Thread

Hey, I had a quick note about a good tool to help with Registration Spam. Currently the “Admin Notification of New Member Registration” doesn’t have the Member’s URL as a variable that can be included in the Notification.

Just even being able to notice in your inbox that “hey this guy just registered with this spammy-lookin’ URL” would be very helpful…

The membership trigger word kludge has run its course, and we’re facing a potential crisis.

I’m sure my registration spam problem would be worse without it, but I’m now getting a couple of registration spams per day, even when changing the trigger word a couple of times a week. Does anyone doubt that this trickle will soon be a torrent?

I’ve been posting about this problem since February, I’ve offered some suggestions (dynamic trigger word, better membership management tools), and we’re not getting any help.

It’s unfortunate that this problem has become serious in the middle of the ongoing release of EE 2.x, but the remedies offered in this two-month-old post are no longer adequate.

I am referring to the EE2 extension linked in my original post. I tested it and it worked in the registration form without problem.

I installed the reCAPTCHA for EE2 and all seems to be working, but when I type the two words they are never correct!?

Did I miss something?

Hi, Gnuus -

Please feel free to contact the author if you need support on it.  I understand he’s an awesome guy and very friendly.

I suspect, though, that you have either rapidly rotating IPs or a proxy/firewall that’s interfering with the submission.

Hi,

Is there any way to prevent real people spammers to register? I am using recapcha in my registration page but still there are spammers registering. Please let me know any idea how to prevent them.

Thank you in advance,

There is no real difference between a person who means well and one that does not! No software can flush this out.

Here is my current system, which works pretty well for now. At the bottom of this post, I listed some items which, in the future, would make things even easier.

1. People can register, but I have to approve them afterward (manual activation)!
2. Before I approve them, I look at an EE custom template (idea from this or similar thread) which lists them and any URL or bio they happened to enter. It also lists their IP and allows me to look it up.
See screen shot enclosed.
This provides a first defense. Note that I can come back here later in order to nab those who post spam URL backlinks later…....since they are displayed as the newest on top, I can get them anytime within a month or more!
3. If they have link spam I delete them from that screen. If their IP or email is really suspect I will delete them. I have not had a single complaint about these deletions - which may mean I am on target - most forums have subjects which are specific to countries or regions…..
4. I use the member utilities module
http://devot-ee.com/add-ons/member-utilities/
to be notified when anyone changes their URL or bio.
5. Every once in a while, I delete a bunch of members who registered a couple month ago and never visited the forums…...not even once!

This seems to be doing a pretty good job…all in all.

It would be really nice if either EE or a developer wrote the “mother of all registration utilities”. Such a module would include stuff like:
1. The IP lookup and options for IP’s from certain countries (some would be disallowed, others suspect until approved, etc.)
2. Some kind of rating on their email address - I wonder if Google shares their data about which domains tend to send spam, etc.
3. Various built in filters to act on parts of the members - for instance “delete members who registered between these dates and never posted even once”, etc.
4. A setup of the above and member utilities designed for speed of use - keeping in mind many of us have 10 or more signups per day.

I think we will see such utilities now that most of the EE2 basics are done….it would be nice for EE to be the real leader in this type of admin-friendliness.

Oops…....can’t attach pics any more, it seems…....
http://www.hearth.com/~hearth/spamfight.jpg

Settings and Software:

* Member Utilities is an important tool for managing members.  It makes up for many lapses in EE’s member management functionality, which hasn’t been updated in years.

* Changing your Profile Triggering Word in Membership Preferences will help cut down on “real person” spam.  I suspect this works because many of these spammers are using lists of registration pages assembled by bots. This is becoming less effective, but it is still essential.

* Banning IP ranges, especially from Asia and Eastern Europe, helps a lot.  This is a problem if you have legitimate users in those regions, however.

Two tips for manual purging of spammers:

* Spammers usually put a number in their usernames (e.g. bob66777) and Non-spammers usually do not. I suspect this is because spammers want a unique ID they can use across sites. It makes them easy to spot.

* Spammers often have email addresses at obviously spammy domains: .(JavaScript must be enabled to view this email address)

Good points, Barry - I also change the triggering word every couple of weeks.

Ideally, that Mother of all Utilities would have a waylaid page where folks from the suspect country could get steered and then send you a little email about why they are legit - or otherwise prove their mettle.

As to the email addresses with numbers - I noticed that some people mentioned that before. But I have a large quantity of legit users who have numbers in their email addresses! I think it is a throwback from AOL, when so many users had the aol.com extension that the only choice was to have numbers after your choice!

Wondering out loud here - that maybe the Mother of Registration Utilities could have a “delete with prejudice” button which had an API tied into:
http://www.stopforumspam.com/

A quick search showed some of the Spammers who tried to sign up with me recently to be in that db.

If moderators so desire, please move this to feature requests….

It might make more sense to set up a separate feature-request topic and point to it. Most of this topic consists of tips for fighting registration spam using EE’s current features and plugins.

It’s early yet… but this is what I’ve done for my EE 1.6x installations.  It seems to be working so far.

I imported the words.php file to my PC.
I did a couple of “find and replace” actions to put an “x” at the beginning and the end of each CAPTCHA words..  So… for example - the first CAPTCHA word went from “able” to “xablex”.

I exported the words.php file back to where it belonged… and so far this morning, when I was getting some 30 to 50 registrations a day - I’ve received none.

I did a “test” registration using the new CAPTCHA words (containing the exes) and it went through just fine.

I’m guessing the bots that spam register on EE sites may have a list of the default CAPTCHA words that come along with the install and go through all of those until they fine the one needed to process the spam registration.

I’d like to get the ja_reCAPTURE extension working for Registrations… but in the interim… this seems to have helped quite a bit… (fingers crossed)

gh

05Aug10 - UPDATE:  NO-GO   Back to the drawing board…

I ended up duplicating the Registration Form (external to the actual site)and put the reCaptcha on it.  It sends me an email and I review applicants and manually add them to my system.  It’s a pain in the @ss but we don’t have a flood of applicants most weeks… so until we get a better fix - I’m going with manual registrations.
http://northwestfloridaonline.com/registration/

06Aug10 - UPDATE: I had two registration requests in the past 24 hours.  Down from 100+ spam registrations on a normal day.  One of the two was someone who forgot they’d registered 2 years ago (same email address kicked out error)... so I just sent them their old login and they were happy.

To add to all of this, Purple Dogfish have updated their Accessible CAPTCHA extension to be EE 2 compatible.  You can make up your own questions, as well, which certainly should help =)

I’ve had great success using the Accessible Captcha extension. I was so glad to see it updated for EE2!

I also just whipped up an extension to handle registration/invitation codes. If it’s appropriate for your site, you can restrict new registrations to only users with a valid registration/invitation code. The Registration Codes extension is available on Devot:ee now.

Also, as previously mentioned, removing the “Powered by ExpressionEngine” footprint from your profile themes goes a long way. I believe the files to edit are copyright.html and html_footer.html in the default profile theme.

(Wikified: http://expressionengine.com/wiki/Fighting_registration_spam/)