Please upgrade here. These earlier versions are no longer being updated and have security issues.

Spambots Bypassing Application Process

Hello,
I'm the owner of the site wyomingbronies.com. Unfortunately we've been a huge target of spambots lately. I disabled all external methods of authentication and only allow users to apply for membership. Unfortunately it seems there's a bug somewhere as the spambots are still bypassing the authentication process and are able to register. They then use their profile page to paste links for SEO. I've tried CloudFlare to try and mitigate these attacks, but unfortunately around 15 new accounts are made per day regardless and my list of banned IPs is growing every single day. All the users created by the spambots still need their emails confirmed, but can still post to their profile page. I'm left there wondering why I don't have permission to disable users from posting stuff on their profile until their email is confirmed. I'm seriously considering switching off of Vanilla if there isn't a solution to these problems.

I'm running Vanilla Version 2.0.18.9


Comments

  • peregrine MVP
    edited December 2013

    @TheTux2

    still need their emails confirmed, but can still post to their profile page.

    Unfortunately it seems there's a bug somewhere as the spambots are still bypassing the authentication process and are able to register

    perhaps the only bug is that you don't have your role privs properly set up. A forum administrator can correctly set up permissions for any role.

    you need to correct your permissions for unconfirmed e-mail and also not show profiles to unconfirmed e-mail.

    you need to tune your forum permissions for roles and add some plugins to prevent spam.

    you might also want to list all the plugins you are using.

    http://vanillaforums.org/discussion/25403/spam-attack-how-to-deal-with-spammers

    http://vanillaforums.org/discussion/24785/poll-which-registration-method-and-plugins-do-you-use-to-deter-spammers-and-their-efficacy

    confirm e-mail role could be tightened up by only allowing view for discussions checked and signin allow checked. everything else unchecked in that role.

    I'm seriously considering switching off of Vanilla if there isn't a solution to these problems.

    if the spam-related plugins and role permission don't help, it may be because you are not setting them up properly and not a fault of vanilla.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • To add to peregrine's point, you can make your site less attractive to spammers by only making privately available.

    grep is your friend.

  • hgtonight ∞ · New Moderator

    There is a known "feature" in 2.0.x that those able to view profiles can comment on the activity.

    Remove the Profiles.View and Activity.View permissions from Guest, Unconfirmed, and Applicant roles.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
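
    An added example, not part of any post in this thread: a read-only query to check whether the low-trust roles still hold the two permissions named above. It assumes the default GDN_ table prefix, that the full permission names are Garden.Profiles.View and Garden.Activity.View stored as columns of GDN_Permission, and the role names used in the thread ('Confirm Email' is an assumed alternative name for the unconfirmed role); adjust all of these to your install.

    ```sql
    -- Audit only: lists low-trust roles that can still view profiles or activity.
    -- Assumed: GDN_ prefix, permission columns named after the permission,
    -- and role names as they appear in the thread.
    SELECT r.RoleID,
           r.Name,
           p.`Garden.Profiles.View` AS ProfilesView,
           p.`Garden.Activity.View` AS ActivityView
    FROM GDN_Role AS r
    JOIN GDN_Permission AS p
      ON p.RoleID = r.RoleID
    WHERE p.JunctionTable IS NULL   -- global row, not a per-category override
      AND r.Name IN ('Guest', 'Unconfirmed', 'Applicant', 'Confirm Email')
      AND (p.`Garden.Profiles.View` = 1 OR p.`Garden.Activity.View` = 1)
    ORDER BY r.Name;
    ```

    An empty result means none of those roles holds either permission; any row returned is a role to fix on the dashboard's role permissions screen.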

  • @TheTux2 sorry that those damn spammers are attacking your site.

    Install the plugins that peregrine recommended to make it easier to clean them.

    The privileges are your tools to deal with the spammers. Follow the advice that was given above me and let's see if the number of spammers goes down ....

    For problem solvers, helpers ... these questions are interesting. For site owners the spammers are annoying of course...

    The interesting part is: will the available tools be sufficient to deal with these spammers?
