clientlogin.asp?mode=lostpassword SPAM ATTEMPTS

Author	« Topic »
Makc Starting Member USA 19 Posts	Posted - 03/13/2022 : 13:05:31 I am running ASP version 7.3.8 and someone is running a bot on the /clientlogin.asp?mode=lostpassword page to send hundreds of messages out - they are trying to figure out how to spam using this function. I use O365, and it simply shuts down the ability to send outbound mail when it detects these spam attempts... At this time there is no option to add/use recaptcha on the lostpassword page - is it possible to add it? Please let me know if there is any other way to prevent this from happening. Edited by - Makc on 03/13/2022 13:07:42
Vince Administrator 42756 Posts	Posted - 03/14/2022 : 06:15:11 Hi Makc The Lost Password feature is integrated into the Flood Control system so if a customer has made a request for a lost password they wouldn't be able to do the same again for quite a few minutes. Is the problem that they are sending emails out slowly over a period of days? Vince Click Here for Shopping Cart Software Click Here to sign up for our newsletter Click Here for the latest updater
Makc Starting Member USA 19 Posts	Posted - 03/14/2022 : 10:43:36 No, they are trying to send several per minute...
Makc Starting Member USA 19 Posts	Posted - 03/18/2022 : 07:22:39 Vince, any update or a word of advice would be greatly appreciated.
Vince Administrator 42756 Posts	Posted - 03/18/2022 : 16:30:30 Hi Makc I got your email and I asked you if it were possible to see the IP Address of the Lost Password message send attempts but I never heard back from you about that. They seem to be bypassing the Flood Control so I'm just trying to find out how this is happening. Vince Click Here for Shopping Cart Software Click Here to sign up for our newsletter Click Here for the latest updater
Makc Starting Member USA 19 Posts	Posted - 03/18/2022 : 16:47:17 Somehow your second email did not get to me… I did forward you the original bounce back message, but I believe since it is technically a “click” on the website that triggers the email to be sent by the server, it would be very difficult to find the actual IP address of the predator. Is there a way to somehow add reCAPTCHA, like it is on other areas of the website? That would probably stop it for good. Thx, Max
Vince Administrator 42756 Posts	Posted - 03/19/2022 : 05:04:49 Hi Max It's a good point really so I've added reCAPTCHA to the lost password. It will enable if you have the New Account reCAPTCHA enabled. The changes are in the file... vsadmin/inc/incclientlogin.asp The changes are only in the v7.5 updater but you can use the incclientlogin.asp with v7.4 no problem. Vince Click Here for Shopping Cart Software Click Here to sign up for our newsletter Click Here for the latest updater
Makc Starting Member USA 19 Posts	Posted - 03/19/2022 : 06:25:15 Thank You, Vince! I upgraded to 7.4.8 and used the vsadmin/inc/incclientlogin.asp file from 7.5.0 updater - everything seems to function properly and the recaptcha on the lostpassword page is displaying!!! Thank You SO MUCH!!!
Vince Administrator 42756 Posts	Posted - 03/20/2022 : 11:38:26 Vince Click Here for Shopping Cart Software Click Here to sign up for our newsletter Click Here for the latest updater
	« Topic »