Shopware 6: Plugin status
- Bulk removal of existing spam accounts
- Avoid false positive deletions thanks to the convenient overview in the backend
- Define your own filter criteria
- Prevent DoS attacks and email deliverability restrictions
- Whitelisting to avoid false positive hits in the registration process
- Configuration with blacklists and whitelists
- Filters first and last names as well as email addresses
- List of existing spam accounts in the backend
- Honeypot feature for blocking spam mailers
- Prevents spam registrations in both the shop and via REST API
Shopkeepers and online businesses of all sizes are increasingly exposed to attacks from third parties, be it hackers trying to gain access to the systems, spam senders who want to send masses of (advertising or other) emails, or even unfair competitors. Shopware already offers important functions that make their efforts more difficult, e.g. captchas or honeypot precautions that you can easily activate in the Shopware settings. However, there are further weaknesses that cannot be addressed completely within the default configuration and for which further steps are necessary.
Enormous numbers of registrations for customer accounts with nonsense personal data can be observed in both larger and smaller shops. The email addresses used for this are often real mailboxes that belong not to the attackers but to uninvolved third parties. The attackers' goal in these cases is not just to generate database garbage and higher load on the server. They use the registration and "forgot password" functions to generate mass emails which are sent from your shop. As soon as the third-party recipients of these emails mark them as spam, large email providers can block emails from you, and your shop server could be entered on global spam block lists. As a result, legitimate emails from your shop no longer get through to you and your customers: neither you nor your customers will receive information about new orders, order confirmations or newsletters.
Once such a problem has been identified, it is unfortunately not enough to prevent future registrations. Because of the spam accounts that have already been created, unwanted emails can still be generated in large quantities using the "forgot password" function in your shop. This is why we recommend not only excluding future registrations from spam bots, but also identifying the existing spam accounts in your database and getting rid of them.
Our plugin covers both of these functions. You can exclude spam registrations as far as possible by using the filter rules you have defined for the first and last name as well as the email address. With a convenient overview window in the Shopware backend, you can identify existing spam customer accounts and delete them with only two clicks using batch processing. Using a whitelist, i.e. a list of permitted terms and patterns, you can prevent "false positives", that is, legitimate customers being prevented from registering. Since the plugin extends not only the registration form but also the internal customer account validation of Shopware, you will be able to prevent spam registrations even if customer accounts are imported from third-party systems via the Shopware REST API.
The filters for blacklists and whitelists are configured in the form of regular expressions. After installation, you will automatically find a small sample configuration which you may expand to meet your requirements. If you would like, we would be happy to provide you with further information on what the supplied blacklist configuration is for and which entries in the whitelist prevent, for example, improperly entered company names and certain names from the Scottish, Arabic, Italian and Spanish areas from being rejected. Simply contact us by opening a support ticket in your Shopware account or by writing an email to email@example.com. Please understand that we do not offer a comprehensive set-up service beyond the usual support regarding bugs, technical errors and questions.
Install the plugin via the Plugin Manager in your Shopware backend. A working sample configuration is already supplied and automatically stored during installation. If necessary, adapt this configuration to your needs so that your blacklist entries cover the spam patterns you have identified in recent attacks and the whitelist contains the usual false-positive patterns seen in valid registrations.
If you have any questions about the example configuration or if you need an example whitelist configuration, please do not hesitate to contact us.
Filter rules for blacklists and whitelists are stored in the form of regular expressions (one per line). For more information about regular expressions, what they are and how they are constructed, see for example the following page: https://regexone.com/ - To determine whether a regular expression has the desired effect, test it using e.g. the following page: https://www.regextester.com/
After installing our plugin, existing spam customer accounts are listed in the backend (choose the menu entry Customers > Customers > Spam accounts). Like the blocking in the frontend, this list is based exclusively on the filter rules you have configured or on the supplied sample configuration. In the listing of spam accounts, select the spam accounts you want to remove from your database, as usual in the Shopware backend. By using batch processing, you can delete them all from your shop with just two clicks.
Protection against new registrations by spam bots is activated automatically in the frontend as soon as you install the plugin. The plugin configuration allows you to choose what should happen in such a case: either all information (first name, surname and email address) is deleted from the form and highlighted in red, or only those field entries that triggered the filter. To protect against spammers who use real third-party email addresses, you can activate the third option, the honeypot mode, which displays that the email address is not accepted, even if it is valid and only the first and last names triggered the spam filter. This makes it more difficult for the attackers to figure out the reason for their rejection - and to have a negative impact on your email deliverability and reputation.
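The rule evaluation described above (one regular expression per line, whitelist entries overriding blacklist hits, the backend listing and the three rejection modes), sketched in Python as an added example; it is not the plugin's code, and Python's `re` stands in for the regex engine the plugin uses. The rule lists, the accounts, the mode names and the assumption that one list is applied to all three fields are constructed for illustration.

```python
import re

FIELDS = ("firstName", "lastName", "email")

# Constructed sample rules, one regular expression per line (not the plugin's shipped lists).
BLACKLIST = r"""
https?://|www\.
[a-z][A-Z]
"""
WHITELIST = r"""
^(Mc|Mac|Di|De|Al)[A-Z][a-z]+$
"""

def load_rules(text):
    """Compile one pattern per line; skip blank lines, which would otherwise match everything."""
    rules = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rules.append(re.compile(line.strip()))
        except re.error as exc:
            raise ValueError(f"line {number} {line!r} is not a valid regex: {exc}") from exc
    return rules

def flagged_fields(account, blacklist, whitelist):
    """Fields whose value hits a blacklist rule and no whitelist rule (assumed precedence)."""
    return [f for f in FIELDS
            if any(p.search(account[f]) for p in blacklist)
            and not any(p.search(account[f]) for p in whitelist)]

def rejected_fields(account, blacklist, whitelist, mode):
    """Fields reported back to the form; 'all', 'matched', 'honeypot' are hypothetical names."""
    hits = flagged_fields(account, blacklist, whitelist)
    if not hits or mode == "matched":
        return hits
    # Honeypot mode always blames the email address, hiding which rule actually fired.
    return ["email"] if mode == "honeypot" else list(FIELDS)

# Constructed accounts: a legitimate Scottish surname, a bot entry, a plain legitimate entry.
ACCOUNTS = [
    {"firstName": "Fiona", "lastName": "McDonald", "email": "fiona@example.com"},
    {"firstName": "xQzPwLk", "lastName": "www.shop.example", "email": "third.party@example.org"},
    {"firstName": "Marco", "lastName": "Rossi", "email": "marco.rossi@example.com"},
]

def spam_accounts(accounts, blacklist, whitelist):
    """Existing accounts that the current rules would list for bulk removal."""
    return [a for a in accounts if flagged_fields(a, blacklist, whitelist)]
```

Running `spam_accounts` over an export of existing customers before enabling a new blacklist line shows which legitimate names it would catch and therefore which whitelist entries are needed.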