I am having the same issue with my site... same John Smith and same address... I have previously seen similar activity on a scale of a few carts a month and spread out over the course of a month, but never like this. They have been at it on my site for the past month or more now. Were you able to find any info or solutions to blocking or stopping this activity? Thank you in advance.
I don't have your particular issue, but I was eventually able to fix our bot issues by myself.
For your case, I have a few different proposed solutions:
1. Install an ip-blocker app that also tracks IP's. We used "Traffic Guard" ($19/mo) which both tracks IP's, and allows you to block or redirect them.
This app didn't fix our bot problem, since the bots still appeared in our stats after getting blocked, but it might work for your case.
2. To be able to block traffic before it comes to your site, you'll need to block it earlier. We set up a free version of Cloudflare to do this, and it works like a charm. Our numerous chats with Shopify support and others didn't help us at all whatsoever, but installing Cloudflare did. After some tweaking, I was also able to get our average loading times from 3.5 sec to consistently be below 2sec.
3. Install a tagging app, like "Easy tagging", and tag orders matching the name, as spam/scams etc.
4. Ask Shopify support. So they can tell you to either look in the app store, forums, or hire an expert. Since they can't do much/anything it seems. I realized they are mostly there to tell you how to fix stuff yourself, rather than fixing anything for you.
How did you get #2 to work. I think according to https://support.cloudflare.com/hc/en-us/articles/203464660-Using-Cloudflare-with-Shopify you can't proxy cloudflare with shopify. Is that the only way you can block IPs by proxying?
I contacted support about the same thing just now. Did they get back to you about this? Likely happening to a lot of us. I wonder if bots are attacking the checkout page directly or if it's an app causing it? I don't see the activity in Google Analytics or my live screen recording using luckyorange - they seem to bypass IP tracking and everything.
The thing is, you can.
Just make sure not to proxy mail & webmail (got errors from CM Commerce shopping cart abandonment emails when I did this, and links from past newsletters also didn't work)
Actually, I only proxied my Shopify IP and ftp. After all, the traffic gets routed through Cloudflare's DNS, and that's the reason you're able to avoid even allowing bots to enter your server. The proxy I believe is for another purpose.
You can do all this in the free plan too, but I still highly recommend picking one of the cheap plans and setting up Rocketloader and compression. Not only where we able to eventually recover from our 40% drop in revenue after the bots ruined our FB pixel, but we also managed to get loading times from 4-4.5s, down to below 2s on average.
Go for it, just be careful with the proxy
Hey, sorry about the delay here. I'm not very active in the forums
My settings are:
"Full" SSL encryption mode. Always use https ON, Opportunistic Encryption ON, TLS 1.3 ON.
Polish = Lossless, Webp.
I don't auto minify, need to test more before I trust it.
Brotli ON, Enhanced HTTP/2 Prioritization ON, Mirage ON, Rocketloader ON,
And finally, Server-side Excludes ON, under Scrape Shield.
That's pretty much it. Next up is improving the code and apps and such for me. Hope it helps