignore it. Spam bots usually ignore that note, just as they ignore JavaScript or CSS.

Instead of hnypotname I used language as the field name: it is irrelevant on the site, makes sense to a bot, and is not part of the usual “autofill” information users save in their browser. You may name it to your liking.

The PHP-Code

Then, in the registration process, I added a simple check whether that “invisible field” contains anything entered by the spam bot. As bots don’t evaluate CSS or JavaScript, they don’t recognize that the field is hidden and fill in “something”. If the field is not empty, the submission is considered to come from a spam bot: the registration process is aborted and the information is sent to the server admin to check for “false positives”. In PHP it looks like this:

<?php
if ($_POST['language'] != '') { // honeypot field was filled in: spambot!
    // Recipient and subject are single header values: no trailing line break here,
    // a CRLF inside a header value would start a new header.
    $mail_recipient = 'HoneyPot Check <honeypot@ourserver.com>';
    $mail_subject = 'Honeypot ' . htmlentities($_POST['userfirstname']) . ' ' . htmlentities($_POST['userlastname']) . ' <' . htmlentities($_POST['email']) . '>';
    $mail_header = 'From: OurServer Registration Contact <sender@ourserver.com>' . "\r\n";
    $mail_body = 'Honeypot triggered by ' . htmlentities($_POST['userfirstname']) . ' ' . htmlentities($_POST['userlastname']) . ' <' . htmlentities($_POST['email']) . '>' . "\r\n";
    $mail_body .= 'Honeypot: ' . htmlentities($_POST['language']) . "\r\n";
    $mail_body .= 'Firstname: ' . htmlentities($_POST['userfirstname']) . "\r\n";
    $mail_body .= 'LastName: ' . htmlentities($_POST['userlastname']) . "\r\n";
    $mail_body .= 'Company: ' . htmlentities($_POST['company']) . "\r\n";
    $mail_body .= 'Phone: ' . htmlentities($_POST['phone']) . "\r\n";
    $mail_body .= 'Mail: ' . htmlentities($_POST['mail']) . "\r\n";
    $mail_body .= 'User IP : ' . ($_SERVER['REMOTE_ADDR'] ?? '') . "\r\n";
    $mail_body .= 'UserHost: ' . ($_SERVER['REMOTE_HOST'] ?? '') . "\r\n"; // only set if the web server does reverse lookups
    $mail_body .= 'Browser : ' . ($_SERVER['HTTP_USER_AGENT'] ?? '') . "\r\n";
    $mail_body .= 'Rem.User: ' . ($_SERVER['REMOTE_USER'] ?? '') . "\r\n"; // only set for HTTP-authenticated users

    mail($mail_recipient, $mail_subject, $mail_body, $mail_header);
    header("Location: "); exit; // redirect to an error page or the homepage.
}
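The same check as a set of testable functions, added here as an example and not part of the original post’s code. It keeps the field name language and the two mailbox addresses from the post; the function names, the $send callback and the sample request are assumptions. Beyond the snippet above, it strips line breaks from submitted values before they reach the Subject header (so a bot cannot add headers of its own to the notification mail), removes control characters from the body, and logs the hit locally in case the mail itself is lost.

```php
<?php
// Added example (not the original post's code): the honeypot check as
// testable functions. Field name 'language' and the mailbox addresses come
// from the post; function names, the $send callback and the sample request
// are assumptions.
declare(strict_types=1);

/** True when the CSS-hidden field carries a value: browsers leave it empty, bots fill it. */
function honeypotTriggered(array $post, string $field = 'language'): bool
{
    return isset($post[$field]) && trim((string) $post[$field]) !== '';
}

/** Replace CR, LF and NUL so a submitted value cannot terminate a mail header early. */
function headerSafe(string $value): string
{
    return str_replace(["\r", "\n", "\0"], ' ', $value);
}

/** Drop control characters (except tab) from a value that goes into the mail body. */
function bodySafe(string $value): string
{
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value) ?? '';
}

/** Build the admin notification; returns to/subject/body/headers without sending it. */
function buildHoneypotReport(array $post, array $server): array
{
    $raw   = fn(string $k): string => trim((string) ($post[$k] ?? ''));
    $who   = trim($raw('userfirstname') . ' ' . $raw('userlastname'));
    $email = $raw('email');

    $lines = array_map('bodySafe', [
        'Honeypot triggered by ' . $who . ' <' . $email . '>',
        'Honeypot: ' . $raw('language'),
        'Firstname: ' . $raw('userfirstname'),
        'LastName: ' . $raw('userlastname'),
        'Company: ' . $raw('company'),
        'Phone: ' . $raw('phone'),
        'Mail: ' . $email,
        'User IP : ' . (string) ($server['REMOTE_ADDR'] ?? ''),
        'Browser : ' . (string) ($server['HTTP_USER_AGENT'] ?? ''),
    ]);

    return [
        // Fixed addresses without trailing CRLF; only the From header goes into $headers.
        'to'      => 'HoneyPot Check <honeypot@ourserver.com>',
        'subject' => substr(headerSafe('Honeypot ' . $who . ' <' . $email . '>'), 0, 200),
        'body'    => implode("\r\n", $lines) . "\r\n",
        'headers' => "From: OurServer Registration Contact <sender@ourserver.com>\r\n",
    ];
}

/**
 * Registration entry point. Returns true when the request may proceed to the
 * normal registration code, false when it was a bot and has been reported.
 * $send receives (to, subject, body, headers); in production pass 'mail'.
 */
function handleRegistration(array $post, array $server, callable $send): bool
{
    if (!honeypotTriggered($post)) {
        return true;
    }
    $r = buildHoneypotReport($post, $server);
    error_log('honeypot hit from ' . ($server['REMOTE_ADDR'] ?? '?') . ': ' . $r['subject']);
    $send($r['to'], $r['subject'], $r['body'], $r['headers']);
    return false; // the caller then redirects to an error page or the homepage
}

// Constructed sample request modelled on the triggered mail in the post; the
// last name carries a line break to show that it cannot become a mail header.
$samplePost = [
    'language'      => 'nrEsDbtSQw',
    'userfirstname' => 'GhBsqifM',
    'userlastname'  => "fDEeKOUIoCBvXHV\r\nX-Injected: yes",
    'company'       => 'TnVPoeMKzlabiFUf',
    'phone'         => '8591910032',
    'email'         => 'bot@example.com',
];
$sampleServer = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => 'Mozilla/5.0'];

if (PHP_SAPI === 'cli') {
    $sent = [];
    $ok = handleRegistration($samplePost, $sampleServer, function (...$args) use (&$sent) { $sent = $args; });
    echo $ok ? "registration continues\n" : "bot detected, subject: {$sent[1]}\n";
    // Live use: handleRegistration($_POST, $_SERVER, 'mail');
}
```

Run from the command line the sample prints the subject with the injected line break turned into a space; in the web handler, a false return is the point at which to redirect, exactly as the snippet above does with header("Location: ...").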

Triggered Mail

Now this triggered quite nicely; here is an example of an incoming mail.

Honeypot triggered byGhBsqifM fDEeKOUIoCBvXHV <ujjwalsancheti@live.com>
Honeypot: nrEsDbtSQw
Firstname: GhBsqifM
LastName: fDEeKOUIoCBvXHV
Company: TnVPoeMKzlabiFUf
Phone: 8591910032
Mail: ujjwalsancheti@live.com
User IP : 186.226.11.120
UserHost:
Browser : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Rem.User:

Sanitization

There is usually the question of how to “sanitize” incoming form data. More sanitization is done on the registration itself, but for this mail htmlentities is safe enough, and too much sanitization at this point complicates the subsequent analysis. Within the short time this has been active, there have already been cases where spammers/scammers/hackers tried to inject code into the forms to hack the site. Proper sanitization of forms is vital.
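As an added example (not the post’s code), here is one way to validate the registration fields used above before anything is stored or mailed. The field names are the post’s; the length limits, the phone pattern and the function names are assumptions. It follows the point just made: validate and clean on input, keep the stored value readable for later analysis, and escape for HTML only at output time.

```php
<?php
// Added example (not the original post's code): validation of the
// registration fields and output escaping. Field names follow the post;
// the limits, the phone pattern and the function names are assumptions.
declare(strict_types=1);

const MAX_NAME    = 64;
const MAX_COMPANY = 128;
const MAX_EMAIL   = 254;

/** Trim and drop control characters; this is the only change made to stored values. */
function cleanText(string $value): string
{
    return trim(preg_replace('/[\x00-\x1F\x7F]/u', '', $value) ?? '');
}

/** Escape for an HTML context at output time (profile page, HTML admin mail). */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Validate one registration submission.
 * Returns ['ok' => bool, 'errors' => string[], 'data' => array]; 'data' holds the
 * cleaned values, never HTML-escaped, because escaping belongs at output time.
 */
function validateRegistration(array $post): array
{
    $errors = [];
    $data   = [];
    $get = fn(string $k): string => cleanText((string) ($post[$k] ?? ''));

    // 1. Honeypot: anything here means a bot, whatever the other fields contain.
    if ($get('language') !== '') {
        return ['ok' => false, 'errors' => ['honeypot'], 'data' => []];
    }

    // 2. Required free-text fields with length limits.
    $limits = ['userfirstname' => MAX_NAME, 'userlastname' => MAX_NAME, 'company' => MAX_COMPANY];
    foreach ($limits as $k => $max) {
        $v = $get($k);
        if ($v === '') {
            $errors[] = "$k: required";
        } elseif (mb_strlen($v, 'UTF-8') > $max) {
            $errors[] = "$k: longer than $max characters";
        }
        $data[$k] = $v;
    }

    // 3. Email: syntactic check plus a sanity limit on length.
    $email = $get('email');
    if (mb_strlen($email, 'UTF-8') > MAX_EMAIL || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: invalid';
    }
    $data['email'] = $email;

    // 4. Phone (optional): digits, spaces, + - ( ), 5 to 20 characters (assumed format).
    $phone = $get('phone');
    if ($phone !== '' && !preg_match('/^\+?[0-9 ()\-]{5,20}$/', $phone)) {
        $errors[] = 'phone: invalid';
    }
    $data['phone'] = $phone;

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $data];
}

if (PHP_SAPI === 'cli') {
    // Constructed submissions: one clean, one with markup in the name and a bad address.
    $good = ['userfirstname' => 'Anna', 'userlastname' => 'Example', 'company' => 'ACME',
             'email' => 'anna@example.com', 'phone' => '+49 30 1234567', 'language' => ''];
    $bad  = $good;
    $bad['userfirstname'] = '<b>Anna</b>';
    $bad['email'] = 'not-an-address';

    foreach ([$good, $bad] as $submission) {
        $result = validateRegistration($submission);
        echo $result['ok'] ? "accepted\n" : 'rejected: ' . implode(', ', $result['errors']) . "\n";
        // Markup stays in the stored value (useful for analysis) but is neutralized when rendered.
        echo '  rendered name: ' . escapeHtml($result['data']['userfirstname'] ?? '') . "\n";
    }
}
```

The honeypot test comes first and short-circuits: a filled language field is reported as a bot regardless of how well-formed the rest looks, which matches the handling described in the PHP section above. Database access is out of scope here; when the cleaned values are written to a database, use prepared statements rather than further string sanitizing.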

As I had some trouble finding code for this use-case I decided to post this here, possibly helping some of my readers on their own websites.
