Hundreds of fake user registrations each day (General)

by Brent, Tuesday, December 12, 2017, 07:44 (2299 days ago)

Each day I get over 200 spam user registrations. I've tried both the graphical and mathematical CAPTCHA, but to no avail. As a result, my domain is now blacklisted everywhere, with the result that my emails end up in junk folders or aren't delivered at all, because the system sends out hundreds of spam activation emails every day.

Is there anything I can do to prevent all these fake user registrations?

Hundreds of fake user registrations each day

by Micha ⌂, Tuesday, December 12, 2017, 08:06 (2299 days ago) @ Brent

Hi,

which software version?

the system sends out hundreds of spam activation emails every day.

To non existing e-mail accounts?

Is there anything I can do to prevent all these fake user registrations?

Of course, e.g. enable activation by moderators/administrators.

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

Hundreds of fake user registrations each day

by Brent, Tuesday, December 12, 2017, 08:18 (2299 days ago) @ Micha

Version 2.3.4

The addresses do not seem to be fake. They use real addresses harvested from real users. In Gmail, this message is labelled as "Lots of messages from myname@mydomain.com are spam".

I have activation by admins/mods turned on, but when you register the system automatically sends an activation email anyway. This is also confusing. They should get a message saying that the account needs to be approved by an admin.

Hundreds of fake user registrations each day

by Brent, Tuesday, December 12, 2017, 08:22 (2299 days ago) @ Brent

Only after the activation link is clicked by the user do the admins get a message saying there is a new user. The user gets a message saying something like: "Your account is activated but needs to be unlocked by a mod or admin before you can log in"

Hundreds of fake user registrations each day

by Micha ⌂, Tuesday, December 12, 2017, 08:27 (2299 days ago) @ Brent

Hi,

Version 2.3.4

Your version is outdated. The current version is 2.4.6. You should update your software, now!

This is also confusing. They should get a message saying that the account needs to be approved by an admin.

This will happen, if the user clicks the activation link. It is a two step activation process.

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

strongly recommended update, amendment

by Auge ⌂, Tuesday, December 12, 2017, 08:55 (2299 days ago) @ Micha
edited by Micha, Tuesday, December 12, 2017, 09:24

Hello

Version 2.3.4


Your version is outdated. The current version is 2.4.6. You should update your software, now!

Wow, commanding tone in the morning. Yesssir! ;-)

@Brent: Please update the script and remember the necessary and mandatory interim step of the update to version 2.3.5.

Bye, Auge

--
Never separate rubbish, because it has only one syllable!

strongly recommended update, amendment

by Micha ⌂, Tuesday, December 12, 2017, 09:00 (2299 days ago) @ Auge

Hi,

Wow, commanding tone in the morning. Yesssir! ;-)

Oh, I'm sorry if it sounds too strong/hard.

@Brent: Please update the script and remember the necessary and mandatory interim step of the update to version 2.3.5.

Full ACK.

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

Update didn't change anything

by Brent, Wednesday, December 13, 2017, 14:21 (2298 days ago) @ Micha

As expected, updating to 2.4.6 didn't solve anything. Bad behaviour, Stop Forum Spam and all other possible measures are of course enabled. Close to 300 fake users have been sending out spam from my address the last 24 hours (after the update). Registering users manually is not an option.

Update didn't change anything

by Auge ⌂, Wednesday, December 13, 2017, 15:20 (2298 days ago) @ Brent

Hello

As expected, updating to 2.4.6 didn't solve anything.

With version 2.3.7 we solved a security issue by which an attacker was able to access forum functions from JS in different tabs in a user's browser. So it was not impossible to solve or at least contain this problem.

Bad behaviour, Stop Forum Spam and all other possible measures are of course enabled. Close to 300 fake users have been sending out spam from my address the last 24 hours (after the update).

Can you please provide examples of the spam mails or the returning error messages from the receiving e-mail-servers in source code (i.e. in Thunderbird open the source of a message with [ CTRL ]+[ u ])?

Bye, Auge

--
Never separate rubbish, because it has only one syllable!

Update didn't change anything

by Micha ⌂, Wednesday, December 13, 2017, 15:53 (2298 days ago) @ Brent

Hi,

300 fake users have been sending out spam from my address

I don't understand HOW these fake users can get access to your account. Why don't we have the same problem on this platform?

Anyway, I add a ticket and Auge is planning(?) to implement a further filter.

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences

Hundreds of fake user registrations each day

by Auge ⌂, Tuesday, December 12, 2017, 08:49 (2299 days ago) @ Brent

Hello

Each day I get over 200 spam user registrations.

That's annoying, I know.

I've tried both the graphical and mathematical CAPTCHA, but to no avail. As a result, my domain is now blacklisted everywhere, with the result that my emails end up in junk folders or aren't delivered at all, because the system sends out hundreds of spam activation emails every day.

The captchas are answerable nowadays. Old, dumb robots will fail but up-to-date techniques can solve the quests. So the captchas do not protect you effectively.

Is there anything I can do to prevent all these fake user registrations?

- You can activate "Stop Forum Spam" (SFS). When a new registration happens, SFS will be asked if the e-mail address is known as a spammer's address. This will protect you at least against known spam accounts.

- You can set the setting "User registration" to the value "self but new accounts have to be unlocked by an admin or a moderator". Then the users register themselves but you have to unlock them. You'll have control over which account should be activated, but the forum will nevertheless send the e-mail to the user (to confirm the registration) and, after the confirmation, to the admin/mods (to inform them about the registration). So it's effectively no protection against the possible blacklisting.

- You can set the setting "User registration" to the value "only by admin". Then you are the one that registers every user. As registering admin you can decide for every account whether you send a confirmation message to the user or not. Not very convenient, but at the moment the only method to be safe (in combination with SFS).

Bye, Auge

--
Never separate rubbish, because it has only one syllable!
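
An added example, not part of the original posts and not the forum software's own code: a gate that decides whether a registration may trigger an activation e-mail at all, combining a Stop Forum Spam lookup with a sliding-window throttle so that a burst of registrations cannot turn the forum into a bulk sender. The reply shape is assumed from Stop Forum Spam's public JSON API; `sfs_listed`, `ActivationMailGate`, the thresholds and the sample reply are hypothetical and constructed for illustration.

```python
import json
import time
from collections import deque

# Constructed sample reply; field names assumed from the SFS JSON API.
SAMPLE_SFS_REPLY = json.dumps({
    "success": 1,
    "email": {"appears": 0, "frequency": 0},
    "ip": {"appears": 1, "frequency": 42, "confidence": 97.5},
})

def sfs_listed(reply_text, min_confidence=50.0):
    """True if the looked-up e-mail or IP is listed with enough confidence."""
    try:
        reply = json.loads(reply_text)
    except ValueError:
        return False  # unreadable reply: fall through to the throttle
    if reply.get("success") != 1:
        return False
    for field in ("email", "ip"):
        entry = reply.get(field) or {}
        if entry.get("appears") and float(entry.get("confidence", 0)) >= min_confidence:
            return True
    return False

class ActivationMailGate:
    """Hypothetical gate in front of the activation-mail sender."""

    def __init__(self, per_ip=2, global_max=20, window=3600):
        self.per_ip, self.global_max, self.window = per_ip, global_max, window
        self.sent = deque()  # (timestamp, ip) for every mail already allowed

    def allow(self, ip, sfs_reply, now=None):
        now = time.time() if now is None else now
        # Drop events that have left the sliding window.
        while self.sent and self.sent[0][0] <= now - self.window:
            self.sent.popleft()
        if sfs_listed(sfs_reply):
            return "reject: listed by SFS"
        if sum(1 for _, seen in self.sent if seen == ip) >= self.per_ip:
            return "hold: per-IP limit"
        if len(self.sent) >= self.global_max:
            return "hold: global limit, queue for moderator"
        self.sent.append((now, ip))
        return "send"
```

Because the harvested addresses in this thread belong to real people, the e-mail lookup alone may not flag them; the IP lookup and the global cap are what bound the number of mails leaving the domain.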
