
Spam Membership - How Does It Happen?

Development and Programming

Dan Allen (Houston, TX)
35 posts
12 years ago

Hi,

I don’t know if this is a problem in EE 2.x, but in EE 1.6.8, I have 300,000 spam membership records. Mr. Google let me know this is a long-known issue with EE, where people can register and it is not easy to turn off. Mr. Google is providing enough info regarding deleting the spam and using an addon to prevent the problem, but my question is: How does a spammer register on my site? I am new to supporting this particular site. I cannot find where there is a membership form people can submit to make themselves members.

Actually, EE membership is a blur to me at the moment. All I really know about it is setting up people via CP so they can edit the site.

So how are the spammers registering?

Any information would be extremely much appreciated.

Thank you, Dan

       
Boyink!
5,011 posts
12 years ago

Mainly it happened because:

  • Ability to register was turned on by default.
  • The URLs of member related pages (register/profile, etc) were fixed by the system, so they were the same site to site.

This left the ability for a spammer to write a bot that would find EE sites, assume the URLs of registration and profile pages, and be able to register with the intent of putting a link into the bio area of the profile page for SEO reasons.

Check the following on your site:

Add “member/memberlist” to the root URL of the site, after index.php.

Does a page come up?

There is also “member/register”

And “member/x” where x is the member_id.

If you haven’t already, you’ll need to go into member preferences, turn off registrations, and change the Member Profile Triggering word to something other than “/member” - like a long random string of characters and numbers.

And then clean out those spammers! 😉
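Added example (not part of the thread and not ExpressionEngine code): a check of a web server access log for requests to the member pages named in the reply above, with or without index.php. It assumes Apache combined log format and the default “member” trigger word; the log lines and IP addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = '''\
203.0.113.7 - - [12/Mar/2012:04:11:02 +0000] "GET /index.php/member/register HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [12/Mar/2012:04:11:09 +0000] "GET /index.php/member/register HTTP/1.1" 200 5120 "-" "-"
198.51.100.23 - - [12/Mar/2012:05:02:40 +0000] "GET /index.php/member/memberlist HTTP/1.1" 200 9911 "-" "-"
198.51.100.23 - - [12/Mar/2012:05:02:44 +0000] "GET /index.php/member/4512 HTTP/1.1" 200 3300 "-" "-"
192.0.2.10 - - [12/Mar/2012:06:15:00 +0000] "GET /index.php/blog/entry/member/ HTTP/1.1" 200 7000 "-" "-"
203.0.113.7 - - [13/Mar/2012:04:11:02 +0000] "GET /member/register/ HTTP/1.1" 404 310 "-" "-"
this line is not a log entry and is skipped
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def classify(path, trigger="member"):
    # Recognise <trigger>/register, <trigger>/memberlist and <trigger>/<member_id>.
    pat = r'^(?:/index\.php)?/' + re.escape(trigger) + r'/(register|memberlist|\d+)/?(?:\?.*)?$'
    m = re.match(pat, path)
    if not m:
        return None
    return "profile" if m.group(1).isdigit() else m.group(1)

def scan(log_text, trigger="member"):
    # hits: (page kind, HTTP status) -> count; registrants: IP -> served register pages.
    hits, registrants = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        kind = classify(path, trigger)
        if kind is None:
            continue
        hits[(kind, status)] += 1
        if kind == "register" and status == 200:
            registrants[ip] += 1
    return hits, registrants

if __name__ == "__main__":
    hits, registrants = scan(SAMPLE_LOG)
    for (kind, status), n in sorted(hits.items()):
        print(f"{kind:<10} {status} {n}")
    print("register page served to:", dict(registrants))
```

Pass your own trigger word as the second argument to `scan` to see whether the renamed member pages are being requested.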

       
Dan Allen (Houston, TX)
35 posts
12 years ago

Michael, thank you for replying, I was thinking of writing to you about this.

A couple days ago, I changed the member trigger word. No new spam since then. I deleted the extraneous records then too.

What I don’t understand is why nothing comes up when I hit my site/newmembertriggerword or site/newmembertriggerword.

Hopefully, changing the trigger word will be the end of new spam. I guess people can submit forms to that address and get them processed, even though nothing comes up when I look.

Thanks for giving me the sanity check I needed on this. My client will be very pleased.

       
Boyink!
5,011 posts
12 years ago

Does the site use index.php yet?

Or possibly other .htaccess rules in place?

       
Dan Allen (Houston, TX)
35 posts
12 years ago

Ahhh, there you go. I forgot to include index.php, which this site does use. Now I see a member profile coming up.

Thank you, Michael, for demystifying this for me. This is a big load off my mind, my client will think I am awesome. lol. I will make sure to let them know who explained this to me.

       
Boyink!
5,011 posts
12 years ago

No worries man…look like a champ to your client for figuring it out..😉

       
Dan Allen (Houston, TX)
35 posts
12 years ago

I thought you might get a kick out of this… my newest client let me know she uses “the Boyink category cross reference method” or something like that, definitely with your name on it. It is very cool, the client actually built her first site for her business, now needs another, knows how to do it from you, but she is letting me build it for her, since she doesn’t have the time. The internet makes the world a small place!

       
Boyink!
5,011 posts
12 years ago

Hah - I guess my job is done then…;) Thanks for letting me know!

       
