Fighting Registration Spam
Posted: 27 July 2010 02:06 PM   [ # 37 ]
Lab Assistant
Total Posts:  152
Joined  09-24-2003

Settings and Software:

* Member Utilities is an important tool for managing members.  It makes up for many lapses in EE’s member management functionality, which hasn’t been updated in years.

* Changing your Profile Triggering Word in Membership Preferences will help cut down on “real person” spam.  I suspect this works because many of these spammers are using lists of registration pages assembled by bots. This is becoming less effective, but it is still essential.

* Banning IP ranges, especially from Asia and Eastern Europe, helps a lot.  This is a problem if you have legitimate users in those regions, however.

Two tips for manual purging of spammers:

* Spammers usually put a number in their usernames (e.g. bob66777) and non-spammers usually do not. I suspect this is because spammers want a unique ID they can use across sites. It makes them easy to spot.

* Spammers often have email addresses at obviously spammy domains: .(JavaScript must be enabled to view this email address)

Posted: 27 July 2010 02:35 PM   [ # 38 ]
Research Assistant
Total Posts:  639
Joined  11-05-2002

Good points, Barry - I also change the triggering word every couple of weeks.

Ideally, that Mother of all Utilities would have a waylaid page where folks from the suspect country could get steered and then send you a little email about why they are legit - or otherwise prove their mettle.

As to the email addresses with numbers - I noticed that some people mentioned that before. But I have a large quantity of legit users who have numbers in their email addresses! I think it is a throwback from AOL, when so many users had the aol.com extension that the only choice was to have numbers after your choice!

 Signature 

Craig Issod, Publisher
Hearth.com - Answers to all your Burning Questions
http://www.hearth.com

Posted: 02 August 2010 11:20 AM   [ # 39 ]
Research Assistant
Total Posts:  639
Joined  11-05-2002

Wondering out loud here - that maybe the Mother of Registration Utilities could have a “delete with prejudice” button which had an API tied into:
http://www.stopforumspam.com/

A quick search showed some of the Spammers who tried to sign up with me recently to be in that db.

If moderators so desire, please move this to feature requests….

 Signature 

Craig Issod, Publisher
Hearth.com - Answers to all your Burning Questions
http://www.hearth.com

Posted: 02 August 2010 11:42 AM   [ # 40 ]
Lab Assistant
Total Posts:  152
Joined  09-24-2003

It might make more sense to set up a separate feature-request topic and point to it. Most of this topic consists of tips for fighting registration spam using EE’s current features and plugins.

Posted: 04 August 2010 11:15 AM   [ # 41 ]
Grad Student
Total Posts:  35
Joined  04-15-2006

It’s early yet… but this is what I’ve done for my EE 1.6x installations.  It seems to be working so far.

I imported the words.php file to my PC.
I did a couple of “find and replace” actions to put an “x” at the beginning and the end of each CAPTCHA word.  So… for example - the first CAPTCHA word went from “able” to “xablex”.

I exported the words.php file back to where it belonged… and so far this morning, when I was getting some 30 to 50 registrations a day - I’ve received none.

I did a “test” registration using the new CAPTCHA words (containing the exes) and it went through just fine.

I’m guessing the bots that spam register on EE sites may have a list of the default CAPTCHA words that come along with the install and go through all of those until they find the one needed to process the spam registration.

I’d like to get the ja_reCAPTURE extension working for Registrations… but in the interim… this seems to have helped quite a bit… (fingers crossed)

gh

05Aug10 - UPDATE:  NO-GO   Back to the drawing board…

I ended up duplicating the Registration Form (external to the actual site) and put the reCaptcha on it.  It sends me an email and I review applicants and manually add them to my system.  It’s a pain in the @ss but we don’t have a flood of applicants most weeks… so until we get a better fix - I’m going with manual registrations.
http://northwestfloridaonline.com/registration/

06Aug10 - UPDATE: I had two registration requests in the past 24 hours.  Down from 100+ spam registrations on a normal day.  One of the two was someone who forgot they’d registered 2 years ago (same email address kicked out error)... so I just sent them their old login and they were happy.

 Signature 

Gene Hilsheimer
wmbb.com
Panama City, FL

Posted: 04 August 2010 01:49 PM   [ # 42 ]
Administrator
Total Posts:  26092
Joined  05-14-2004

To add to all of this, Purple Dogfish have updated their Accessible CAPTCHA extension to be EE 2 compatible.  You can make up your own questions, as well, which certainly should help =)

Posted: 10 August 2010 03:38 PM   [ # 43 ]
Lab Assistant
Total Posts:  199
Joined  05-30-2007

I’ve had great success using the Accessible Captcha extension. I was so glad to see it updated for EE2!

I also just whipped up an extension to handle registration/invitation codes. If it’s appropriate for your site, you can restrict new registrations to only users with a valid registration/invitation code. The Registration Codes extension is available on Devot:ee now.

Posted: 10 August 2010 03:39 PM   [ # 44 ]
Lab Assistant
Total Posts:  199
Joined  05-30-2007

Also, as previously mentioned, removing the “Powered by ExpressionEngine” footprint from your profile themes goes a long way. I believe the files to edit are copyright.html and html_footer.html in the default profile theme.

Posted: 10 August 2010 05:28 PM   [ # 45 ]
Lab Assistant
Total Posts:  199
Joined  05-30-2007

(Wikified: http://expressionengine.com/wiki/Fighting_registration_spam/)

Posted: 10 August 2010 05:58 PM   [ # 46 ]
Administrator
Total Posts:  26092
Joined  05-14-2004

Awesome, Michael.  Thank you! =)

Posted: 11 August 2010 09:45 AM   [ # 47 ]
Research Assistant
Total Posts:  354
Joined  03-03-2007

We are fighting this as well. All of the human readable/interaction solutions help somewhat but we have found that a group out of India has a staff of people processing spam members on EE sites. Many of which link back to Real firms in the US outsourcing SEO to this company.

We are still at a loss on how to solve this.

 Signature 

Michael Hahn
HCC Development

 

Posted: 19 August 2010 09:02 AM   [ # 48 ]
Research Assistant
Total Posts:  639
Joined  11-05-2002
Michael Hahn - 11 August 2010 01:45 PM

We are fighting this as well. All of the human readable/interaction solutions help somewhat but we have found that a group out of India has a staff of people processing spam members on EE sites. Many of which link back to Real firms in the US outsourcing SEO to this company.

We are still at a loss on how to solve this.

I think one has to be careful of trying too hard…that is, trying to trap people before they register as opposed to after.

My newest strategy is to let them register - of course, slowed down somewhat by the changing of the trigger word for the forum registrations.  Then I have two quick online reports I look at…..
1. the first is anyone who posted something in the bio or url section - I delete the offenders immediately.
2. the second has a list of ALL registrations in descending date order…..this offers me a quick look, and lookups, to check their IP and location (I have location as a field in the registration) against their claim AND to check them against the Stopforumspam.com database.

That is a nice db, BTW - it has caught a lot of the folks who I suspect.

I immediately delete any who are in India, China, Vietnam, etc. because that does not fit my forum profile - I immediately delete any who are in the stopforumspam db.

The entire process above takes less than 2-3 minutes per day, which is less than any other method I have used. This is for a forum with 20,000 members, so it is not too bad.

 Signature 

Craig Issod, Publisher
Hearth.com - Answers to all your Burning Questions
http://www.hearth.com

Posted: 19 August 2010 01:09 PM   [ # 49 ]
Sr. Research Associate
Total Posts:  2544
Joined  02-28-2008
Michael Rog - 10 August 2010 07:39 PM

Also, as previously mentioned, removing the “Powered by ExpressionEngine” footprint from your profile themes goes a long way. I believe the files to edit are copyright.html and html_footer.html in the default profile theme.

Also, if you are using a Forum module, consider:
http://expressionengine.com/archived_forums/viewthread/140259/
http://expressionengine.com/archived_forums/viewthread/85807/

 Signature 

Defeat is a state of mind; no one is ever defeated until defeat has been accepted as a reality.

Posted: 21 October 2010 01:54 AM   [ # 50 ]
Lab Assistant
Total Posts:  152
Joined  09-24-2003

The effectiveness of changing the member trigger word continues to decline as the spammers get either smarter or more numerous. I’ve hit upon another technique which is working for me and will work for some other community sites.

I’ve added a new required field to the registration page: “What community do you live in?” Anyone who lives in the (geographical) community I serve can answer this question easily, but it stops spammers cold.  I’ve noticed a drop-off in the number of registration spammers and the ones who go ahead and answer the question have been answering with obviously wrong answers.

Like I said, this won’t work for most sites, but it might work for yours.

Posted: 21 October 2010 05:27 AM   [ # 51 ]
Research Assistant
Total Posts:  400
Joined  07-09-2006

I’ve been thinking about blocking IP addresses when we receive multiple registrants from the same IP. After the member status they’ll go to an ‘isolation’ status for manual approval. When even more registrants come in, the IP address is blocked.

On the website itself, we actually need a module so that comments by newbies are always moderated. Once they appear to be comment spammers, the comments are deleted, their account is banned and their IP address is blacklisted (and shared with the community, like the Low NoSpam module).

Erwin

 Signature 

Erwin van Lun,
futurist, founder Chatbots.org (virtual agent/assistant/chat bot community)
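
Added example, not part of any post in this thread and not ExpressionEngine code: a Python version of the per-IP escalation proposed in post #51 (member, then isolation for manual approval, then IP block), combined with the bio/URL check and newest-first review list from post #48. The record fields, the thresholds and the names `triage` and `review_queue` are assumptions, and the sample registrations are constructed.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
ISOLATE_AT = 2  # assumed: second signup from one IP waits for manual approval
BLOCK_AT = 4    # assumed: fourth signup from one IP gets the address blocked

# Constructed sample registrations (documentation IP ranges, made-up users).
SAMPLE = [
    {"user": "grace", "ip": "198.51.100.7", "joined": "2010-10-21 08:30", "bio": "", "url": ""},
    {"user": "alice", "ip": "192.0.2.10", "joined": "2010-10-20 09:00", "bio": "", "url": ""},
    {"user": "bob66777", "ip": "198.51.100.7", "joined": "2010-10-20 09:05", "bio": "", "url": "http://example.com/"},
    {"user": "carol", "ip": "198.51.100.7", "joined": "2010-10-20 09:06", "bio": "", "url": ""},
    {"user": "dave", "ip": "198.51.100.7", "joined": "2010-10-20 09:07", "bio": "", "url": ""},
    {"user": "erin", "ip": "198.51.100.7", "joined": "2010-10-20 09:08", "bio": "", "url": ""},
    {"user": "frank", "ip": "203.0.113.5", "joined": "2010-10-21 08:00", "bio": "hello", "url": ""},
]

def _when(reg):
    return datetime.strptime(reg["joined"], FMT)

def triage(registrations, isolate_at=ISOLATE_AT, block_at=BLOCK_AT):
    """Walk signups oldest-first; return ({user: status}, blocked_ips)."""
    seen = defaultdict(int)   # signups counted per source IP
    blocked = set()
    decisions = {}
    for reg in sorted(registrations, key=_when):
        ip = reg["ip"]
        seen[ip] += 1
        if ip in blocked or seen[ip] >= block_at:
            blocked.add(ip)   # once blocked, later signups from the IP are refused
            decisions[reg["user"]] = "block"
        elif seen[ip] >= isolate_at or reg["bio"] or reg["url"]:
            # Repeat IP, or bio/URL filled in at signup: hold for a human look.
            decisions[reg["user"]] = "isolate"
        else:
            decisions[reg["user"]] = "member"
    return decisions, blocked

def review_queue(registrations, decisions):
    """Users held for manual approval, newest first, as in a daily report."""
    held = [r for r in registrations if decisions[r["user"]] == "isolate"]
    return [r["user"] for r in sorted(held, key=_when, reverse=True)]
```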

Posted: 21 October 2010 12:17 PM   [ # 52 ]
Lab Assistant
Total Posts:  152
Joined  09-24-2003

Absolutely.  I’ve blacklisted a ton of Asian and RIPE IP addresses which have been spamming me. I also moderate all new user comments. I change my member trigger word as soon as I get more than one spam on any day.  And I use Member Utilities—http://devot-ee.com/add-ons/member-utilities/—to isolate bad registrations daily.

And still they come.

EE’s membership system is in serious need of an overhaul.

Posted: 21 October 2010 01:22 PM   [ # 53 ]
Sr. Research Associate
Total Posts:  2544
Joined  02-28-2008
Barry Parr - 21 October 2010 04:17 PM

...

EE’s membership system is in serious need of an overhaul.

That it is… :)
To be honest, user registration is no longer automated but rather paid for as a cheap labor of ‘SEO Consultants’.

 Signature 

Defeat is a state of mind; no one is ever defeated until defeat has been accepted as a reality.

Posted: 21 October 2010 07:17 PM   [ # 54 ]
Lab Assistant
Total Posts:  152
Joined  09-24-2003

To be honest, user registration is no longer automated but rather paid for as a cheap labor of ‘SEO Consultants’

Agreed. I’ve been able to keep the bots and Asian boiler rooms from registering on my site. So, mostly I’m dealing with US-based small time SEO weasels. But this means more manual culling of memberships, and that’s why the tools need to be improved.
