
Fighting Registration Spam

May 10, 2010 7:49pm

  • #1 / May 10, 2010 7:49pm

    Lisa Wess

    20502 posts

    As the popularity of community sites grows, registration spam increases across all platforms that have public member profile pages, including default installations of ExpressionEngine. Spam is an icky, dirty marketing practice that seemingly will never go out of style and will never be completely thwarted.

    Many of you are experienced with using ExpressionEngine’s tools to combat comment and forum spam, but I wanted to share with the community some ways to combat registration spam.

    Onwards . . .

  • #2 / May 10, 2010 8:24pm

    handyman

    509 posts

    Thanks for the suggestions.
    A tool that would really help would be one which had various options based on the registration IPs.

    Such a tool could use IP lookup services to list the location of the registrant so the admin could see before approval.

    I find that most of the current spammers are overseas in certain areas. In my case I might want to add a rule which says “OK all Canadian and US registrations, but let me personally look at and decide on activation of the others”.

    For now I have switched to manual activation - which means I must look at the email address, bio and profile (if any was entered) and/or IP and try to suss them out. It’s not too hard when they are at [email address obfuscated by the forum software] (for real).

  • #3 / May 10, 2010 10:12pm

    Rob Allen

    3114 posts

    As part of the anti-spam initiative, wouldn’t it be worth considering turning “off” member features in a default install? Most notably, “Allow new registrations” could be set to “No” by default to prevent any public registrations unless specifically activated by a site admin.

  • #4 / May 11, 2010 4:34am

    KeithW

    138 posts

    I recall previous discussions of the undesirability of publicly displaying member profiles; as a result of these discussions, the default public display of member profiles was turned off. However, if users have upgraded from a version of EE prior to the change in default, then their member profiles will still be public (unless they’ve manually changed the default).

    How to turn this on / off should be easy to find in the documentation. I can’t see it in the page that discusses “member profile trigger word”.

  • #5 / May 11, 2010 6:06am

    Neil Evans

    1403 posts

    From current experience I can say for sure the current captcha used by EE1.6 is easily broken, and verges on pointless. My preference here would be for a vastly improved default captcha / system.

    Many people, new users, or developers will use that which is the default of the system, as they trust EE’s secure-by-default approach. But in this case EE has not kept up, or made any improvements for as long as I can remember, and relying on external plugins for this is a little - well, in my eyes, lazy. It is not a direct criticism, but more a nudge, whinge, moan, or complaint - I, like others I have spoken to, would like something done.

    Yes, people can bounce off to the wiki, or go get third-party extensions, read multiple articles, make multiple changes to the system to get a better set of results… but being idealistic - wouldn’t it be nice for us not to have to do that for a paid product?

    EE2.0 probably has stepped up to the plate and made many improvements - but with probably 99% of your users on the 1.6 range - as we are still not out of beta for 2.0 - those changes have not helped us yet!

  • #6 / May 11, 2010 7:22am

    Ingmar

    29245 posts

    > How to turn this on / off should be easy to find in the documentation. I can’t see it in the page that discusses “member profile trigger word”.

    The “profile triggering word” can be set in Admin > Members and Groups > Member Preferences.

  • #7 / May 11, 2010 8:27am

    KeithW

    138 posts

    “How to turn this on / off should be easy to find in the documentation” referred to public display of member profiles.

    To explain: EE does not (by default) warn a dumb user who is registering as a member to select a screen name alias that is different from the username. The reason why this is so important is that if member profiles are public, and someone’s screen name and user name are the same, then all a hacker has to do is guess the password in order to hijack the account.

    > you can stop your member list pages being indexed by turning off the Guest Member Group’s ability to view Public Profiles.

    If I recall correctly, this used to be on by default—all members’ profiles were automatically public—but the default was changed. However, the ideal would be for EE to check if screen name alias and username are the same for anyone who has, or is given, posting or administrator privileges, and to warn both the person concerned and the system administrator.

  • #8 / May 11, 2010 10:58am

    handyman

    509 posts

    I am also of the opinion that a number of anti-spam tools should be built in (1st party) extensions and modules, as “security” has always been the strong suit of EE and this functionality should not require installing extras.

    I’m on the rampage getting rid of this new crop of back linkers! In general, this new crop consists of English speakers (or at least readers and writers) from countries all over the world who try to post backlinks… often a couple of days after registration. Captcha does not stop them because they are human. I may try the alternate question-and-answer thingy, and relate the question to my site theme. That may stop a few.

    It is too soon to tell, but I think changing the member trigger word slowed them down. The reason may be simple - the exact URL to your (and our) registration pages is published on “get rich” lists all over the internet, and then distributed to many thousands of people. You can often find yours by doing a Google link search!

    So just by changing that trigger word once in a while, you might get a reduction… I’ll report back later, but I was dealing with about 10 or 12 spam registrants per day… so if it goes down to 2 or 3, I’ll be happy!

    I have moved to manual activation as noted. That helps. Even if I activate a questionable one, I have a SQL script (it’s here somewhere - another member posted it) which lists all the registrations in date order and shows the bio and URL… and has a DELETE link. So if I don’t get them before, I get them really soon after.

    I wonder if Google actually demerits the sites these links point to? Given their claims about their algorithm, they surely should be able to suss out the fact that lots of backlinks in forums to unrelated sites means something bad…

  • #9 / May 11, 2010 12:14pm

    Linkshark

    2 posts

    The best way to deter member registration spam is to remove all references to ExpressionEngine from your templates. Especially in the registration and forum templates.

    It’s the footprint that gives your EE site away.

  • #10 / May 11, 2010 12:44pm

    handyman

    509 posts

    You are correct about that!
    That might be another feature that can be rolled into EE in the future - the ability to remove all those refs with one click in the CP.

    It seems sort of strange to worry about security and then advertise yourself to bring on the monsters…

  • #11 / May 11, 2010 1:24pm

    Lisa Wess

    20502 posts

    Thank you to everyone for the feedback, this is a great discussion and there are many great ideas herein.

  • #12 / May 11, 2010 1:56pm

    Neil Evans

    1403 posts

    I think you can remove certain elements - I remember the old phpBB 1.x string at the base of every forum being used to find vulnerable forums to hack - Google ended up blocking search strings at one point.
    But there is always something within the HTML, structure of a sentence, file name, image name or alt tag that people can use to identify scripts - so this is going to be very hard indeed…

    But everything helps, that’s for sure. Something is certainly pulling in automated bots that can beat the default captcha. Changing the captcha brought down the spam registrations by 90% - and the ones that are left are clearly manual - impossible to beat!

  • #13 / May 12, 2010 12:28am

    KeithW

    138 posts

    It would probably be feasible for EE version upgrades to do certain security checks—e.g. check if member profiles are public, and check if screen name alias and username are the same for anyone who has posting or administrator privileges—and display a warning (plus a link to instructions how to turn off public member profiles).
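    The two checks KeithW asks for in #7 and #13 (accounts whose screen name equals their username, which matters when profiles are public) and the pending-registration review list handyman describes in #8, written out as MySQL an administrator can run against an EE database. This is an added example, not a script from the thread and not EllisLab's code; it assumes the stock `exp_members` table, `join_date` stored as a Unix timestamp, and the default member group ids (1 Super Admin, 2 Banned, 3 Guests, 4 Pending, 5 Members).

```sql
-- Added example, not from this thread or from ExpressionEngine itself.
-- Assumptions: table exp_members with columns member_id, group_id, username,
-- screen_name, email, url, bio, ip_address, join_date (Unix timestamp),
-- total_entries, total_comments, total_forum_posts; default group ids
-- 1 = Super Admin, 2 = Banned, 3 = Guests, 4 = Pending, 5 = Members.
-- Change the table prefix and group ids to match your install.

-- 1. Audit: accounts whose screen name equals their username.
--    On a site with public profiles the profile page reveals the login
--    name, leaving the password as the only secret. Limit the report to
--    groups that can post or administer; banned, guests and pending are
--    skipped because they cannot act on the site.
SELECT member_id, username, screen_name, email, group_id
  FROM exp_members
 WHERE username = screen_name
   AND group_id NOT IN (2, 3, 4)
 ORDER BY group_id, member_id;

-- 2. Manual-activation queue: pending registrations, newest first, with
--    the fields handyman reviews by hand (email, bio, URL, IP). Pending
--    accounts stay in group 4 until an admin activates them, so this
--    lists exactly what is waiting for a decision.
SELECT member_id,
       FROM_UNIXTIME(join_date) AS joined,
       username, screen_name, email, ip_address, url, bio
  FROM exp_members
 WHERE group_id = 4
 ORDER BY join_date DESC;

-- 3. Activated members with no posts after 90 days (the "delete
--    never-posters?" question in #15). Listed for review only; deleting
--    is left to the admin, since the thread notes that real members were
--    lost to over-eager cleanup. total_forum_posts assumes the Discussion
--    Forum module is installed.
SELECT member_id, username, email, FROM_UNIXTIME(join_date) AS joined, url
  FROM exp_members
 WHERE group_id = 5
   AND total_entries = 0
   AND total_comments = 0
   AND total_forum_posts = 0
   AND join_date < UNIX_TIMESTAMP() - 90 * 86400
 ORDER BY join_date;
```

    Run the queries read-only first (for example from the database tool, not the control panel) and compare the output against the member list before acting on it.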

  • #14 / May 12, 2010 1:47am

    grrramps

    2219 posts

    > The best way to deter member registration spam is to remove all references to ExpressionEngine from your templates. Especially in the registration and forum templates.
    >
    > It’s the footprint that gives your EE site away.

    I’ve had some success changing the CAPTCHA words, too.

  • #15 / May 12, 2010 12:37pm

    handyman

    509 posts

    Well, reporting back on the human back linkers… changing the forum trigger word seems to have stopped 90% plus of them. I’m happy for now… but the battle is never ending. I also purchased and installed Greg’s utility for further fun!

    It’s no big deal to change that forum triggering word every once in a while once they figure out the registration URL. In fact, that might be a neat future feature of an extension - something which randomly changes that word every “x” days, etc.

    The thing about spammers is that if they find other easy targets, they are likely to go away. It’s not like they sit around trying to break into YOUR board… or at least most of them don’t. I suspect these back linkers get paid very little - less than $1 per registration and backlink - which means their determination is lacking.

    An interesting discussion is whether those who have never posted should be deleted. I have not thought it through, but can anyone suggest why or why not? In my case, they can read all the forums without registration… so that is not a reason to register.

    Oh, BTW, in my aggressiveness during this recent bunch of spam attacks, I accidentally deleted at least two good members! That is a bad thing, even on a board like mine with 20,000 members. I had to write them sad notes of apology.
