Large uptick in spam account registrations recently (General)

by John yuip, Saturday, January 12, 2019, 05:57 (1932 days ago) @ WorldofBB
edited by John yuip, Saturday, January 12, 2019, 06:29

I've had a big problem with automatic submissions on a WordPress site I manage but don't own... the owner did not authorize the use of captchas of any sort, form or shape. For years the only thing that sorted it out was Akismet Anti-Spam, but since I installed the free "WPBruiser" I have got rid of all the automatic submissions.

One of the things it does is precisely one of the suggestions: require some number of seconds (one can change it to any value) before allowing the message to be sent... if it is sent before that, it goes automatically to the extension's log as a blocked message and doesn't appear anywhere else... but to the submitter it looks like everything was properly submitted (they have no way of knowing what is happening in the background... for all they know the human moderator simply did not authorize the message to appear... since all messages are moderated by a human).

I found that 3 seconds is enough (there) to stop spammers.
They also have other things like "Blocks most dangerous IP addresses involved in brute force attacks, cross-site scripting or SQL injection" and "Blocks most dangerous IP addresses associated with web proxies that shield the originator's IP address", but the time check alone is what stops almost all the spam messages from ever appearing in the control panel for moderation.

mylittleforum could have the same thing in the registration process (and for normal post messages) and show a "Your account/message needs to be approved by an administrator before it is authorized" message. That would be true for normal, unprotected accounts, which the administrator would need to activate. For submissions protected by the time delay it would look to the submitter as if everything were OK, because they would still get the e-mail to activate the account... but the difference would be that the administrator wouldn't even see it unless he/she went to some page hidden somewhere underneath... and because the default behaviour is not to have any delay, the submitter has no way of knowing about that defence mechanism. The system could then delete the account/message automatically without even showing anything to the administrator (unless he/she wants to manually see how much he/she is not missing :) ).

The message part could also display that the administrator needs to approve it, and either that is true, or it just checks the time and, if it does meet the minimum requirement, the message can be scheduled to be allowed after some random period (3 to 35 minutes, for example, set by the administrator, and up to a 2880-minute delay... so that legitimate messages don't get blocked forever by mistake). The same applies to new registrations... they can also have the same automated random approval delay if they pass the time-delay check... so that in reality the administrator doesn't do anything (but bots and humans have no way of knowing that).

You can also have those blank fields (visible or invisible): "don't fill me with anything or this registration will not succeed"... but the administrator should be allowed to choose the label that appears, like "Web site:"... and have a message at the beginning saying, in some disguised way, that nothing besides username and password, for example, should be filled in.

Another thing is personalized anti-spam questions! These are also good ways to stop automated spammers and, in some cases, even human spammers from other countries trying to register on 1000's of forums.
For example: "What is the first name of the original creator of mylittleforum?" That is something easy to find on the project's wiki page but that some random person from China probably won't find the answer to in their preferred search engine... and an automated bot will probably also not be able to guess it.

One thing that removed the need, on my web sites, for any reCAPTCHA/image captcha solution at all was the use of a free JavaScript called "GateKeeper 2" (I still use it!). Instead of allowing direct access to the registration page you could have some interception page where the user would need to enter some special word or number... in order to even get into the create-account page (which could have a special, different URL for every installation so that automated and human spammers can't simply submit directly). In my experience it stops 100% of automated systems from even getting there. The user needs to find that information either on the page itself, in the terms and conditions, or in some blog post, for example.
You can make it more complex by allowing the administrator to remove the "register" link at the top and give him some code like [register-new-accounts] and/or a link to be posted manually somewhere, where the "register" mode is changed to anything else the administrator chooses (e.g. hruiqr). But even that only leads to the interception page where the user enters the special word and is then redirected to, for example, the mode named "rg2719". Maybe the forum could even change it automatically every hour or so, or create a dedicated address for every individual session that bypasses the interception page... so that it can't ever be reused by another bot session, since it can be linked to the IP and some session cookie, for example.
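As an added example (not code from the post, from WPBruiser, or from mylittleforum), here is the minimum-submission-time check with a hidden honeypot field and the silent quarantine plus random approval delay described above, written in Python so it runs stand-alone rather than in the forum's PHP. The secret key, the field names, the 3-second minimum and the 3 to 35 minute approval range are assumptions taken from the post's own figures; the timestamp is bound to the visitor's session with an HMAC so a bot cannot backdate it or replay one token across sessions.

```python
import hashlib
import hmac
import random
import time

# Hypothetical settings for the example; a real forum would load these from its config.
SECRET_KEY = b"change-me-to-a-long-random-secret"
MIN_SECONDS = 3             # the post's figure: anything faster is treated as a bot
MAX_TOKEN_AGE = 3600        # a token older than this is stale; re-render the form instead
HONEYPOT_FIELD = "website"  # labelled "Web site:" but hidden from humans via CSS
RANDOM_APPROVAL_RANGE = (3, 35)   # minutes; the post's example range

# Submissions that failed a check. Only an admin page "hidden somewhere underneath"
# would list these; nothing else in the UI mentions them.
quarantine = []

# Submissions that passed, each with the time at which it becomes visible.
approval_queue = []


def issue_form_token(session_id, now=None):
    """Hidden field embedded when the form is rendered.

    The token is the render time plus an HMAC over (time, session), so the
    timestamp cannot be backdated and a token fetched in one session cannot be
    replayed from another.
    """
    issued = int(time.time() if now is None else now)
    mac = hmac.new(SECRET_KEY, f"{issued}:{session_id}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def check_submission(form, session_id, now=None):
    """Return ('accept' | 'quarantine', reason) for a submitted form dict."""
    now = time.time() if now is None else now
    token = form.get("form_token", "")
    issued_str, _, mac = token.partition(":")
    if not issued_str.isdigit() or not mac:
        return "quarantine", "missing or malformed form token"
    issued = int(issued_str)
    expected = hmac.new(SECRET_KEY, f"{issued}:{session_id}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "quarantine", "form token does not verify for this session"
    age = now - issued
    if age < MIN_SECONDS:
        return "quarantine", f"submitted {age:.1f}s after render (< {MIN_SECONDS}s)"
    if age > MAX_TOKEN_AGE:
        return "quarantine", "form token expired"
    if form.get(HONEYPOT_FIELD, "") != "":
        return "quarantine", "hidden honeypot field was filled in"
    return "accept", "passed timing and honeypot checks"


def schedule_approval(now, minutes_range=RANDOM_APPROVAL_RANGE):
    """Pick the random delay after which an accepted post is shown (seconds since epoch)."""
    low, high = minutes_range
    return now + random.randint(low, high) * 60


def handle_post(form, session_id, now=None):
    """Process a submission; the user-facing message is identical in both cases."""
    now = time.time() if now is None else now
    verdict, reason = check_submission(form, session_id, now)
    if verdict == "accept":
        approval_queue.append({"form": form, "visible_at": schedule_approval(now)})
    else:
        quarantine.append({"session": session_id, "reason": reason, "form": form})
    return verdict, "Your message needs to be approved by an administrator before it is published."


if __name__ == "__main__":
    # Constructed sample: the form is rendered at t=1000 for session "s1".
    tok = issue_form_token("s1", now=1000)
    print(handle_post({"form_token": tok, "message": "hi"}, "s1", now=1001))  # too fast
    print(handle_post({"form_token": tok, "message": "hi"}, "s1", now=1010))  # accepted
    print(len(quarantine), "quarantined,", len(approval_queue), "awaiting timed approval")
```

Both outcomes return the same text, so a submitter cannot distinguish "quarantined" from "awaiting a human moderator"; the difference only shows up in the `quarantine` list that an admin would have to go and look at.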
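A second added example (again not code from the post, GateKeeper 2, or mylittleforum) covers the interception page: a special word the visitor has to know (the same mechanism as a personalized anti-spam question), a hidden "register" mode name that rotates on its own every hour, and a one-time pass bound to the visitor's IP and session cookie so the resulting URL cannot be reused by another bot session. The secret key, the gate word `mlf-welcome`, the `/index.php?mode=...` URL shape, the ten-minute pass lifetime and the `rg` prefix are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical settings; a real deployment would keep these in its config.
SECRET_KEY = b"another-long-random-secret"
GATE_WORD = "mlf-welcome"        # the "special word" published in the T&C or a blog post
GATE_TTL_SECONDS = 600           # how long a visitor has to reach the form after answering
MODE_ROTATION_SECONDS = 3600     # the post's "change it automatically every hour or so"

# Issued one-time passes: token -> (client_ip, session_id, expires_at)
pending_passes = {}


def register_mode_name(now, secret=SECRET_KEY):
    """Derive the current name of the hidden 'register' mode (e.g. 'rg2719ab').

    It is an HMAC of the current rotation period, so every installation gets a
    different name and it changes on its own every period.
    """
    period = int(now) // MODE_ROTATION_SECONDS
    digest = hmac.new(secret, str(period).encode(), hashlib.sha256).hexdigest()
    return "rg" + digest[:6]


def mode_name_is_current(name, now):
    """Accept the current period's name and the previous one, so a visitor who
    answered the gate just before the hour rolled over is not locked out."""
    if not isinstance(name, str) or not name.isascii():
        return False
    return any(
        hmac.compare_digest(name, register_mode_name(now - k * MODE_ROTATION_SECONDS))
        for k in (0, 1)
    )


def answer_gate(answer, client_ip, session_id, now=None):
    """Interception page handler. Returns the registration URL on success, else None.

    The pass is bound to the visitor's IP and session cookie, so a bot that
    scrapes the URL cannot use it from elsewhere, and it is single-use.
    """
    now = time.time() if now is None else now
    if not hmac.compare_digest(answer.strip().lower(), GATE_WORD):
        return None
    token = secrets.token_urlsafe(16)
    pending_passes[token] = (client_ip, session_id, now + GATE_TTL_SECONDS)
    return f"/index.php?mode={register_mode_name(now)}&pass={token}"


def open_registration(mode, token, client_ip, session_id, now=None):
    """Registration page handler: True only for a fresh, matching, unused pass."""
    now = time.time() if now is None else now
    if not mode_name_is_current(mode, now):
        return False
    entry = pending_passes.pop(token, None)   # pop makes the pass single-use
    if entry is None:
        return False
    ip, sid, expires_at = entry
    return now <= expires_at and ip == client_ip and sid == session_id


if __name__ == "__main__":
    # Constructed sample: one visitor answers the gate and then opens the form.
    url = answer_gate("MLF-Welcome", "203.0.113.5", "sess-a", now=7200)
    print("redirect to", url)
    mode, token = url.split("mode=")[1].split("&pass=")
    print("first use:", open_registration(mode, token, "203.0.113.5", "sess-a", now=7210))
    print("replay:   ", open_registration(mode, token, "203.0.113.5", "sess-a", now=7211))
```

A wrong IP or session on the first use also consumes the pass, which is deliberate: the visitor who actually answered the gate just answers it again, while a scraped URL is burnt on the first misuse.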

