Shopify Spam Customer Accounts with Real Email Addresses

Tourist

For me at least, I was confused as to where the spam accounts were coming from - I don't look at that account creation point at all - only forms.

So, when I was directed by support to Google to add code etc., I just asked for a Shopify side solution, and then the Captcha2 was added. (We're small, we don't code.)

Support implemented it on their side straight away.

I do think Captcha2 with clicking all those pictures is a friction too far, and have been told Captcha3 requires us to code.

We'll leave account set up on the page to see if it works in stopping the bots, but will likely just remove it.

0 Likes
Tourist

I was in a chat with support and showed them a screenshot of this thread where other people had said support had simply enabled the feature on the backend and it worked for them. Took no time at all and it immediately showed up on my create account page when I went there to verify.

2 Likes
Shopify Partner

Hi, yesterday we received an email rejected from Gmail.

I think this is a very very very BIG problem for SHOPIFY. For us...yes, but much bigger for Shopify.

See this email:

>
> This is the mail system at host smtp.shopify.com.
>
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.
>
> For further assistance, please send mail to postmaster.
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
>                    The mail system
>
> <alejandrolbarajas@gmail.com>: host
>     alt1.gmail-smtp-in.l.google.com[64.233.186.26] said: 550-5.2.1 The user you
>     are trying to contact is receiving mail at a rate that 550-5.2.1 prevents
>     additional messages from being delivered. For more 550-5.2.1 information,
>     please visit 550 5.2.1
>     https://support.google.com/mail/?p=ReceivingRatePerm g8si4639065plp.367 -
>     gsmtp (in reply to RCPT TO command)
>
> Reporting-MTA: dns; smtp.shopify.com
> X-Postfix-Queue-ID: 95B05C29E1
> X-Postfix-Sender: rfc822; XXXXXXXXXXXXXXXXXXX
> Arrival-Date: Sat, 14 Dec 2019 02:52:27 +0000 (UTC)
>
> Final-Recipient: rfc822; alejandrolbarajas@gmail.com
> Original-Recipient: rfc822;alejandrolbarajas@gmail.com
> Action: failed
> Status: 5.2.1
> Remote-MTA: dns; alt1.gmail-smtp-in.l.google.com
> Diagnostic-Code: smtp; 550-5.2.1 The user you are trying to contact is
>     receiving mail at a rate that 550-5.2.1 prevents additional messages from
>     being delivered. For more 550-5.2.1 information, please visit 550 5.2.1
>     https://support.google.com/mail/?p=ReceivingRatePerm g8si4639065plp.367 -
>     gsmtp

As you can see, Google is saying that they are "receiving mail at a rate that .....". The mail "alejandrolbarajas@gmail.com" belongs to a fake customer account, so probably, smtp.shopify.com is trying to send the "new account" notification.

Gmail will BAN Shopify, so also WE WILL BE BANNED.

Shopify's staff, you have a very big problem, and have to solve this for all of us.

Hope for your answer here.

Thanks.

1 Like
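
An added example, not part of the original post and not Shopify's own tooling: a Python sketch that parses the per-recipient fields of a bounce like the one quoted above (including folded `Diagnostic-Code` lines and `>`-quoted text) and labels recipients whose mailbox refused mail for receiving-rate reasons, so those addresses can be checked against recently created customer accounts. The sample text is constructed with a placeholder address, and the function and label names are this example's own.

```python
import re

# Constructed sample modeled on the bounce quoted above; the address is a placeholder.
SAMPLE_DSN = """\
Reporting-MTA: dns; smtp.shopify.com

Final-Recipient: rfc822; signup-victim@example.com
Action: failed
Status: 5.2.1
Remote-MTA: dns; alt1.gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.2.1 The user you are trying to contact is
    receiving mail at a rate that 550-5.2.1 prevents additional messages from
    being delivered. For more 550-5.2.1 information, please visit 550 5.2.1
    https://support.google.com/mail/?p=ReceivingRatePerm - gsmtp
"""

def parse_dsn_fields(text):
    """Return one dict per blank-line-separated field group, unfolding continuations."""
    groups, current, last = [], {}, None
    for raw in text.splitlines():
        line = re.sub(r"^> ?", "", raw)        # tolerate ">"-quoted bounces
        if not line.strip():                   # blank line ends a field group
            if current:
                groups.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:        # folded continuation of previous field
            current[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            current[last] = value.strip()
    if current:
        groups.append(current)
    return groups

def classify(group):
    """Label a per-recipient group from its Status and Diagnostic-Code fields."""
    status = group.get("status", "")
    diag = group.get("diagnostic-code", "").lower()
    if status == "5.2.1" and "receiving mail at a rate" in diag:
        return "recipient_rate_limited"        # the mailbox itself is being flooded
    if status.startswith("5."):
        return "permanent_failure"
    return "temporary_failure" if status.startswith("4.") else "other"

def flagged_recipients(text):
    """Map each Final-Recipient address in the bounce text to its label."""
    return {g["final-recipient"].split(";", 1)[-1].strip(): classify(g)
            for g in parse_dsn_fields(text) if "final-recipient" in g}
```
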
Excursionist

I’ve gone through all 32 pages of this post as I’m experiencing the same issue. For those of you who had Shopify add a captcha to your customer account page, IS the checkbox visible on your form page? I thought I read on a few posts that you could see the checkbox on the page.

Shopify told me they added a captcha to my customer account page, but I do not see it. Then support told me that a captcha would be served whenever more than 1 account is created from the same IP within 24 hours, or if there are 5 failed login attempts in 24 hours. That makes it sound like a captcha only gets served if needed? I tested multiple signups & failed logins, yet I never saw a captcha even then. I’m so confused.

0 Likes
Shopify Partner
For me it is on the second page of the account creation process.
One writes first name, second name, email and password, then clicks submit and the page with captcha is loaded.

Shopify support told me the 24h thing is only for the newsletter subscription field...

I should add that since captcha installation 3 days ago I don't see any new spam accounts.
1 Like
Excursionist

@quadri Thanks for confirming how yours works. Well I guess it's just not working for my website. I tested 5 different emails I have & didn't see the captcha after submitting. And for 4 of the emails, I didn't get an email asking me to activate my account, I just got emails saying my account had already been activated. Weird. I just heard back from support again though & they are getting in touch with the technical team because they say captcha has been successfully added to my account. I have a 3rd-party theme, not one through Shopify. So I was wondering if this would be an issue or not for me.

0 Likes
Shopify Partner
I have a 3rd party theme too.
Maybe you can ask your theme developer about your issues.
0 Likes
Trailblazer

Just FYI, I haven't asked for a Captcha but if I try to enter a second email address into my newsletter sign up, right after the first, I get a Captcha. However, it is my understanding that this is a default feature and it did not stop me from getting spam bot sign ups in the past.

(I'm using Minimal theme)

0 Likes
Tourist

I added the app Shop Protector, and my fake customers stopped, but I am still getting bogus blog comments. I figure this is just as serious, as I believe Shopify has an auto response to these too, e.g. "Thanks for your comment which is awaiting moderation" etc. Shop Protector say they do not currently protect against spam blog comments although this is in development. Therefore, I can't see the point of having Shop Protector at the moment. I think I will have to get Shopify to add the reCAPTCHA to account sign ups, and sadly temporarily disable blog comments, which seems to defeat half the purpose of having a blog.

0 Likes
Excursionist

I was hesitant to install Shop Protector based on another thread that mentioned the app using tracking codes that harvested customer data that was then sold.

I get a ton of spam blog comments too, but they all get filtered out as spam & do not get published thankfully. I have my blog set to auto-publish comments, but I do review comments every day still just to be safe. I delete unpublished spam to keep the backend tidy. I don't think there's an auto-email reply for blog comments. At least there isn't for my website/theme.

1 Like