Spammers getting through registration
Hi there
I seem to be getting some spammers by-passing my registration. Nothing has been posted up to the forum as yet, but they are appearing as users.
I'm using the Approval method for registration - New users are reviewed and approved by an administrator. I am the only person with rights for this. This seems to be fine - spammers are appearing here, but I get to cut them off before they gain access, as the first image shows.
The strange thing however is the second image. I go to my user list, I'm getting around a dozen spammers a day appearing here. I can detect these because their first and last visit is almost identical time wise. These ARE NOT names that I have approved. I have to go in and manually delete these.
Weird.
Any ideas?
Many thanks
Image 1
Image 2
Comments
what version pls?
2.0.18.4
Thanks
do you have recaptcha enabled?
Do you have any other registration methods enabled such as twitter or facebook?
I do have an account, but it's not an option though for the Approval method of registration, only Basic. I'm not against changing to this if it means cutting out the spammers somehow getting in through the backdoor, but I quite like the Approval method, which was working. I like getting the emails telling me that someone has applied to join.
Is it possible to roll out recaptcha with the Approval method?
Many thanks...
Todd - no, twitter and facebook are both disabled. Really strange how these spammers are signing up without me getting to approve first.
I would run through the permissions table again and
assuming there is no flaw in the approval process.
1) see who has admin privs.
2) change all the passwords for admins.
3) change the password for your vanilla database users.
4) verify permissions on all directories
5) remove all plugins and download new versions.
6) look for any strange code or programs in your directories.
7) check your plugins against any known hacks.
8) http://vanillaforums.org/discussion/19285/security-vulnerability-flagging-plugin-2-0-18-2-and-earlier
9) do you have custom applications
10) what theme are you using.
11)
and you might want to list your plugins
check for vulnerable plugins:
http://www.google.com/search?q=site:vanilla.org+xss
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
if for some reason your db tables are a bit suspect.
easier than a visual check
you could run this in mysqladmin
this will give you the userids with those permissions.
Hi there
Thanks for all the help and advice above. I've tried everything suggested, yet sadly the spammers are still getting through.
My theme is: Vanilla version 2.0.18.4 by Mark O'Sullivan, the default theme.
It's really weird. I'm catching some spammers in the usual way through the Approval method of signing up. Viagra, XXX, Britney etc given as reasons for wanting to join. But then when I look at my user list and sort it so that Last Visit is at the top, there are new spammers already there as members that I haven't approved.
I'm catching them all manually - it would just be good to try and work out how it is happening and then plug it up.
Thanks
once again what plugins do you have enabled?
also
what do you have in your dashboard with respect to this
is this checked.
Require users to confirm their email addresses (recommended) Email
what confirmation role do you have - is it guest.
Confirmation Role
did you import your data from another forum or was it a new install?
what is the role id for your confirmation role?
Hi there
Enabled plugins and Dashboard:
Plus the data was imported from a previous install.
There's your problem there. You need to do the following.
Create a new role called Verify Email
Give it permission to sign in, but don't give it the ability to post.
On the registration page select this new role instead of Member.
What is happening is people are getting the member role as soon as they apply. Some are confirming their email address and going to the applicant queue, but others aren't and they are full members.
Wonderful!
Thanks Todd and peregrine for your patience with this.
I've set up the new role and will sleep on it. I'll see if any spammers get through overnight.
Many, many thanks again. Really appreciated.
we had this happen as well in the last few days. did not expect that to become an issue, so we had a special role assigned for users that gave them too many permissions. fixed that.
They're still coming through in my overall members list, albeit with the new role assigned.
Is this right?
Thanks
well they won't be able to post will they if the verify email role is forbidden to post. Your quarantine area.
you could just watch the ip addresses and block a certain octet. especially if it is from a different country and the spammers use that octet, especially if none of your members are using that octet.
But I think what you have is the nature of things - they are in the quarantined area. Best to enable the captcha if you want to block the bulk of them. You can use the same approval process with it.
What you are seeing is correct though. You will get a bunch of spammers sitting in the confirm email role, but they won't be able to do anything.
Once a user confirms their email then they show up in the approval list.
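An added example, not part of the original thread and not Vanilla's own code: a small audit that separates the two states discussed above, unapproved accounts holding a role that can post (the misconfiguration) versus unapproved accounts parked in a no-post role (the quarantine), and applies the original poster's "first and last visit almost identical" heuristic. The field names, role permissions, sample accounts and the 60-second threshold are all assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample data. Field and role names are illustrative assumptions,
# not Vanilla's actual schema.
ROLES = {
    "Member": {"sign_in": True, "post": True},
    "Verify Email": {"sign_in": True, "post": False},
}
USERS = [
    {"name": "alice", "role": "Member", "approved": True,
     "first_visit": "2012-05-01 09:00:00", "last_visit": "2012-05-20 18:30:00"},
    {"name": "cheapmeds77", "role": "Member", "approved": False,
     "first_visit": "2012-05-21 03:14:07", "last_visit": "2012-05-21 03:14:09"},
    {"name": "xx_pills", "role": "Verify Email", "approved": False,
     "first_visit": "2012-05-21 04:02:11", "last_visit": "2012-05-21 04:02:11"},
    {"name": "bob", "role": "Member", "approved": False,
     "first_visit": "2012-05-19 12:00:00", "last_visit": "2012-05-21 08:45:00"},
]
FMT = "%Y-%m-%d %H:%M:%S"

def visit_gap_seconds(user):
    """Seconds between an account's first and last visit."""
    first = datetime.strptime(user["first_visit"], FMT)
    last = datetime.strptime(user["last_visit"], FMT)
    return (last - first).total_seconds()

def audit(users, roles, max_gap=60):
    """Report every account that no administrator approved.

    status 'exposed'     -> the account's role is allowed to post
    status 'quarantined' -> the account's role cannot post
    one_shot             -> first and last visit within max_gap seconds
    """
    findings = []
    for u in users:
        if u["approved"]:
            continue
        can_post = roles[u["role"]]["post"]
        findings.append({
            "name": u["name"],
            "status": "exposed" if can_post else "quarantined",
            "one_shot": visit_gap_seconds(u) <= max_gap,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(USERS, ROLES):
        print(finding)
```

Accounts reported as exposed are the ones to demote or delete first; an exposed account that is not one_shot (here, bob) has returned after sign-up and deserves a closer look at what it did.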
can they change profile information?
i noticed one of those spammer accounts placed a link on their profile .. a link to myspace
and so on
that was before i switched the assigned role to 'confirm email'