
recaptcha

RajioRajio
edited June 2011 in Vanilla 2.0 - 2.8
so recaptcha doesn't seem to be stopping spam accounts from being registered. i'm getting about 20 a week signing up (never posting though) by defeating recaptcha. the only solutions i'm finding are setting my forum to approval-based (i only get 2 spam accounts attempting to sign up a week if i do this) or invitation based.

what can be done about this? I'd like to keep open registration.

Even a better way of dealing with the spam users (easier bulk deletion?) would be good.

Comments

  • ToddTodd Chief Product Officer Vanilla Staff
    Yup, I guess Vanilla is on the map and Recaptcha has been defeated :(

    We'll be addressing spam more and more in upcoming versions, including the features you are asking for.

    One thing I'd suggest is email confirmation which is new in 2.0.18. The spam bots can register, but they will probably never enter their email addresses. We'll have bulk user selection/deletion in an upcoming version or you can delete users that have registered but not confirmed in phpMyAdmin or something like that.
  • I had this problem as well, until I modded my registration process to poll StopForumSpam.com's servers, and this dramatically cut down the number of bot registrations. And I only polled StopForumSpam with the user's e-mail address (or was it the IP address?) rather than polling it with the username, e-mail address, and the IP address, because I was afraid of false positives.

    Of course, when I updated to 2.0.17.9, that custom code (just a few lines) got replaced, and I never got around to re-adding the code, so the bots have been registering again.

    More on StopForumSpam here: http://stopforumspam.com/apis
  • @Todd, great to know. I'll be transitioning to 18 once it's out of beta.

    @Shmizzle interesting, I'll look into it. thanks.
  • ToddTodd Chief Product Officer Vanilla Staff
    edited June 2011
    Hey! We have a stopforumspam plugin about to be released! Anyone want to help test:

    https://github.com/vanillaforums/Addons/tree/master/plugins/StopForumSpam

    This needs 2.0.18b+.
  • ShmizzleShmizzle New
    edited June 2011
    Hey Todd, look forward to the plugin (I'm using 2.0.17 so can't test it out).

    Suggestion: it'd be cool if you could configure what gets sent to StopForumSpam. i.e., only e-mail addresses, or IP addresses and usernames, etc.
  • ToddTodd Chief Product Officer Vanilla Staff
    I just put StopForumSpam on this site and it's stopping a tonne of bots. It's causing me to scramble with the spam UX because some bots try and register 20+ times. There are currently 85 attempts blocked since 2pm.

    My current dev version has the attempts grouping by ip so it should be nicer.
  • ToddTodd Chief Product Officer Vanilla Staff
    @Shmizzle, I send both email and ip. I block registrations if the email has been reported more than 50 times or if the ip address has been reported more than 5 times.

    I don't send usernames. It seems as though everyone has a username that is blacklisted in the StopForumSpam db.
  • Thanks for the SFS plugin @Todd

    This is a huge asset for blocking spam bots, I've been utilizing the service on my other websites. Could you allow us to customize the threshold of email/IP reports required to block?
  • lucluc ✭✭
    Thanks for the SFS plugin @Todd

    This is a huge asset for blocking spam bots, I've been utilizing the service on my other websites. Could you allow us to customize the threshold of email/IP reports required to block?
    From what I see on github, not possible apart from editing the code (on github it's set as 5 and 20), but Todd said he already changed it to 50.

    Shouldn't be too hard to create a settings page for this.

  • ToddTodd Chief Product Officer Vanilla Staff
    edited June 2011
    I may add config or wait for a pull request. This IS an open source project.
  • Yeah, the more that I think about it, probably no need to spend time adding the config for now at least, as it's easy enough to modify it to only send what you want it to send.
  • this has me excited to get .18 installed
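
The blocking rule Todd describes (email reported more than 50 times, or IP more than 5 times, usernames never sent) together with the configurable fields and thresholds requested in the thread, as an added example that is not the plugin's code. The function names, the config layout and the response shape (`success`, and a per-field `frequency` count) are assumptions to check against the API documentation linked above; the sample response is constructed.

```php
<?php
// Added example, not the StopForumSpam plugin's code. Thresholds are the ones
// stated in the thread; names and the response shape are assumptions.

const SFS_DEFAULTS = [
    'fields'     => ['email', 'ip'],            // usernames are deliberately not sent
    'thresholds' => ['email' => 50, 'ip' => 5],
];

// Build the lookup query from only the fields the admin chose to send.
// (The response-format parameter is left out here; see the API docs.)
function sfs_build_query(array $candidate, array $config = SFS_DEFAULTS): string
{
    $params = array_intersect_key($candidate, array_flip($config['fields']));
    return http_build_query($params);
}

// Decide from a decoded lookup response.
// Returns ['block' => bool, 'reasons' => string[]].
function sfs_decide(?array $response, array $config = SFS_DEFAULTS): array
{
    // Failed or malformed lookup: do not block on missing data (a policy
    // choice; email confirmation still applies to the new account).
    if (!is_array($response) || empty($response['success'])) {
        return ['block' => false, 'reasons' => ['lookup failed']];
    }
    $reasons = [];
    foreach ($config['fields'] as $field) {
        $limit = $config['thresholds'][$field] ?? null;
        $count = (int) ($response[$field]['frequency'] ?? 0);
        // "more than N times" in the thread, so strictly greater than.
        if ($limit !== null && $count > $limit) {
            $reasons[] = "$field reported $count times (limit $limit)";
        }
    }
    return ['block' => $reasons !== [], 'reasons' => $reasons];
}

// Constructed sample response (not captured from the service).
$sample = json_decode(
    '{"success":1,"email":{"frequency":12},"ip":{"frequency":9}}',
    true
);
$candidate = ['username' => 'newuser', 'email' => 'a@example.com', 'ip' => '203.0.113.7'];

echo sfs_build_query($candidate), "\n";   // username is dropped from the query
print_r(sfs_decide($sample));             // default config: email and IP checked
print_r(sfs_decide($sample, ['fields' => ['email'], 'thresholds' => ['email' => 50]]));
```

With the sample data the default config blocks on the IP count, while the email-only config lets the same registration through, which is the false-positive trade-off discussed in the thread.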