Blocking Spam Orders

An unfortunate trait of the internet is spam and automated bots disseminating that spam. Most of us are used to receiving spam emails, but as a business operator on the internet, you may also receive support requests and orders submitted in bulk by automated bots.

This guide looks at some of the ways you can help mitigate the impacts.

Block them from your website

The most effective mitigation method is to use a smart and responsive Web Application Firewall service, which can quickly identify undesirable traffic and block it from your website entirely.

If the bots never reach your website, they can't place orders, so the problem is solved! This should not have any impact on your genuine customers.

Some potential services (in no particular order and with no implied endorsement) are:

Add Invisible reCAPTCHA to Checkout

We have developed an action hook which adds a transparent human verification check to WHMCS. It applies specifically to the checkout page of the order form:

Download here

Powered by Google Invisible reCAPTCHA technology, this will help block orders from automated bots whilst allowing the majority of customers to place orders without any interruption. If the check is inconclusive, users may be required to complete an image identification challenge before their order is entered into WHMCS.

To install the hook, follow the steps below.

  1. Download the hook (attached at the bottom of this post)
  2. Upload to the /includes/hooks/ directory of your WHMCS installation
  3. The hook leverages the same Google reCAPTCHA configuration as defined in Setup > General Settings > Security. Therefore, please ensure the Captcha settings are configured there as follows:
  • Captcha Form Protection: "Always On" or "Off when logged in"
  • Captcha Type: reCAPTCHA (Google's reCAPTCHA system)
  • reCAPTCHA Site Key & Secret Key: Provided
Upload to /includes/hooks

NOTE: When registering your site on the reCAPTCHA site, be sure to select the Invisible type option:

Select Invisible reCaptcha
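To show what a checkout guard of this kind has to do on both sides, here is an added illustrative hook written for this article. It is not the downloadable hook described above, and it makes several assumptions that the page does not state: that ShoppingCartValidateCheckout and ClientAreaFooterOutput are the WHMCS hook points used, that the cart page reports filename "cart" with a=checkout in the query string, that the reCAPTCHA keys are stored in tblconfiguration under the setting names ReCAPTCHASiteKey and ReCAPTCHASecretKey, and that the checkout form carries id="frmCheckout". The security-relevant part is the server side: the token is verified with Google's siteverify endpoint, and any failure (no token, network error, non-200 status, unparsable JSON, "success": false, or a hostname mismatch) rejects the checkout.

```php
<?php
/**
 * Illustrative checkout guard for WHMCS (added example, NOT the hook
 * distributed with this article). Would live in /includes/hooks/.
 * Assumed, not stated on the page: the hook point names, the
 * tblconfiguration setting names, $vars['filename'] === 'cart' for the
 * cart page, and the checkout form id "frmCheckout".
 */

use WHMCS\Database\Capsule;

if (!defined('WHMCS')) {
    die('This file cannot be accessed directly');
}

/** Read one WHMCS configuration value (empty string if missing). */
function spamguard_setting(string $name): string
{
    $row = Capsule::table('tblconfiguration')->where('setting', $name)->first();
    return $row ? (string) $row->value : '';
}

/**
 * Verify a reCAPTCHA token with Google's siteverify API. Fails closed:
 * anything other than a 200 response with "success": true for our own
 * hostname returns false.
 */
function spamguard_token_is_valid(string $token, string $secret, string $remoteIp, string $expectedHost): bool
{
    if ($token === '' || $secret === '') {
        return false;
    }
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $remoteIp,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        return false;
    }
    $result = json_decode($body, true);
    if (!is_array($result) || empty($result['success'])) {
        return false;
    }
    // A token minted against another domain must not be accepted here.
    return isset($result['hostname'])
        && strcasecmp((string) $result['hostname'], $expectedHost) === 0;
}

// Server side: refuse to proceed unless a valid token accompanies the POST.
add_hook('ShoppingCartValidateCheckout', 1, function (array $vars) {
    $token = isset($_POST['g-recaptcha-response']) ? (string) $_POST['g-recaptcha-response'] : '';
    $valid = spamguard_token_is_valid(
        $token,
        spamguard_setting('ReCAPTCHASecretKey'),
        $_SERVER['REMOTE_ADDR'] ?? '',
        $_SERVER['HTTP_HOST'] ?? ''
    );
    return $valid ? [] : ['Human verification failed. Please try again.'];
});

// Client side: on the checkout page only, render an invisible widget and
// hold the form submission until Google has issued a token.
add_hook('ClientAreaFooterOutput', 1, function (array $vars) {
    if (($vars['filename'] ?? '') !== 'cart' || ($_GET['a'] ?? '') !== 'checkout') {
        return '';
    }
    $siteKey = json_encode(spamguard_setting('ReCAPTCHASiteKey'));
    return <<<HTML
<script>
window.spamguardInit = function () {
  var form = document.getElementById('frmCheckout');
  if (!form) { return; }
  var holder = document.createElement('div');
  form.appendChild(holder);
  var verified = false;
  var widget = grecaptcha.render(holder, {
    sitekey: {$siteKey}, size: 'invisible',
    callback: function () { verified = true; form.submit(); }
  });
  form.addEventListener('submit', function (e) {
    if (!verified) { e.preventDefault(); grecaptcha.execute(widget); }
  });
};
</script>
<script src="https://www.google.com/recaptcha/api.js?onload=spamguardInit&render=explicit" async defer></script>
HTML;
});
```

Two points worth checking before relying on something like this: the hostname comparison only works when domain verification is enabled for the reCAPTCHA key (otherwise siteverify omits the hostname field and every checkout would be rejected), and HTTP_HOST should be the value your web server actually sets, not one forwarded unchecked from a proxy.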

Block Problematic Domains

If you are receiving multiple orders from different email addresses on the same domain, that domain can be blocked from placing any more orders:

  1. Navigate to Setup > Other > Banned Emails
  2. Enter the domain you wish to block
  3. Click Add Banned Email
Email Domain to be Blocked

Orders from the blocked domain will no longer be permitted.

Remove Unnecessary Forms

Any point a spam bot can complete an automated form is a potential vector for them to make some more automated submissions.

You might not require some of the forms in WHMCS, which could be switched off without any loss to you.

  1. Untick Setup > General Settings > Other tab > Allow Client Registration
  2. Use a support department for sales, rather than email. Select a department from the Setup > General Settings > Mail tab > Presales Form Destination dropdown.
  3. Review your Setup > Support > Support Departments to make sure they are marked Clients Only, except the ones which truly need to be client-facing (such as Sales)
Support Department Configuration

Thwart them with human verification

Whilst no human verification captcha is 100% bulletproof, Google reCAPTCHA v2 is effective. This can be enabled in WHMCS on the Setup > General Settings > Other tab.

Once configured, this will help protect the client registration page, the ticket submission pages and contact form, as well as the homepage domain checker. Configuration settings are located under Setup > General Settings > Security tab.


You could even go one step further and add a manual question on the order form which a real human can easily understand and answer, using a custom client field. This can be configured under Setup > Custom Client Fields:

Field Name: Are You Human?

Field Type: Text Box

Description: To help prevent automated submissions, please answer "YES" if you are a real human

Validation: /[Y]+[E]+[S]/

Required Field = Yes

Show on Order Form = Yes
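To see what the validation pattern above actually accepts and rejects, here is a small added PHP check written for this article (not part of WHMCS or the original post). It assumes WHMCS applies a custom client field's validation regex with preg_match, and it places an anchored, case-insensitive alternative beside the article's pattern so the difference is visible on sample answers.

```php
<?php
// Added illustration: behaviour of the custom-field validation regex.
// Assumption: WHMCS evaluates the field's validation pattern via preg_match.

/** True when the answer satisfies the given validation pattern. */
function humanCheckAccepts(string $pattern, string $answer): bool
{
    return preg_match($pattern, $answer) === 1;
}

$loose  = '/[Y]+[E]+[S]/';   // pattern from the article: "YES" anywhere, letters may repeat
$strict = '/^\s*YES\s*$/i';  // alternative: the whole answer must be "yes", any case

// Constructed sample answers a customer (or a bot) might type.
$samples = ['YES', 'yes', 'YYYEEESSS', 'YES please', 'no', ' yes '];

foreach ($samples as $answer) {
    printf(
        "%-14s loose=%-5s strict=%s\n",
        var_export($answer, true),
        var_export(humanCheckAccepts($loose, $answer), true),
        var_export(humanCheckAccepts($strict, $answer), true)
    );
}
```

Run with php on the command line. The article's pattern rejects a genuine customer who types "yes" in lower case, while accepting "YYYEEESSS" or "YES please"; the anchored, case-insensitive form accepts exactly the answers the description asks for, including surrounding whitespace, and nothing else. Whichever pattern you use, the field only helps against scripts that do not read the field description, so treat it as one layer alongside the captcha and fraud checks rather than a substitute for them.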

Automatically detect fraudulent orders

If an order does get through, the MaxMind module within WHMCS can automatically cancel orders from spam bots before payment. This will ensure they aren't able to make a fraudulent payment.

Setup is quick and easy via Setup > Fraud Protection.

You will need an account, and you can sign up for one here.

Share knowledge with your peers

Sharing experience and knowledge about which combination of techniques effectively combated a problem is an excellent tool to defeat those trying to cause trouble on the internet.

Join this discussion in the WHMCS Community.