This entry has been published on 2017-06-08 and may be out of date.

Last Updated on 2017-06-08.

Fake orders by guest customers (or robots) in Magento shops can become quite annoying; some bots are even able to solve or skip the shop’s captcha codes.

Decline disposable email domains

To add another obstacle for bots and to make the checkout process not more complex than needed, I added some additional code in Magento’s root directory.

It declines the customer’s email address if it comes from a disposable email (trash mail) provider. So for the checkout to complete, the customer is forced to enter a valid (non-trash) email address.

This list on GitHub (ivolo/disposable-email-domains) seems to be pretty much complete and can be queried directly, e.g. via the open.kickbox.io API used in the code below.

<?php

//2017-06 DXSdata.com

if (isset($_POST['billing']))
{
    // billing data submitted by the checkout form
    $tmp = $_POST['billing'];

    //https://github.com/ivolo/disposable-email-domains
    //look if listed as disposable email domain
    if (!empty($tmp['email']))
    {
        // encode the address so it cannot break the query URL
        $result = @file_get_contents("https://open.kickbox.io/v1/disposable/" . urlencode($tmp['email']));

        if ($result)
        {
            $result = json_decode($result);
            if ($result)
            {
                if (!empty($result->disposable))
                {
                    // drop the address and abort the request; notify the shop owner
                    $_POST['billing']['email'] = '';
                    mail("[email protected]", "disposable email detected: " . $tmp['email'], "", "From: [email protected]");
                    exit;
                }
            }
            else mail("[email protected]", "could not check disposable email domain", "", "From: [email protected]");
        }
        else mail("[email protected]", "could not check disposable email domain", "", "From: [email protected]");
    }
}

Then include it in your Magento’s index.php:

<?php
#only add the following line:

include('checks.inc.php');

#original:
/**
 * Magento
 *
...

Note: After every update, security patch etc., check whether the include line is still present in your index.php file and re-add it if necessary.


Restrict admin access to certain IP ranges

In addition, it definitely makes sense to make the virtual /admin subdirectory more secure. It does not really exist in Magento’s file structure, so you cannot protect it with .htaccess files as you can for the /downloader directory. But you can extend the checks.inc.php file you created before:

<?php
#addition

function isAllowedAsAdmin()
{
    // sample entries: replace with your own addresses or prefix wildcards
    $whitelist = array(
        '10.1.*',
        '192.168.1.*',
        '77.1.2.34',
        '234.45.567.80'
    );

    // note: REMOTE_ADDR is only the real client address when no reverse proxy sits in front of the shop
    if(in_array($_SERVER['REMOTE_ADDR'], $whitelist))
        return true;
    else{
        foreach($whitelist as $i){
            $wildcardPos = strpos($i, "*");

            // prefix match: everything before the "*" must equal the start of the client address
            if($wildcardPos !== false && substr($_SERVER['REMOTE_ADDR'], 0, $wildcardPos) . "*" == $i)
                return true;
        }
    }

    return false;
}

// matches "/admin" anywhere in the request URI, i.e. also in other paths and query strings
if (strpos($_SERVER['REQUEST_URI'], "/admin") !== false)
{
    if (!isAllowedAsAdmin())
    {
        echo $_SERVER['REMOTE_ADDR'] . " not allowed.";
        exit;
    }
}
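As an added example (not code from the original post), here is a variant of the same admin restriction that expresses the allowed ranges as CIDR blocks instead of string wildcards and matches the request path rather than the whole URI. It assumes IPv4 only, Magento's default admin front name, and that REMOTE_ADDR is the real client address; the allowlist entries are constructed sample values.

```php
<?php
// Added example: CIDR allowlist for the admin path (not from the original post).

function ipInCidr($ip, $cidr)
{
    // a plain address is treated as a /32 network
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    list($subnet, $bits) = explode('/', $cidr, 2);
    $bits = (int)$bits;
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false; // malformed input never grants access
    }
    // /0 handled explicitly: shifting by 32 would not produce an empty mask
    $mask = ($bits === 0) ? 0 : (-1 << (32 - $bits));
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function isAllowedAsAdmin($remoteAddr, array $allowlist)
{
    foreach ($allowlist as $cidr) {
        if (ipInCidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

function isAdminRequest($requestUri)
{
    // compare the path only, so "/catalog/admin-chair.html" or "?x=/admin" do not trigger the check;
    // both "/admin/..." and "/index.php/admin/..." are treated as admin requests
    $path = (string)parse_url($requestUri, PHP_URL_PATH);
    return preg_match('#^(/index\.php)?/admin(/|$)#', $path) === 1;
}

// constructed sample ranges; the original wildcards '10.1.*' and '192.168.1.*' become /16 and /24
$adminAllowlist = array('10.1.0.0/16', '192.168.1.0/24', '77.1.2.34');

if (isAdminRequest($_SERVER['REQUEST_URI'])
    && !isAllowedAsAdmin($_SERVER['REMOTE_ADDR'], $adminAllowlist)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Access denied.');
}
```

If the shop runs behind a reverse proxy, the proxy's address is what REMOTE_ADDR contains, so the allowlist would have to be applied at the proxy instead.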
