Grab IP addresses of review spammers

For Articles relating to more than one ISC version
Tony Barnes
Posts: 744
Joined: Thu Jun 18, 2009 8:59 am

Grab IP addresses of review spammers

Post by Tony Barnes »

Really quick one, we've been getting a lot of review spam of late, don't want to use CAPTCHA, so I'm just blocking the IP addresses of any spammers in our .htaccess. Anyway, current system doesn't record the IP of review posters, this quick bit of code changes that.

Open /includes/classes/class.review.php, look for:

Code: Select all

		// Save the review in the database
		$newReview = array(
			"revproductid" => (int)$reviewPostData['product_id'],
			"revfromname" => $reviewPostData['revfromname'],
			"revdate" => time(),
			"revrating" => max(1, min(5, $reviewPostData['revrating'])),
			"revtext" => $reviewPostData['revtext'],
			"revtitle" => $reviewPostData['revtitle'],
			"revstatus" => $status
		);
Change to:

Code: Select all

		// Save the review in the database
		$newReview = array(
			"revproductid" => (int)$reviewPostData['product_id'],
			"revfromname" => $reviewPostData['revfromname'],
			"revdate" => time(),
			"revrating" => max(1, min(5, $reviewPostData['revrating'])),
			"revtext" => $reviewPostData['revtext'],
			"revtitle" => $reviewPostData['revtitle'],
			"revstatus" => $status,
			"reviewip" => getIp()
		);
Then in your database, alter the isc_reviews table to include a column called 'reviewip'. You can now check who is spamming you before deleting their nonsense and banning them from accessing your site.

Martin
Site Admin
Site Admin
Posts: 1854
Joined: Wed Jun 17, 2009 6:30 pm
Location: South Yorkshire UK
Contact:

Re: Grab IP addresses of review spammers

Post by Martin »

Just to note I've found the akismet mod I developed has kept most of that rubbish at bay considerably better than any Captcha...

Not 100% but still... useful...

Tony Barnes
Posts: 744
Joined: Thu Jun 18, 2009 8:59 am

Re: Grab IP addresses of review spammers

Post by Tony Barnes »

Never saw that one i don't think/recall??

Martin
Site Admin
Site Admin
Posts: 1854
Joined: Wed Jun 17, 2009 6:30 pm
Location: South Yorkshire UK
Contact:

Re: Grab IP addresses of review spammers

Post by Martin »

viewtopic.php?f=12&t=1223#p5340

I think I tweaked it a bit further and required the user to be logged in before they could leave a review and that resolved the last posts rant issue.

CharlieFoxtrot
Confirmed
Confirmed
Posts: 413
Joined: Sun Aug 09, 2009 1:23 pm

Re: Grab IP addresses of review spammers

Post by CharlieFoxtrot »

Martin wrote:viewtopic.php?f=12&t=1223#p5340

I think I tweaked it a bit further and required the user to be logged in before they could leave a review and that resolved the last posts rant issue.
Yep... that's what I did. With a small *twit*.

If the user is not logged in, the review form is hidden... but the form itself (and the form action) was still present in the HTML source. This allowed determined spammers to still access and submit reviews.

In response, I edited the template so that the form action needed to be inserted via a global variable. When a customer was logged-in, the correct URL for the submit-action was inserted into the form tag (for the visible form).

When not logged in the HIDDEN (but still accessible) form included a legitimate looking (but bogus) submit-action URL. If someone took the time to try and submit without being logged in (using the bogus url) they would simply receive a 404 error... and hopefully become discouraged enough to move on to another site.

This was my quick-and-easy fix... and it seems to have stopped the problem. (For now.)
ISC 4.0.7

"... and let's be honest that whole "by design" thing is getting old too."

rsg
Posts: 7
Joined: Sat Nov 10, 2012 10:56 pm
Location: London

Re: Grab IP addresses of review spammers

Post by rsg »

Martin wrote:viewtopic.php?f=12&t=1223#p5340

I think I tweaked it a bit further and required the user to be logged in before they could leave a review and that resolved the last posts rant issue.
Any chance you could explain how to force users to login before leaving a review?

Martin
Site Admin
Site Admin
Posts: 1854
Joined: Wed Jun 17, 2009 6:30 pm
Location: South Yorkshire UK
Contact:

Re: Grab IP addresses of review spammers

Post by Martin »

There's a function CustomerIsSignedIn()

...you can use that in the akismet modification...

