Merchant Guide

NoMoreSpam Pro - Magento 2 Spam & Fraud Protection

Magento 2 spam protection that blocks card testers, spam bots, and fraudulent checkouts across every form and payment - no CAPTCHA shown to real customers.

Overview

NoMoreSpam Pro is multi-layer Magento 2 spam protection that watches every high-risk touchpoint on your store - contact forms, registration, newsletter sign-up, login, checkout, and payment submission - and scores each request using 50+ configurable risk signals before deciding whether to allow, challenge, or block it.


This module helps you:

  • Stop spam bots and card testers without asking real customers to solve a CAPTCHA
  • Protect checkout and payment steps against velocity attacks, card probing, and account takeover
  • Manage blocklists and allowlists for IPs, emails, and customer groups from one admin area
  • Monitor blocked attempts in real time with a stats dashboard and daily email summary
  • Automatically block repeat offenders and escalate persistent attackers to subnet-level blocks

When to use this

Use NoMoreSpam Pro when you want to:

  • End waves of spam registrations, contact form abuse, or newsletter bombing
  • Prevent card-testing bots from running card numbers through your Payflow, Braintree, or Stripe checkout
  • Set stricter controls for guest checkout without blocking genuine shoppers
  • Give your ops team daily visibility into blocked fraud attempts without them having to dig through logs
  • Allow your office IP or a B2B partner IP to skip spam checks without disabling protection for everyone else

Key capabilities

  • Risk scoring engine - 50+ weighted factors combine into a single score; block when the score meets your threshold
  • Payment protection - pre-auth validation and gateway-level rate caps for Payflow, Braintree, Stripe, and PayPal
  • Form protection - honeypot fields and timing checks on contact, registration, login, newsletter, and custom forms
  • Blocklist & allowlist management - admin grids for IPs, emails, customer groups; CIDR subnet escalation for repeat attackers
  • Stats dashboard - Chart.js-powered analytics for blocked attempts, top source IPs, attack patterns, and estimated savings
  • Decoy responses - randomised gateway-decline messages with timing delays so attackers cannot enumerate your defenses
  • Customer restrictions - flag, restrict, or unblock individual customer accounts from the customer edit page
  • Daily summary email - automatic 07:00 email with previous-day attack summary sent only when attacks occurred

Installation

NoMoreSpam Pro installs via Composer, then activates with a license key from your Moogento.com account. The whole flow takes about 5 minutes.

Step 1: Get your Composer keys from Moogento.com

  1. Sign in at https://www.moogento.com and open My Plugins in your account menu.
  2. Find NoMoreSpam Pro in the list of plugins you own.
  3. Generate (or reveal) the Composer access keys for that plugin - a public key and a private key.
  4. Add your install domain to the key. Each Composer key is tied to a specific domain - if you're installing on yourstore.com, add yourstore.com to the key's allowed domains. The Composer download will be rejected on any other domain.

If you run staging and production on different domains, add both - separate keys per environment are fine too.

Step 2: Install the module with Composer

From your Magento 2 root directory:

composer require moogento/module-nomorespampro

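When Composer asks for credentials, paste the public key as the username and the private key as the password. They'll be cached in ~/.composer/auth.json for future runs. That file holds both keys in plaintext, so keep it out of version control and readable only by the user that runs Composer.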

Step 3: Enable the module in Magento

php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento cache:clean

If you run php bin/magento module:status Moogento_Nomorespampro you should see it listed as enabled.

Step 4: Add your license key in the Moogento admin

  1. Still on https://www.moogento.com > My Plugins, copy the license key for NoMoreSpam Pro (separate from the Composer keys you used above).
  2. In your Magento admin, go to Stores > Configuration > Moogento > Licenses.
  3. Find the row for NoMoreSpam Pro and paste the license key.
  4. Click Save Config, then run php bin/magento cache:clean once.

The license validates within a few seconds. You should see the module's status flip to active. If it stays inactive, double-check the domain on the license matches where you've installed - domain mismatch is the most common cause.


Setup overview

Most setup happens in:

Stores > Configuration > Moogento > NoMoreSpam Pro

You'll mainly work with:

  • General - master on/off, log level, and data retention periods
  • Protect: Specific Sections - toggle which forms and pages are protected
  • Protect: Custom Forms - add any bespoke form by URL path or CSS selector
  • Protect: Allowlists - IPs, emails, and customer groups that bypass checks
  • Risk: Scoring - per-context weights for each risk signal
  • Risk: Threshold - the score that triggers a block or challenge
  • Advanced: Bot & IP Protection - rate caps, CIDR escalation, decoy responses, and Payflow controls
  • Advanced: Payment Method Protection - pre-auth validation and payment gateway settings
  • Observability: Visibility & Alerts - dashboard widget, admin notifications, and daily summary email

Common setups

Turn on protection and choose which forms to guard

The first thing to decide is which parts of your store NoMoreSpam Pro should actively protect. All sections are individually toggled so you can roll out protection incrementally.

How to set it up

  1. Go to: Stores > Configuration > Moogento > NoMoreSpam Pro > General

  2. Set:

    • Enable = Yes
    • Enable: Logging = Yes (recommended on production; generates var/log/moogento_nomorespampro.log)
  3. Go to: Stores > Configuration > Moogento > NoMoreSpam Pro > Protect: Specific Sections

  4. Set each toggle to your requirements:

    • Contact form = On
    • Newsletter = On
    • Frontend: User registration = On
    • Frontend: Login = On
    • Checkout = On
    • Payments = On
    • Admin: Login = On (leave Admin: Block login until spam checks load = On in production)
  5. Save Config

Notes

  • You can return to this section at any time to add or remove protected areas without disabling the module.
  • The Admin: Block login until spam checks load setting prevents fast-autofill bots from submitting the admin login before honeypot fields have loaded. Disable it only for CI pipelines via bin/magento config:set moogento_nomorespampro/protect_sections/admin_login_submit_gate 0.

Set up the risk threshold to reduce false positives

The global risk threshold controls when NoMoreSpam Pro blocks a request. Lowering it catches more threats; raising it reduces the chance of blocking real customers. The default of 80 is a good starting point for most stores.

How to set it up

  1. Go to: Stores > Configuration > Moogento > NoMoreSpam Pro > Risk: Threshold

  2. Set:

    • Global Risk: Threshold = 80 (lower toward 60 for stricter protection; raise toward 95 to reduce false positives)
    • Challenge: Provider = Disabled (leave off unless you are seeing false positives that block real customers)
  3. Save Config

Notes

  • NoMoreSpam Pro does not require a CAPTCHA. The Challenge: Provider is an optional safety net for the borderline score band - only scores within [threshold − band width, threshold) trigger it.
  • If you enable reCAPTCHA v3 as the challenge provider, set both the site key and private key together. The Protection Level panel on the config page will flag any half-configured state.
  • Adjust individual signal weights in Risk: Scoring before changing the global threshold - coarse threshold changes affect all signals equally.
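
The last note is easier to see with numbers. The sketch below is an added illustration, not the module's code: it assumes fired signals add up and cap at 100, a challenge band 10 points wide, and constructed signal names, weights and requests. It compares raising the global threshold with lowering one signal's weight when a real shopper is being blocked.

```python
THRESHOLD = 80    # page default for Global Risk: Threshold
BAND_WIDTH = 10   # assumed width of the challenge band

# Constructed signal names and weights (assumptions, not the module's values).
WEIGHTS = {
    "disposable_email": 45,
    "rapid_checkout": 40,
    "ip_reputation": 35,
    "multiple_cards": 50,
}

# Constructed requests: which signals fired for each one.
REQUESTS = {
    "shopper": ["disposable_email", "rapid_checkout"],   # real customer
    "card_tester": ["multiple_cards", "rapid_checkout", "ip_reputation"],
    "quiet_tester": ["multiple_cards", "ip_reputation"],  # trips fewer signals
}


def score(signals, weights):
    """Assumed combination rule: add the weights of fired signals, cap at 100."""
    return min(100, sum(weights[s] for s in signals))


def decide(total, threshold=THRESHOLD, band=BAND_WIDTH, challenge_enabled=False):
    """Block at or above the threshold. With a challenge provider enabled,
    scores in [threshold - band, threshold) are challenged instead of allowed."""
    if total >= threshold:
        return "block"
    if challenge_enabled and total >= threshold - band:
        return "challenge"
    return "allow"


def outcomes(weights, threshold, challenge_enabled=False):
    """Decision for every constructed request under one configuration."""
    return {
        name: decide(score(sig, weights), threshold,
                     challenge_enabled=challenge_enabled)
        for name, sig in REQUESTS.items()
    }


if __name__ == "__main__":
    print("baseline         ", outcomes(WEIGHTS, 80))
    print("threshold -> 90  ", outcomes(WEIGHTS, 90))
    tuned = {**WEIGHTS, "disposable_email": 25}
    print("one weight tuned ", outcomes(tuned, 80))
    print("90 plus challenge", outcomes(WEIGHTS, 90, challenge_enabled=True))
```

With these constructed numbers, raising the threshold to 90 frees the shopper but also allows the attacker scoring 85, while lowering only the disposable-email weight frees the shopper and keeps both attackers blocked.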

Allow a trusted IP to skip spam checks

Your office IP, a fulfilment partner, or an automation service may trigger rate caps or IP-reputation signals that would flag real human traffic. Add those IPs to the allowlist rather than raising your global threshold.

How to set it up

  1. Go to: Stores > Configuration > Moogento > NoMoreSpam Pro > Protect: Allowlists

  2. Enter one IP per line in Allowlist: IPs.

  3. Go to: Stores > Configuration > Moogento > NoMoreSpam Pro > Advanced: Bot & IP Protection

  4. Set Allowlist: Bypass Mode to match how much trust you want to extend:

    • Permissive - skips all checks (use for office IPs and test environments)
    • Soft - skips risk scoring but still runs pre-auth (use for partner IPs with some risk)
    • Strict - skips only automatic IP blocking (use for VIP customers)
  5. Save Config

Notes

  • Email and customer-group allowlist entries always bypass all checks regardless of the Bypass Mode setting. The mode applies only to IP entries.
  • If a B2B server-to-server integration posts to Payflow from a single trusted IP, add that IP here and set Bypass Mode to Permissive. The Payflow rate cap (default: 5 authorisations per 600 seconds) will otherwise block repeated automated requests.

Set up payment protection for card-testing prevention

Card-testing bots try sequences of card numbers at low amounts to find which cards are live. NoMoreSpam Pro stops them before they reach the payment gateway.

How to set it up

  1. Go to: Stores > Configuration > Moogento > NoMoreSpam Pro > Advanced: Payment Method Protection

  2. Set:

    • Monitor all enabled payment methods = Yes
    • Enable Pre-Auth Validation = Yes
    • Enable PayPal-specific risk scoring = Yes (if you accept PayPal or Payflow)
  3. Go to: Stores > Configuration > Moogento > NoMoreSpam Pro > Advanced: Bot & IP Protection

  4. Verify the Payflow controls are set:

    • Payflow: Enable Rate Caps = Yes
    • Payflow: Max Authorizations per IP = 5 (lower for stricter enforcement)
    • Payflow: Block Zero-Amount Card Probes = Yes
  5. Save Config

Notes

  • The Protection Level panel at the top of the configuration page shows a live summary of your payment coverage. A green tick next to "Payment Methods" means all enabled payment methods are monitored.
  • Zero-amount card probes are blocked regardless of rate caps. Legitimate $0-total checkouts use the Free payment method, not Payflow - so this rule should not affect real shoppers.
  • After saving, run php bin/magento moogento:nomorespampro:check-payflow-protection to confirm all Payflow health checks pass.

Features reference

Protection Level panel

  • What it does: Displays a real-time health summary at the top of the configuration page showing which protection layers are active, which payment methods are monitored, and whether geo-based signals have a valid IPinfo token.
  • When to use it: Check this panel after any configuration change to confirm the intended protections are active.
  • Config path: Automatically rendered - no separate setting.

Analytics: Stats dashboard

  • What it does: A Chart.js-powered admin page showing blocked attempts over time, top attacking IPs, block reasons, a geographic attack heatmap, and an estimated cost savings counter.
  • When to use it: During or after an attack to understand the pattern; for weekly reporting on protection activity.
  • Config path: moogento_nomorespampro/analytics_dashboard/cost_per_spam controls the estimated savings calculation. Access the dashboard at Moogento > NoMoreSpam Pro > Stats.

Blocklist grid

  • What it does: Admin grid listing all blocked IPs, their block expiry, block reason, and whether they are permanently blocked. Supports manual add, remove, and mass-unblock.
  • When to use it: To manually unblock a legitimate customer who was caught by rate caps, or to add a known-bad IP range before it starts attacking.
  • Config path: Moogento > NoMoreSpam Pro > Blocklist.

Payments log

  • What it does: Admin grid showing every recorded payment attempt with its risk score, block status, payment method, and contributing factors. Rows with STATUS_BLOCKED are attempts NoMoreSpam Pro declined before they reached the gateway.
  • When to use it: To investigate a customer reporting a declined payment; to verify that blocked card-testing attempts are being caught correctly.
  • Config path: Moogento > NoMoreSpam Pro > Payments. Log retention: moogento_nomorespampro/general/payment_data_retention (days).

Custom form protection

  • What it does: Extends honeypot and timing protection to any custom form - third-party checkout steps, quote request forms, B2B registration, and so on.
  • When to use it: Any time spam reaches a form not listed under Protect: Specific Sections.
  • Config path: Stores > Configuration > Moogento > NoMoreSpam Pro > Protect: Custom Forms. Add the Magento URL path (e.g. customer/account/createpost) or a CSS selector (e.g. form[action*="createpost"]), one per line.

Email validation - custom domains

  • What it does: Adds store-specific domains to the built-in list of 50+ known disposable email services. Signups from those domains are scored as suspicious.
  • When to use it: When you identify a new disposable or spammer domain that the built-in list does not cover.
  • Config path: Stores > Configuration > Moogento > NoMoreSpam Pro > Email Validation: Custom Domains.

CIDR subnet escalation

  • What it does: When a configurable number of distinct IPs from the same subnet are blocked within a window, NoMoreSpam Pro automatically blocks the entire subnet. The daily cleanup cron removes expired subnet blocks.
  • When to use it: During a coordinated attack sourced from a single hosting provider or VPN pool.
  • Config path: Stores > Configuration > Moogento > NoMoreSpam Pro > Advanced: Bot & IP Protection > CIDR Escalation: Enable. Threshold and subnet mask are configured in the same group.
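
To help pick a threshold and subnet mask, here is the escalation rule described above as an added sketch (not the module's code). The threshold of 3, the /24 and /64 masks, the one-hour window, the 24-hour block lifetime and the event list are all assumed or constructed values.

```python
import ipaddress
from collections import defaultdict


class SubnetEscalator:
    """Block a whole subnet once enough distinct IPs in it have been blocked
    inside a time window. All defaults are assumed values for illustration."""

    def __init__(self, threshold=3, prefix_v4=24, prefix_v6=64,
                 window_s=3600, block_ttl_s=86400):
        self.threshold = threshold
        self.prefix = {4: prefix_v4, 6: prefix_v6}
        self.window_s = window_s
        self.block_ttl_s = block_ttl_s
        self._seen = defaultdict(dict)   # network -> {ip: last block time}
        self.subnet_blocks = {}          # network -> expiry time

    def subnet_of(self, ip):
        addr = ipaddress.ip_address(ip)
        return ipaddress.ip_network(f"{addr}/{self.prefix[addr.version]}",
                                    strict=False)

    def record_block(self, ip, ts):
        """Register one blocked IP; return the network if this escalates it."""
        net = self.subnet_of(ip)
        seen = self._seen[net]
        seen[ip] = ts  # repeat hits from one IP refresh it, they do not add up
        for stale in [k for k, t in seen.items() if ts - t > self.window_s]:
            del seen[stale]
        if len(seen) >= self.threshold and self.subnet_blocks.get(net, 0) <= ts:
            self.subnet_blocks[net] = ts + self.block_ttl_s
            return net
        return None

    def is_blocked(self, ip, ts):
        addr = ipaddress.ip_address(ip)
        return any(addr in net and ts < expiry
                   for net, expiry in self.subnet_blocks.items())

    def cleanup(self, ts):
        """Drop expired subnet blocks, as a daily cleanup job would."""
        self.subnet_blocks = {n: e for n, e in self.subnet_blocks.items()
                              if e > ts}


# Constructed block events (seconds, IP) using documentation address ranges.
EVENTS = [
    (0,    "203.0.113.10"),
    (60,   "203.0.113.10"),   # same IP again: still one distinct address
    (120,  "198.51.100.5"),   # different subnet
    (300,  "203.0.113.44"),
    (900,  "203.0.113.200"),  # third distinct IP in the /24 within the window
    (1000, "192.0.2.1"),
    (5000, "192.0.2.2"),      # 192.0.2.1 has aged out of the window by now
    (5100, "192.0.2.3"),
]


def replay(events, **kwargs):
    """Feed events through an escalator; return it plus the escalations seen."""
    esc = SubnetEscalator(**kwargs)
    escalations = []
    for ts, ip in events:
        net = esc.record_block(ip, ts)
        if net is not None:
            escalations.append((ts, str(net)))
    return esc, escalations


if __name__ == "__main__":
    esc, escalations = replay(EVENTS)
    print(escalations)
    # An address that never misbehaved is now covered by the subnet block.
    print(esc.is_blocked("203.0.113.77", 1200))
```

Once the subnet is escalated, every address in it is blocked, including ones that were never individually flagged, which is why a wider mask or a lower threshold raises the chance of catching real shoppers on shared networks.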

Observability and alerts

  • What it does: Three complementary visibility tools - a carding-stats widget on the Magento admin dashboard (24h / 7d / 30d), admin notification bar alerts for high-severity events (score ≥ 90, permanent block, subnet escalation), and a daily 07:00 email summarising the previous day's attack activity.
  • When to use it: Leave all three on in production. Disable the daily email only if another monitoring system already aggregates this data.
  • Config path: Stores > Configuration > Moogento > NoMoreSpam Pro > Observability: Visibility & Alerts.

Advanced configuration

Decoy responses

What it does

When a checkout attempt is blocked, NoMoreSpam Pro returns a randomised gateway-decline message with a randomised delay instead of an immediate "blocked" response. Attackers cannot distinguish a NoMoreSpam Pro block from a real processor decline, which prevents them from enumerating your defenses or confirming that a card was flagged.

Setup

  1. Go to Stores > Configuration > Moogento > NoMoreSpam Pro > Advanced: Bot & IP Protection
  2. Set Anti-Oracle: Enable Decoy Responses = Yes
  3. Set Anti-Oracle: Max Response Delay (ms) to a value between 200 and 5000 (default: 1500)

Notes

  • Disable decoy responses only while debugging a specific blocking behavior - the delay makes log correlation harder.
  • The minimum delay floor is 200 ms regardless of the configured maximum.

Advanced thresholds and cache

What it does

Fine-tune the numeric windows and counts behind individual risk signals: rapid checkout attempt counter, multiple payment attempts, IP transaction caps, multiple card numbers, account velocity, and client identity IP diversity.

Setup

Go to Stores > Configuration > Moogento > NoMoreSpam Pro > Advanced: Thresholds & Cache and adjust the fields relevant to the signals you have enabled in Risk: Scoring.

Notes

  • Lowering the Multiple Card Numbers: Threshold below 3 catches carding bots faster but may flag a shopper correcting two card-number typos in the same session. Pair with a short window (e.g. 600 seconds) to minimise false positives.
  • The GeoIP Cache Duration (hours) field controls how long IPinfo responses are cached. The default of 24 hours is appropriate for production; lower it only during testing.

IPinfo token for geo-based scoring

What it does

IP geolocation signals - country mismatch, unknown location, VPN/proxy/Tor/datacenter detection - require an IPinfo token. Without a token, those risk factors are silently skipped and the Protection Level panel shows an IPinfo Token warning.

Setup

  1. Create a free account at https://ipinfo.io and generate an API token.
  2. Go to Stores > Configuration > Moogento > NoMoreSpam Pro > Advanced: Bot & IP Protection.
  3. Paste the token into the IPinfo Token field.
  4. Save Config.

Notes

  • The free IPinfo tier provides country, city, and ASN (org) data - enough for country-mismatch scoring and ASN-based datacenter detection.
  • For VPN/proxy/Tor/relay detection, upgrade to a paid IPinfo plan and set Datacenter IP Detection Mode to IPinfo Privacy Detection under Risk Flags: Detection Settings.

Tips & best practices

  • Start with the Protection Level panel. Before going live, open Stores > Configuration > Moogento > NoMoreSpam Pro and verify every row in the Protection Level panel shows a green tick for the signals you intend to use.
  • Use the Stats dashboard after your first week to identify which attack types are most common - then tune the corresponding risk factor weights up in Risk: Scoring.
  • Set the global risk threshold before tuning individual weights. Establish a baseline threshold (80 is safe for most stores) and then adjust weights to shift specific signals, rather than dropping the threshold globally.
  • Add your staging environment IP to the allowlist in Permissive mode so automated tests never accumulate transaction counts or trigger CIDR escalation against your own test IP.
  • Keep the daily summary email on. It delivers a one-sentence attack summary only on days attacks occurred - it is quiet on peaceful days and noisy exactly when you need to know.
  • Run the preflight check after any significant configuration change: php bin/magento moogento:nomorespampro:status --format=json. The overall.status and disabled_p0_protections fields confirm the configuration is consistent before traffic hits the new settings.
  • For stores using Payflow, run php bin/magento moogento:nomorespampro:check-payflow-protection to verify all three Payflow hook points are covered.

Troubleshooting

Legitimate customers are being blocked at checkout

  • Cause: Risk threshold may be too low, or a high-weight signal (disposable email, IP reputation, rapid checkout) is firing on real shoppers.
  • Check: Open Moogento > NoMoreSpam Pro > Payments and locate the blocked attempt. The risk_details column shows which signals contributed and their scores.
  • Resolution: If a specific signal is causing false positives, lower its weight in Risk: Scoring rather than raising the global threshold. Add the customer's email or IP to the allowlist if they need immediate unblocking.

Contact form spam is still getting through

  • Cause: The contact form protection toggle may be off, or a custom theme renders the form outside the CSS selectors NoMoreSpam Pro watches.
  • Check: Go to Protect: Specific Sections and confirm Contact form is enabled. In the rendered HTML, verify the hidden honeypot fields appear inside the <form> element.
  • Resolution: If the form uses a non-standard selector, add it under Protect: Custom Forms > Form: CSS selectors.

The Payments log shows STATUS_BLOCKED rows I did not expect

  • Cause: Payflow rate caps, the retry guard, or the zero-amount card probe block may be catching an automated process (e.g. a server-to-server integration).
  • Check: Inspect the source_context column in the blocked row - gateway indicates a Payflow gateway block; secure_token indicates a transparent token controller block. Look at the IP address to determine whether it is your integration.
  • Resolution: Add the integration IP to the allowlist with Bypass Mode = Permissive, or raise the Payflow: Max Authorizations per IP limit for that scope.

Newsletter protection blocks signups from a known good campaign

  • Cause: A campaign sending many signups from the same IP or email domain may trip the IP rate cap or the disposable-email check.
  • Check: Review var/log/moogento_nomorespampro.log for "Risk Score" lines coinciding with the campaign window. Check whether the source IP is a bulk-send service.
  • Resolution: Add the campaign's sending IP or the known-good email domain (under Protect: Allowlists or Email Validation: Custom Domains) before the campaign goes live.

Protection Level panel shows an IPinfo Token warning

  • Cause: One or more geo-based risk factors (country mismatch, unknown location) are enabled in Risk: Scoring, but no IPinfo token is configured.
  • Resolution: Add an IPinfo API token at Stores > Configuration > Moogento > NoMoreSpam Pro > Advanced: Bot & IP Protection > IPinfo Token, or disable the geo factors in Risk: Scoring if you do not need them.

FAQs

How does Magento 2 spam protection stop card-testing bots at checkout?

Enable NoMoreSpam Pro's payment protection and set Monitor all enabled payment methods = Yes under Advanced: Payment Method Protection - the module will apply rate caps, pre-auth validation, and zero-amount card-probe blocking before any request reaches your payment gateway. See Set up payment protection for card-testing prevention for the full steps.

Will NoMoreSpam Pro block my real customers if they try to pay more than once?

No - the rate caps are set conservatively by default (5 payment authorisations per IP per 10 minutes) and are separate from the risk-scoring threshold that drives most blocks. If a genuine customer is caught, unblock their IP in the Blocklist grid and add them to the allowlist to prevent recurrence.

Does NoMoreSpam Pro work with Braintree, Stripe, Payflow, and PayPal?

Yes - NoMoreSpam Pro has dedicated integration points for Braintree, Stripe, Payflow Pro, Payflow Link, Payflow Transparent, and PayPal. Each integration enriches the risk score with gateway-level signals (AVS/CVV patterns, risk flags) available from that processor.

How do I allow my office IP to skip spam checks during testing?

Add your office IP to Protect: Allowlists > Allowlist: IPs (one per line) and set Advanced: Bot & IP Protection > Allowlist: Bypass Mode = Permissive. In Permissive mode the listed IP skips pre-auth checks, risk scoring, and automatic IP blocking entirely.

Is NoMoreSpam Pro compatible with Hyvä, Luma, and Porto themes?

Yes - NoMoreSpam Pro protects forms via server-side checks and standard theme hooks, so it works out of the box with Luma, Porto, and Hyvä. If your theme renders a form outside the default selectors, add the custom CSS selector under Protect: Custom Forms so the honeypot fields are injected correctly.

What happens when I disable NoMoreSpam Pro?

When you set General > Enable = No, all form protection, risk scoring, payment validation, and rate caps are disabled immediately. The Blocklist, Payments log, and Stats data are preserved - you can re-enable at any time without losing your history or configuration.

How do I see which attacks have been blocked in the last 24 hours?

Open Moogento > NoMoreSpam Pro > Stats for the Chart.js dashboard, or open Moogento > NoMoreSpam Pro > Payments to filter by today's date. The daily summary email (if enabled) also delivers a plain-text attack summary at 07:00 each morning.

Why is NoMoreSpam Pro blocking legitimate newsletter sign-ups?

The most common cause is a bulk-mailing campaign sending sign-ups from a shared IP that hits the per-IP transaction cap. Check var/log/moogento_nomorespampro.log around the time of the sign-ups and look for "Risk Score" lines. If the source IP belongs to a trusted campaign service, add it to the allowlist before the next campaign.

Does NoMoreSpam Pro require Google reCAPTCHA?

No - NoMoreSpam Pro uses honeypots, timing signals, risk scoring, and rate limits to block bots without showing visitors a CAPTCHA. The optional Challenge: Provider setting adds reCAPTCHA v3 as a fallback for borderline scores only, and it is disabled by default.

How much does NoMoreSpam Pro cost?

Pricing and plan tiers are listed at https://www.moogento.com. After purchase, install the module via Composer and activate it with the license key from My Plugins - see the Installation section for the full flow.



Need help?

  • moo@moogento.com
  • Include:
    • Magento version
    • Module name
    • What you're trying to do
