#1
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2003
    Posts
    127
    Rep Power
    12

    Tired of fake accounts with hotmail, match name with address help


    Hi,

    I made a start on this code but I need some help.
    We're getting tired of frauds trying to make a buck with fake accounts.

    What we want to do is block people using the following sort of method:
    Their names are normal, like "John James", with an email like "bigman23454@hotmail..."

    These accounts are flagged immediately, but I want to prevent them from becoming a member at all. Nothing good comes of these people.

    I have this:

    PHP Code:
    $fname = "pp";
    $lname = "gtr";
    $email = "pp123435@hotmail.com";

    // Prints "Good" when the address matches the pattern, otherwise "Bad"
    echo (preg_match("/^([$fname\._-|$lname\._-])*@([hotmail])+([a-zA-Z0-9\._-]+)+$/", $email) == TRUE) ? "Good" : "Bad";
    Tried this line too:
    PHP Code:
    echo (preg_match("/^([$fname\._-])+([$lname\._-])*@([hotmail])+([a-zA-Z0-9\._-]+)+$/", $email) == TRUE) ? "Good" : "Bad";

    It does not work 100%. It does some, but not right;-)

    Please help.



    Paul.
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    filtering a specific email pattern makes no sense to me, since this will also block legitimate users.

    Are those "people" you want to get rid of actual people or bots? Because most bots are pretty stupid and can be detected easily by using hidden fields. I also had a problem with massive fake registrations in my forum and could fight them off completely just by making the standard phpbb registration fields hidden. If a user still fills out the fields, it's obviously a bot. The great thing about this is that legitimate users aren't bothered at all (in contrast to captchas).
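Added example, not part of the thread: a server-side check for the hidden-field approach described in the post above, where the standard field names become hidden decoys and the real inputs use other names. The decoy names, the real field names (`f_a91` etc.) and the `/register` path are assumptions.

```php
<?php
// Added example, not code from the thread. Field names are assumptions:
// the decoys keep the "standard" names, the real inputs get site-specific ones.
const DECOY_FIELDS = ['username', 'email', 'password'];
const REAL_FIELDS  = ['username' => 'f_a91', 'email' => 'f_c27', 'password' => 'f_e03'];

/** Registration form: decoys are present in the markup but hidden from humans. */
function render_form(): string
{
    $html = '<form method="post" action="/register">';
    foreach (DECOY_FIELDS as $name) {
        $html .= '<div style="display:none" aria-hidden="true">'
               . '<input type="text" name="' . $name . '" tabindex="-1" autocomplete="off">'
               . '</div>';
    }
    foreach (REAL_FIELDS as $label => $name) {
        $type = $label === 'password' ? 'password' : 'text';
        $html .= '<label>' . ucfirst($label)
               . ' <input type="' . $type . '" name="' . $name . '" required></label>';
    }
    return $html . '<button type="submit">Register</button></form>';
}

/** Returns the decoy fields that carry a value; any hit means no human saw the form. */
function filled_decoys(array $post): array
{
    $hits = [];
    foreach (DECOY_FIELDS as $name) {
        $value = $post[$name] ?? '';
        // Arrays (username[]=x) are never sent by the real form, so count them too.
        if (is_array($value) || trim((string) $value) !== '') {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample submissions.
$human = ['username' => '', 'email' => '', 'password' => '',
          'f_a91' => 'jjames', 'f_c27' => 'john.james@example.com', 'f_e03' => 'correct horse'];
$bot   = ['username' => 'bigman23454', 'email' => 'bigman23454@example.com', 'password' => 'x'];

foreach (['human' => $human, 'bot' => $bot] as $who => $post) {
    $hits = filled_decoys($post);
    echo $who, ': ', $hits === [] ? 'accept' : 'reject (' . implode(', ', $hits) . ')', PHP_EOL;
}
```

Browser autofill can populate hidden inputs that carry standard names, so log rejected submissions for a while before enforcing the check.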
  4. #3
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2003
    Posts
    127
    Rep Power
    12
    It's actually a precaution for 'real' cheaters, I guess. No bots.
    We own a cashback program, these people register and find the stores where they can get most money back, then go to that store and try to fake orders. We have already been canned by 4 stores due to these people that tried to cheat their way into getting cashback.

    What works for now, is the following:
    if (!(preg_match("/($fname|$lname)/i", $email)==TRUE) && (preg_match("/(\@hotmail)/i", $email)==TRUE))
    {
        echo "Not OK";
    }
    else
    {
        echo "OK";
    }
    However, I do of course agree with you on all counts; we just have to make it work, somehow.

    I do know, however, that real, honest people use real, normal email addresses. If the small % of people that use these weird hotmail addresses get halted by this method, I do present them with a nice note explaining why. I am sure they will not be offended.

    Any other method is welcome.
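Added example, not the poster's code: the same "name must appear in a freemail address" heuristic written without interpolating user input into a regular expression, so names containing pattern characters cannot change the match and empty or one-letter names cannot satisfy it by accident. It returns review flags instead of a hard block; the provider list (taken from the providers named in this thread), the two-letter minimum and the four-digit suffix rule are assumptions.

```php
<?php
// Added example, not the poster's code. Provider list and thresholds are assumptions.
const FREEMAIL_PROVIDERS = ['hotmail', 'gmail', 'mail15', 'rocketmail'];
const MIN_TOKEN_LEN = 2;   // ignore empty and one-letter names

/** Lower-cases a string and keeps only a-z, so punctuation and digits do not matter. */
function letters_only(string $s): string
{
    return preg_replace('/[^a-z]/', '', strtolower($s));
}

/** Returns review flags for a signup; an empty array means nothing stood out. */
function signup_flags(string $fname, string $lname, string $email): array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['invalid_email'];
    }
    $at       = strrpos($email, '@');
    $local    = strtolower(substr($email, 0, $at));
    $provider = explode('.', strtolower(substr($email, $at + 1)))[0];  // "hotmail" for hotmail.co.uk
    if (!in_array($provider, FREEMAIL_PROVIDERS, true)) {
        return [];   // the heuristic only applies to the listed freemail providers
    }
    $tokens = array_filter(
        [letters_only($fname), letters_only($lname)],
        fn (string $t): bool => strlen($t) >= MIN_TOKEN_LEN
    );
    $hay   = letters_only($local);
    $named = array_filter($tokens, fn (string $t): bool => strpos($hay, $t) !== false) !== [];
    $flags = [];
    if ($tokens === []) {
        $flags[] = 'name_too_short_to_compare';
    } elseif (!$named) {
        $flags[] = 'freemail_without_name';
    }
    if (preg_match('/\d{4,}$/', $local) === 1) {
        $flags[] = 'long_digit_suffix';
    }
    return $flags;
}

// Constructed samples: first name, last name, email.
$samples = [['John', 'James', 'bigman23454@hotmail.com'], ['John', 'James', 'john.james@hotmail.com'],
            ['pp', 'gtr', 'pp123435@hotmail.com'], ['John', 'James', 'jj@example.org']];
foreach ($samples as [$f, $l, $e]) {
    echo $e, ' => ', implode(', ', signup_flags($f, $l, $e)) ?: 'no flags', PHP_EOL;
}
```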
  6. #4
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2003
    Posts
    127
    Rep Power
    12
    What I am wondering, though, is where all these people come from. They outnumber the amount of real members at this time (this week only). Our stats show no referrers, so it is hard to pinpoint where they come from. A dead giveaway is the different IPs they use, which we DO keep track of.
  8. #5
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    I'd still try hidden fields, because I can hardly believe that those frauds actually fill out the registration fields by hand. The registration is probably done by bots and only the orders by actual people (if at all).

    Apart from that, there's no technical solution for this problem. If those people aren't completely braindead, they'll soon figure out that you have blacklisted hotmail addresses, and they'll simply switch to gmail or whatever.
  10. #6
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2003
    Posts
    127
    Rep Power
    12
    Originally Posted by Jacques1
    I'd still try hidden fields, because I can hardly believe that those frauds actually fill out the registration fields by hand. The registration is probably done by bots and only the orders by actual people (if at all).

    Apart from that, there's no technical solution for this problem. If those people aren't completely braindead, they'll soon figure out that you have blacklisted hotmail addresses, and they'll simply switch to gmail or whatever.
    They already tried with gmail, mail15, rocketmail. All added to my routine and registrations stopped immediately after that. For now;-)
  12. #7
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    2
    Rep Power
    0
    Did you ever find a more elegant solution or have results on this one? We're having the same issue with our Android app.
  14. #8
  15. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by chouchoo
    Did you ever find a more elegant solution or have results on this one? We're having the same issue with our android app.
    Please read the whole discussion.

    You cannot stop humans from registering at a public website. If you block a certain freemailer, the bad guys will simply switch to another one. At the same time, you'll lose many legitimate users, because those usually don't have hundreds of email accounts to choose from.

    What you need to do is fix your application and make it fit for real life. A registration can be done by anyone at any time as often as they want, so if you put any weight on this, you're doing it wrong.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  16. #9
    Contributing User
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Dec 2004
    Posts
    3,015
    Rep Power
    376
    Why don't you have a "link" sent to the email account so that person cannot use the site until he/she actually clicks on that link? If it is a fake email address, that email won't go anywhere.
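Added example, not part of the thread: one way to implement the confirmation link suggested in the post above, keeping the account inactive until a single-use, expiring token is presented. The in-memory `$pending` array (standing in for a database table), the `shop.example` URL and the 24-hour lifetime are assumptions.

```php
<?php
// Added example, not code from the thread. The in-memory $pending array stands in
// for a database table; the URL and the 24-hour lifetime are assumptions.
const TOKEN_TTL = 86400;

/** Creates a one-time token; only its SHA-256 hash is kept server-side. */
function issue_token(array &$pending, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $pending[$userId] = ['hash' => hash('sha256', $token), 'expires' => $now + TOKEN_TTL];
    return $token;
}

/** Returns true only for the matching, unexpired token; a token works once. */
function confirm_token(array &$pending, int $userId, string $token, int $now): bool
{
    $row = $pending[$userId] ?? null;
    if ($row === null) {
        return false;
    }
    $expired = $now > $row['expires'];
    // hash_equals compares in constant time.
    $ok = !$expired && hash_equals($row['hash'], hash('sha256', $token));
    if ($ok || $expired) {
        unset($pending[$userId]);   // used or expired: the link is dead from now on
    }
    return $ok;
}

// Constructed walk-through with a fixed clock.
$pending = [];
$now     = 1700000000;
$token   = issue_token($pending, 42, $now);
echo 'Mail this link: https://shop.example/confirm?uid=42&token=', $token, PHP_EOL;

var_dump(confirm_token($pending, 42, str_repeat('0', 64), $now + 60));   // wrong token
var_dump(confirm_token($pending, 42, $token, $now + 60));                // link clicked
var_dump(confirm_token($pending, 42, $token, $now + 120));               // same link again
```

A confirmed link shows only that the registrant can read that mailbox, so it filters undeliverable addresses rather than deliberately created freemail accounts.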
  18. #10
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    2
    Rep Power
    0
    Originally Posted by Jacques1
    Please read the whole discussion.

    You cannot stop humans from registering at a public website. If you block a certain freemailer, the bad guys will simply switch to another one. At the same time, you'll lose many legitimate users, because those usually don't have hundreds of email accounts to choose from.

    What you need to do is fix your application and make it fit for real life. A registration can be done by anyone at any time as often as they want, so if you put any weight on this, you're doing it wrong.
    Jacques, one major difference for ours is that we automate the creation of an account on our Android app using a device UID so we can keep track of their stuff server side. They have to register later when they want to do more actions. The problem is that the spoofed devices are creating fraud for our advertisers since they aren't real devices and can still use the app prior to registration.

    We need a better way to detect spoofed devices and then allow/disable use of the app from the start, not really a registration issue for us.
