Fighting Magento 1 spam (fake) customer registrations

For some time my clients had been receiving odd customer registrations. Since I have set up outgoing emails to bounce to my own email account, I also started receiving a Magento Welcome email for every new customer registration whose email address was outdated (a closed email account, for example).

Zeroth step for protection

I had captcha enabled on all forms (customer registration, guest checkout), but that didn't stop them.

Please check that you have captcha enabled: Admin > System > Configuration > Customers > Customer Configuration > CAPTCHA

  • Change Enable CAPTCHA on Frontend to Yes
  • Select all items under Forms (maybe except Login?)
  • Set Displaying Mode to Always
  • Make sure the captcha is actually displayed on all forms so you don't break legitimate customer actions (the captcha can be missing from your customer templates if you didn't update the templates manually)

How they did it

  • they used Tor to scrape the /customer/account/create/ page every 1 minute and 1 second
  • they forwarded the captcha image URL to their own server (always the same IP, fetching only the captcha image)
  • that server fetched the captcha image and ran OCR on it to extract the captcha text
  • then they used Tor again to submit the form, with their spam message added in the name field

How I stopped them (at least for now)

I noticed in the access logs that when they download the captcha image they do not send an HTTP Referer header, because they are too lazy. With that in mind I created a new NGINX rule.

   location /media/captcha/ {
      # A browser loading the registration page sends that page URL as Referer when it
      # fetches the captcha image; the scraper's server fetched it with no Referer at all.
      if ($http_referer = "") { return 403; }
   }
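As an added illustration (not code from the original post), the following Python script runs the two checks above over constructed sample access log lines in NGINX's combined format: it lists clients that fetch /media/captcha/ images with no Referer and request nothing else, and it mirrors the NGINX rule to show which requests would receive a 403. The IPs, timestamps and image names are constructed, and the log format is assumed to be the default combined format.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (nginx "combined" format); not from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:10:00:01 +0000] "GET /customer/account/create/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2019:10:00:03 +0000] "GET /media/captcha/default/3f2a9c1d.png HTTP/1.1" 200 2048 "-" "python-requests/2.21"
192.0.2.44 - - [10/Mar/2019:10:00:05 +0000] "GET /customer/account/create/ HTTP/1.1" 200 5120 "https://shop.example/" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2019:10:00:06 +0000] "GET /media/captcha/default/7b1e0d2c.png HTTP/1.1" 200 2048 "https://shop.example/customer/account/create/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:01:02 +0000] "GET /customer/account/create/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2019:10:01:04 +0000] "GET /media/captcha/default/9c8d7e6f.png HTTP/1.1" 200 2048 "-" "python-requests/2.21"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
NO_REFERER = ("", "-")  # nginx logs a missing Referer header as "-"
CAPTCHA_PREFIX = "/media/captcha/"


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def would_be_blocked(entry):
    """Mirror the NGINX rule: captcha image requested with no Referer header -> 403."""
    return entry["path"].startswith(CAPTCHA_PREFIX) and entry["referer"] in NO_REFERER


def find_captcha_scrapers(entries):
    """Return {ip: count} for clients that fetch captcha images without a Referer
    and never request anything else, the pattern described in the post."""
    captcha_noref = defaultdict(int)
    requested_other = set()
    for e in entries:
        if e["path"].startswith(CAPTCHA_PREFIX):
            if e["referer"] in NO_REFERER:
                captcha_noref[e["ip"]] += 1
        else:
            requested_other.add(e["ip"])
    return {ip: n for ip, n in captcha_noref.items() if ip not in requested_other}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("captcha-only clients without Referer:", find_captcha_scrapers(log))
    print("requests the rule would 403:", [e["ip"] for e in log if would_be_blocked(e)])
```

Browsers or privacy extensions that suppress the Referer header will also be denied the captcha image by this rule, so watch for 403s on /media/captcha/ from clients that otherwise browse the site normally.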

This is how it looked in Admin > Customer

[Image: Magento 1 fake spam customer registrations in Admin]

This is an example of a spam email sent as the Welcome email

[Image: Magento 1 fake spam customer registration welcome email]