Magento2: How to avoid fake registration?

A custom Captcha (with some complex algorithm) is the best option for you, as you don't want to integrate OTP functionality in the registration page.

There is also another option if you know the email domains used to register the fake customers (as per your screenshot, mail.ru): for this you need to add some custom code in your customer create controller class. For reference, please check the sample code below:

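if (!empty($postrequest['email'])) {
    // Entries are either a full domain ('mail.ru') or only its first label ('mailinator').
    $rejectList = array('mailinator', 'mail.ru', 'yopmail'); // you can mention as many email domains as you need
    $parts = explode('@', strtolower(trim($postrequest['email'])));
    $host = end($parts); // everything after the last '@'
    $label = explode('.', $host, 2); // $label[0] is the first label, e.g. 'yopmail'
    // Compare the full domain as well: 'mail.ru' can never equal the first label 'mail'.
    if (in_array($host, $rejectList, true) || in_array($label[0], $rejectList, true)) {
        // addException() needs an exception object and $e is not defined here.
        $this->messageManager->addErrorMessage(__('Enter valid domain name in Email.'));
        return $resultRedirect->setUrl($this->_redirect->error($defaultUrl));
    }
}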

Please let me know whether this solution works for you.


I think there is some leakage in your Magento instance.

So, you have to identify from which URL these fake registrations come and then apply your fix.

Let's create plugins on the classes below, add a debugger to every plugin, and check the $_REQUEST value to track from which URLs this issue happens.

  • Magento\Customer\Model\AccountManagement
  • Magento\Customer\Model\ResourceModel\CustomerRepository

Create di.xml at app/code/{Vendor}/{Modulename}/etc/ and declare the plugins in this file:

Code

<?xml version="1.0" ?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <type name="Magento\Customer\Model\AccountManagement">
        <plugin disabled="false" name="StackExchanges_Magento_Plugin_Magento_Customer_Model_AccountManagement" 
                        sortOrder="10" type="{Vendor}\{Modulename}\Plugin\Magento\Customer\Model\AccountManagement"/>
    </type>
    <type name="Magento\Customer\Model\ResourceModel\CustomerRepository">
        <plugin disabled="false" name="StackExchanges_Magento_Plugin_Magento_Customer_Model_ResourceModel_CustomerRepository"
                        sortOrder="10" type="{Vendor}\{Modulename}\Plugin\Magento\Customer\Model\ResourceModel\CustomerRepository"/>
    </type>
</config>

Plugin Class:

First plugin class

app/code/{Vendor}/{Modulename}/Plugin/Magento/Customer/Model/ResourceModel/CustomerRepository.php

Code

<?php


namespace {Vendor}\{Modulename}\Plugin\Magento\Customer\Model\ResourceModel;

/**
 * Class CustomerRepository
 *
 */
class CustomerRepository
{

    private $logger;
    public function __construct(
       \Psr\Log\LoggerInterface $logger
    ) {
        $this->logger = $logger;
    }

    public function beforeSave(
        \Magento\Customer\Model\ResourceModel\CustomerRepository $subject,
        $customer,
        $passwordHash = null
    ) {
        // Caution: $_REQUEST on a registration POST contains the submitted password fields in clear text.
        $this->logger->log(100,print_r($_REQUEST,true));
        return [$customer, $passwordHash];
    }
}

Second plugin class

Path: app/code/{Vendor}/{Modulename}/Plugin/Magento/Customer/Model/AccountManagement.php

Code

<?php


namespace {Vendor}\{Modulename}\Plugin\Magento\Customer\Model;

/**
 * Class AccountManagement
 *
 * @package StackExchanges\Magento\Plugin\Magento\Customer\Model
 */
class AccountManagement
{
    private $logger;
    public function __construct(
       \Psr\Log\LoggerInterface $logger
    ) {
        $this->logger = $logger;
    }
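    public function beforeCreateAccount(
        \Magento\Customer\Model\AccountManagement $subject,
        $customer,
        $password = null,
        $redirectUrl = ''
    ) {
        // Arguments arrive in the order of createAccount($customer, $password, $redirectUrl).
        // Caution: $_REQUEST on a registration POST contains the submitted password fields in clear text.
        $this->logger->log(100,print_r($_REQUEST,true));
        return [$customer, $password, $redirectUrl];
    }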
}


In every plugin I have added the logger call $this->logger->log(100,print_r($_REQUEST,true)) to track what is posted when trying to create or save a customer.

The logs will be written to the var/log/debug.log file.

From these log files, you can find from which URLs (like customer/account/create) the data is posted and the customer is created, and you can analyze the data.

If you find the URL from which the wrong customers register, then re-verify why Google captcha is not working, and if it is not working you can fix that as well. Implement the fix accordingly.

Apply some solution to stop the fake users from registering

Suppose that, for emails like mail.ru, you want to stop the registration; then add the code below before $this->logger->log(100,print_r($_REQUEST,true)); in these two plugins.

        $email = $customer->getEmail(); // $email must be read from the customer first
        if (strpos($email, 'mail.ru') !== false) {
            throw new \Magento\Framework\Exception\InputException(__('Invalid Customer register.'));
        }

Example

<?php


namespace StackExchanges\Magento\Plugin\Magento\Customer\Model;

/**
 * Class AccountManagement
 *
 * @package StackExchanges\Magento\Plugin\Magento\Customer\Model
 */
class AccountManagement
{
    private $logger;
    public function __construct(
       \Psr\Log\LoggerInterface $logger
    ) {
        $this->logger = $logger;
    }
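    public function beforeCreateAccount(
        \Magento\Customer\Model\AccountManagement $subject,
        $customer,
        $password = null,
        $redirectUrl = ''
    ) {
        // Arguments arrive in the order of createAccount($customer, $password, $redirectUrl),
        // so $customer is the customer data object and getEmail() can be called on it.
        $email = $customer->getEmail();
        // match and throw an error to stop the registration
        if (strpos($email, 'mail.ru') !== false) {
            throw new \Magento\Framework\Exception\InputException(__('Invalid Customer register.'));
        }
        // Caution: $_REQUEST on a registration POST contains the submitted password fields in clear text.
        $this->logger->log(100,print_r($_REQUEST,true));
        return [$customer, $password, $redirectUrl];
    }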
}
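
Both answers above match the blocked domain loosely: by the first label of the domain only, or as a substring anywhere in the address. A stricter comparison, as an added example that is not code from either answer: the function name isBlockedEmailDomain, the list contents and the sample addresses are assumptions constructed for illustration.

```php
<?php
/**
 * Hypothetical helper: true when the e-mail's domain is a blocked domain
 * or a subdomain of one. $blocked holds full domains such as 'mail.ru'.
 */
function isBlockedEmailDomain(string $email, array $blocked): bool
{
    $email = strtolower(trim($email));
    $at = strrpos($email, '@');            // the domain starts after the LAST '@'
    if ($at === false || $at === strlen($email) - 1) {
        return true;                       // no domain part: fail closed
    }
    $domain = rtrim(substr($email, $at + 1), '.'); // drop a trailing root dot
    foreach ($blocked as $entry) {
        $entry  = strtolower($entry);
        $suffix = '.' . $entry;            // matches subdomains such as inbox.mail.ru
        if ($domain === $entry || substr($domain, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample data, not taken from the question.
$blocked = ['mail.ru', 'mailinator.com', 'yopmail.com'];
$samples = [
    'bot@mail.ru',                 // blocked domain
    'bot@MAIL.RU',                 // same domain, different case
    'bot@inbox.mail.ru',           // subdomain of a blocked domain
    'alice@webmail.rural.example', // contains "mail.ru" but is another domain
    'mail.ru@shop.example',        // "mail.ru" only in the local part
];

// Compare the substring test used in the plugin with the domain comparison.
foreach ($samples as $address) {
    $substring = strpos($address, 'mail.ru') !== false;
    $exact     = isBlockedEmailDomain($address, $blocked);
    printf(
        "%-30s substring=%-5s domain=%s\n",
        $address,
        var_export($substring, true),
        var_export($exact, true)
    );
}
```

The substring test rejects the last two addresses although they belong to other domains and lets the upper-case variant through, while the domain comparison blocks exactly the first three.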