ExpressionEngine CMS
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Strange member sign ups, possible security issue?

February 11, 2010 8:28am

  • #16 / Feb 11, 2010 10:15am

    Neil Evans

    1403 posts

    Hi Sue,
    I understand your logic and purpose… but in my head (and this might not be right), if I was to close registration but keep existing members, I would disable registration in the preferences and keep the member module installed.
    Whereas if I wanted it all gone, I would just uninstall it.

    Perhaps that is just my roundabout user logic, as opposed to how it would be coded, but it seems sensible. Especially as this module is not / was not tied into the admin member setup section, as this is universal (i.e. it works on the core version!).

    Either way, as above, I have changed it to a long, unguessable trigger word - lesson learnt!

  • #17 / Mar 17, 2010 7:28am

    journalistone

    78 posts

    Hello all here. I too was just about to start a new Post but saw this. I have a ‘global’ project that has been getting a lot of ‘spam’ registrations over the recent 2-3 weeks. I don’t want to have to continue adding ip addresses to a blacklist. I would like that this spam simply does not get through.

    Basically, there is a pattern in that the email addresses are a name which has the first letters of the first and last name cut off, followed by a 2 or 3 digit number.

    For example, registrations are:
    User = Anthony Pickard, Email = (address not preserved in the archive),
    User = Keith Flint, Email = (address not preserved in the archive), or
    User = Bruce Duppstadt, Email = (address not preserved in the archive)

    And so on.

    From what I can gather from knowing my site and the form structure, it is the {url} field that is being found and is the basis for the abuse (clearly because of the SEO).


    I am using SAEF forms. I am running EE 1.6.8.
    I have Advanced Captcha extension running.

    In my security and session preferences:
    I have Process form data in Secure Mode set to ‘Yes’
    I have Deny Duplicate Data set to ‘Yes’

    I did have membership activation set to:  ‘Self-Activation by Email’ ... but have changed it in the past few days to Manual Activation by Administration in order to moderate. But this is also not what I want to have to do on an ongoing basis.

    It appears that there has become a ‘hole’ in the system whereby expressionengine forms are recognised, contrary to captchas and I also have ‘validation’ on my forms.

    I also have other forms, but it is the registration one that is failing because it has the {url} field.

    My site registration form is here:
    NSJ Form

    Is there any possible avenue that can help reduce / eliminate this spam as I don’t think it is sensible to put in place ‘hacks’ or rename input fields or remove the URL input field from the form just to stop this happening. This means Captchas are a complete waste of visual space.

    Anyone with some thoughts here ... ???

    Thank you.

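The post above describes the sign-ups by a naming pattern rather than by address (the addresses themselves are not preserved in the archive). As an added example that is not part of the thread, the check below derives the expected spam local part from the screen name, reading the post's description as "first name minus its first letter, then last name minus its first letter, then 2 or 3 digits"; that reading, the constructed sample addresses and the `example.com` domains are assumptions, and the rule is a triage heuristic to run over a registration export, not a substitute for a CAPTCHA or moderation.

```python
import re

# Constructed sample sign-ups. The screen names are the ones quoted in the
# post; the addresses are invented to match (or deliberately not match) the
# pattern the post describes, since the real ones were not archived.
SAMPLE_SIGNUPS = [
    ("Anthony Pickard", "nthonyickard42@example.com"),    # matches: stem + 2 digits
    ("Keith Flint", "eithlint7@example.com"),             # only 1 digit: not flagged
    ("Bruce Duppstadt", "ruceuppstadt123@example.com"),   # matches: stem + 3 digits
    ("Jane Doe", "jane.doe@example.org"),                 # ordinary address: not flagged
]


def derived_pattern(screen_name):
    """Build the regex a spam address would match for this screen name.

    Assumed reading of the post: local part = first name without its first
    letter + last name without its first letter + 2 or 3 digits.
    Returns None for single-word names, which the rule cannot describe.
    """
    parts = screen_name.split()
    if len(parts) < 2:
        return None
    first, last = parts[0], parts[-1]
    stem = (first[1:] + last[1:]).lower()
    return re.compile(r"^" + re.escape(stem) + r"\d{2,3}$")


def looks_like_pattern(screen_name, email):
    """True when the email local part follows the spam pattern for this name."""
    pattern = derived_pattern(screen_name)
    if pattern is None:
        return False
    local_part = email.split("@", 1)[0].lower()
    return pattern.match(local_part) is not None


def flag_signups(signups):
    """Return the (screen_name, email) pairs that match the pattern."""
    return [(name, email) for name, email in signups
            if looks_like_pattern(name, email)]


if __name__ == "__main__":
    for name, email in flag_signups(SAMPLE_SIGNUPS):
        print(f"suspicious: {name!r} -> {email}")
```

Run it over a CSV export of the members table and review the flagged rows before deleting anything; a legitimate user can, by coincidence, pick an address that fits the rule.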
  • #18 / Mar 23, 2010 10:19am

    chunky

    35 posts

    Same problem here.  About 10 new fake registrations a day.  Captcha is being circumvented.

  • #19 / Mar 23, 2010 1:02pm

    RevaCo

    240 posts

    Same problem here.  About 10 new fake registrations a day.  Captcha is being circumvented.

    Me too :(

  • #20 / Mar 23, 2010 3:02pm

    Darren Miller

    103 posts

    I’m sure mods will correct me if I’m wrong, but I believe the best practice here is to lock down all possible config options (e.g. disallow auto-registration of new active members etc etc.) and then change the member trigger word to something absolutely ridiculous. I treat it the same as I would a secure password (mash-up of letters, numbers and symbols).

    I don’t think it’s possible to turn off front-end member functionality completely, so this last step is important to stop crawlers finding the templates.

    Not ideal, I’d prefer a simple “turn it off” option, but this method works.

    For those that think Captcha is being cheated, it’s probably a crawler posting to /member/register/ rather than your custom register form.

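The post above makes two practical points: a crawler is probably posting straight to the default `/member/register/` URL instead of the custom form, and the member trigger word should be changed to something unguessable. As an added example that is not part of the thread or of ExpressionEngine itself, the script below checks both. It scans constructed web-server access-log lines (Apache/nginx combined format) for POSTs to the member module's register URL that do not carry a Referer from the site's own registration page, and it generates a random replacement trigger word. The log lines, the host `www.example.com`, the custom form page `/register/`, and the Referer heuristic are all assumptions; a bot can forge a Referer, so treat the result as a triage list, not proof.

```python
import re
import secrets
import string
from collections import Counter

# Constructed access-log lines (not real traffic). Two IPs post directly to
# /member/register/ with no Referer; one visitor loads the custom form page
# and submits with a matching Referer.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Mar/2010:10:01:12 +0000] "POST /member/register/ HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [23/Mar/2010:10:01:40 +0000] "POST /member/register/ HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [23/Mar/2010:10:03:02 +0000] "GET /register/ HTTP/1.1" 200 8123 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [23/Mar/2010:10:03:45 +0000] "POST /member/register/ HTTP/1.1" 302 0 "http://www.example.com/register/" "Mozilla/5.0"
192.0.2.9 - - [23/Mar/2010:10:05:00 +0000] "POST /member/register/ HTTP/1.1" 302 0 "-" "python-urllib/2.6"
"""

# Assumed site details: the default trigger word, the site host, and the
# page that hosts the custom (SAEF) registration form.
MEMBER_TRIGGER = "member"
SITE_HOST = "www.example.com"
REGISTER_PAGE = "/register/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_direct_register_post(entry, trigger=MEMBER_TRIGGER):
    """True for a POST to /<trigger>/register that did not come from our form page."""
    if entry["method"] != "POST":
        return False
    if not entry["path"].startswith(f"/{trigger}/register"):
        return False
    referer = entry["referer"]
    own_form = (f"http://{SITE_HOST}{REGISTER_PAGE}",
                f"https://{SITE_HOST}{REGISTER_PAGE}")
    return not referer.startswith(own_form)


def suspicious_posts(log_text):
    """Return the parsed entries that look like direct posts to the member module."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_direct_register_post(entry):
            hits.append(entry)
    return hits


def count_by_ip(entries):
    """Tally suspicious posts per source IP, for blocklist or rate-limit decisions."""
    return Counter(e["ip"] for e in entries)


def new_trigger_word(length=24):
    """Random replacement trigger word, letters and digits only so it is safe in a URL segment."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for ip, n in count_by_ip(suspicious_posts(SAMPLE_LOG)).most_common():
        print(f"{ip}: {n} direct POST(s) to /{MEMBER_TRIGGER}/register/")
    print("suggested new trigger word:", new_trigger_word())
```

After changing the trigger word in the member module preferences, rerun the scan: requests to the old `/member/register/` path should now be 404s in the log, and any that still arrive are crawlers working from a stale URL rather than from your templates.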
  • #21 / Mar 23, 2010 4:34pm

    Ingmar

    29245 posts

    There are two possible issues here that must not be confused: is the site accepting sign-ups, possibly secured with a captcha, and are spammers signing up? If so, this might be annoying but is no reason for concern.

    If, on the other hand, you have turned off registering of new members and suddenly there are any, this might be worth investigating.

