
Disable registration to deal with persistent spam attacks

I maintain a community forum for a plants wiki here: http://practicalplants.org/community

After almost a year online we've finally found our way onto some automated spam lists and we've started getting a substantial amount of fake user registrations and spam posts. Since we use a custom SSO solution to share logins between MediaWiki, Vanilla and WordPress, and we've always hidden the local registration option, I figured I could just disable local user registration, which the spammers are obviously submitting fake data to directly. I selected the "Connect" option in Dashboard > Registration which states "New users are only registered through SSO plugins".

This works in the sense that http://practicalplants.org/community/entry/register now just redirects to the main discussions page, but the spammers are still able to register local forum accounts and are still spamming. The users are not being registered via our SSO app; the spam accounts exist only in the Vanilla user database. Presumably they're submitting an automated POST request directly to the relevant endpoint in the application, and the "Connect" registration option doesn't actually disable this.

Does anyone know a workaround or solution?

Thanks!
Andru


Comments

  • I should add that the SSO solution uses ProxyConnect on the Vanilla side of things, and that I'm on version 2.0.18.8

  • peregrine MVP
    edited June 2013

    I don't use either of these plugins. But it does seem like a good question, hope you get an answer.

    but if you think somehow they are bypassing things and getting to registration views.

    you could copy
    applications/dashboard/views/entry/registerclosed.php to
    your theme's views

    and then make a copy of registerclosed.php in your theme's views and call it
    registerbasic.php

    and then make a copy of registerclosed.php in your theme's views and call it
    registercaptcha.php

    and then make a copy of registerclosed.php in your theme's views and call it
    registerinvitation.php

    and then make a copy of registerclosed.php in your theme's views and call it
    registerapproval.php

    and so on for all the registration methods.

    so in

    /themes/YOURTHEME/views/entry

    you would have
    registerbasic.php
    registercaptcha.php
    registerapproval.php
    registerinvitation.php

    you would presumably need to do this with your mobile theme also.

    this will prevent any registration, even if you know the link.

    you could also add a logger to see what IP is attempting to get there, if they are indeed getting there.

    If you still have issues, it is not a problem through the registration process and occurs somewhere else.

    are the spammers actually becoming members????

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
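
The logging idea in the comment above can also be checked from the web server's existing access log. This is an added example, not part of the original thread: it assumes Apache/nginx "combined" log format, takes the `/community/entry/` prefix from the URL in the question, and lists which IPs sent POST requests there that were answered with a 2xx instead of the redirect that GET requests now receive.

```python
import re
from collections import Counter, defaultdict

# Assumption: "combined" access-log format; adjust the regex for other formats.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ENTRY_PREFIX = "/community/entry/"  # from the thread's URL; change for your install

def entry_posts(lines, prefix=ENTRY_PREFIX):
    """Return {ip: Counter({(path, status): hits})} for POSTs under the prefix."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].lower()  # ignore query string and case
        if path.startswith(prefix):
            hits[m["ip"]][(path, int(m["status"]))] += 1
    return dict(hits)

def accepted_posts(hits):
    """POSTs answered with 2xx: candidates to compare against new user rows.
    A 2xx alone does not prove an account was created."""
    return sorted((ip, path, n) for ip, counts in hits.items()
                  for (path, status), n in counts.items() if 200 <= status < 300)

# Constructed sample lines (documentation IP ranges), not from the site's logs.
SAMPLE = [
    '203.0.113.7 - - [12/Jun/2013:10:01:02 +0000] "GET /community/entry/register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2013:10:01:03 +0000] "POST /community/entry/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2013:10:01:09 +0000] "POST /community/entry/register?x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Jun/2013:10:02:00 +0000] "POST /community/entry/register HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Jun/2013:10:02:05 +0000] "GET /community/discussions HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, n in accepted_posts(entry_posts(SAMPLE)):
        print(f"{ip} sent {n} POST(s) to {path} that were not redirected")
```

Matching the timestamps of the reported requests against the creation times of the spam accounts shows whether registration is really the entry point or, as the comment says, the problem occurs somewhere else.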
