jakebur01

Amazon IP Accessing page mystery


I have a registration page that mails a link to the user's email.

The link in the email takes the user to the activation page which sends out a welcome email and updates the database as activated if the user is not already activated.

For some reason, this page is being accessed by an Amazon IP address with multiple browsers in the user_agent.  Whatever this is, it is automatically activating my users and sending them a welcome email without them even accessing the page.

The only suspect I can think of is a JavaScript snippet I have for Google Ads and also Facebook on some of my pages.  I don't know if they could somehow be accessing the page or not.

It must be following the activation link in the mail() script I have on the registration page.

I'm mailing myself the following when the activation page is accessed.  I get an Amazon IP, multiple browsers, and no referer.

// Request details captured when auth_activate is hit; the null coalescing
// fallback avoids an undefined-index notice when the client sends no header
// (a missing Referer is exactly what a direct, non-browser fetch looks like).
$browser = $_SERVER['HTTP_USER_AGENT'] ?? '';
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
$referer = $_SERVER['HTTP_REFERER'] ?? '';

 

2 hours ago, jakebur01 said:

For some reason, this page is being accessed by an Amazon ip address with multiple browsers in the user_agent.

Bots.

Use a CAPTCHA.


Does the activation link contain a run-once unique token? This would let you know if something is just submitting email addresses or actually has access to the content of the emails.


The link just contains their id, URL encoded, and the activation page checks to see if it's already activated.  This IP address is accessing the page the moment the user is registered and the email is sent out to them from the registration page.

Another user signed up and a different IP address accessed the activation page the moment their "check your email for verification" email with the link was sent to them.  I looked that address up and it was also from Amazon.

Edited by jakebur01

3 hours ago, requinix said:

Bots.

Use a CAPTCHA.

The bot would have to be accessing the page at the moment the user is clicking the submit button on the register page.  How does the bot know the page exists?

3 hours ago, mac_gyver said:

Does the activation link contain a run-once unique token? This would let you know if something is just submitting email addresses or actually has access to the content of the emails.

Yes. It is the full link, with the variables in the URL, that is being run.

3 minutes ago, jakebur01 said:

The bot would have to be accessing the page at the moment the user is clicking the submit button on the register page.  How does the bot know the page exists?

The bot is the user. Their creators realized you're constructing predictable confirmation URLs so their bots don't have to wait for anything: submit form data, hit confirmation page, have working account.

CAPTCHA, and don't use predictable confirmation URLs. You should be using some sort of random token instead.

32 minutes ago, requinix said:

The bot is the user. Their creators realized you're constructing predictable confirmation URLs so their bots don't have to wait for anything: submit form data, hit confirmation page, have working account.

CAPTCHA, and don't use predictable confirmation URLs. You should be using some sort of random token instead.

There are two pages: auth_registration and auth_activate.  I myself submit the form on auth_registration using one of my emails and immediately the auth_activate page is accessed.

I'm suspicious of these Facebook and Google ad trackers that track registration and purchase:

<script async src="https://www.googletagmanager.com/gtag/js?id=AW-36573573"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'AW-3763567');
</script>


<!-- Facebook Pixel Code -->
<script>
  !function(f,b,e,v,n,t,s)
  {if(f.fbq)return;n=f.fbq=function(){n.callMethod?
  n.callMethod.apply(n,arguments):n.queue.push(arguments)};
  if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';
  n.queue=[];t=b.createElement(e);t.async=!0;
  t.src=v;s=b.getElementsByTagName(e)[0];
  s.parentNode.insertBefore(t,s)}(window, document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '36573737376');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=65474567&ev=PageView&noscript=1"
/></noscript>
<!-- End Facebook Pixel Code -->

 

20 minutes ago, jakebur01 said:

I'm suspicious of these Facebook and Google ad trackers that track registration and purchase:

Then get rid of them and see if anything changes.

Have you seen this with any registration or just ones you're trying to do as a test?  Have you tried different email clients?  Maybe you have something running that's scanning your incoming email and following links.

 


Yea. I guess I could add a button to the landing page: "Click here to activate."

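The two fixes suggested in this thread (mac_gyver's run-once unique token instead of the URL-encoded id, and the "Click here to activate" button from the last post so that a link-following scanner's GET cannot activate anyone) fit together in one script. The PHP below is an added example, not code from the thread; it assumes a `users` table with `activation_token_hash`, `activation_expires_at` and `activated` columns (constructed here in an in-memory SQLite database so it runs stand-alone), an `auth_activate.php` endpoint, and an `example.com` link base.

```php
<?php
declare(strict_types=1);
// Added example (not the thread's code). Schema, endpoint name and link base
// are assumptions; the in-memory SQLite store stands in for the real database.

const TOKEN_TTL_SECONDS = 24 * 3600;

function makeStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL,
        activated INTEGER NOT NULL DEFAULT 0,
        activation_token_hash TEXT,
        activation_expires_at INTEGER)');
    return $db;
}

// Registration: create the user, issue an unguessable one-time token and
// return the link to put in the mail() body. Only a hash of the token is
// stored, so reading the table is not enough to build a working link.
function registerUser(PDO $db, string $email): string {
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, hex encoded
    $stmt = $db->prepare('INSERT INTO users (email, activation_token_hash, activation_expires_at)
                          VALUES (:email, :hash, :exp)');
    $stmt->execute([
        ':email' => $email,
        ':hash'  => hash('sha256', $token),
        ':exp'   => time() + TOKEN_TTL_SECONDS,
    ]);
    return 'https://example.com/auth_activate.php?token=' . $token;
}

// Look the token up without changing anything; null means unknown, expired or used.
function findPendingUser(PDO $db, string $token): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id FROM users
                          WHERE activation_token_hash = :hash
                            AND activated = 0
                            AND activation_expires_at > :now');
    $stmt->execute([':hash' => hash('sha256', $token), ':now' => time()]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int)$id;
}

// Activation page: a GET (what a mail scanner or prefetcher sends when it follows
// the link) only renders a confirm button. The account is activated only on POST.
function handleActivate(PDO $db, string $method, array $params): string {
    $token = $params['token'] ?? '';
    $id = findPendingUser($db, $token);
    if ($id === null) {
        return 'Activation link is invalid, expired or already used.';
    }
    if ($method !== 'POST') {
        $t = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
        return '<form method="post" action="auth_activate.php">'
             . '<input type="hidden" name="token" value="' . $t . '">'
             . '<button type="submit">Click here to activate</button></form>';
    }
    // Activate and consume the token in one statement: a replayed POST with the
    // same link matches zero rows, so the welcome mail is sent at most once.
    $stmt = $db->prepare('UPDATE users SET activated = 1, activation_token_hash = NULL
                          WHERE id = :id AND activated = 0');
    $stmt->execute([':id' => $id]);
    if ($stmt->rowCount() !== 1) {
        return 'Activation link is invalid, expired or already used.';
    }
    // Send the welcome email here, after the row has actually changed.
    return 'Account activated.';
}

// Walk-through with a constructed registration.
$db = makeStore();
$link = registerUser($db, 'user@example.com');
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
echo handleActivate($db, 'GET', $q), "\n";             // renders the form only
echo handleActivate($db, 'POST', $q), "\n";            // "Account activated."
echo handleActivate($db, 'POST', $q), "\n";            // already used
echo handleActivate($db, 'GET', ['token' => '1']), "\n"; // rejected by format check
```

With this layout the id guessing that requinix describes stops working, because the only way to reach a pending row is to present the 64-hex-character token that was mailed, and a scanner that merely fetches every URL in the message sees a form and changes nothing. The time-of-access log from the first post still helps: a GET from an unfamiliar address seconds after registration is the scanner, and a POST from the user's own address later is the real activation.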