I can't remember how it can all be coded in but it's a useful function to call...

CharlieFoxtrot
Confirmed
Confirmed
Posts: 413
Joined: Sun Aug 09, 2009 1:23 pm

Re: Grab IP addresses of review spammers

Post by CharlieFoxtrot »

Martin wrote:There's a function CustomerIsSignedIn()

...you can use that in the akismet modification...

I can't remember how it can all be coded in but it's a useful function to call...
That's the function that I used to modify my review form.

Here's a basic overview of what I did... but keep in mind that this is a quick reply and I'm NOT looking at my actual code. It's just a "concept-reply" and unless I get back to this later, I'll leave it to you to work out the details.

$loggedIn = "false"; // Initialize value
$GLOBALS['ReviewPostUrl'] = "" ; // Or some fake destination

$loggedIn = CustomerIsSignedIn(); // Is the customer logged in
if ($loggedIn == "true") {
$GLOBALS['ReviewPostUrl'] = "/real/address/for/formsubmit.php";
// you can also do other stuff here to hide the form submit button...
// or display an error message telling customer to log in.
// but even if you merely use a "display: none;" on the form, clever
// spammers can still submit to your formhandler.php (if they know its actual name)
// So, by inserting a dummy-name (or no name) for the formhandler
// you make it a little more difficult.
}


NEXT: The form template should be modified so that the post value is "%%GLOBAL_ReviewPostUrl%%

When a customer is logged in... the correct post value has been inserted into the form. For all others, there is NO destination (or a fake one) and you will eliminate spam from those who don't want to take the time to create an account.

Good luck.
ISC 4.0.7

"... and let's be honest that whole "by design" thing is getting old too."

rsg
Posts: 7
Joined: Sat Nov 10, 2012 10:56 pm
Location: London

Re: Grab IP addresses of review spammers

Post by rsg »

Much appreciate the quick replies, I'll have a play and see what I can come up with! ;)

rsg
Posts: 7
Joined: Sat Nov 10, 2012 10:56 pm
Location: London

Re: Grab IP addresses of review spammers

Post by rsg »

CharlieFoxtrot wrote:
Martin wrote:There's a function CustomerIsSignedIn()

...you can use that in the akismet modification...

I can't remember how it can all be coded in but it's a useful function to call...
That's the function that I used to modify my review form.

Here's a basic overview of what I did... but keep in mind that this is a quick reply and I'm NOT looking at my actual code. It's just a "concept-reply" and unless I get back to this later, I'll leave it to you to work out the details.

$loggedIn = "false"; // Initialize value
$GLOBALS['ReviewPostUrl'] = "" ; // Or some fake destination

$loggedIn = CustomerIsSignedIn(); // Is the customer logged in
if ($loggedIn == "true") {
$GLOBALS['ReviewPostUrl'] = "/real/address/for/formsubmit.php";
// you can also do other stuff here to hide the form submit button...
// or display an error message telling customer to log in.
// but even if you merely use a "display: none;" on the form, clever
// spammers can still submit to your formhandler.php (if they know its actual name)
// So, by inserting a dummy-name (or no name) for the formhandler
// you make it a little more difficult.
}


NEXT: The form template should be modified so that the post value is "%%GLOBAL_ReviewPostUrl%%

When a customer is logged in... the correct post value has been inserted into the form. For all others, there is NO destination (or a fake one) and you will eliminate spam from those who don't want to take the time to create an account.

Good luck.
OK, I've wrapped my head around how this works, but I'm unsure where to place this code. I've tried adding it to javascript and php files but no luck.

I'm very much a front-end designer, so my PHP/Javascripting is very limited.

What I was thinking is to declare a function in common.js that will be called on from the onclick="" when you click the 'Write a Review' button. This would replace the function which is currently called upon there (show_product_review_form();).

Something like this:

Code: Select all

function review_login() 	{
	$loggedIn = CustomerIsSignedIn(); // Is the customer logged in
	if (!CustomerIsSignedIn() == "true") { 
		show_product_review_form();  //call the function to display the review form
	} else {
		document.location.href = "../login.php"; //redirect user to the login page
	}
}
Wishful thinking or is this possible?

Any further help is greatly appreciated.

Post Reply